From the cybersecurity policy and law enforcement front,
- Cybersecurity Dive reports,
- “The Trump administration’s top cybersecurity official on Tuesday [November 18, 2025,] previewed the contours of the administration’s cyber strategy, saying it would focus heavily on countering foreign adversaries and reducing regulatory burdens on industry.
- “We are striving as an administration to make sure that there is a single coordinated strategy in this domain in a way that hasn’t happened before,” National Cyber Director Sean Cairncross said at the Aspen Cyber Summit. “We are working in very close partnership with our interagency colleagues to develop this strategy and get it out the door.”
- “Like its Biden administration predecessor, the new cyber strategy will be accompanied by an action plan that lists lines of effort under six pillars of activity. “It’s going to be a short statement of intent and policy,” Cairncross said.
- “One of the pillars will focus on shaping the behavior of Russia, China, ransomware gangs and other adversaries by imposing costs when they attack the U.S. In emphasizing the need for consequences, Cairncross repeated a frequent criticism of the government’s approach to cyber defense, saying policymakers have failed to deter adversaries’ malicious cyber activity.
- “We need to do that,” he said, “because it is scaling, and it is becoming more aggressive every passing day.”
- and
- “The Cybersecurity and Infrastructure Security Agency will increase its hiring efforts in 2026 as it seeks to rebuild from the Trump administration’s deep cuts and prepare for a potential U.S. conflict with China.
- “The recent reduction in personnel has limited CISA’s ability to fully support national security imperatives and administration priorities,” acting CISA director Madhu Gottumukkala said in a Nov. 5 memo to staff obtained by Cybersecurity Dive. The agency has “reached a pivotal moment,” he added, but it remains “hampered by an approximately 40% vacancy rate across key mission areas.”
- The American Hospital Association tells us,
- U.S. and international agencies Nov. 19, 2025, released a guide on mitigating potential cybercrimes from bulletproof hosting providers. A BPH provider is an internet infrastructure provider that intentionally markets and leases their infrastructure to cybercriminals. The agencies said they have recognized a notable increase in cybercriminals using BPH resources for cyberattacks on critical infrastructure and other targets. Mitigating malicious activity from BPH providers requires a nuanced approach, as BPH infrastructure is integrated into legitimate internet infrastructure systems, and actions from internet service providers or network defenders could impact legitimate activity.
- “Bulletproof hosts have long been used to facilitate cybercrime,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “They hide in plain sight, looking like other legitimate providers. They do not cooperate with law enforcement investigations, providing cybercriminals cover for their activities.”
- Cyberscoop relates,
- “The Securities and Exchange Commission on Thursday [November 20, 2025,] dropped its case against SolarWinds and its chief information security officer over its handling of an alleged Russian cyberespionage campaign uncovered in 2020, an incident that penetrated at least nine federal agencies and hundreds of companies.
- “The SEC’s decision brings to a halt one of the more divisive steps under the Biden administration to hold companies’ feet to the fire over their security failings, a groundbreaking suit that a judge last year dismissed in significant measure.
- “It comes the same day the Federal Communications Commission rescinded Biden-era cyber regulations the FCC wrote in response to another major cyberespionage campaign that saw alleged Chinese hackers infiltrate telecommunications carriers.
- “Two years ago, the SEC took action against SolarWinds and its CISO, Tim Brown, over claims that it didn’t adequately disclose the Sunburst attack that began in 2019, as well as over other security assertions the company made.
- “The SEC litigation notice Thursday didn’t explain why it had dropped the case. An SEC spokesperson declined to comment beyond the notice.
- “A SolarWinds spokesperson said the company welcomed the SEC decision. The mere threat of SEC action two years ago had panicked some cyber executives who said it could create a chilling effect to disclose cyber information.”
From the cybersecurity vulnerabilities and breaches front,
- Security Week informs us,
- “Outages hit a wide range of online services, including ChatGPT, X, Dropbox, Shopify, and the game League of Legends. The incident has also reportedly caused some disruptions to websites and other digital services associated with critical organizations such as New Jersey Transit, New York City Emergency Management, and the French national railway company SNCF.
- “Cloudflare initially reported seeing a “spike in unusual traffic”, which led some to believe that the outage may be the result of a cyberattack.
- “However, Cloudflare CTO Dane Knecht pointed out on Tuesday morning [November 18, 2025,] that it was not an attack.
- “Instead, Knecht said, “a latent bug in a service underpinning our bot mitigation capability started to crash after a routine configuration change we made. That cascaded into a broad degradation to our network and other services.”
- “That issue, impact it caused, and time to resolution is unacceptable. Work is already underway to make sure it does not happen again, but I know it caused real pain today,” he added.
- Cybersecurity Dive adds,
- “Microsoft said Monday [November 17, 2025,] it was able to neutralize a record-breaking distributed denial of service attack against its Azure service in late October.
- “The multivector attack, measuring 15.72 Tbps and almost 3.64 billion packets per second, was the largest single attack in the cloud ever recorded, according to the company.
- “The company traced the attack to the Aisuru botnet, which often targets compromised home routers and cameras. Most of the threat activity linked to Aisuru involved residential internet service providers in the U.S., but also includes other countries, according to Microsoft.”
- Dark Reading points out,
- “In a near replica of a separate campaign this summer, hackers connected to the ShinyHunters extortion operation have once again breached many organizations’ Salesforce instances via a third-party integration.
- “Following a spring vishing campaign targeting organizations’ Salesforce environments, a ShinyHunters-adjacent threat group hit Salesforce again in August. The threat actors performed a supply chain breach through Salesloft’s Drift, an integrated application that uses artificial intelligence (AI) to automate marketing and sales processes. They broke into Salesloft, stole OAuth tokens that connect Drift and Salesforce, and used them to reach hundreds of organizations’ Salesforce environments, with all of the powers and permissions within Salesforce that those organizations had granted the Drift app.” * * *
- “Researchers from the Google Threat Intelligence Group (GTIG) have publicly attributed the attack to hackers tied to ShinyHunters, and said that more than 200 customer instances have been impacted. DataBreaches.net directly contacted the group, which confirmed responsibility, claiming that between Drift and Gainsight the group has gained access to Salesforce data for nearly 1,000 organizations.
- “Dark Reading has not independently confirmed that these organizations have been affected.”
- and
- “For more than half a decade now, a Chinese state-aligned threat actor has been spying on Chinese organizations by infecting their trusted software updates.
- “When the SolarWinds breach was unearthed in 2020, it might have seemed like a uniquely devious event in cybersecurity history. But cyberattackers and cybersecurity researchers have been finding other, novel ways of poisoning software updates since then.
- “PlushDaemon” is one such group that has quietly, for quite a while now, been taking its own approach to the update hijack. Like Chinese advanced persistent threats (APTs) often do, it infects organizations through their edge devices. But where most APTs use edge devices as initial entry points to deeper network compromise, researchers at ESET have found that PlushDaemon uses them in its own way. It hijacks network traffic using a specially designed implant, re-routes legitimate software update requests to its own infrastructure, and then serves victims malicious substitutes.”
- CISA added three known exploited vulnerabilities to its catalog this week.
- November 18, 2025
- CVE-2025-58034 Fortinet FortiWeb OS Command Code Injection Vulnerability
- Cybersecurity Dive and Dark Reading discuss this KEV.
- November 19, 2025
- CVE-2025-13223 Google Chromium V8 Type Confusion Vulnerability
- November 21, 2025
- Cyberscoop adds,
- “Federal, state, and local government agencies face a critical vulnerability hiding in plain sight: outdated web forms collecting citizen data through insecure channels. While agencies invest in perimeter security and threat detection, many continue using legacy forms built years ago without modern encryption, authentication, or compliance capabilities. These aging systems collect Social Security numbers, financial records, health information, and security clearance data through technology that cannot meet current federal security standards.
- “The scope of the problem is substantial. Government agencies allocate 80% of IT budgets to maintaining legacy systems, starving modernization efforts while feeding outdated technology. The federal government’s 10 most critical legacy systems—ranging from 8 to 51 years old—cost $337 million annually to operate and maintain, with total projected spending on legacy systems reaching $2.4 billion by 2030. Meanwhile, government data breaches cost an average of $10.22 million per incident in the United States—the highest globally.” * * *
- “Legacy government web forms that do implement encryption often use outdated protocols that no longer meet regulatory requirements. Older systems rely on SHA-1 hashing and TLS 1.0, which are vulnerable to known exploits and don’t meet NIST, CJIS, or HIPAA requirements. Without HTTP Strict Transport Security enforcement, browsers don’t automatically use secure connections, allowing users to access unencrypted form pages.”
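A defender's check for the HSTS point made above, added here as an example (not code from the Cyberscoop article): it parses a Strict-Transport-Security header and reports why browsers would still follow plain http:// links to a form page. The header values are constructed samples.

```python
"""Evaluate HTTP response headers for HSTS enforcement (added example)."""

# One year is the commonly required minimum for an effective policy.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict of directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(headers):
    """Return a list of findings; an empty list means the policy is acceptable."""
    findings = []
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["HSTS header absent: browsers will follow http:// links to this form"]
    d = parse_hsts(value)
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("max-age missing or malformed")
    elif int(d["max-age"]) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(d["max-age"]) < MIN_MAX_AGE:
        findings.append(f"max-age {d['max-age']} below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomain form endpoints not covered")
    return findings


# Constructed sample responses: a legacy form with no HSTS, and a hardened one.
LEGACY_FORM_HEADERS = {"Content-Type": "text/html", "Server": "Apache/2.2"}
HARDENED_FORM_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for name, hdrs in (("legacy", LEGACY_FORM_HEADERS), ("hardened", HARDENED_FORM_HEADERS)):
        print(name, evaluate_hsts(hdrs) or ["ok"])
```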
- Per Bleeping Computer,
- “American cybersecurity company SonicWall urged customers today [November 20, 2025,] to patch a high-severity SonicOS SSLVPN security flaw that can allow attackers to crash vulnerable firewalls.
- “Tracked as CVE-2025-40601, this denial-of-service vulnerability is caused by a stack-based buffer overflow impacting Gen8 and Gen7 (hardware and virtual) firewalls.
- “A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash,” SonicWall said.
- and
- “American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.
- “However, the company noted that its systems were not breached as a result of this incident and that customers’ data was not compromised.
- “We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally,” a CrowdStrike spokesperson told BleepingComputer today.
- “Our systems were never compromised, and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies.”
From the ransomware front,
- Bleeping Computer reports,
- “An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation.
- “ShinySp1d3r is the name of an emerging RaaS created by threat actors associated with the ShinyHunters and Scattered Spider extortion groups.
- “These threat actors have traditionally used other ransomware gangs’ encryptors in attacks, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce, but are now creating their own operation to deploy attacks themselves and their affiliates.
- “News of the upcoming RaaS first came to light on a Telegram channel, where threat actors calling themselves “Scattered Lapsus$ Hunters,” from the names of the three gangs forming the collective (Scattered Spider, Lapsus$, and ShinyHunters), were attempting to extort victims of data theft at Salesforce and Jaguar Land Rover (JLR).”
- eSecurity Planet adds,
- “A fast-moving ransomware group known as “The Gentlemen” has emerged as one of 2025’s most aggressive cybercrime operations, rapidly scaling its attacks across Windows, Linux, and ESXi environments.
- “First observed in July 2025, the group has already listed 48 victims on its leak site and continues to release new, highly capable ransomware variants.
- “Cybereason researchers said the group “… blends mature ransomware techniques with RaaS features, dual‑extortion, cross‑platform (Windows/Linux/ESXi) lockers, automated persistence, flexible propagation, and affiliate support, allowing it to scale attacks and evade basic defenses quickly.
- “The Gentlemen ransomware group relies on tried-and-true tactics borrowed from other successful RaaS operations. Organizations can stay ahead by validating their defenses against these established methods before attackers utilize them,” said Hüseyin Can Yüceel, Security Research Lead at Picus Security.”
- Cyber Press relates,
- “The notorious Clop ransomware gang, also tracked as Graceful Spider, has escalated its latest extortion campaign by listing Oracle Corporation on its dark web leak site.
- “The group claims to have successfully breached the tech giant’s internal systems using a critical zero-day vulnerability in Oracle E-Business Suite (EBS), designated as CVE-2025-61882.
- “This marks a significant development in supply chain attacks, with Oracle potentially falling victim to a flaw in its own software.”
- Per Bleeping Computer, Huntress Labs offers a look into a Qilin ransomware investigation.
From the cybersecurity business and defenses front,
- The Wall Street Journal reports,
- “Palo Alto Networks PANW is buying the observability platform Chronosphere for $3.35 billion, the latest acquisition by the cybersecurity company to capitalize on an AI-intensive economy.
- “The Santa Clara, Calif.-based company said Wednesday the cash-and-stock deal will address demands for observability in the rapidly expanding artificial-intelligence data center market, combining Chronosphere’s observability architecture with Palo Alto Networks’ AI-powered AgentiX tool.
- “Once we leverage AgentiX with Chronosphere, we will take observability from simple dashboards to real-time, agentic remediation,” Palo Alto Networks Chief Executive Nikesh Arora said. “We are excited to not just enter this space, but to disrupt it.”
- “The deal is expected to close in the second half of Palo Alto Networks’ fiscal 2026.
- “The deal came as Palo Alto Networks posted higher revenue in its latest quarter and raised its top-line view for the year.”
- CISA announced a #SecuretheSeason campaign promoting online shopping safety.
- Per Dark Reading,
- “Editors from Dark Reading, Cybersecurity Dive, and TechTarget Search Security break down the depressing state of cybersecurity awareness campaigns and how organizations can overcome basic struggles with password hygiene and phishing attacks.”
- and
- “Securing the Win: What Cybersecurity Can Learn from the Paddock. A Formula 1 pit crew demonstrates the basic principles of how modern security teams should work.”
- Here is a link to Dark Reading’s CISO Corner.
