Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The Defense Department would require that senior leaders have secure mobile phones, that personnel would get cybersecurity training that includes a focus on artificial intelligence and that cyber troops would have access to mental health services under a compromise annual defense policy bill released over the weekend.
    • The deal between House and Senate negotiators on the fiscal 2026 National Defense Authorization Act (NDAA) [reached last weekend] is a massive piece of legislation that runs the gamut of the Pentagon, including a record-breaking $901 billion topline figure. It also has a grab bag of cybersecurity policy provisions.”
  • Roll Call adds,
    • “Senate leaders plan for the chamber to vote next week to clear the bicameral compromise National Defense Authorization Act for President Donald Trump’s signature.
    • “As the fiscal 2026 bill edges closer to enactment, one of the few last-minute controversies shadowing it concerns whether the measure goes far enough to restrict military aircraft operations in close proximity to Ronald Reagan Washington National Airport.
    • “The Senate on Thursday [Decmber 11] voted 75-22 to take one procedural step closer to voting on the measure — agreeing to proceed to the legislation — which would authorize $900.6 billion for defense programs, mostly at the Pentagon.
    • “The chamber still plans to cast another procedural vote — set for Monday evening — and is expected to vote to clear the NDAA soon thereafter next week.
    • “The House passed the bill Wednesday [December 10} by a vote of 312-112.”
  • The American Hospital Association News tells us,
    • “The Cybersecurity and Infrastructure Security Agency Dec. 11 released an update to its voluntary Cybersecurity Performance Goals, which includes measurable actions for critical infrastructure, including health care. The update aligns with the latest cybersecurity standards outlined by the National Institute of Standards and Technology and addresses the most common and impactful threats facing critical infrastructure. The guidance also highlights the role of governance in cybersecurity management, emphasizing accountability, risk management and strategic integration of cybersecurity into day-to-day operations.” 
  • The HIPAA Journal relates,
    • “The College of Healthcare Information Management Executives (CHIME) and more than 100 U.S. hospital systems, healthcare provider organizations, and provider associations have called for the Department of Health and Human Services (HHS) to withdraw its proposed updates to the HIPAA Security Rule.
    • “The HIPAA Security Rule was enacted in 2002, nine years after HIPAA was signed into law, to establish security standards for electronic protected health information created, received, used, or maintained by a covered entity, with the requirements subsequently expanded to cover business associates of HIPAA-regulated entities. The Security Rule was written to be technology agnostic to avoid frequent rule changes in response to advances in technology; however, 22 years after its initial release, the HHS proposed a substantial update that specified many new cybersecurity requirements.” * * *
    • “While few healthcare industry stakeholders would disagree with the main purpose of the update – to improve healthcare cybersecurity and prevent costly and damaging cyberattacks that threaten patient safety – the proposed update attracted considerable criticism from healthcare and provider organizations. In February 2025, 8 industry associations, including CHIME, co-signed a letter to President Trump calling for the proposed update to be rescinded, pointing out that under the previous Trump administration, healthcare organizations were incentivized to adopt recognized cybersecurity best practices, and that was a better approach than imposing unreasonable cybersecurity mandates that would be costly and difficult to implement.
    • “In the December 8, 2025, joint stakeholder letter to HHS Secretary Robert F. Kennedy, Jr., the signatories called for the proposed update to be immediately withdrawn, and for the HHS to instead “conduct a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”
  • Per a National Institute of Standards and Technology news release,
    • “NIST Special Publication (SP) 800-70r5 ipd (Revision 5, initial public draft), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available for public comment through January 16, 2026, at 11:59 PM (EST).
    • “NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. SP 800-70r5 ipd describes the uses, benefits, and management of checklists and checklist control catalogs, as well as the policies, procedures, and general requirements for participation in the NCP.”
  • Security Weeks informs us,
    • “The US government has announced rewards of up to $10 million for information on members of the Iranian hacking group known as Emennet Pasargad.
    • “The reward offers come roughly a year after a US-Israel joint advisory described the activities of the group, which was then identified by the name of its front company, Aria Sepehr Ayandehsazan (ASA).
    • “Noting that the group was previously identified as Emennet Pasargad, Ayandeh Sazan Sepehr Arya (ASSA), Eeleyanet Gostar, and Net Peygard Samavat Company, the US now calls it Shahid Shushtari.
    • “In the private sector, the threat group has been known as Cotton Sandstorm, Marnanbridge, and Haywire Kitten.”
  • Cyberscoop adds,
    • “The Justice Department has charged a Ukrainian national with conducting cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations that targeted water systems, food processing facilities and government networks across the United States and allied nations.
    • “Victoria Eduardovna Dubranova, 33, was arraigned on a second indictment Tuesday [December 9] after being extradited to the U.S. earlier this year. She faces charges related to her alleged work with CyberArmyofRussia_Reborn, known as CARR, and NoName057(16), two groups federal prosecutors say received backing from Moscow to advance Russian geopolitical interests. 
    • “Dubranova pleaded not guilty in both cases.”

From the cybersecurity breaches and vulnerabilities front,

  • Bleeping Computer reports,
    • “MITRE has shared this year’s top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
    • “The list was released in cooperation with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and the Cybersecurity and Infrastructure Security Agency (CISA), which manage and sponsor the Common Weakness Enumeration (CWE) program.
    • “Software weaknesses can be flaws, bugs, vulnerabilities, or errors found in a software’s code, implementation, architecture, or design, and attackers can abuse them to breach systems running the vulnerable software. Successful exploitation allows threat actors to gain control over compromised devices and trigger denial-of-service attacks or access sensitive data.
  • Cyberscoop relates,
    • “Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components.
    • “Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday [December 12] . The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week.
    • “Palo Alto Networks Unit 42 said more than 50 organizations are impacted by attacks involving exploitation of the vulnerability with victims observed in the United States, Asia, South America and the Middle East.” 
  • Cybrsecurity Dive adds,
    • “React on Thursday [December 11] warned that customers will need to apply new upgrades amid the React2Shell crisis, after researchers discovered additional vulnerabilities, including a denial of service flaw and a source code exposure. 
    • “A denial of service vulnerability, tracked as CVE-2025-55184 and CVE-2025-67779, allows an attacker to craft a malicious HTTP request and send it to a Server Functions endpoint, which can lead to an infinite loop. The flaw has a severity score of 7.5. 
    • “The source code exposure, tracked as CVE-2025-55183, allows a malicious HTTP request sent to a vulnerable Server Function to unsafely return the source code of any Server Function.”
  • The American Hospital Association News lets us know,
    • “U.S. and international agencies are warning of potential cyberattacks on health care and other critical infrastructure from state-sponsored cyber actors in Russia and China.
    • “An advisory released yesterday [December 11] warns of incidents by Russian hackers using internet-facing desktop-sharing systems to access operational technology and industrial control systems for malicious activity. A Dec. 4 report warns of Chinese state-sponsored cyber actors using BRICKSTORM malware to attack VMware vSphere and Windows cloud platforms.
    • “These nation-state level threats may be difficult for civilian network defenders to counter,” said John Riggi, AHA national advisor for cybersecurity and risk. “However, robust cyber threat information sharing between the private sector and the federal government, implementation of recommended practices, and the commendable and aggressive enforcement operations by the FBI and other agencies will help mitigate the threat. Organizations should also update, integrate and routinely test emergency preparedness, cyber incident response and clinical continuity plans should there be an extended technology outage affecting hospitals directly or indirectly through a cyberattack against mission-critical third parties.”
  • CISA added seven known exploited vulnerabilities to its catalog this week.
    • December 8, 2025
      • CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
      • CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability
        • Cyber Press discusses the D-Link KVE here
        • F5 discusses the Array Networks KVE here.
    • December 9, 2025,
      • CVE-2025-6218 RARLAB WinRAR Path Traversal Vulnerability
      • CVE-2025-62221 Microsoft Windows Use After Free Vulnerability 
        • Cybersecurity News discusses the RARLAB KVE here.
        • Bleeping Computer discusses the Microsoft KVE here.
    • December 11, 2025
      • CVE-2025-58360 OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability 
        • Bleeping Computer discusses this KVE here.
    • December 12, 2025
      • CVE-2025-14174 Google Chromium Out-of-Bounds Memory Access Vulnerability
        • The Hacker News discusses this KVE here.
    • December 12, 2025 (double shot day, not a typo)
      • CVE-2018-4063 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
        • Windows Forum discusses this KVE here
  • Bleeping Computer adds,
    • “Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.
    • “The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.
    • “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” reads Apple’s security bulletin.”
  • Cybersecurity Dive notes,
    • “Utility-scale battery energy storage systems are facing heightened risks of attack from nation-state and criminal threat groups, and immediate action needs to be taken to secure critical industries from potential disruption, according to a white paper from Brattle Group and Dragos. 
    • BESS deployments are expected to grow between 20% and 45% over the next five years, driven by increased demand for data centers and other power requirements. At the same time, state-linked actors have turned their attention toward disrupting critical industries, such as utilities and rival nations competing with the U.S. for dominance in AI and clean energy.”
  • Per Infosecurity Magazine,
    • “A new iteration of the ClayRat Android spyware featuring expanded surveillance and device-control functions has been identified by cybersecurity researchers.
    • First seen in October, ClayRat was originally capable of stealing SMS messages, call logs and photos, as well as sending mass texts.
    • “The latest version introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “Ransomware activity reached an all-time high in 2023, totaling more than 1,500 incidents and $1.1 billion in reported payments, before dropping the following year after two high-profile law enforcement takedowns.
    • “The two critical law enforcement actions were the 2023 U.S.-led takedown of AlphV/BlackCat and the 2024 disruption of LockBit by U.S. and U.K. authorities, according to a new U.S. government study.
    • “The report by the U.S. Treasury’s Financial Crimes Enforcement Networkshows ransomware fell to 1,476 incidents in 2024, with reported payments reaching $734 million. 
    • ‘More than $2.1 billion in ransomware payments were reported between 2022 and 2024, according to the report. 
    • “The medium amount of a single ransomware transaction rose from $122,097 in 2022 to $155,257 in 2024, according to the report. The most common payment amount was less than $250,000 during the period. 
    • ‘AlphV/BlackCat was the most prevalent ransomware variant during the 2022–2024 period, according to the report. The other most reported variants included Akira, LockBit, Phobos and Black Basta.” 
  • Dark Reading adds,
    • “You may be familiar with ransomware-as-a-service (RaaS), but now there’s also packer-as-a-service.
    • “Security vendor Sophos on Dec. 6 published research on “Shanya,” a packer-as-a-service family that augments ransomware so it can avoid anti-malware software. While ransomware-as-a-service provides low-level attackers with extortion malware they might not be able to create otherwise, packers-as-a-service (PaaS) provide a shell around pre-existing ransomware that acts as an extra layer of obfuscation.
    • “Shanya covers ground previously paved by PaaS operation HeartCrypt, which over the past year has firmly entrenched itself in the modern ransomware ecosystem. Sophos’ Gabor Szappanos and Steeve Gaudreault say Shanya is “already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit.”
  • and
    • “Initial access broker Storm‑0249 has shifted from noisy, easily detected phishing attacks to highly targeted campaigns that are much harder to detect and stop. 
    • “According to ReliaQuest, Storm-0249, which is known for brokering network access to ransomware operators, is increasingly weaponizing legitimate endpoint detection and response (EDR) processes as well as built-in Windows utilities to carry out post-compromise activities. This includes poking around compromised systems to gather information, setting up command-and-control (C2) channels, and staying persistent in the environment. These new tactics let Storm‑0249 slip past defenses, get deep into networks, and operate almost completely under the radar, the security vendor said.”
  • and
    • “A new attack uses SEO poisoning and popular AI models to deliver infostealer malware, all while leveraging legitimate domains. 
    • ClickFix attacks have gained significant popularity over the past year, using otherwise benign CAPTCHA-style prompts to lure users into a false sense of security and then tricking them into executing malicious prompts against themselves. These prompts are often delivered through SEO poisoning and phishing campaigns, representing one of the fancier applications of social engineering in cybercrime to date.” 
  • The Register points out,
    • “Researchers at security software vendor Huntress say they’ve noticed a huge increase in ransomware attacks on hypervisors and urged users to ensure they’re as secure as can be and properly backed up.
    • “Huntress case data revealed a stunning surge in hypervisor ransomware: its role in malicious encryption rocketed from just three percent in the first half of the year to 25 percent so far in the second half,” wrote Senior Hunt & Response Analyst Anna Pham, Technical Account Manager Ben Bernstein, and Senior Manager for Hunt & Response, Dray Agha in a Monday [December 8] post.
    • “The primary actor driving this trend is the Akira ransomware group,” the trio warned, adding that the gang, and other attackers, are going after hypervisors “in an attempt to circumvent endpoint and network security controls.”

From the cybersecurity business and defenses front,

  • Security Week reports,
    • “Enterprise cybersecurity giant Proofpoint has completed the acquisition of Germany-based Microsoft 365 security solutions provider Hornetsecurity.
    • “Financial details were not officially disclosed when news of the transaction came to light, but it was reported that Proofpoint would be paying $1 billion for its European competitor. SecurityWeek learned at the time that the deal size well exceeded $1 billion.
    • Proofpoint has now revealed that the transaction has been valued at $1.8 billion. 
    • “Through the acquisition of Hornetsecurity, Proofpoint is aggressively expanding its reach into the SMB market and strengthening its foothold in Europe.”
  • Info Bank Security adds,
    • “An identity security stalwart led by the company’s longtime founder raised $700 million to support the management of non-human identities and agentic artificial intelligence.
    • “Los Angeles-based Saviynt plans to use the Series B proceeds to invest in core platform capabilities, AI governance protocols and deep integrations with the likes of AWS, Google and CrowdStrike, said Saviynt President Paul Zolfaghari. What was once about on premise human access is now a multidimensional challenge involving extended workforces, robotic accounts and AI-driven agents, Zolfaghari said.
    • “It was an opportunity to put in place the resources necessary to deliver on the vision for the future. The interest in identity security and AI has gone up quite a bit,” he said. “The amount is just a function of the resources that we think that we need for the foreseeable future. It’s an opportunity for us to have the resources we need while still maintaining the control and the culture that has gotten us to this point.”
  • Cyberscoop relates,
    • “Global cybersecurity agencies have issued the first unified guidance on applying artificial intelligence (AI) within critical infrastructure, signaling a major shift from theoretical debate to practical guardrails for safety and reliability.
    • “The release of joint guidance on Principles for the Secure Integration of Artificial Intelligence in Operational Technology marks a meaningful milestone for critical infrastructure security because major global cybersecurity agencies, including CISA, the FBI, the NSA, the Australian Signals Directorate’s Australian Cyber Security Centre, and other partners, have aligned on a shared direction. As AI adoption accelerates across operational environments, this document moves us from theory to practice. It acknowledges AI’s promise while making clear that it also “introduces significant risks—such as operational technology (OT) process models drifting over time or safety-process bypasses” that operators must actively manage to ensure reliability.”
  • Here is a link to Dark Reading’s CISO Corner.

Leave a Reply

Your email address will not be published. Required fields are marked *