Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “With a little more than a month left before a foundational cyber threat information sharing law expires for a second time, Congress might have to do another short-term extension as negotiations on a longer deal aren’t yet bearing fruit, a key lawmaker said Tuesday.
    • “House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the problem with a long-term extension of the Cybersecurity Information Sharing Act of 2015, which provides legal protections to companies to share cyber threat data with the federal government and other companies, is that there are three different views about how to approach it.
    • “The Trump administration and some in the Senate want a clean, 10-year reauthorization of the law, which Congress extended last month until Jan. 30 as part of the legislation that ended the government shutdown, after the information sharing law lapsed in October. But a reauthorization without any changes could run into House opposition, Garbarino said.” * * *
    • “Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul, R-Ky., also has a version of the bill that focuses largely on language he said is needed to defend free speech. And Garbarino’s version takes yet another approach to tweaking the law.
    • “Unfortunately, I don’t think we’re close enough with the discussions on the Senate to get it to figure out which bill will pass and what will get done,” Garbarino said. That leaves another extension tied to any funding bill that replaces the legislation currently funding the government, which also runs through Jan. 30.”
  • and
    • “Policymakers and companies are reckoning with increased reports over the past few months showing AI tools being leveraged to conduct cyber attacks on a larger and faster scale.
    • “Most notably, Anthropic reported last month that Chinese hackers had jailbroken and tricked its AI model Claude into assisting with a cyberespionage hacking campaign that ultimately targeted more than 30 entities around the world.
    • “The Claude-enabled Chinese hacks have underscored existing concerns among AI companies and policymakers that the technology’s development and relevance to offensive cybersecurity may be outpacing the cybersecurity, legal and policy responses being developed to defend against them.
    • “At a House Homeland Security hearing this week, Logan Graham, head of Anthropic’s red team, said the Chinese spying campaign demonstrates that worries about AI models being used to supercharge hacking are more than theoretical.”
  • Cybersecurity Dive tells us,
    • “A top Senate Republican is pressing the Trump administration for a plan to address the cybersecurity consequences of the U.S.’s dependence on open-source software.
    • “Leaving our reliance on OSS unmonitored is exposing America to increasingly dangerous risks,” Senate Intelligence Committee Chair Tom Cotton, R-Okla., wrote in a Wednesday letter to National Cyber Director Sean Cairncross.
    • “Cotton cited recent incidents that highlighted the unstable and sometimes untrustworthy foundations of the open-source ecosystem, including the XZ Utils crisis, a Russian developer’s control of a package that the U.S. military uses for sensitive applications and the prevalence of code contributions by Chinese companies’ employees, who are bound by Chinese laws that could force them to disclose software flaws to Beijing before fixing them.”
  • and
    • “The National Institute of Standards and Technology has prepared a companion to its widely used Cybersecurity Framework that focuses on how organizations can safely use AI.
    • “NIST’s Cybersecurity Framework Profile for Artificial Intelligence, which the agency released in draft form on Tuesday [December 16], describes how organizations can manage the cybersecurity challenges of different AI systems, improve their cyber defense capabilities with AI and block AI-powered cyberattacks. The document maps components of the Cybersecurity Framework (CSF) onto specific recommendations in each of those three areas, which NIST dubbed “secure,” “defend” and “thwart,” respectively.
    • “The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Barbara Cuthill, one of the profile’s authors, said in a statement. “But ultimately every organization will have to deal with all three.”
  • Cyberscoop tells us,
    • “Federal prosecutors in Michigan say they have dismantled online infrastructure tied to an alleged money laundering operation that moved tens of millions of dollars in proceeds from ransomware and other cybercrime, along with indicting the service’s creator.
    • “The U.S. Attorney’s Office for the Eastern District of Michigan announced a coordinated action with international partners and the Michigan State Police targeting E-Note, a cryptocurrency exchange and payment processing service used to launder illicit funds. The announcement coincided with the unsealing of an indictment charging a Russian national, Mykhalio Petrovich Chudnovets, with one count of money laundering conspiracy.”
  • and
    • “Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks.
    • “Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with an unnamed co-conspirator to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.
    • “The plea deals mark a relatively quick turnaround as prosecutors successfully persuaded the pair to cop to their crimes less than three months after they were indicted in the U.S. District Court for the Southern District of Florida. Goldberg was arrested Sept. 22 and Martin was arrested Oct. 14.”
  • and
    • “Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty Friday to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid 2018 to late 2021. He faces up to 10 years in jail for conspiracy to commit fraud, including extortion. 
    • “Stryzhak was arrested in Spain in June 2024 and extradited to the United States in April. Authorities are still looking for his alleged co-conspirator Volodymyr Tymoshchuk and announced an $11 million reward for information leading to his arrest or conviction.
    • “The defendant used Nefilim ransomware to target high-revenue companies in the United States, steal data and extort victims,” Joseph Nocella, U.S. attorney for the Eastern District of New York, said in a statement.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive reports,
    • “Apartment owner and developer Rockrose Development Corp. recently found that unauthorized individuals hacked its systems and claimed to have acquired confidential information, according to a letter posted to its website on Dec. 12. 
    • “The security breach occurred on July 4 and affected 47,392 people, according to a data breach notification submitted to Maine’s attorney general’s office. Rockrose discovered the issues on Nov. 14. 
    • “Rockrose determined that personally identifiable information for some individuals may have been impacted, which could indicate that the hackers accessed some sensitive areas of the network. That information could include name, Social Security number, taxpayer identification number, driver’s license number, passport number, bank account and routing numbers, health insurance information, medical information and online account credentials.”
  • Cyberscoop adds,
    • “Fallout from React2Shell — a stubborn vulnerability that impacts wide swaths of the internet’s scaffolding — continues to spread as public exploits and stealth backdoors proliferate and worrying details emerge about the targets attackers are pursuing. 
    • “Threat researchers and incident responders are reacting to swift-moving developments on React2Shell with mounting concern. Cybercriminals, ransomware gangs and nation-state threat groups are all swarming to exploit the maximum-severity vulnerability.
    • “Palo Alto Networks’ Unit 42 puts the latest victim count at more than 60 organizations, which have been impacted by attacks involving exploitation of CVE-2025-55182, which Meta and the React team publicly disclosed Dec. 3.
    • “Microsoft said it found “several hundred machines across a diverse set of organizations” that were compromised via exploitation resulting in remote-code execution. Post-exploitation activity in those attacks includes reverse shell implants, lateral movement, data theft and steps that allowed attackers to maintain access to targeted networks, Microsoft said in a research blog Tuesday [December 16].”
  • The Cybersecurity and Infrastructure Security Agency (“CISA”) added seven known exploited vulnerabilities to its catalog this week.
    • December 15, 2025
      • CVE-2025-14611 Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
      • CVE-2025-43529 Apple Multiple Products Use-After-Free WebKit Vulnerability 
        • Kudelski Security discusses the Gladinet KEV here.
        • The Center for Internet Security discusses the Apple KEV here.
    • December 16, 2025
      • CVE-2025-59718 Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability 
        • Security Affairs discusses this KEV here.
    • December 17, 2025
      • CVE-2025-20393 Cisco Multiple Products Improper Input Validation Vulnerability
      • CVE-2025-40602 SonicWall SMA1000 Missing Authorization Vulnerability
      • CVE-2025-59374 ASUS Live Update Embedded Malicious Code Vulnerability
        • The Hacker News discusses the Cisco KEV here.
        • Security Week discusses the SonicWall KEV here.
        • Malwarebytes discusses the ASUS KEV here.
    • December 19, 2025
      • CVE-2025-14733 WatchGuard Firebox Out-of-Bounds Write Vulnerability 
        • Bleeping Computer discusses this KEV here.
  • Cyberscoop relates,
    • “Cisco customers are confronting a fresh wave of attacks from a Chinese threat group that has actively exploited a critical zero-day vulnerability affecting the vendor’s software for email and web security since at least late November, the company said in an advisory Wednesday. 
    • “Cisco said it became aware of the attacks Dec. 10. The defect CVE-2025-20393, which has a CVSS rating of 10, is an improper input validation vulnerability affecting Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that allows attackers to execute commands with unrestricted privileges and implant persistent backdoors on compromised devices.
    • “There is no patch for the vulnerability and Cisco declined to say when one would be made available. Cisco said “non-standard configurations” have been observed in compromised networks, specifically customer systems that are configured with a publicly exposed spam quarantine feature.
    • “Cisco Talos researchers attributed the attacks to a Chinese advanced persistent threat group it tracks as UAT-9686, which has used tooling and infrastructure consistent with other China state-sponsored threat groups such as APT41 and UNC5174.
  • Cybersecurity Dive informs us,
    • “Multiple threat groups have been ramping up attacks using a technique called device code phishing to trick users into granting access to their Microsoft 365 accounts, according to a report Thursday from Proofpoint.
    • “Hackers affiliated with China and Russia have used the technique in recent months to launch attacks. A number of criminal groups have used the same method to target M365 users as well. 
    • “This is a social engineering method that abuses a legitimate and trusted workflow for authorized access,” Sarah Sabotka, staff threat researcher at Proofpoint, told Cybersecurity Dive.”
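Device code phishing, as the Proofpoint item above describes, works because the victim completes a genuine OAuth device authorization flow; nothing in the exchange is forged. One defender-side check is therefore behavioural: look for successful device-code sign-ins from a source the user has never signed in from interactively. The Python below is an added example, not code from Proofpoint, Microsoft or this post. The event fields (`protocol`, `result`, `ip`) and the sample records are constructed for illustration, loosely modelled on the authentication-protocol field that Entra ID sign-in logs expose (an assumption about that log shape), and the rule assumes the logged IP is the one that initiated the device-code request.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events (made-up users, IPs and timestamps).
# The field names are a simplified shape loosely modelled on Entra ID
# sign-in logs; this is an assumption for the example, not a real export.
SAMPLE_SIGNIN_LINES = [
    '{"ts": "2025-12-11T08:02:11Z", "user": "alice@example.test", "ip": "203.0.113.10", "protocol": "oAuth2", "result": "success", "app": "Outlook"}',
    '{"ts": "2025-12-11T09:15:40Z", "user": "bob@example.test", "ip": "192.0.2.5", "protocol": "oAuth2", "result": "success", "app": "Teams"}',
    '{"ts": "2025-12-12T10:01:03Z", "user": "alice@example.test", "ip": "203.0.113.10", "protocol": "deviceCode", "result": "success", "app": "Azure CLI"}',
    '{"ts": "2025-12-12T10:44:19Z", "user": "bob@example.test", "ip": "198.51.100.77", "protocol": "deviceCode", "result": "success", "app": "Microsoft Office"}',
    '{"ts": "2025-12-12T10:50:02Z", "user": "carol@example.test", "ip": "198.51.100.77", "protocol": "deviceCode", "result": "failure", "app": "Microsoft Office"}',
]


def parse_signins(lines):
    """Parse one JSON object per line into event dicts."""
    return [json.loads(line) for line in lines]


def build_interactive_baseline(records):
    """Map each user to the set of IPs seen on successful sign-ins that did NOT
    use the device code flow. Those are the user's ordinary, interactive sources."""
    baseline = defaultdict(set)
    for r in records:
        if r["result"] == "success" and r["protocol"] != "deviceCode":
            baseline[r["user"]].add(r["ip"])
    return baseline


def find_suspicious_device_code_signins(records):
    """Flag successful device-code sign-ins whose source IP is outside the
    user's interactive baseline. A developer running a CLI from their usual
    workstation is not flagged; a token issued to a never-seen source is."""
    baseline = build_interactive_baseline(records)
    flagged = []
    for r in records:
        if r["protocol"] != "deviceCode" or r["result"] != "success":
            continue
        if r["ip"] not in baseline.get(r["user"], set()):
            flagged.append({
                "user": r["user"],
                "ip": r["ip"],
                "ts": r["ts"],
                "app": r["app"],
                "reason": "device code sign-in from IP outside the user's interactive baseline",
            })
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNIN_LINES)):
        print(hit)
```

On the sample data only bob's sign-in is flagged: the token was issued to a source that never appears in his interactive history, while alice's device-code sign-in from her usual address passes. Where a tenant has no legitimate need for the device code flow at all, disabling it by policy removes the workflow the lure depends on; where it is needed, a baseline comparison like this one is a reasonable first alerting rule, tuned with ASN or geolocation rather than raw IPs in larger environments.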
  • and
    • A coordinated, credential-based hacking campaign has been targeting Palo Alto Networks GlobalProtect services, as well as Cisco SSL VPNs, in a surge of mid-December attacks, according to a blog post Wednesday by GreyNoise.
    • The threat activity does not involve targeting of any vulnerabilities, but uses automated scripted login attempts over two days. 
    • More than 1.7 million sessions were observed targeting Palo Alto Networks GlobalProtect and PAN-OS profiles over a 16-hour period, according to GreyNoise. More than 10,000 unique IPs were detected trying to log into GlobalProtect portals on Dec. 11.  
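The GreyNoise item above describes a campaign that needs no vulnerability, only automated logins at scale, so the signal lives in the portal's authentication log rather than in an exploit signature. The Python below is an added example, not code from GreyNoise, Palo Alto Networks or Cisco. It parses constructed VPN portal authentication lines (the line format, user names and addresses are invented for the example and are not the PAN-OS or ASA log format), flags any source that fails across many accounts inside a short window, and then lists successful logins from such a source, which is the event a responder most needs to see.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN portal authentication lines. The syntax is invented for this
# example and does not reproduce any vendor's real log format.
SAMPLE_VPN_LOG = """\
2025-12-11T03:00:01Z auth FAIL user=jdoe src=198.51.100.23 portal=gp.example.test
2025-12-11T03:00:04Z auth FAIL user=asmith src=198.51.100.23 portal=gp.example.test
2025-12-11T03:00:09Z auth FAIL user=bwong src=198.51.100.23 portal=gp.example.test
2025-12-11T03:00:12Z auth FAIL user=clee src=198.51.100.23 portal=gp.example.test
2025-12-11T03:00:15Z auth FAIL user=dpatel src=198.51.100.23 portal=gp.example.test
2025-12-11T03:00:21Z auth OK user=clee src=198.51.100.23 portal=gp.example.test
2025-12-11T08:15:02Z auth FAIL user=jdoe src=203.0.113.8 portal=gp.example.test
2025-12-11T08:15:30Z auth OK user=jdoe src=203.0.113.8 portal=gp.example.test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>\S+) portal=(?P<portal>\S+)$"
)


def parse_vpn_log(text):
    """Turn raw lines into event dicts with a real datetime; lines that do not
    match the expected shape are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_spraying_sources(events, window=timedelta(minutes=10), min_fails=5, min_users=3):
    """Return {ip: summary} for sources whose failures inside a sliding window
    reach min_fails AND span at least min_users distinct accounts. Requiring
    many accounts separates scripted spraying from one user mistyping a password."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Advance the window start until all events fit inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            in_window = fails[start:end + 1]
            users = {e["user"] for e in in_window}
            if len(in_window) >= min_fails and len(users) >= min_users:
                flagged[ip] = {
                    "fails": len(in_window),
                    "users": sorted(users),
                    "first": in_window[0]["ts"],
                    "last": in_window[-1]["ts"],
                }
                break  # first qualifying window is enough to flag the source
    return flagged


def successes_from_spraying_sources(events, flagged):
    """Successful logins from a flagged source: the accounts to treat as
    compromised and the sessions to terminate first."""
    return [e for e in events if e["result"] == "OK" and e["ip"] in flagged]


if __name__ == "__main__":
    evts = parse_vpn_log(SAMPLE_VPN_LOG)
    sprayers = detect_spraying_sources(evts)
    for ip, summary in sprayers.items():
        print(f"spraying source {ip}: {summary['fails']} failures across {len(summary['users'])} accounts")
    for e in successes_from_spraying_sources(evts, sprayers):
        print(f"SUCCESS from spraying source: user={e['user']} src={e['ip']} at {e['ts']:%H:%M:%S}")
```

On the sample, 198.51.100.23 is flagged after five failures against five accounts in fourteen seconds, and its subsequent successful login as `clee` is surfaced; 203.0.113.8, a single user failing once before succeeding, is left alone. At the volumes GreyNoise reports (millions of sessions from more than ten thousand sources), the per-source thresholds should be paired with an aggregate view of distinct failing sources per interval, since a distributed campaign can keep each address under any single-IP limit.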
  • and
    • “A Russia-linked hacker group has been targeting critical infrastructure organizations using vulnerabilities in their edge devices since at least 2021, highlighting an alarming shift toward exploiting well-known flaws in common networking equipment, Amazon’s threat intelligence team said Monday.
    • “The threat actor’s shift [toward edge devices] represents a concerning evolution,” Amazon researchers wrote in a blog post. “While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation.”
  • Bleeping Computer points out,
    • “The UEFI firmware implementation in some motherboards from ASUS, Gigabyte, MSI, and ASRock is vulnerable to direct memory access (DMA) attacks that can bypass early-boot memory protections.
    • “The security issue has received multiple identifiers (CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, and CVE-2025-14304) due to differences in vendor implementations.”

From the ransomware front,

  • Cyber Press reports,
    • “SentinelLABS research indicates that large language models (LLMs) such as ChatGPT, Claude, and open-source alternatives are accelerating every stage of the ransomware lifecycle, from reconnaissance to negotiation.
    • “However, analysts emphasize that these tools are improving speed and scale rather than introducing fundamentally new attack methods.
    • “By repurposing enterprise-grade AI workflows, ransomware actors are using models to automate tasks such as creating phishing content, drafting multilingual ransom notes, and triaging data across leaked datasets. 
    • “This enables threat actors to identify financially sensitive files and tailor extortion tactics across multiple languages with greater precision.” * * *
    • “The report finds that while law enforcement disruptions have weakened mega cartels such as LockBit, Conti, and REvil, smaller, short-lived groups such as Termite, Punisher, and Obscura are emerging rapidly. 
    • “These groups exploit LLM-driven workflows to emulate more experienced operators, reducing entry barriers and complicating attribution.”
  • Manufacturing Business Technology adds,
    • “Sophos recently announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report which reveals that manufacturers are stopping more ransomware attacks before data can be encrypted.
    • “However, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure. As a result, more than half of manufacturing organizations impacted by encryption paid the ransom despite progress in defensive measures.”
  • Bleeping Computer relates,
    • “The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign.
    • “Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack “is used by thousands of businesses from over 49 countries.”
    • “Since April, Gladinet has released security updates to address several other security flaws that were exploited in attacks, some of them as zero-days.
    • “The Clop cybercrime gang is now scanning for and breaching CentreStack servers exposed online, with Curated Intel telling BleepingComputer that ransom notes are left on compromised servers.
    • “However, there is currently no information on the vulnerability Clop is exploiting to hack into CentreStack servers. It is unclear whether this is a zero-day flaw or a previously addressed bug that the owners of the hacked systems have yet to patch.”
  • CSO offers advice on how to create a ransomware playbook that works.

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “Blackstone is leading a $400 million investment in data-security firm Cyera that values the New York-based company at $9 billion, according to people familiar with the matter. 
    • “Cyera is among a crop of cybersecurity startups leveraging artificial intelligence to protect companies from new security vulnerabilities introduced by AI. The startup, founded in 2021 by former Israeli Defence Forces military intelligence officers Yotam Segev and Tamar Bar-Ilan, raised funding at a $6 billion valuation in June.”
  • and
    • “Kevin Mandia, founder of the cybersecurity firm Mandiant—which was acquired by Alphabet’s Google for $5.4 billion—has formed a new company called Armadin that will take on the imminent threat from AI hacking.
    • “The company aims to use artificial intelligence to supercharge the business of testing networks for vulnerabilities. Armadin raised $24 million in seed funding from Ballistic Ventures, a venture-capital firm co-founded by Mandia, and is in talks with Accel, GV and Kleiner Perkins to raise $100 million or more, people familiar with the matter said. The deal is expected to value the company at more than $600 million. The round isn’t finalized, and the details could still change.
    • “Known as red-teaming, this kind of service will become more important as hackers turn to AI to speed up their attacks, Mandia said in an interview.  
    • “Offense is going to be all-AI in under two years,” he said. “And because that’s going to happen, that means defense has to be autonomous. You can’t have a human in the loop or it’s going to be too slow.”
  • CISA announced,
    • Today [December 19], the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canadian Centre for Cyber Security released an update to the Malware Analysis Report BRICKSTORM Backdoor with indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples. This update provides information on additional samples, including Rust-based samples. These samples demonstrate advanced persistence and defense evasion mechanisms, such as running as background services, and enhanced command and control capabilities through encrypted WebSocket connections.
    • The update includes two new detection signatures in the form of YARA rules, enabling organizations to better identify BRICKSTORM-related activity. Organizations are strongly encouraged to deploy these updated IOCs and signatures, and to follow the detection guidance to scan for and respond to BRICKSTORM infections. If BRICKSTORM, similar malware, or potentially related activity is detected, report the incident to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.
  • Cybersecurity Dive lets us know,
    • “Hybrid infrastructure that includes a mix of public/private cloud environments, on-premises workloads and air-gapped systems are preferred by security leaders as a way to boost resilience and better manage risk, according to a report Thursday by Trellix.
    • “About 96% of chief information security officers said a hybrid model is the preferred approach to meet regulatory and compliance requirements, while 97% said such a model will help meet obligations related to data sovereignty and residency. 
    • “Ultimately, a CISO must ensure their teams, technology and business partners understand the specific shared responsibility model for each service they consume and implement the necessary controls to manage the daily risks that remain the customer’s responsibility,” Trellix CISO Michael Green told Cybersecurity Dive. “This often involves leveraging tools and governance processes designed to operate across multicloud and hybrid environments to provide consistent security posture and visibility.”
  • An ISACA expert notes,
    • “Cybersecurity budgets are often built on assumptions, including the assumption that backups will always work, that insurance will cover the losses and that existing controls are “good enough.” Yet, when those assumptions fail, the operational fallout can be staggering. The City of Hamilton in Canada learned this lesson when a ransomware attack crippled nearly 80% of its network and left taxpayers facing a CAD $18.3 million recovery bill. Misplaced assumptions regarding backups, authentication, insurance and system resilience can lead organizations to underestimate risk and drive up the cost of a cyberattack.”
  • Dark Reading offers advice on creating an AI adoption playbook and of course its CISO Corner.
