Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The National Institute of Standards and Technology announced that it will partner with The MITRE Corporation on a $20 million project to stand up two new research centers focused on artificial intelligence, including how the technology may impact cybersecurity for U.S. critical infrastructure.
    • “On Monday [December 22], the agency said one center will focus on advanced manufacturing while the second — the AI Economic Security Center to Secure U.S. Critical Infrastructure from Cyberthreats — will focus more directly on how industries that provide water, electricity, internet and other essential services can protect and maintain services in the face of AI-enabled threats. According to NIST, the centers will “drive the development and adoption” of AI-driven tools, including agentic AI solutions.
    • “The centers will develop the technology evaluations and advancements that are necessary to effectively protect U.S. dominance in AI innovation, address threats from adversaries’ use of AI, and reduce risks from reliance on insecure AI,” spokesperson Jennifer Huergo wrote in an agency release.
  • Federal News Network interviewed “a panel of former federal executives for their opinions about 2025 and what federal IT and acquisition storylines stood out over the last 12 months.”
  • Security Week tells us,
    • “The US Justice Department announced on Monday [December 22] the seizure of a web domain and a password database used by a cybercrime group to steal millions of dollars from bank accounts.
    • “According to the DOJ, the seized domain, web3adspanels.org, hosted a backend web panel used by the cybercriminals to store and manipulate thousands of stolen bank login credentials.
    • “The threat actor conducted a massive bank account takeover scheme that involved malicious ads on search engines such as Google and Bing in an effort to lure users to fake bank websites.
    • “These phishing sites tricked victims into handing over their login credentials, which the cybercriminals could then use to access and drain their bank accounts.
    • “The FBI has identified nearly 20 victims in the US, including two companies, and has determined that the cybercriminals attempted to steal roughly $28 million, with the actual losses estimated at approximately $14.6 million.”
  • Bleeping Computer informs us,
    • “An Interpol-coordinated initiative called Operation Sentinel led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents.
    • “Between October 27 and November 27, the investigation, which involved law enforcement in 19 countries, took down more than 6,000 malicious links and decrypted six distinct ransomware variants.
    • “Interpol says that the cybercrime cases investigated are connected to more than $21 million in financial losses.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive reports,
    • “WatchGuard warns that a critical vulnerability in its Firebox devices is facing exploitation as part of a campaign targeting edge devices, according to an advisory from the company.
    • “The flaw, tracked as CVE-2025-14733, involves an out-of-bounds write vulnerability in the Fireware OS internet key exchange daemon process. An unauthenticated attacker can achieve remote code execution.
    • “WatchGuard said it discovered the flaw through an internal process and issued a patch on Thursday.
    • “Since the fix became available, our partners and end users have been actively patching affected Firebox appliances,” a WatchGuard spokesperson told Cybersecurity Dive. “We continue to strongly encourage timely patching as a core best practice in security hygiene.”
  • Security Week shares information about the WatchGuard patch.
  • Dark Reading points out,
    • “Much has been said about IT worker scams in the last few years, but it’s not every day that we get a glimpse into how pervasive the issue has become.
    • “Stephen Schmidt, senior vice president and chief security officer at Amazon, wrote on LinkedIn over the weekend that the company has prevented “more than 1,800 suspected DPRK operatives from joining [Amazon] since April 2024, and we’ve detected 27% more DPRK-affiliated applications quarter-over-quarter this year.”
    • “IT worker scams involve operatives working as part of or on behalf of a government who try to gain remote IT employment. It is most often associated with North Korea (DPRK), but that’s not the only entity engaging in this practice. While one primary goal may be the worker gaining a foothold in a network for espionage purposes or for sensitive IP theft (and these things do happen), Schmidt, who wrote about North Korean worker scams specifically, highlighted another reason: “Their objective is typically straightforward: get hired, get paid, and funnel wages back to fund the regime’s weapons programs,” he wrote.
  • The Wall Street Journal relates,
    • “AI is making cybercriminals more efficient, enabling them to scale up operations and create more targeted and convincing scams.
    • “Thanks to AI, criminals are getting better at finding targets—for example, by scanning social media to identify people going through big life changes.
    • “Most experts don’t think fully autonomous AI cyberattacks are possible yet in the real world, but research has shown that AI is capable of planning and carrying out an attack on its own in a lab.”
  • Per SC Media,
    • “A series of campaigns were observed targeting the financial sector across multiple continents worldwide — attacks that exhibited the tradecraft of North Korean-affiliated threat actors.
    • “In a Dec. 18 white paper, Darktrace researchers said the attacks leveraged advanced social engineering focused on job hunters, spear-phishing, React2Shell exploitation, and a new Beavertail malware variant.
    • “While the initial access vector remains unknown, Darktrace said evidence suggests it originated from a malicious npm package hosted on GitHub or GitLab — behavior that aligns with the Lazarus Group’s history of exploiting supply-chain vulnerabilities.
    • “According to Darktrace, the attackers used Beavertail for initial credential theft, followed by heavily obfuscated Python scripts and Tsunami modules, hallmarks of a “well-resourced adversary.”
  • Cyber Insider adds,
    • “A malicious NPM package masquerading as a WhatsApp API library has been discovered exfiltrating users’ messages, credentials, contacts, and media, all while delivering fully functional code.
    • “The package, named lotusbail, had been available on the NPM registry for over six months, amassing more than 56,000 downloads before its true purpose came to light.
    • “The discovery was made by Koi Security, whose researchers published a detailed technical report over the weekend, outlining the package’s behavior. The threat actor behind lotusbail cloned the legitimate @whiskeysockets/baileys WhatsApp Web API library and inserted advanced malware designed to siphon off sensitive user data during normal operation.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “A Cybersecurity and Infrastructure Security Agency program that warns organizations about imminent ransomware attacks has suffered a major setback after its lead staffer left the agency rather than take a forced reassignment.
    • “David Stern, the driving force behind CISA’s Pre-Ransomware Notification Initiative (PRNI) — through which the agency alerts organizations that ransomware actors are preparing to encrypt or steal their data — resigned on Dec. 19, according to four people familiar with the matter. The Department of Homeland Security had ordered Stern to take a job at the Federal Emergency Management Agency in Boston or quit, and Stern chose the latter, three of the people said. * * *
    • “The fate of the warning initiative is now unclear. In a statement, CISA Director of Public Affairs Marci McCarthy said the program “has not stopped and continues to operate as a key element in CISA’s efforts to defeat ransomware attacks.” One person familiar with the matter said the agency is preparing several staffers to take over for Stern. But others said the program relied heavily on Stern’s trusted relationships with the organizations that alert CISA to pending ransomware attacks.”
  • InfoSecurity Magazine explores this year’s top ransomware trends.
  • The HIPAA Journal tells us,
    • “Madison, WI-based ARC Community Services, a provider of behavioral health, substance use disorder treatment, and support services to women and children, has experienced a ransomware attack involving the theft of sensitive data from its network.” The attack occurred in November 2024.
  • CSO informs us,
    • “A recent upgrade to the RansomHouse ransomware operation has added new concerns for enterprise defenders, introducing a multi-layered encryption update to the group’s double-extortion RaaS model.
    • “Also tracked under the cluster Jolly Scorpius, the ransomware gang has transitioned from a simple, single-phase encryption routine to a multi-layered dual-key encryption architecture that increases the complexity of its extortion operations.
    • “Detailed by Palo Alto Networks’ threat intelligence team, the update raises the bar for recovery once systems are compromised. The change affects how files are processed and encrypted during an attack, complicating analysis and limiting defenders’ ability to recover data without paying a ransom.”

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “Artificial-intelligence software company ServiceNow (NOW) agreed to acquire cybersecurity startup Armis for about $7.75 billion in cash in a move intended to take advantage of growing demand for AI security.
    • “Armis recently raised $435 million in a funding round that valued the company at $6.1 billion, and it had been planning for an initial public offering at the end of 2026 or early 2027.
    • “ServiceNow said on Tuesday that the acquisition would triple its market opportunity for security and risk solutions and entrench its position in the market for securing AI technology.
    • “The increasing integration of AI tools into business workflows has raised worries that companies could become more vulnerable to cyberattacks and hacks.”
  • Cyberscoop lets us know,
    • “How to determine if agentic AI browsers are safe enough for your enterprise. Automation is transforming web browsing, enabling AI agents to perform tasks once handled by humans. Yet with greater convenience comes a complex security landscape that enterprises can’t afford to ignore.”
  • Federal News Network discusses “The next cyber battlefield: Preparing federal networks for autonomous malware.”
    • “Recent research from Google’s Threat Intelligence Group has drawn new attention to a long-standing question in cybersecurity: How close are we to malware that can truly think and adapt on its own?
    • “Earlier this month, Google disclosed five experimental code families, including PROMPTFLUX and PROMPTSTEAL, that used large language models (LLMs) during execution to generate commands, rewrite portions of their own code, and adapt to their environment.
    • “While these findings are concerning, it’s important to note that “autonomous” malware is still in the early stages. But that’s precisely the point. Even in this primitive form, these early samples show how the threat landscape is rapidly evolving. Federal agencies now have a narrow window to prepare before those capabilities mature into operational threats.
    • “Autonomous malware represents a fundamental shift in cybersecurity, as this malicious code can reason about its surroundings, make tactical decisions, and evolve its behavior in real time. For federal networks built on complex systems and strict change-control policies, that evolution could eventually collapse traditional defense timelines and upend response models.”
  • Per a CISA news release,
    • “NIST and CISA’s draft Interagency Report Protecting Tokens and Assertions from Forgery, Theft, and Misuse is now available for public comment through January 30, 2026. This report is in response to Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, providing implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse.
    • “This report emphasizes the need for CSPs and cloud consumers, including government agencies, to better define their respective roles and responsibilities in managing identity and access management (IAM) controls in cloud environments. It establishes principles for both CSPs and cloud consumers, calling on CSPs to apply Secure by Design best practices, and to prioritize transparency, configurability, and interoperability—empowering cloud consumers to better defend their diverse environments. It also calls upon government agencies to understand the architecture and deployment models of their procured CSPs to ensure proper alignment with risk posture and threat environment.
    • “Comments on the report may be submitted to iam@list.nist.gov. Please visit NIST’s site for more information.”
  • Per Dark Reading,
    • “As More Coders Adopt AI Agents, Security Pitfalls Lurk in 2026. Developers are leaning more heavily on AI for code generation, but in 2026, the development pipeline and security need to be prioritized.”
  • Here is a link to Dark Reading’s CISO Corner.