Happy New Year!
From the cybersecurity policy and law enforcement front,
- Federal News Network points out five things to watch in cybersecurity policy at the federal level during 2026.
- “New national cyber strategy”
- “AI and cyber”
- “CISA 2015 reauthorization”
- “CIRCIA rule” and
- “Cyber leader gaps”
- Security Week reports,
- “Two cybersecurity professionals from the United States have pleaded guilty to charges related to their role in BlackCat/Alphv ransomware attacks, the Justice Department announced this week [December 30].
- “Three individuals were charged in October for allegedly conducting ransomware attacks against several US-based companies. Two of the suspects, 36-year-old Kevin Martin from Texas and an unnamed individual, were employed as ransomware negotiators at threat intelligence and incident response firm DigitalMint.
- “The third suspect, 40-year-old Ryan Goldberg from Georgia, worked as an incident response manager at cybersecurity company Sygnia.
- “The three are accused of hacking into the systems of several companies, stealing valuable information, and deploying BlackCat ransomware.
- “Based on the Justice Department’s description of the scheme, the suspects were BlackCat ransomware affiliates, paying 20% of the ransoms they received from victims to the administrators of the ransomware operation in exchange for access to the file-encrypting malware and a platform designed for managing extortions.”
From the cybersecurity breaches and vulnerabilities front,
- Bleeping Computer points out the 15 biggest cybersecurity and cyber attack stories of 2025.
- Security Week adds,
- “Insurance giant Aflac is notifying roughly 22.65 million people that their personal information was stolen from its systems in June 2025.
- “The company disclosed the intrusion on June 20, saying it had identified suspicious activity on its network in the US on June 12 and blaming it on a sophisticated cybercrime group.
- “The company said it immediately contained the attack and engaged with third-party cybersecurity experts to help with incident response. Aflac’s operations were not affected, as file-encrypting ransomware was not deployed.
- “Just before Christmas, the Columbus, Georgia-based company announced it had completed its investigation into the potentially compromised data and had started notifying the affected individuals.
- “Based on our review of potentially impacted files, we have determined personal information associated with approximately 22.65 million individuals was involved,” the company said.
- “The compromised information, the insurance giant says, includes names, addresses, Social Security numbers, dates of birth, driver’s license numbers, government ID numbers, medical and health insurance information, and other data.”
- The Cybersecurity and Infrastructure Security Agency (CISA) added one known exploited vulnerability to its catalog this week.
- December 29, 2025
- CVE-2025-14847. MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability
- Cyberscoop discusses this KEV here.
- Bleeping Computer informs us,
- “IBM urged customers to patch a critical authentication bypass vulnerability in its API Connect enterprise platform that could allow attackers to access apps remotely.
- “API Connect is an application programming interface (API) gateway that enables organizations to develop, test, and manage APIs and provide controlled access to internal services for applications, business partners, and external developers.
- “Available in on-premises, cloud, or hybrid deployments, API Connect is used by hundreds of companies in banking, healthcare, retail, and telecommunications sectors.
- “Tracked as CVE-2025-13915 and rated 9.8/10 in severity, this authentication bypass security flaw affects IBM API Connect versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5.
- “Successful exploitation enables unauthenticated threat actors to remotely access exposed applications by circumventing authentication in low-complexity attacks that don’t require user interaction.”
- and
- “Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.
- “Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812) and advised admins who couldn’t immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.
- “This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username’s case is changed.
- “Last week, Fortinet warned customers that attackers are still exploiting CVE-2020-12812, targeting firewalls with vulnerable configurations that require LDAP (Lightweight Directory Access Protocol) to be enabled.
- “Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations,” the company said.”
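The Fortinet item above describes a bug class worth seeing in code: a directory (LDAP in the article) that matches usernames case-insensitively, combined with a second-factor policy looked up by the exact string the user typed, so that changing the case of the username authenticates but skips the token prompt. The model below is an added example written for this post, not FortiOS code; the directory, the policy table and the user names are constructed, and the case-insensitive directory match is an assumption standing in for the LDAP bind.

```python
"""Simplified model of a 2FA bypass caused by inconsistent username case
handling: the directory compares usernames case-insensitively, but the
second-factor policy is looked up with the exact string the user typed.

Added example illustrating the bug class, not FortiOS code. All data is
constructed.
"""

# Constructed directory standing in for the LDAP backend. Its username
# comparison is case-insensitive (assumed, as is common for LDAP matching
# rules on user-name attributes).
DIRECTORY = {"alice": "correct-horse", "bob": "battery-staple"}

# Hypothetical local policy table: which users must present a second factor.
TWO_FACTOR_REQUIRED = {"alice": True, "bob": True}


def directory_auth(username: str, password: str) -> bool:
    """Case-insensitive password check, standing in for the directory bind."""
    stored = DIRECTORY.get(username.lower())
    return stored is not None and stored == password


def login_vulnerable(username: str, password: str, token_ok: bool):
    """Vulnerable flow. Returns (authenticated, second_factor_prompted).

    The 2FA policy is keyed by the exact string typed at login, so 'ALICE'
    authenticates against the directory (case-insensitive) but finds no
    policy entry and is admitted without a token prompt.
    """
    if not directory_auth(username, password):
        return (False, False)
    needs_2fa = TWO_FACTOR_REQUIRED.get(username, False)  # exact-case key, defaults open
    if needs_2fa:
        return (token_ok, True)
    return (True, False)


def canonical(username: str) -> str:
    """One canonical form for a case-insensitive username, used for every lookup."""
    return username.strip().lower()


def login_fixed(username: str, password: str, token_ok: bool):
    """Hardened flow: canonicalize once, use that form everywhere, fail closed.

    An unknown user is treated as requiring a second factor rather than being
    waved through; together with canonicalization this removes the case trick.
    """
    user = canonical(username)
    if not directory_auth(user, password):
        return (False, False)
    needs_2fa = TWO_FACTOR_REQUIRED.get(user, True)  # default closed
    if needs_2fa:
        return (token_ok, True)
    return (True, False)


if __name__ == "__main__":
    for name in ("alice", "ALICE", "Alice"):
        print(name,
              "vulnerable:", login_vulnerable(name, "correct-horse", token_ok=False),
              "fixed:", login_fixed(name, "correct-horse", token_ok=False))
```

The two fixes are independent and both matter: canonicalizing the username before every lookup removes the mismatch between the two systems, and defaulting an unknown policy entry to "require 2FA" means a future mismatch fails closed instead of open. Fortinet's interim advice to turn off username case sensitivity is the first of these applied at the product level.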
- and
- “Trust Wallet believes the compromise of its web browser to steal roughly $8.5 million from over 2,500 crypto wallets is likely related to an “industry-wide” Shai-Hulud attack in November.
- “Trust Wallet, a crypto wallet used by over 200 million people, enables users to store, send, and receive Bitcoin, Ethereum, Solana, and thousands of other cryptocurrencies and digital tokens via a web browser extension and free mobile apps.
- “As BleepingComputer previously reported, this December 24th incident resulted in the theft of millions of dollars in cryptocurrency from the compromised wallets of Trust Wallet users.
- “This happened after attackers added a malicious JavaScript file to version 2.68.0 of Trust Wallet’s Chrome extension, which stole sensitive wallet data and enabled threat actors to execute unauthorized transactions.
- “Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said in a Tuesday [December 30] update.
- and
- “A fourth wave of the “GlassWorm” campaign is targeting macOS developers with malicious VSCode/OpenVSX extensions that deliver trojanized versions of crypto wallet applications.
- “Extensions in the OpenVSX registry and the Microsoft Visual Studio Marketplace expand the capabilities of a VS Code-compatible editor by adding features and productivity enhancements in the form of development tools, language support, or themes.
- “The Microsoft marketplace is the official extension store for Visual Studio Code, whereas OpenVSX serves as an open, vendor-neutral alternative, primarily used by editors that do not support or choose not to rely on Microsoft’s proprietary marketplace.”
- “The GlassWorm malware first appeared on the marketplaces in October, hidden inside malicious extensions using “invisible” Unicode characters.”
- “Once installed, the malware attempted to steal credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from multiple extensions. Additionally, it supported remote access through VNC and can route traffic through the victim’s machine via a SOCKS proxy.
- “Despite the public exposure and increased defenses, GlassWorm returned in early November on OpenVSX and then again in early December on VSCode.”
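The GlassWorm item above turns on code hidden behind “invisible” Unicode characters that a reviewer scrolling through an extension will not see. A scanner that surfaces such characters is a cheap control to run over extension sources before install or in CI. The script below is an added example written for this post, not code from the GlassWorm research or from any extension; the sample input is constructed, and the list of blank-rendering letters beyond Unicode’s format category is an assumption to be extended as needed.

```python
"""Flag 'invisible' Unicode code points in source text.

Added example: a small scanner of the kind a reviewer or CI job could run
over extension sources. Not code from the GlassWorm research or any
extension; the sample input is constructed.
"""
import unicodedata

# Letters/marks that render blank in most fonts even though they are not
# format characters (assumed list; extend as needed).
BLANK_RENDERING = {
    0x3164,  # HANGUL FILLER
    0xFFA0,  # HALFWIDTH HANGUL FILLER
    0x115F,  # HANGUL CHOSEONG FILLER
    0x1160,  # HANGUL JUNGSEONG FILLER
}


def is_invisible(ch: str) -> bool:
    """True for characters a human reviewer will not see in rendered source."""
    if ch in " \t\r\n":
        return False
    cp = ord(ch)
    if unicodedata.category(ch) == "Cf":   # format: ZWSP, ZWJ/ZWNJ, bidi controls, tags
        return True
    if cp in BLANK_RENDERING:
        return True
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:  # variation selectors
        return True
    return False


def scan(text: str):
    """Return (line, column, 'U+XXXX', name) for every invisible character.

    A UTF-8 byte-order mark as the very first character is tolerated, since
    editors emit it legitimately; anywhere else U+FEFF is flagged like any
    other format character.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                findings.append((lineno, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


# Constructed sample: JavaScript-like text with hidden code points inserted
# on lines 3 to 5; lines 1 and 2 are clean.
SAMPLE_JS = "\n".join([
    "// constructed sample extension source",
    "const version = '1.0.0';",
    "const k = 'a\u200b\u200cb';",   # zero-width space + zero-width non-joiner
    "/* \u202e reviewed */",          # right-to-left override
    "let \u3164 = fetch;",            # Hangul filler used as an identifier
])


if __name__ == "__main__":
    for line, col, cp, name in scan(SAMPLE_JS):
        print(f"line {line} col {col}: {cp} {name}")
```

Treat any hit outside string literals that genuinely need such characters as a blocker; a bidi override or zero-width character inside an identifier or comment has no legitimate reason to be in an extension’s source.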
From the ransomware front,
- Cybersecurity Insiders recounts the top ransomware attacks of 2025.
- SC Media tells us,
- “HackRead reports that U.S. automaker Chrysler had over 1 TB of data, including more than 105 GB of Salesforce-related information, claimed to have been exfiltrated by the Everest ransomware gang.
- “Allegedly included in the stolen data trove spanning between 2021 and 2025 were personal and operational records from customers, internal agents, and dealers, with screenshots revealing internal spreadsheets, structured databases, CRM exports, and directory trees, as well as customer interaction logs with names, physical and email addresses, phone numbers, vehicle details, recall case notes, and call outcomes.” * * *
- “Everest has warned that it would release not only the entire dataset but also customer service-related audio recordings purportedly stolen from Chrysler should it refuse to fulfill its demands.”
- Morphisec points out,
- “In Morphisec’s recent CTO Briefing: The State of Ransomware, CTO Michael Gorelik highlighted one of the most significant and troubling shifts in the ransomware landscape: many ransomware attacks no longer involve encryption at all.
- “Instead, attackers quietly steal sensitive data—sometimes over weeks or months—and then extort victims long after the breach. This “ransomware without encryption” model is growing rapidly because it has lower risk for attackers, is harder for defenders to detect, and is nearly impossible for victims to investigate once logs have aged out.”
From the cybersecurity defenses front,
- Dark Reading calls attention to
- “Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats. Cybersecurity experts discuss 2026 predictions, highlighting the rise of AI-driven threats, the shift to resilience over prevention, and the urgent need for advanced security measures to combat evolving risks”
- and
- “5 Threats That Defined Security in 2025. 2025 included a number of monumental threats, from global nation-state attacks to a critical vulnerability under widespread exploitation.”
- “Salt Typhoon continues its onslaught”
- “CISA sees big layoffs and budget cuts”
- “React2Shell carries echoes of Log4Shell.”
- “Shai-Hulud opens floodgates on self-propagating Open Source Malware.” and
- “Threat Campaigns Target Salesforce Customers.”
- and
- “The Ivanti Endpoint Manager Mobile (EPMM) zero-day attacks, which began last spring and lasted well into the summer as attackers took advantage of patching lag, were one of the top cyber-stories of 2025, sending thousands of victims to the depths of the data exfiltration sea. A recent deep-dive into the wreckage of those attacks highlights the risk inherent in buggy endpoint management systems — a concern that needs to be a higher priority than it typically is, one researcher argues.”
- SC Media notes,
- “A whopping 99% of security leaders plan to increase their cybersecurity budgets over the next two to three years, signaling that cybersecurity has become a critical business imperative, according to a KPMG Cybersecurity Survey released earlier this month.
- “KPMG’s survey, which polled more than 300 C-suite and senior security leaders, found that the projected spending increases come at a time when 83% of organizations report a rise in cyberattacks, which include everything from phishing and ransomware to more advanced AI-powered social-engineering schemes.
- “The data doesn’t just point to steady growth, it signals a potential boom,” said Michael Isensee, cybersecurity and tech risk leader, KPMG LLP. “We’re seeing a major market pivot where cybersecurity is now a fundamental driver of business strategy.
- “Leaders are moving beyond reactive defense and are actively investing to build a security posture that can withstand future shocks, especially from AI and other emerging technologies,” continued Isensee. “This isn’t just about spending more, it’s about strategic investment in resilience.”
- Security Affairs warns,
- “Your next breach probably won’t start inside your network—it will start with someone you trust. Every supplier, contractor, and service provider needs access to your systems to keep business running, yet each login is a potential doorway for attackers. Access management is meant to control the risks of granting that access, but weak controls and poor hygiene remain the norm. The Thales Digital Trust Index report, Third-Party Edition, highlights that over half of surveyed professionals (51%) keep access to partner systems for days or even a month after they no longer need it, turning everyday collaborations into hidden vulnerabilities that accumulate over time.
- “Ask yourself: Are you evaluating and managing these risks well enough? If the answer isn’t clear, it’s time to revisit the basics of identity lifecycle management. Supply chain risks are preventable—but only if they aren’t tolerated or ignored. This article is a primer on how to ensure B2B collaboration remains a source of agility and resilience, not your Achilles’ heel.”
- Here is a link to Dark Reading’s CISO Corner.
