Cybersecurity Saturday

From the cybersecurity policy front,

  • The Record reports,
    • “The National Security Agency has a new leadership roster for its cybersecurity directorate as the agency waits for its first Senate-confirmed chief in more than nine months. 
    • “David Imbordino, an NSA senior executive who is currently serving as the directorate’s deputy chief, will take the reins in an acting capacity at the end of the month, according to three people familiar with the matter. 
    • “Holly Baroody, a senior official at the agency in the United Kingdom, will return as planned from her assignment this summer to be the directorate’s acting No. 2, according to these people. All were granted anonymity to speak candidly about personnel matters.”
  • The HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, posted its January 2026 Cybersecurity Newsletter. The Newsletter concerns system hardening.
    • “System hardening and security baselines can be an effective means to enhance security, and for regulated entities to protect ePHI. However, defining, creating, and applying system hardening techniques is not a one-and-done exercise. Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time. As new threats and vulnerabilities evolve and are discovered, and attackers vary and improve their tactics, techniques, and procedures, regulated entities need to remain vigilant to ensure that their implemented security solutions remain effective. Indeed, for regulated entities, the periodic review and modification, as needed, of security measures implemented under the HIPAA Security Rule is a requirement to maintain protection of ePHI.”
  • Cybersecurity Dive informs us,
    • “The National Institute of Standards and Technology is asking the public for suggested approaches to managing the security risks of AI agents.
    • “In a Federal Register notice set for publication on Thursday, NIST’s Center for AI Standards and Innovation (CAISI) solicited “information and insights from stakeholders on practices and methodologies for measuring and improving the secure development and deployment of artificial intelligence (AI) agent systems.”
    • “The public engagement reflects persistent concerns about security weaknesses in increasingly ubiquitous AI agents. Many companies have adopted these agents without fully understanding or developing plans to mitigate their flaws, inadvertently creating new avenues for hackers to penetrate their computer networks. The wide latitude given to poorly secured AI agents could be especially dangerous in critical infrastructure networks, which sometimes control industrial machinery that is essential to health and safety.
    • “If left unchecked, these security risks may impact public safety, undermine consumer confidence, and curb adoption of the latest AI innovations,” NIST said in its solicitation.”
  • Here is a link to a related NIST blog post.
  • Security Week tells us,
    • “The US cybersecurity agency CISA on Thursday announced closing 10 Emergency Directives issued between 2019 and 2024.
    • “The retired directives, CISA says, have achieved their mission to mitigate urgent and imminent risks to federal agencies.
    • “Since their issuance, CISA has partnered closely with federal agencies to drive remediation, embed best practices and overcome systemic challenges – establishing a stronger, more resilient digital infrastructure for a more secure America,” the agency notes.” * * *
    • “All targeted vulnerabilities are now in CISA’s Known Exploited Vulnerabilities (KEV) catalog and the required actions are defined in Binding Operational Directive (BOD) 22-01, which mandates that federal agencies resolve flaws added to KEV within weeks.
    • “The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Looking ahead, CISA continues to advance Secure by Design principles – prioritizing transparency, configurability, and interoperability – so every organization can better defend their diverse environments,” CISA Acting Director Madhu Gottumukkala said.”
  • Cybersecurity Dive describes CISA’s seven biggest challenges for 2026.

From the cybersecurity vulnerabilities front,

  • A Dark Reading commentator writes,
    • “Cybersecurity Predictions 2026: An AI Arms Race and Malware Autonomy
    • “The year ahead will see an intensified AI-driven cybersecurity arms race, with attackers leveraging autonomous malware and advanced AI technologies to outpace defenders, while security teams adopt increasingly sophisticated AI tools to combat evolving threats amidst growing vendor consolidation and platformization in the industry.”
  • CISA added two known exploited vulnerabilities to its catalog this week.
  • Cyberscoop reports,
    • “Researchers warn that a critical vulnerability in n8n, an automation platform that allows organizations to integrate AI agents, workflows and hundreds of other enterprise services, could be exploited by attackers to achieve full control of targeted networks.
    • “The maximum-severity vulnerability — CVE-2026-21858 — affects about 100,000 servers globally, according to Cyera, which initially discovered and reported the defect to n8n on Nov. 9. Developers responsible for the widely used platform released a patch for the vulnerability on Nov. 18, but didn’t publicly disclose or assign the vulnerability a CVE until Wednesday.
    • “The risk is massive,” Dor Attias, security researcher at Cyera Research Labs, told CyberScoop. “n8n sits at the heart of enterprise automation infrastructure. Gaining control of n8n means gaining access to your secrets, customer data, CI/CD pipelines and more.”
    • “Researchers haven’t observed active exploitation of the vulnerability, but Cyera published a working proof of concept, which typically triggers a race for defenders to patch a defect before in-the-wild exploitation occurs.”
  • The American Hospital Association News notes,
    • “The FBI Jan. 8 released an alert on evolving threat tactics by Kimsuky, a North Korean state-sponsored cyber threat group. As of last year, the group has targeted research organizations, academic institutions, and U.S. and foreign government entities by embedding malicious QR codes in spear-phishing campaigns, referred to as “quishing.” The technique forces victims to use a mobile device to view the QR code, which could be received as an image, email attachment or embedded graphic that evades URL inspection. After scanning the malicious code, victims are routed through attacker-controlled redirectors that collect device and identity information for harvesting and use in additional malicious actions. 
    • “Although it appears that Kimsuky threat actors are not targeting health care directly, this serves as a reminder that social engineering, email and text-based ‘quishing’ attacks from other hacking groups are increasingly targeting health care due to its effectiveness and ability to evade common cybersecurity defensive measures,” said John Riggi, AHA national advisor for cybersecurity and risk. “As we see an increase in the use of malicious QR code attacks, staff should be provided education on the dangers of scanning unsolicited QR codes at work, home and on their mobile devices.” 
  • CSO cautions,
    • “Threat actors are abusing misconfigured MX records and weak DMARC/SPF policies to make phishing emails look internal, bypassing filters and increasing credential theft risk.
    • “Microsoft’s Threat Intelligence team has disclosed that threat actors are increasingly exploiting complex email routing and misconfigured domain spoof protection to make phishing messages appear as if they were sent from inside the organizations they’re targeting.
    • “These campaigns are relying on configuration gaps, specifically scenarios where mail exchanger (MX) DNS records don’t point directly to Microsoft 365 and where Domain-based Message Authentication, Reporting & Conformance (DMARC) and Sender Policy Framework (SPF) policies are permissive or misconfigured.
    • “Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA,” Microsoft said in a security blog post.
    • “The blog noted that while the attack vector isn’t brand new, the exploitation has picked up significantly since mid-2025, delivering phishing lures ranging from password resets to shared documents.”
  • Cybersecurity Dive points out,
    • “The new year will bring more dangerous AI-powered cyberattacks and growing obstacles to regulatory harmonization, Moody’s said in a 2026 outlook report published on Thursday.
    • “The report also forecasts increased cryptocurrency thefts through cyberattacks on both transaction and storage platforms.
    • “Moody’s said recent cloud computing outages resulting from accidents highlighted “the potential for catastrophic impact if exploited by attackers.”
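The CSO item above on the Microsoft Threat Intelligence report describes three preconditions the campaigns rely on: an MX record that does not point directly at Microsoft 365, a permissive SPF policy, and a non-enforcing DMARC policy. The script below is an added example, not code from CSO, Microsoft, or this blog, that checks a domain for exactly those three conditions. The zone contents (example.com, the gateway hostname, the DMARC mailbox) are constructed for illustration; the one real convention it relies on is that Microsoft 365 tenant MX hosts sit under mail.protection.outlook.com. Lookups come from an in-memory dictionary so it runs offline; for live use, substitute a resolver such as dnspython.

```python
"""Audit a domain's inbound-mail authentication posture from its DNS records.

Added example: not from CSO, Microsoft, or this blog. DNS lookups are served
from a constructed in-memory zone so the script runs offline; for live use,
pass a function that resolves MX and TXT records in place of make_lookup().
"""
import re

# Constructed sample zone (assumption, not any real domain's records): MX on a
# third-party gateway in front of Microsoft 365, softfail SPF, monitoring-only DMARC.
SAMPLE_ZONE = {
    ("example.com", "MX"): ["10 inbound.gateway.example."],
    ("example.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com ~all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# Constructed hardened counterpart: MX directly on Microsoft 365, hardfail SPF, enforcing DMARC.
HARDENED_ZONE = {
    ("example.com", "MX"): ["0 example-com.mail.protection.outlook.com."],
    ("example.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}

# Microsoft 365 tenant MX hosts live under this suffix.
M365_MX_SUFFIX = ".mail.protection.outlook.com."


def make_lookup(zone):
    """Return lookup(name, rtype) -> list[str] over an in-memory zone dict."""
    return lambda name, rtype: zone.get((name.lower().rstrip("."), rtype.upper()), [])


def mx_hosts(mx_records):
    """Hostnames from 'priority host' MX strings, normalised to a trailing dot."""
    return [r.split()[-1].lower().rstrip(".") + "." for r in mx_records]


def spf_record(txt_records):
    """First v=spf1 TXT record, or None."""
    return next((r for r in txt_records if r.lower().startswith("v=spf1")), None)


def spf_all_qualifier(spf):
    """Qualifier of the trailing 'all' mechanism ('+', '-', '~', '?'), or None if absent.
    A bare 'all' is '+all'; no 'all' at all defaults to neutral, which is just as weak."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or "+"


def dmarc_tags(txt_records):
    """First v=DMARC1 record parsed into a tag->value dict, or None if absent."""
    rec = next((r for r in txt_records if r.lower().startswith("v=dmarc1")), None)
    if rec is None:
        return None
    tags = {}
    for part in rec.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit(domain, lookup):
    """Return (code, message) findings matching the report's three preconditions."""
    findings = []

    hosts = mx_hosts(lookup(domain, "MX"))
    if not any(h.endswith(M365_MX_SUFFIX) for h in hosts):
        findings.append(("MX_NOT_M365",
                         f"MX {hosts} does not point directly to Microsoft 365; inbound "
                         "filtering depends on the intermediate hop and connector settings"))

    spf = spf_record(lookup(domain, "TXT"))
    if spf is None:
        findings.append(("SPF_MISSING", "no SPF record published"))
    else:
        q = spf_all_qualifier(spf)
        if q is None or q in ("+", "?"):
            findings.append(("SPF_PERMISSIVE",
                             f"SPF 'all' qualifier is {q!r}: unauthorised senders are not failed"))
        elif q == "~":
            findings.append(("SPF_SOFTFAIL",
                             "SPF ~all softfail: only has teeth if DMARC enforces"))

    dmarc = dmarc_tags(lookup(f"_dmarc.{domain}", "TXT"))
    if dmarc is None:
        findings.append(("DMARC_MISSING", "no DMARC record published"))
    elif dmarc.get("p", "none").lower() == "none":
        findings.append(("DMARC_NOT_ENFORCED",
                         "DMARC p=none: failures are reported but mail is still delivered"))
    return findings


if __name__ == "__main__":
    for label, zone in (("sample", SAMPLE_ZONE), ("hardened", HARDENED_ZONE)):
        print(f"{label}:")
        for code, msg in audit("example.com", make_lookup(zone)) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

The sample zone produces all three findings; the hardened zone produces none. The MX finding is a condition to examine, not a defect in itself: when a gateway sits in front of Microsoft 365, the tenant sees the gateway's IP as the connecting host, so SPF and DMARC evaluation has to be done either by that gateway or by the connector configuration, and a permissive SPF or p=none DMARC removes the last backstop.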

From the ransomware front,

  • Security Affairs reports that “Sedgwick confirmed a cyber incident at its federal contractor unit after TridentLocker claimed to steal 3.4GB of data.”
  • Cybersecurity Dive adds,
    • “The volume of ransomware attacks on telecommunications companies around the world increased fourfold from 2022 to 2025, according to a report that the threat intelligence firm Cyble published this week.
    • “Cyble also identified 444 incidents involving data theft from telecom firms, including 133 listings of stolen databases that could contain sensitive customer data or operational information.
    • “Businesses in multiple industries closely track the security posture of the telecom sector because of their need for secure and resilient communications.”
  • Emsisoft discusses the state of ransomware in the United States during 2025.
  • TechTarget examines ransomware trends, statistics and facts in 2026.

From the cybersecurity business and defenses front,

  • Cyberscoop reports,
    • “CrowdStrike is buying identity management startup SGNL, a move that underscores how identity security has become a central battleground in enterprise cybersecurity as companies add cloud services and deploy AI-driven tools.
    • “The cybersecurity firm did not disclose financial terms in a Thursday announcement, but CrowdStrike CEO George Kurtz told CNBC the deal is valued at nearly $740 million.
    • “The acquisition targets a growing problem for large organizations: Access is no longer limited to employees logging into a handful of internal systems. Modern environments include contractors, automated scripts, cloud workloads and an expanding set of non-human identities, such as service accounts and machine credentials. More recently, companies have begun experimenting with AI agents that can take actions across multiple systems, sometimes with broad privileges.”
  • Cybersecurity Dive relates,
    • “AI promises to exponentially improve innovation and efficiency for businesses of all kinds, but it’s also ushering in a new age of cyberthreats.
    • “Nearly 9 in 10 CISOs say AI-driven attacks represent a major risk for their organizations, according to a study from Trellix.
    • “While the trend represents a security problem, it’s on the minds of CIOs too, as they “play a very important role as we think about AI attacks,” said Allie Mellen, principal analyst at Forrester. “Many of the changes that security recommends, we take to improve and defend the infrastructure we have.”
    • “As risks mount, CIOs from different sectors are preparing to help their businesses secure critical data in the age of AI-driven attacks.”
  • Here’s a link to Dark Reading’s CISO Corner.
