From the cybersecurity policy and law enforcement front,
- The Wall Street Journal reports,
- “Senators voted 71-29 to pass a $1.2 trillion package of five bills funding many agencies through September and a sixth to provide two weeks of funding for the Department of Homeland Security. The measure was designed to give lawmakers more time to negotiate over proposed new restrictions on immigration enforcement.
- “The proposal still needs to be approved by the House, which isn’t expected to return until Monday. With no law passed, funding for the Pentagon, DHS and other departments lapsed at 12:01 a.m. Saturday, and the partial shutdown is expected to run through the weekend.”
- The Homeland Security appropriations had been Division H of the consolidated appropriations bill, H.R. 7148. The amended version, which the Senate passed yesterday, replaced Division H with a two-week extension of Fiscal Year 2025 appropriations. The FEHBlog raises this point because the provision reauthorizing CISA 2015 is found in Division I.
- “SEC. 5008. CYBERSECURITY INFORMATION SHARING ACT OF 2015. Section 111(a) of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1510(a)) is amended by striking “September 30, 2025” and inserting “September 30, 2026”.”
- Consequently, this reauthorization will apply when the House passes amended H.R. 7148 next week.
- Per a Cybersecurity and Infrastructure Security Agency (CISA) news release,
- “The Cybersecurity and Infrastructure Security Agency (CISA) is calling on critical infrastructure organizations to take decisive action against insider threats. To support this effort, CISA has released today a powerful new resource—Assembling a Multi-Disciplinary Insider Threat Management Team. Designed for critical infrastructure entities and state, local, tribal, and territorial (SLTT) governments, this comprehensive infographic provides actionable strategies and guidance to proactively prevent, detect and mitigate insider threats, helping organizations stay ahead of evolving organizational vulnerabilities.
- “Insider threats often take two forms: calculated acts of harm and unintentional mistakes. Malicious insiders may exploit access for personal gain or revenge, causing severe damage to systems and trust. At the same time, negligence or simple human errors can open the door to vulnerabilities that adversaries can exploit. Whether driven by intent or accident, insider threats pose one of the most serious risks to organizational security and resilience, demanding proactive measures to detect, prevent and respond.
- “Insider threats remain one of the most serious challenges to organizational security because they can erode trust and disrupt critical operations,” said Acting CISA Director Dr. Madhu Gottumukkala. “CISA is committed to helping organizations confront this risk head-on by delivering practical strategies, expert guidance, and actionable resources that empower leaders to act decisively — building resilient, multi-disciplinary teams, fostering accountability, and safeguarding the systems Americans rely on every day.”
- Security Week reports,
- “The White House has announced that software security guidance issued during the Biden administration has been rescinded due to “unproven and burdensome” requirements that prioritized administrative compliance over meaningful security investments.
- “The US Office of Management and Budget (OMB) has issued Memorandum M-26-05, officially revoking the previous administration’s 2022 policy, ‘Enhancing the Security of the Software Supply Chain through Secure Software Development Practices’ (M-22-18), as well as the follow-up enhancements announced in 2023 (M-23-16).
- “The new guidance shifts responsibility to individual agency heads to develop tailored security policies for both software and hardware based on their specific mission needs and risk assessments.
- “Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency’s network,” reads the memo sent by the OMB to departments and agencies.
- “There is no universal, one-size-fits-all method of achieving that result. Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment,” the OMB added.
- “While agencies are no longer strictly required to do so, they may continue to use secure software development attestation forms, Software Bills of Materials (SBOMs), and other resources described in M-22-18.”
- The American Hospital Association News relates,
- “The FBI has launched a two-month campaign, Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense), highlighting 10 actions organizations can use to protect against cyberattacks. The recommendations were developed with domestic and international partners and based on recent cyber investigations to reflect adversary behavior and defensive gaps. The recommendations include adopting phish-resistant authentication, implementing a risk-based vulnerability management program, tracking and retiring end-of-life technology on a defined schedule, and managing third-party risk, among others.
- “Operation Winter SHIELD is based on lessons learned from the most significant nation state and criminal cyber investigations,” said John Riggi, AHA national advisor for cybersecurity and risk. “In sum, agencies involved focused on the most common methodologies threat actors are using to ‘beat us,’ and what cyber defensive measures are the most effective at reducing cyber risk and increasing resiliency and recovery. There is nothing surprising on the list, but the landmark campaign serves as an excellent validation and a concise summary of cybersecurity best practices. Operation Winter SHIELD also acknowledges the private sector’s crucial role in defending the nation’s critical infrastructure against the very real and very serious cyber threats we face as a nation.”
- Cyberscoop tells us,
- “The internet domain registration system is a major weakness that malicious hackers can exploit, but is often being overlooked, a senior Secret Service official said Thursday.
- “It is staggering to me that we live in a world where domain registrars and registrars will do bulk registration of various spellings of a major institution’s brand name to create URLs to then use in phishing campaigns or in fraudulent advertising,” the official, Matt Noyes, said at a conference in Washington, D.C.
- “It was one of two areas Noyes identified as attack vectors that aren’t adequately being addressed during a panel at the 2026 Identity, Authentication and the Road Ahead Policy Forum, along with susceptibility to business email compromise scams.
- “The problem is in how the Internet Assigned Numbers Authority (IANA) functions, he said. A decade ago, the United States relinquished its control of that process.
- The Register informs us,
- “Ransomware crims have just lost one of their best business platforms. US law enforcement has seized the notorious RAMP cybercrime forum’s dark web and clearnet domains.
- “RAMP, which stands for Russian Anonymous Marketplace, was an online souk, favored by ransomware-as-a-service gangs, extortionists, initial access brokers, and other miscreants specializing in digital crime. Its websites now say “This Site Has Been Seized,” with the notice attributing the takedown to the FBI in coordination with the US Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.” * * *
- “It’s highly unlikely that this takedown signals the end of ransomware and other crime crews who used RAMP’s websites to buy and sell malware and exploits and recruit affiliates. Much like horror-movie monsters, cybercrime forums never really die, and their users will likely scatter to other underground marketplaces to buy and sell their illicit services.
- “Still, “its loss represents a meaningful disruption to a core piece of criminal infrastructure,” Tammy Harper, a senior threat intelligence researcher at Flare who specializes in ransomware research, told The Register.”
- Per Cyberscoop,
- “Millions of devices used as proxies by cybercriminals, espionage groups and data thieves have been removed from circulation following Google’s disruption of IPIDEA, a China-based residential proxy network. The reduction in available proxy devices came after Google’s Threat Intelligence Group used legal action and intelligence sharing to target the company’s domain infrastructure, Google said in a blog post Wednesday.
- “Google’s action, aided by Cloudflare, Lumen’s Black Lotus Labs and Spur, impaired some of IPIDEA’s proxy infrastructure, but not all of it. The coordinated strikes against malicious infrastructure underscore the back-and-forth struggle threat hunters confront when they take out pieces of cybercriminals’ vast and growing infrastructure.
- “Initial data indicates IPIDEA’s proxy network was cut by about 40%.
- “We have still seen around 5 million distinct bots communicating with the IPIDEA command and control servers, so as of now they are still able to operate with a large volume of proxies,” Chris Formosa, senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, told CyberScoop Thursday.”
From the cybersecurity breaches and vulnerabilities front,
- Cybersecurity Dive reports,
- “The share of cyberattacks that relied on vulnerability exploitation as the initial means of access dropped in the fourth quarter of 2025, although it still remained high, researchers from Cisco’s Talos threat intelligence team said in a blog post published on Thursday.
- “Nearly 40% of the incidents to which Cisco responded in Q4 began with the exploitation of public-facing network services, compared with 62% in the third quarter.
- “Cisco also saw fewer ransomware attacks in Q4 (13% of all incidents) compared with Q3 (when it was 20%) and the first half of the year (when it was nearly 50% in both Q1 and Q2).
- “Notably, Cisco said it “did not respond to any previously unseen ransomware variants.”
- and
- “Federal authorities and security researchers are warning about a critical vulnerability in Fortinet FortiCloud single sign-on, which is currently under exploitation.
- “The flaw, tracked as CVE-2026-24858, allows an attacker with a registered device and a FortiCloud account to access devices registered to other accounts. FortiCloud SSO authentication needs to be enabled in those other devices in order for the attack to work.
- “The Cybersecurity and Infrastructure Security Agency on Wednesday warned that Fortinet has confirmed several forms of malicious activity, including hackers changing firewall configurations on FortiGate devices, creating false unauthorized accounts and making changes on VPN accounts in order to get access to new accounts.”
- Cyberscoop relates,
- “Google Threat Intelligence Group warned that a diverse and growing collection of attackers, including nation-state groups and financially motivated cybercriminals, are exploiting a path-traversal vulnerability affecting WinRAR that was disclosed and patched six months ago.
- “The high-severity vulnerability — CVE-2025-8088 — was exploited in the wild almost two weeks before RARLAB, the vendor behind the file archiver tool, addressed the vulnerability in a software update in late July.
- “Active exploitation of the vulnerability has consistently extended to more threat groups during the past six months and remains ongoing. Google threat hunters have attributed attacks to at least three financially motivated attackers, four Russia state-sponsored groups and one attacker based in China.”
- and
- “ChatGPT users beware: your browser extensions could be used to steal your accounts and identity.
- “LayerX Research has identified at least 16 Chrome browser extensions for ChatGPT floating around the internet that promise to enhance work productivity. All show signs of being built by the same threat actor and designed for the same purpose: to pilfer account credentials.
- “According to security researcher Natalie Zargarov, as legitimate AI browser extensions have become more widely used, “many of these extensions mimic known brands to gain users’ trust, particularly those designed to enhance interaction with large language models.”
- “As these extensions increasingly require deep integration with authenticated web applications, they introduce a materially expanded browser attack surface,” Zargarov wrote.”
- CISA added seven known exploited vulnerabilities to its catalog this week.
- January 26, 2025
- CVE-2018-14634 Linux Kernel Integer Overflow Vulnerability
- CVE-2025-52691 SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability
- CVE-2026-21509 Microsoft Office Security Feature Bypass Vulnerability
- CVE-2026-23760 SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
- CVE-2026-24061 GNU InetUtils Argument Injection Vulnerability
- Security Affairs discusses these KEVs here.
- January 27, 2025
- CVE-2026-24858 Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability
- The Hacker News discusses this KEV here.
- January 29, 2025
- CVE-2026-128 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
- Bleeping Computer discusses this KEV here.
- Cybersecurity Dive points out,
- “The cybercrime group ShinyHunters is claiming credit for at least five attacks related to a voice phishing campaign that previously was disclosed by security researchers at Okta.
- “Okta warned Thursday that a social engineering campaign using custom phishing kits was targeting Google, Microsoft and Okta environments using voice phishing techniques.
- “The phishing kits were capable of intercepting user credentials and persuading targeted users to skip multifactor authentication.”
- Bank Info Security notes,
- “The victim count in a 2025 hack against a Maryland-based firm that provides “artificial intelligence-powered” administrative and technology services to healthcare practices soared to nearly 3.1 million nationwide, according to an updated breach report from Healthcare Interactive.
- “The company, more commonly known as HCIactive, previously filed lowball estimate breach reports to several state attorneys general. But in a Jan. 7 breach report submitted to Oregon state regulators, HCIactive said the incident affected a total of about 3.06 million individuals.
- “Based on HCIactive’s latest breach tally provided to Oregon regulators, the company’s hacking incident as of Wednesday would rank among the 10 largest of the 691 protected health information breaches reported in 2025.”
From the ransomware front,
- WFSB (Hartford, CT) reports,
- “A ransomware attack has disrupted New Britain [CT]’s city network systems for more than 48 hours, forcing departments to operate with pen and paper while federal authorities investigate.
- “What began as a suspected cyberattack has been confirmed as a ransomware attack that started early Wednesday morning when the New Britain Police Department was notified of a network disruption that spread throughout the city’s internet server.” * * *
- “The city hopes to restore its server sometime this weekend. The attack comes as data breaches have increased significantly, with the Identity Theft Resource Center reporting that data breaches increased by five percent over the last year and 79 percent over the past five years.
- “One of those incidents included a phishing attack that hit a New Haven [CT] High School.”
- Sophos explains how ransomware operators choose victims.
- “Counter Threat Unit™ (CTU) researchers are frequently asked about ransomware groups posing a threat to organizations in specific verticals or geographic locations. These questions usually follow the publication of third-party reports that highlight how a particular ransomware group is “targeting” a specific sector. CTU™ researchers understand the concerns but maintain that focusing on defending against specific groups is not the best way to avoid becoming a victim of ransomware. As the majority of ransomware attacks are opportunistic, organizations should instead consider how they can best prepare for any ransomware or data theft attack, regardless of the perpetrators.
- “How threat actors choose their victims and deploy ransomware depends on their motivations. Cybercriminals want to make money, so all organizations are potential victims of these groups. In contrast, state-sponsored actors use ransomware for destructive purposes, to obscure espionage activity, to generate revenue, or to achieve a combination of these outcomes. Each of these groups therefore has a separate threat profile, and the organizations at risk can vary greatly.”
- Panda Security shares “50+ Ransomware Statistics Vital for Security in 2026.”
- “Ransomware statistics for 2026 reveal how widespread attacks have become and why awareness is your first line of defense.”
- Per Dark Reading,
- “Victims hit with the emerging Sicarii ransomware should never opt to pay up: the decryption process doesn’t work, likely a result of an unskilled cybercriminal using vibe-coding to create it.
- “Researchers at Halcyon’s Ransomware Research Center observed a technical flaw where even if a victim pays, the decryption process fails in such a way where not even the threat actor can fix the issue. Paying the ransom is, of course, not recommended in general, as doing so funds further cybercrime and doesn’t necessarily guarantee your data is safe, nor that attackers wouldn’t simply exploit you again.”
- Bleeping Computer lets us know,
- “Marquis Software Solutions, a Texas-based financial services provider, is blaming a ransomware attack that impacted its systems and affected dozens of U.S. banks and credit unions in August 2025 on a security breach reported by SonicWall a month later.
- “The software company provides data analytics, compliance reporting, CRM tools, and digital marketing services to more than 700 banks, credit unions, and mortgage lenders across the United States.
- “In statements to customers earlier this week seen by BleepingComputer, Marquis says the ransomware operators didn’t breach its systems by exploiting an unpatched SonicWall firewall, as previously believed.
- “Instead, the attackers used information obtained from firewall configuration backup files stolen after gaining unauthorized access to SonicWall’s MySonicWall online customer portal.
- “Based on the ongoing third-party investigation, we have determined that the threat actor that attacked Marquis was able to circumvent our firewall by leveraging the configuration data extracted from the service provider’s cloud backup breach,” Marquis said.”
- Dark Reading considers “How Can CISOs Respond to Ransomware Getting More Violent?”
- “Ransomware defense requires focusing on business resilience. This means patching issues promptly, improving user education, and deploying multifactor authentication.”
From the cybersecurity defenses front,
- Security Week explores offensive cybersecurity.
- Cyberscoop observes that “Cybersecurity can be America’s secret weapon in the AI race.”
- “Beijing is aggressively exploiting global data for strategic purposes. AI-powered cybersecurity is essential to Washington’s counter-offensive to win the global market.”
- Dark Reading shines a light on “From Quantum to AI Risks: Preparing for Cybersecurity’s Future.”
- “In the latest edition of “Reporters’ Notebook,” a trio of journalists urge the cybersecurity industry to prioritize patching vulnerabilities, preparing for quantum threats, and refining AI applications.”
- and
- “Out-of-the-Box Expectations for 2026 Reveal a Grab-Bag of Risk.”
- “Security teams need to be thinking about this list of emerging cybersecurity realities, to avoid rolling the dice on enterprise security risks (and opportunities).”
- The Hacker News calls attention to “3 Decisions CISOs Need to Make to Prevent Downtime Risk in 2026.”
- “Prioritizing relevant threat intelligence, filling operational gaps, and improving the entire workflow from triage to response directly impacts performance rates across SOCs. For CISOs, this translated into a clear priority: take targeted action to reduce dwell time by empowering analysts with actionable, relevant, and unique threat intelligence feeds, enabling fast and confident decision-making.”
- Here’s a link to Dark Reading’s CISO Corner.
