Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “After months of partisan wrangling, a temporary extension on Tuesday of legislation aimed at encouraging firms to share cyberattack intelligence with Washington might be too little, too late for corporate cybersecurity leaders. 
    • “The seesaw effect we saw last year has eroded the trust that intel sharing needs to be built on,” said Timothy Youngblood, an investor who led cybersecurity teams at T-Mobile, McDonald’s and Kimberly-Clark. Before providing sensitive details of a data breach or ransomware attack, companies need to be assured “they will not have the information used against them,” Youngblood said.
    • “The Cybersecurity Information Sharing Act, or CISA, provides liability and antitrust protections for companies that share attack data with federal agencies. Created in 2015 with a 10-year sunset clause, the act lapsed twice over the past four months as lawmakers clashed over proposed revisions. It was extended this week [to September 30, 2026] as part of a broader spending bill approved by Congress and signed by President Trump.  
    • “But an eight-month shelf life—and on-again off-again status—is unlikely to encourage hacked companies to risk legal or reputational damage by sharing sensitive data, especially in the wake of costly downtime, cybersecurity experts said. Staffing and resource cuts over the past year at the federal Cybersecurity and Infrastructure Security Agency, which shepherds private-public intelligence sharing, are adding to their concerns, they said.
    • “Temporary extensions are Band-Aids,” said Kevin Greene, public sector chief cybersecurity technologist at security firm BeyondTrust. Prolonged uncertainties, he said, will “absolutely create some friction in information sharing.”
  • Cyberscoop relates,
    • “The Trump administration needs help from industry to reduce the cybersecurity regulatory burden and to back important cyber legislation on Capitol Hill, among other areas, National Cyber Director Sean Cairncross said Tuesday.
    • “You know your regulatory scheme better than I do: Where there’s friction, where there’s frustration with information sharing, what sort of information is shared, the process through which it’s shared,” he said. “It is helpful for us to hear that and have that feedback so that we can address it, engage it and try to make it better.”
    • “The Trump administration is interested in being a partner with industry rather than a “scold,” Cairncross said at an Information Technology Industry Council event. The Biden administration sought to impose more cybersecurity rules on the private sector than prior administrations.”
  • Cybersecurity Dive adds,
    • “Cairncross’s comments come as the White House prepares to unveil its five-page national cybersecurity strategy, which will focus heavily on streamlining regulations to reduce the burden on industry, including critical infrastructure organizations.
    • “The White House wants to revise the current patchwork of cybersecurity regulations “so that form follows function rather than [the rules being] a compliance checklist,” said Cairncross, who has led the relatively new Office of the National Cyber Director since August.” * * *
    • “Cairncross did not provide a timeline for the strategy’s release, but he said the White House would publish it “sooner rather than later.” The goal of the brief document, he explained, is “to point a direction for the USG to go so resources and effort can be lined up.”
  • and
    • “Governments should work closely with the private sector when designing and detailing their national cybersecurity strategies, a prominent think tank said in a report published on Monday.
    • “Active participation from the private sector, particularly large technology, telecommunications, and cybersecurity firms, is critical throughout the strategy’s development,” the Center for Cybersecurity Policy and Law (CCPL) said in its white paper. “The private sector can help not only support but also deliver on the government’s cybersecurity objectives and is key to a secure and resilient nation.”
  • and
    • “The Trump administration is making progress on creating an information sharing and analysis center for the AI industry to improve its ties with the government as AI cyber threats proliferate, a U.S. official said on Tuesday.
    • “The administration is absolutely committed to making sure that we’re supporting this industry, making sure that we’re going to foster information sharing,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a talk at an event hosted by the Information Technology Industry Council. “We just want to make sure we take the opportunity to get that relationship right.”
  • Federal News Network shares five updates on the Trump Administration’s cybersecurity agenda.
    • Six-pillar national cyber strategy
    • CIRCIA update
    • AI-ISAC in development
    • AI security policy framework
    • CIPAC replacement coming soon?
  • DefenseScoop notes,
    • “Marine Corps Maj. Gen. Lorna Mahlock was confirmed by the Senate on Friday evening [January 30] as deputy commander of U.S. Cyber Command, where she could have an outsized influence as the organization prepares for new leadership and other major changes.
    • “She was nominated for the position by President Donald Trump.
    • “Her Senate confirmation, which happened via voice vote, means she’ll also pin on a third star and become a lieutenant general.
    • “Mahlock brings deep cyber knowledge and background to her new role.”
  • Per Cybersecurity Dive,
    • “The Federal Communications Commission is warning telecommunications companies to regularly patch their systems, enable multifactor authentication and segment their networks to avoid falling victim to ransomware attacks.
    • “Recent events show that some U.S. communications networks are vulnerable to cyber exploits that may pose significant risks to national security, public safety, and business operations,” the FCC’s Public Safety and Homeland Security Bureau said in a Jan. 29 alert.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • “A Cybersecurity and Infrastructure Security Agency order published Thursday [February 4, 2026] directs federal agencies to stop using “edge devices” like firewalls and routers that their manufacturers no longer support.
    • “It’s a stab at tackling one of the most persistent and difficult-to-manage avenues of attack for hackers, a vector that has factored into some of the most consequential and most common types of exploits in recent years. New edge-device vulnerabilities surface frequently.
    • “Under the binding operational directive CISA released Thursday, federal civilian executive branch (FCEB) agencies must inventory edge devices in their systems that vendors no longer support within three months, and replace those on a dedicated list with supported devices within one year.”
  • The American Hospital Association News tells us,
    • “The National Institute of Standards and Technology Feb. 2 published details on a critical vulnerability that impacted Notepad++, a free, open-source text and source code program widely used by several industries, including health care. The vulnerability impacted an update component affecting iterations of the program prior to version 8.8.9, and allowed attackers to gain access to and disrupt the update process. According to the program’s developer, attacks that occurred from June to November 2025 were likely executed by a sophisticated nation-state threat actor.”
  • Cybersecurity Dive informs us,
    • “Cybercrime “began its shift toward an AI-driven future” in 2025, the security firm Malwarebytes said in a report published Tuesday that charted AI’s influence on the rapidly growing hacking ecosystem.
    • “AI is making cyberattacks faster and more effective through deepfakes, vulnerability discovery, autonomous ransomware attacks and growing connectivity between AI models and penetration testing tools, according to the report.
    • “Malwarebytes urged businesses to “shrink their attack surfaces, harden identity systems, close blind spots, accelerate remediation, and adopt continuous monitoring.”
  • and
    • “Hackers working for an Asian government have breached at least 70 government agencies and critical infrastructure organizations in 37 countries over the past year as part of an espionage campaign likely aimed at collecting information about rare earth minerals, trade deals and economic partnerships, Palo Alto Networks said in a report published on Thursday.
    • “While this group might be pursuing espionage objectives,” researchers with the company’s Unit 42 group wrote in the report, “its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services.”
    • “The security firm provided indicators of compromise and described the threat actor’s techniques and infrastructure.”
  • CISA added six known exploited vulnerabilities to its catalog this week.
    • February 3, 2026
      • CVE-2021-39935 GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability
        • Cyber Press discusses this KEV here.
      • CVE-2025-40551 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
        • Cybersecurity Dive discusses this KEV here.
      • CVE-2019-19006 Sangoma FreePBX Improper Authentication Vulnerability
      • CVE-2025-64328 Sangoma FreePBX OS Command Injection Vulnerability 
        • The Hacker News discusses these KEVs here.
    • February 5, 2026
      • CVE-2025-11953 React Native Community CLI OS Command Injection Vulnerability
        • Security Week discusses this KEV here.
      • CVE-2026-24423 SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
        • Bleeping Computer discusses this KEV here.
  • Dark Reading points out, “CISA Makes Unpublicized Ransomware Updates to KEV Catalog”
    • “A third of the “flipped” CVEs affected network edge devices, leading one researcher to conclude, ‘Ransomware operators are building playbooks around your perimeter.’”
  • Cyberscoop adds,
    • “Attackers are again focusing on a familiar target in the network edge space, actively exploiting two critical zero-day vulnerabilities in Ivanti software that allows administrators to set mobile device and application controls. 
    • “The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti Endpoint Manager Mobile (EPMM). Ivanti did not say when the earliest known date of exploitation occurred but warned that a “very limited number of customers” were attacked before it disclosed and addressed the defects Thursday [January 29, 2026]. * * *
    • “The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years. 
    • “The agency added CVE-2026-1281 to the catalog Thursday, but not CVE-2026-1340. Both defects have been exploited, according to watchTowr. Yet, a spokesperson for Ivanti said the vulnerabilities have not been chained together for exploitation.
    • “The latest code-injection vulnerabilities demonstrate attackers are focusing on EPMM in particular of late. Ivanti disclosed a separate pair of vulnerabilities in the same product in May 2025.” 
  • Cybersecurity Dive informs us,
    • “Two months after a critical vulnerability was disclosed in React Server Components, researchers warn of a significant change in threat activity targeting the flaw. 
    • “The original vulnerability, tracked as CVE-2025-55182, allows an unauthenticated attacker to achieve remote code execution due to unsafe deserialization of payloads. 
    • “The initial wave of attacks in December led to hundreds of systems being compromised as state-linked threat groups and other actors engaged in widespread exploitation. The vulnerability, dubbed React2Shell, has been targeted in a wide range of industries since it was discovered in late November.
    • “Researchers from GreyNoise on Monday reported a distinctive change over the prior seven days, as more than half of the threat activity now emanated from only two IP addresses, according to a blog post. Before the change, there were 1,083 unique sources linked to threat activity, according to researchers.
    • “GreyNoise said its sensors detected more than 1.4 million attempts to exploit CVE-2025-55182 during the seven-day period.
    • “Researchers warned the exploitation appears to be focused on the developer community.” 
  • Per Dark Reading,
    • “Threat actors are using a forensic tool’s Windows kernel driver to kill security products, despite the fact the driver’s digital certificate was revoked more than a decade ago.
    • “In a blog post Wednesday, security researchers at Huntress detailed how the company responded to an intrusion earlier this month in which the threat actor used compromised SonicWall SSL VPN credentials for initial access to the victim’s network. But the real kicker was how the attacker avoided detection: they weaponized the Windows kernel driver of a legitimate forensic toolset called EnCase to disable security products across the network.”
    • “The attack technique is known as bring-your-own-vulnerable-driver (BYOVD), which involves taking advantage of the elevated privileges and kernel-level access of a driver to terminate security processes before an intrusion is detected. Threat actors have increasingly used drivers to disable endpoint detection and response (EDR) platforms, often in ransomware attacks; these tools are commonly known as EDR killers.”  
  • Per SC Media,
    • “More than 300 malicious OpenClaw skills hosted on ClawHub spread malware including the Atomic macOS Stealer (AMOS), keyloggers and backdoors, Koi Security reported Sunday.  
    • “OpenClaw, formerly known as Moltbot and Clawdbot, is an open-source AI agent that has recently gained significant popularity as a personal and professional assistant.
    • “ClawHub is an open-source marketplace for OpenClaw “skills,” which are tools OpenClaw agents can install to enable new capabilities or integrations.
    • “Koi Security Researcher Oren Yomtov discovered the malicious skills in collaboration with his own OpenClaw assistant named Alex, according to Koi Security’s blog post, which is written from Alex’s perspective.
    • “Yomtov and Alex audited all 2,857 skills available on ClawHub at the time of their investigation, and discovered that 341 were malicious, with 335 seemingly tied to the same campaign.”
  • Per Security Week,
    • “The big takeaway from 2026 onward is the arrival and increasingly effective use of AI, and especially agentic AI, that will revolutionize the attack scenario. The only question is how quickly.
    • “Michael Freeman, head of threat intelligence at Armis, predicts, “By mid-2026, at least one major global enterprise will fall to a breach caused or significantly advanced by a fully autonomous agentic AI system.”
    • “These systems, he continues, “use reinforcement learning and multi-agent coordination to autonomously plan, adapt, and execute an entire attack lifecycle: from reconnaissance and payload generation to lateral movement and exfiltration. They continuously adjust their approach based on real-time feedback. A single operator will now be able to simply point a swarm of agents at a target.”

From the ransomware front,

  • Bleeping Computer reports today,
    • “A major U.S. payment gateway and solutions provider says a ransomware attack has knocked key systems offline, triggering a widespread outage affecting multiple services.” * * *
    • “BridgePay Network Solutions confirmed late Friday that the incident disrupting its payment gateway was caused by ransomware.
    • “In an update posted Feb. 6, the company said it has engaged federal law enforcement, including the FBI and U.S. Secret Service, along with external forensic and recovery teams.
    • “Initial forensic findings indicate that no payment card data has been compromised,” the company said, adding that any accessed files were encrypted and that there is currently “no evidence of usable data exposure.”
  • The Rhode Island Current tells us,
    • “A state vendor and major provider of workers’ compensation insurance in Rhode Island confirmed it was the victim of a cyberattack in January.   
    • “The Beacon Mutual Insurance Company posted about the Jan. 14 incident to its website around noon Thursday, following inquiries from Rhode Island Current earlier in the day. The requests for comment were prompted by Beacon’s appearance on public websites that list and track recent reports of ransomware — a genre of malware characterized by making users’ files encrypted and inaccessible unless they pay a price.
    • “Yes, this was a ransomware attack,” Michelle N. Pelletier, the assistant vice president of marketing and communications at the Warwick company, confirmed over email late Thursday afternoon.
    • “But Pelletier added that not all was lost, and that the company’s production environment — or the live systems that users interact with directly — remained safe from harm.  
    • “Fortunately, our production environment was not encrypted, and we were able to resume normal operations on January 20,” Pelletier wrote.”  
  • Security points out,
    • “If battling ransomware isn’t challenging enough, these attacks have undergone a significant metamorphosis, with attackers shedding their encryption-based model for one of pure exfiltration. The result? A more stealthy, discreet approach that successfully bypasses traditional defenses to snatch sensitive data and employ a double or triple extortion scheme. 
    • “With pure exfiltration, businesses don’t realize they’re a victim until it’s too late.” 
  • Security Week adds,
    • “Data allegedly pertaining to over 5 million Panera Bread customers has emerged online after hackers failed to extort the US bakery-cafe chain.
    • “The ShinyHunters extortion group has claimed the theft of roughly 14 million records from Panera Bread, after compromising a Microsoft Entra single-sign-on (SSO) code.
    • “The attack falls in line with recent ShinyHunters attacks that rely on voice phishing (vishing) and SSO authentication to access victim organizations’ cloud-based software-as-a-service (SaaS) environments.
    • “Last week, ShinyHunters published on its Tor-based leak site a 760GB archive allegedly containing the sensitive information stolen from Panera Bread.
    • “According to the data breach notification site Have I Been Pwned, the data was leaked after the hackers failed to extort the food chain.
    • “The archive includes 5.1 million unique email addresses and likely impacts as many Panera customers. Associated information such as names, addresses and phone numbers was also present in the leak.”
  • Security.com lets us know,
    • “A recent Black Basta attack campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself.
    • “Normally the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software. However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself. 
    • “BYOVD is by far the most frequently used technique for defense impairment these days. Generally, attackers will deploy a signed vulnerable driver to the target network, which they then exploit to elevate privileges and disable security software. Since the vulnerable drivers operate with kernel-mode access, they can be used to terminate processes, making them an effective tool for disrupting security measures. In most cases, the vulnerable driver is deployed along with a malicious executable, which will use the driver to issue commands.”
  • Bleeping Computer relates,
    • “Ransomware operators are hosting and delivering malicious payloads at scale by abusing virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider.
    • “Researchers at cybersecurity company Sophos observed the tactic while investigating recent ‘WantToCry’ ransomware incidents. They found the attackers used Windows VMs with identical hostnames, suggesting default templates generated by ISPsystem’s VMmanager.
    • “Diving deeper, the researchers discovered that the same hostnames were present in the infrastructure of multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif, as well as various malware campaigns involving RedLine and Lummar info-stealers.”
  • Per Dark Reading,
    • “The operators of DragonForce, a ransomware-as-a-service outfit that first surfaced in 2023, appear to be drawing heavily from the organized crime playbook, creating a cartel and attempting to bring mafia-style territorial organization — and a bit of muscle — to the ransomware ecosystem.
    • “A detailed analysis by LevelBlue showed the group has recently shifted its business model to one where customers — or affiliates — of its service can create their own brands while still operating under a blossoming DragonForce cartel umbrella.” * * *
    • “DragonForce has established itself as a relatively major player in the ransomware ecosystem since launching activities in 2023. Though not as big as rivals like Akira and Qilin, it has commanded some attention for its aggressive marketing and outreach. As of July 2025, the company had notched at least 250 victims based on its data leak site, according to Check Point Research.”

From the cybersecurity defenses front,

  • Cyberscoop reports,
    • “Following a series of high-profile cyberattacks, boards of directors are now requiring their organizations to take greater responsibility for the risks posed by enterprise resource planning (ERP) systems. The Jaguar Land Rover (JLR) incident in Sept. 2025 illustrates the severe consequences of such attacks. The cyberattack forced JLR to halt production for six weeks, making it the costliest cyberattack in Britain’s history. The company’s revenue declined 24 percent that quarter, accounting for potentially over a $1.2 billion drop in earnings, and subsequently reported a 43.3% wholesale sales volume drop the following quarter.
    • “For decades, organizations have treated ERP systems like SAP as back-office workhorses. However, the JLR incident—carried out by the cybercrime group ShinyHunters—has thrust ERP systems into the spotlight. That shift in attention is critical: today, 90% of the Fortune 500 use SAP, making these systems “crown jewel” assets that require the highest level of protection.
    • “The threat is escalating. A recent Google Cloud Security report forecasts that ransomware operations specifically designed to target critical enterprise applications such as ERP systems will emerge in 2026, forcing organizations to make quick ransom payments and sacrifice business resilience. 
    • “In our roles as board members, advisers, and cybersecurity CEOs, we’re witnessing a fundamental shift in how organizations approach ERP security: the conversation has moved from compliance to survival. Organizations are grappling with critical questions: Who owns the risk? What is our recovery time? Can we patch critical ERP vulnerabilities within 72 hours? Do we have visibility inside the application?”
  • Help Net Security explains where NSA zero trust guidance aligns with enterprise reality.
  • This HHS Inspector General’s report points out “Security Controls to Enhance Its Ability to Prevent and Detect Cyberattacks.”
  • Tech Target describes “five steps to ensure HIPAA compliance on mobile devices.”
  • Here is a link to Dark Reading’s CISO Corner.
