Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “The Trump administration late Thursday removed the scandal-plagued acting director of the Cybersecurity and Infrastructure Security Agency, injecting fresh uncertainty into the operations of an agency already grappling with a morale crisis as it tries to protect the U.S. from sophisticated hacking threats.
    • “The Department of Homeland Security reassigned Madhu Gottumukkala, the deputy CISA director who had led the agency in an acting capacity since last May, to a position at DHS headquarters. Nick Andersen, the executive assistant director for CISA’s Cybersecurity Division and one of the few remaining political appointees at the agency, will step in as acting director.”
  • Federal News Network adds,
    • “Sen. Ron Wyden (D-Ore.) is blocking the Trump administration’s nominee to lead both U.S. Cyber Command and the National Security Agency. Wyden said Lt. Gen. Joshua Rudd, who currently serves as the deputy commander of U.S. Indo-Pacific Command, lacks the experience needed to immediately step into the dual leadership role. The lawmaker added that when it comes to U.S. cybersecurity, ‘there is simply no time for on-the-job learning, the threat is just too urgent for that.’”
  • Gov Info Security relates,
    • “A bipartisan group of senators called on the federal government to update the regulations governing healthcare cybersecurity through a Thursday vote sending a bill aimed at bolstering sector resilience to the full Senate.
    • “The Senate Health, Education, Labor and Pensions Committee voted 22 to 1 to advance the Health Care Cybersecurity and Resiliency Act, a bill that requires publishing cybersecurity guidance for rural medical practices and improved coordination between federal agencies.
    • “It has the backing of a healthcare cybersecurity working group that includes committee Chair Bill Cassidy, R-La.
    • “The legislation would additionally bolster an apparently stalled effort to update the HIPAA Security Rule that the Department of Health and Human Services published during the final weeks of the Biden administration (see: What’s in HHS’ Proposed HIPAA Security Rule Overhaul?).
    • “The bill would enforce many of the proposed rule’s updates, including requiring HIPAA-covered organizations and business associates to adopt multifactor authentication and encryption, and to conduct audits, including penetration testing. It additionally calls for ‘other minimum cybersecurity standards’ to be determined by the HHS secretary, ‘in consultation with private sector organizations, based on landscape analysis of emerging and existing cybersecurity vulnerabilities and consensus-based best practices.’
    • “The fate of the Biden administration’s proposed HIPAA overhaul is uncertain at this point. The HHS Office of Civil Rights is expected to make some kind of decision in May on whether it will move forward with the proposals, or perhaps issue a revised version of proposed rulemaking.”
  • Cyberscoop notes,
    • “An ex-L3Harris executive was sentenced to over seven years in prison Tuesday after pleading guilty to selling eight zero-day exploits to a Russian broker in exchange for millions of dollars.
    • “Peter Williams, 39, admitted to two counts of theft of trade secrets in U.S. District Court in Washington, D.C., last year, acknowledging he took at least eight exploits or exploit components while working at Trenchant, a specialized cybersecurity unit owned by L3Harris. Prosecutors said the materials were intended for restricted use by the U.S. government and allied partners.
    • “Authorities said Williams sold the stolen information to a broker that advertised itself as a reseller of hacking tools and described it as serving multiple customers, including the Russian government. In court, the government referred to the buyer as ‘Company 3,’ but details read aloud during the plea hearing pointed to Operation Zero, a Russian exploit broker that publicly markets itself online as a platform for purchasing zero-day vulnerabilities.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive reports,
    • “Federal agencies have until Friday evening [February 27] to update certain Cisco networking devices that are vulnerable to compromise, the Cybersecurity and Infrastructure Security Agency said on Tuesday [February 24].
    • “In an emergency directive about Cisco’s Software-Defined Wide-Area Networking (SD-WAN) systems, CISA said it was “aware of a cyber threat actor’s ongoing exploitation” of two vulnerabilities in Cisco Catalyst SD-WAN Manager and Catalyst SD-WAN Controller devices and called the activity “an imminent threat to federal networks.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency on Thursday warned that a malware variant previously used in attacks against Ivanti Connect Secure environments may remain undetected on systems. 
    • “In March 2025, CISA issued an alert about the malware, dubbed Resurge, in connection with exploitation of CVE-2025-0282, a stack-based buffer overflow vulnerability in certain versions of Ivanti Connect Secure and other Ivanti products. 
    • “The agency has since analyzed three samples from a critical infrastructure provider’s Ivanti Connect Secure device after hackers exploited the flaw to gain initial access. The analysis shows that Resurge can remain latent on a device until a remote hacker attempts to contact the device.” 
  • Cyberscoop adds,
    • “Would-be attackers spent 2025 swimming in a sea of more than 40,000 newly published vulnerabilities, VulnCheck said in a report released Wednesday, but only 1% of those defects, just 422, were exploited in the wild.
    • “As the deluge of vulnerabilities grows every year, and CVSS ratings lose significance for vulnerability management prioritization, some defenders are turning to research on known exploited vulnerabilities to narrow their scope of work and place more emphasis on verified risks. 
    • “The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. “Prioritization is still a huge problem.”
    • “Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, Condon added. “The indicators of risk that used to be semi reliable, now no longer are.”
  • and
    • “Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems.
    • “The average breakout time — how long it took financially motivated attackers to move from initial intrusion to other network systems — dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. ‘The fastest breakout time a year ago was 51 seconds. This year it’s 27 seconds,’ Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.
    • “Defenders are falling behind because attackers are refining their techniques, using social engineering to access high-privilege systems faster and move through victims’ cloud infrastructure undetected.”
  • Cybersecurity Dive points out,
    • “Hackers are increasingly integrating artificial intelligence into all phases of the cyberattack life cycle, with the technology regularly analyzing target information, generating phishing emails and providing coding assistance, security firm ReliaQuest said in a report published on Tuesday [February 24].
    • “Other recent reports from IBM and cyber insurer Resilience similarly highlight how AI has changed the threat landscape.
    • “At the same time, a new Sophos report said it was important to put in perspective AI’s ‘capabilities and impact.’”
  • LinkedIn informs us,
    • “One of the largest data breaches in U.S. history is even bigger than was known. The Conduent cyberattack has now affected more than 25 million Americans, according to a recent update. The January 2025 incident exposed Social Security numbers, medical records and other sensitive information. Conduent is one of the largest contractors for the U.S. government, providing mailroom, printing and payment processing services for state government benefit offices — meaning it manages “a large amount of personal information belonging to a large swath of the United States,” per TechCrunch.”
  • Cybersecurity Dive adds,
    • “Hackers working for the Chinese government broke into more than 50 telecommunications companies and government agencies in 42 countries, in a campaign that exploited cloud platforms’ legitimate features to hide the attackers’ tracks.
    • “The attacker was using API calls to communicate with [software-as-a-service] apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign,” researchers at Google’s Threat Intelligence Group and Mandiant said in a report on Wednesday.
    • “Google said the “prolific, elusive” China-linked hacker team, which it tracks as UNC2814, “has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas.”
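The VulnCheck passage above argues for prioritizing on known exploitation rather than CVSS alone. The following is an added example (not code from VulnCheck, CISA or CyberScoop) of what that looks like in practice: join scanner findings against a Known Exploited Vulnerabilities feed and rank exploited, overdue and ransomware-linked entries ahead of high-CVSS defects with no exploitation evidence. The record shape mirrors the public CISA KEV JSON fields (`vulnerabilities`, `cveID`, `dueDate`, `knownRansomwareCampaignUse`); the CVE IDs, hosts, scores and the as-of date are constructed sample data, not real findings.

```python
"""Rank scanner findings by exploitation evidence first, CVSS last.

Added example; the KEV entries, CVE IDs, hosts and scores below are constructed
sample data and do not describe real vulnerabilities.
"""
import json
from datetime import date

# Assumed "today" for due-date arithmetic (assumption, constructed).
TODAY = date(2026, 2, 28)

# Constructed stand-in for CISA's known_exploited_vulnerabilities.json feed.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-0001", "dateAdded": "2025-11-03",
         "dueDate": "2025-11-24", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-0002", "dateAdded": "2026-02-10",
         "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed scanner output: one row per (host, CVE) with the CVSS base score.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-2025-0003", "cvss": 9.8},  # critical score, no exploitation evidence
    {"host": "vpn-01", "cve": "CVE-2025-0001", "cvss": 7.5},  # in KEV, ransomware-linked, past due
    {"host": "db-02",  "cve": "CVE-2025-0002", "cvss": 6.1},  # in KEV, remediation due soon
    {"host": "web-02", "cve": "CVE-2025-0004", "cvss": 4.3},
]


def load_kev(raw_json):
    """Index a KEV-format feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def tier_for(finding, kev, today):
    """Label a finding: kev-overdue, kev, or cvss-only."""
    rec = kev.get(finding["cve"])
    if rec is None:
        return "cvss-only"
    return "kev-overdue" if date.fromisoformat(rec["dueDate"]) < today else "kev"


def prioritise(findings, kev, today=TODAY):
    """Return findings (with a 'tier' field) sorted for remediation.

    Sort key: anything in KEV before anything not in KEV; within KEV, overdue
    first, then ransomware-linked, then earliest due date; CVSS only breaks ties.
    """
    def sort_key(f):
        rec = kev.get(f["cve"])
        if rec is None:
            return (1, 0, 0, 0, -f["cvss"])
        due = date.fromisoformat(rec["dueDate"])
        overdue = due < today
        ransomware = rec.get("knownRansomwareCampaignUse") == "Known"
        return (0, -int(overdue), -int(ransomware), due.toordinal(), -f["cvss"])

    ranked = sorted(findings, key=sort_key)
    return [{**f, "tier": tier_for(f, kev, today)} for f in ranked]


def exploited_share(findings, kev):
    """Fraction of findings with a KEV entry; the report's "1% exploited" figure
    is the same ratio computed over all published CVEs."""
    hits = sum(1 for f in findings if f["cve"] in kev)
    return hits / len(findings) if findings else 0.0


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for row in prioritise(FINDINGS, kev):
        print(f'{row["tier"]:12} {row["host"]:8} {row["cve"]}  cvss={row["cvss"]}')
```

The CVSS 9.8 finding on `web-01` ends up third: it has no exploitation evidence, while the 7.5 on `vpn-01` is both past its KEV due date and tied to ransomware use. Swap the constructed feed for the real KEV JSON and the scanner rows for a CSV export and the ranking logic is unchanged.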

From the ransomware front,

  • The Mississippi Clarion Ledger reports,
    • “Officials with the University of Mississippi Medical Center stated the hospital system is ‘getting closer to full functions’ following a cyberattack on Feb. 19 that disrupted operations.
    • “UMMC issued a statement Friday, Feb. 27, stating after being able to access patient records, clinics statewide will resume normal operations and scheduled appointments on Monday, March 2.
    • “UMMC also stated that on March 2, clinics will begin reaching out to patients to reschedule appointments that were cancelled. Officials added that UMMC clinics will reopen with extended hours and additional days in order to accommodate patients as soon as possible.
    • “All hospitals and emergency departments located in Jackson, Madison County, Holmes County and Grenada remain open.”
  • Cybersecurity Dive relates,
    • “UFP Technologies, a Massachusetts-based medical device maker, said it is investigating a cyberattack in mid-February that led to some of its company data being stolen or potentially destroyed, according to a regulatory filing.
    • “The company said the attack, which was detected Feb. 14, impacted most of its IT network, as well as its billing and label-making capabilities for customer deliveries. The company said it was able to continue operations using data backups and implementing contingency plans.
    • “This was a classic ransomware attack that appeared to have impacted many, but not all, of our IT systems,” Ronald Lataille, chief financial officer at UFP Technologies, said Wednesday on a quarterly conference call with analysts. “Data was taken and then destroyed.”
    • “The company is still trying to figure out how much sensitive information, including personally identifiable data, may have been impacted by the attack, according to the 8-K filing with the Securities and Exchange Commission. However, the company does not currently believe the attack will have a material impact on its financial condition.”
  • The Hacker News adds,
    • “The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team.
    • “Broadcom’s threat intelligence division said it also identified the same threat actors mounting an unsuccessful attack against a healthcare organization in the U.S. Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023. The group has claimed more than 366 attacks to date.
    • “Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025,” the company said in a report shared with The Hacker News.”
  • The Register informs us,
    • “Ransomware payments cratered in 2025, but it seems like the cybercrooks launching the attacks didn’t get the memo.
    • “That’s the headline from Chainalysis’ 2026 Crypto Crime Report, which shows total on-chain ransomware payments falling for a second straight year, even as victim counts and leak site pressure continue to climb.
    • “Ransomware gangs pulled in about $820 million in 2025, roughly 8 percent less than the year before, as the share of victims paying dropped to an all-time low of 28 percent. That drop might sound like progress if the wider picture weren’t so bleak: the median ransom demand jumped from $12,738 in 2024 to $59,556 in 2025, and the number of publicly claimed attacks climbed along with it.
    • “Despite the relative stability in total payments, ransomware attacks surged across multiple vectors in 2025, with eCrime.ch data showing a 50 percent YoY increase in claimed ransomware victims, marking the most active year on record,” Chainalysis said.”
  • Help Net Security adds,
    • “Intrusions continue to center on credential access and timed execution outside standard business hours. The Sophos Active Adversary Report 2026 analyzes 661 incident response and managed detection and response cases handled between November 1, 2024 and October 31, 2025, spanning organizations in 70 countries.
    • “The dataset examines how attackers gain access, how quickly they reach key systems, and when ransomware and data theft occur.” * * *
    • “Timing patterns show that the most disruptive stages of ransomware incidents often occur when organizations are operating with reduced staffing. In 88% of ransomware cases, encryption was deployed during non-business hours.
    • “Data exfiltration followed a similar pattern, with 79% of theft activity also occurring outside the typical workday.
    • “Off-hours deployment increases the likelihood that encryption or large-scale data transfers proceed without immediate interruption. It places emphasis on monitoring coverage that extends beyond standard schedules.”
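The Sophos figures above (88% of encryption and 79% of exfiltration outside the workday) are the argument for detection logic that treats the clock as a signal. The following is an added example, not from Sophos or Help Net Security, of a small detector that buckets file-rename events per host into five-minute windows, flags rename bursts that look like mass encryption, and raises severity when the burst lands outside business hours or on a weekend. The log format, hosts, users, paths, the `.locked` extension, the 50-renames threshold and the fixed UTC-6 local offset are all assumptions for the example; real telemetry would come from an EDR or file-server audit log, and a production version would use `zoneinfo` so daylight-saving changes are handled.

```python
"""Flag mass-rename bursts and weight them by business-hours context.

Added example; the log lines, hosts, users, paths and threshold are constructed
for illustration and are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone

# Assumptions: a fixed UTC-6 local zone (Central Standard Time, no DST handling)
# and a 08:00-18:00 weekday workday. Tune both per environment.
LOCAL_TZ = timezone(timedelta(hours=-6))
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
WINDOW_SECONDS = 300          # five-minute buckets
BURST_THRESHOLD = 50          # renames per host per window (assumed tuning value)


def _burst(start_iso, host, user, count):
    """Build `count` constructed rename lines, one per second, from start_iso."""
    start = datetime.fromisoformat(start_iso)
    return [
        f"{(start + timedelta(seconds=i)).strftime('%Y-%m-%dT%H:%M:%SZ')} {host} {user} "
        f"RENAME /share/finance/doc{i}.xlsx -> /share/finance/doc{i}.xlsx.locked"
        for i in range(count)
    ]


# Constructed sample log: Friday 20:10 local burst, Tuesday 11:00 local burst
# (a planned migration), and a handful of off-hours renames below threshold.
SAMPLE_LOG = (
    _burst("2026-02-28T02:10:00+00:00", "fs-01", "svc_backup", 80)
    + _burst("2026-02-24T17:00:00+00:00", "fs-02", "migration", 60)
    + _burst("2026-02-28T03:00:00+00:00", "fs-03", "jdoe", 3)
    + ["2026-02-28T02:11:00Z fs-01 svc_backup WRITE /share/finance/README.txt"]
)


def parse_line(line):
    """Parse 'ISO8601Z host user ACTION detail...' into a dict with an aware UTC timestamp."""
    ts, host, user, action, detail = line.split(" ", 4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host, "user": user, "action": action, "detail": detail,
    }


def is_off_hours(ts_utc, tz=LOCAL_TZ):
    """True on weekends or outside the configured workday, evaluated in local time."""
    local = ts_utc.astimezone(tz)
    if local.weekday() >= 5:
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)


def detect_bursts(lines, tz=LOCAL_TZ, threshold=BURST_THRESHOLD):
    """Return one alert per (host, window) whose RENAME count reaches the threshold."""
    buckets = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev["action"] != "RENAME":
            continue
        # Align the event to the start of its five-minute window.
        offset = ev["ts"].timestamp() % WINDOW_SECONDS
        window_start = ev["ts"] - timedelta(seconds=offset)
        buckets[(ev["host"], window_start)].append(ev)

    alerts = []
    for (host, window_start), events in sorted(buckets.items()):
        if len(events) < threshold:
            continue
        off_hours = is_off_hours(window_start, tz)
        alerts.append({
            "host": host,
            "window_start_utc": window_start.isoformat(),
            "window_start_local": window_start.astimezone(tz).strftime("%a %H:%M"),
            "renames": len(events),
            "users": sorted({e["user"] for e in events}),
            "off_hours": off_hours,
            "severity": "high" if off_hours else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

Run as-is, the Friday-evening burst on `fs-01` comes out `high` and the Tuesday-morning one on `fs-02` comes out `medium`; the three renames on `fs-03` never reach the threshold. The point of the severity bump is staffing, not maliciousness: a medium alert at 11:00 has an analyst looking at it within minutes, a high alert at 20:10 on a Friday needs to page someone.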

From the cybersecurity business and defenses front,

  • Dark Reading reports,
    • “The cybersecurity venture capital market experienced unprecedented activity in 2025, driven primarily by the rush to AI-native security solutions and a massive surge in mergers and acquisitions that reached record levels.
    • “In 2025, VC firms invested $119 billion in cybersecurity businesses, with 400 M&A transactions accounting for the majority of funding and another 820 financing deals totaling nearly $21 billion, according to data from Momentum Cyber, a cybersecurity investment bank. The total value of M&A, financing, and IPO activity in 2025 nearly tripled that of deals in the previous year.”
  • and
    • “Cybersecurity experts are calling for a major shift in how companies handle data breaches and security failures, arguing that greater transparency and specific detail disclosure about how and why they occur is essential if the industry hopes to effectively reduce cyber-risk.
    • “At the upcoming RSAC Conference, threat research experts Adam Shostack and Adrian Sanabria will make the case for greater incident transparency and the need for structured feedback loops in cybersecurity, in a session aptly titled ‘A Failure Is a Terrible Thing to Waste: The Case for Breach Transparency,’ scheduled for Monday, March 23.”
  • Cybersecurity Dive informs us,
    • “The AI era is transforming what CISOs do and how they do it, the enterprise software firm Splunk said in a report published on Tuesday [February 24].
    • “Nearly all CISOs have been assigned to manage their organizations’ AI governance responsibilities, the report found, a significant expansion of ‘their already overwhelming mandates.’
    • “CISOs interviewed in the report expressed both an awareness that they needed to use AI and a range of concerns about its potential harms.”
  • Dark Reading relates,
    • “As one ransomware community shutters in RAMP, two more pop up to take its place. 
    • “Rapid7 today published an analysis of that ransomware ecosystem after US authorities seized infrastructure tied to the notorious RAMP cybercrime forum last month. For years, RAMP has been the primary vehicle for acquiring ransomware-as-a-service (RaaS) affiliates, but the Jan. 28 interagency sting led by the FBI forced many cybercrime outfits to find a new means to sell their wares. 
    • “Rapid7’s Alexandra Blia and Efi Sherman in this week’s blog post identified two potential forums where attackers might go next. The bigger takeaway, however, is that the cybercrime ecosystem is fragmenting, and defenders will need to adapt.”
  • and
    • “A newly developed method for gauging the impact of an OT cybersecurity incident could pave the way for more accurate measurement and response to an event, and also shine light on risk and business ramifications.
    • “The Operational Technology Incident (OTI) Impact Score — which will be unveiled today [February 24] at the ICS/OT industry’s S4x26 Conference in Miami — aims to provide rapid clarity on the actual effects of OT cyber incidents, which often get over- or under-hyped, according to Dale Peterson, co-creator of the OTI model and head of ICS/OT consulting and research firm Digital Bond.
    • “The OTI model, inspired by the Richter Scale used for measuring earthquake intensity and impact, is meant for OT business executives, governments, cyber insurers, the media, and the general public, according to Peterson, who is the founder and program chair of S4.”
  • Here is a link to Dark Reading’s CISO Corner.
