Cybersecurity Saturday

From the Iranian war front,

  • Industrial Cyber reports,
    • “New data from KELA recognizes that Iranian state-sponsored threat actors have moved well beyond traditional espionage, increasingly blurring the line between nation-state operations and financially motivated cybercrime. Rather than running large-scale ransomware cartels of their own, these groups have embedded themselves into the existing criminal ecosystem, acting as initial access brokers, collaborating with ransomware affiliates, and deploying pseudo-ransomware to mask destructive attacks as extortion campaigns.
    • “A key example is Pay2Key, an Iran-linked ransomware operation that has resurfaced as a professionalized RaaS platform operating on the anonymous I2P network, actively recruiting affiliates from Russian cybercrime forums and offering an elevated profit share, bumping the affiliate cut from 70% to 80%, for attacks on U.S. and Israeli targets. The model creates a significant compliance risk for victim organizations: paying what appears to be a routine ransom demand could unknowingly funnel money to OFAC-sanctioned Iranian entities, exposing companies to severe legal and financial penalties.
    • “The KELA Cyber Intelligence Center identified in its Monday [March 30] post that one of the more concerning developments is the growing collaboration between Iranian state-linked actors and the broader ransomware ecosystem.”
  • Security Week relates,
    • The FBI has confirmed that threat actors have gained access to an email account belonging to FBI Director Kash Patel, but said no government information has been compromised. 
    • “The Iran-linked hacker group Handala on Friday [March 27] claimed to have hacked Patel’s email account, releasing files allegedly representing photos, emails, and classified documents taken from the FBI director’s inbox.
    • “The so-called ‘impenetrable’ systems of the FBI were brought to their knees within hours by our team,” the hackers wrote. 
    • However, the account does not appear to be hosted on FBI systems; it is a personal Gmail account. In addition, the stolen information does not seem to be recent.
    • It’s unclear when the account was hacked, but it may have been one of the many targeted by Iranian hackers back in 2024 as part of an operation targeting Donald Trump’s presidential campaign.” 
  • Cyberscoop tells us,
    • “Medtech company Stryker says it’s back to being “fully operational,” three weeks after it became the most prominent victim to date of Iranian hackers, who said they attacked the Michigan-based company in retaliation over the conflict with the United States and Israel.
    • “A March 11 wiper attack from the pro-Palestinian, Iranian government-connected group Handala damaged the company’s order processing, manufacturing and shipping.” * * *
    • “Production is moving rapidly toward peak capacity with discipline and stability, supported by restored commercial, ordering and distribution systems,” the company wrote in an update on its website Wednesday. “Overall product supply remains healthy, with strong availability across most product lines, as we continue to meet customer demand and support patient care.”
    • “Stryker said it continues to work with outside cyber experts, government agencies and industry partners on its investigation and recovery.” * * *
    • “Iranian hackers have been busy since the U.S.-Israel strikes began, but have claimed few successes in the United States. Handala boasted this week about an attack on St. Joseph County, Indiana, where officials said they were investigating a hack of its external fax service.”

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “President Donald Trump on Friday [April 3] proposed significantly slashing the Cybersecurity and Infrastructure Security Agency’s budget.
    • The White House’s fiscal year 2027 budget would reduce CISA’s funding by $707 million, roughly 30% of its FY2025 budget of $2.4 billion.
    • “The administration said its proposal “refocuses CISA on its core mission” of protecting federal networks and helping critical infrastructure operators defend themselves from cyberattacks and physical threats.”
  • Per a March 31 HHS news release,
    • “The U.S. Department of Health and Human Services (HHS) today announced that it is reversing a 2024 reorganization that: (1) dually titled the Office of the National Coordinator for Health Information Technology (ONC) as the Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC), headed by the Assistant Secretary for Technology Policy, dually titled as the National Coordinator for Health IT; (2) moved three HHS-wide technology roles to ONC from the Office of the Chief Information Officer (OCIO); and (3) shifted specific cybersecurity functions out of OCIO.
    • “Today’s action restores a unified, Department‑wide technology leadership model by returning these enterprise responsibilities to OCIO while sharpening ONC’s mission focus on nationwide health IT interoperability and data liquidity.
    • “Under this alignment, HHS has ended the Biden administration’s dual management title for the Assistant Secretary for Technology Policy, restored ONC as a singularly titled office, and shifted the roles, responsibilities, and offices of the HHS Chief Technology Officer (CTO), HHS Chief Artificial Intelligence Officer (CAIO), and HHS Chief Data Officer (CDO) back under the HHS Chief Information Officer’s leadership. This structure reinforces OCIO’s statutory responsibility for enterprise IT, cybersecurity, and data operations, while enabling ONC to concentrate on health IT policy, standards, and certification that support better care and lower costs.
    • “To better integrate policy and operations, OCIO will organize enterprise roles around three core functions: (1) strategic technology leadership and innovation, led by the CTO; (2) responsible, trustworthy artificial intelligence, led by the CAIO; and (3) enterprise data governance and analytics, led by the CDO. These leaders will work as a unified team under the CIO to deliver secure, scalable platforms and common services that support ONC’s policy work and the Department’s mission programs.
    • “This structure allows OCIO to provide an integrated backbone for cloud, cybersecurity, data, and AI that every HHS component can rely on,” said HHS Chief Information Officer Clark Minor. “By bringing CTO, CAIO, and CDO functions together under one roof, we can move faster on shared platforms, protect our systems more effectively, and support ONC and the operating divisions with the technology capabilities they need to innovate for patients.”
  • Cybersecurity Dive informs us,
    • “Federal government leaders are prioritizing cybersecurity improvements as they sketch out their technology-modernization agendas for the year, consulting firm EY said in a survey released this week.
    • “Roughly half of survey respondents (56%) said cybersecurity was one of their top modernization priorities, with roughly a third saying that growing cybersecurity threats “are a barrier for their agencies to achieve their modernization goals,” the survey found.
    • “EY also presented data on government leaders’ impressions of their agencies’ current security postures and their hopes for AI.”
  • Bleeping Computer points out,
    • “The U.S. Federal Bureau of Investigation (FBI) warned Americans against using foreign-developed mobile applications, particularly those created by Chinese developers.
    • “In a public service announcement (PSA) issued via its Internet Crime Complaint Center (IC3) platform this Tuesday [March 31], the FBI warned of privacy and data security risks associated with these apps.
    • “As of early 2026, many of the most downloaded and top-grossing apps in the United States are developed and maintained by foreign companies, particularly those based in China,” the bureau warned.”

From the cybersecurity breaches and vulnerabilities front,

  • Health Exec reports on April 2,
    • “A hospital in Texas revealed that it’s fallen victim to a data breach that exposed the personal information of more than 257,000 patients to hackers.
    • “Nacogdoches Memorial Hospital—an independent health system in Texas consisting of one emergency-capable facility, several affiliated provider practices, and a rehabilitation center—made the breach public this week.
    • “The incident occurred on Jan. 31—or at least, that’s when Nacogdoches Memorial staff became aware of an ongoing cyberattack.
    • “At that time, the hospital said it notified law enforcement, initiated an “incident response plan” and began an investigation to find out what happened. As for details such as the nature of the breach and who was responsible, neither a statement from Nacogdoches Memorial nor a report filed with the Office of the Maine Attorney General contain those details.
    • “To date, no known listing of the data trove on the dark web exists, and no hacker group has claimed responsibility for the cyberattack. Whether or not the data will eventually end up leaked onto the Internet or put up for sale remains unknown—but given the scope of the breach and the black market value of the stolen information, it’s not out of the realm of possibility.”
  • Bleeping Computer relates,
    • “Telehealth giant Hims & Hers Health is warning that it suffered a data breach after support tickets were stolen from a third-party customer service platform.” * * *
    • “It is one of the most successful U.S. brands in the online pharmacy and telehealth space, with strong marketing presence, and annual revenues close to $1 billion.” * * *
    • “BleepingComputer learned last month that the ShinyHunters extortion gang conducted the breach.
    • “The data was stolen as part of a widespread campaign in which threat actors compromised Okta SSO accounts to gain access to third-party cloud storage services and SaaS platforms to steal data.
    • “In this particular attack, BleepingComputer was told that the threat actors used the Okta SSO account to access the Hims & Hers Zendesk instance, where they stole millions of support tickets.”
  • Dark Reading notes,
    • “The impact of TeamPCP’s high-profile supply chain attacks is rapidly expanding — in more ways than one.
    • “Following last month’s spree of compromised open source projects, two victim organizations disclosed breaches related to the attacks this week. On Tuesday, AI startup Mercor said on social media platform X that it was “one of thousands of companies impacted by a supply chain attack involving LiteLLM.”
    • “And on Thursday, the EU’s Computer Emergency Response Team (CERT-EU) disclosed that a recent attack on the European Commission’s cloud and Web infrastructure stemmed from the previously reported Trivy supply chain attack, also attributed to TeamPCP. According to CERT-EU, the EC inadvertently installed a compromised version of the Trivy code-scanning security tool, which allowed threat actors to harvest credentials and secrets that they later used to access the organization’s Amazon Web Services (AWS) cloud environment.”
  • The American Hospital Association News tells us,
    • “The Cybersecurity and Infrastructure Security Agency released an alert March 27 on a vulnerability in F5 BIG-IP Access Policy Manager software that is being exploited for malicious cyber activity. F5 devices and software, used widely by health care and other critical infrastructure, provide app security and management services. The vulnerability was previously disclosed in October 2025 as a denial-of-service issue but was reclassified this month due to new information that found the vulnerability allows malicious actors to perform remote code execution, according to an alert from F5. 
    • “F5 has determined that this issue is much more severe than previously thought,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The original patch released last year fixes the larger issue, so if you are using F5’s BIG-IP software, a very common app delivery and security service, ensure that you patch the system as soon as possible.” 
  • Cybersecurity Dive informs us,
    • “Security researchers warn that chaining two critical vulnerabilities in Progress Software’s ShareFile service could allow an attacker to achieve remote code execution.
    • “The flaws exist in ShareFile Storage Zones Controller, which helps users manage files while they are using the ShareFile software-as-a-service interface, according to researchers at watchTowr Labs.
    • “The vulnerabilities include an authentication bypass flaw, tracked as CVE-2026-2699, and a remote code execution flaw, CVE-2026-2701. The vulnerabilities have severity scores of 9.8 and 9.1, respectively.
    • “Progress Software warned in a security bulletin released Thursday [April 2] that an attacker could access on-premises Storage Zones Controller configuration pages, allowing them to make changes in system configuration or achieve remote code execution.
    • “There is no immediate evidence of exploitation, but researchers urged users to immediately apply security updates.”
  • and
    • “A North Korean threat actor is suspected to be behind a major supply chain attack against Axios, a JavaScript library that is downloaded more than 100 million times per week, according to security researchers.
    • “Earlier this week, an attacker compromised the node package manager account for an axios maintainer and introduced a malicious dependency plain-crypto-js. The malicious versions were deleted within a few hours, but, with the widespread use of axios, there was a risk that a large number of users could have downloaded the poisoned version.
    • “Researchers from Google Threat Intelligence Group said the malicious dependency is an obfuscated dropper that deploys a backdoor called Waveshaper.v2 across Windows, Linux and Mac environments.” 
  • Bleeping Computer notes,
    • “Threat actors are exploiting the recent Claude Code source code leak by using fake GitHub repositories to deliver Vidar information-stealing malware.
    • “Claude Code is a terminal-based AI agent from Anthropic, designed to execute coding tasks directly in the terminal and act as an autonomous agent, capable of direct system interaction, LLM API call handling, MCP integration, and persistent memory.
    • “On March 31, Anthropic accidentally exposed the full client-side source code of the new tool via a 59.8 MB JavaScript source map included by accident in the published npm package.”
  • and
    • “Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year.
    • “In this type of attack, the threat actor sends a device authorization request to a service provider and receives a code, which is sent to the victim under various pretexts.
    • “Next, the victim is tricked into entering the code on the legitimate login page, thus authorizing the attacker’s device to access the account through valid access and refresh tokens.”
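The flow described above leaves a detectable trace: the device that ends up holding the tokens is one the victim has never signed in from. The following detection heuristic is an added example, not code from the original post or from any vendor; the sign-in log format, its field names (`user`, `ip`, `auth_protocol`, `client_app`, `success`) and the sample events are all constructed here and only loosely modelled on identity-provider sign-in logs.

```python
"""Flag successful OAuth device-code sign-ins that look like device code phishing.

Heuristic: a successful device-code authorization from an IP address the user
has never used in a prior successful interactive (non-device-code) sign-in is
suspicious, because in the phishing flow it is the attacker's device, not the
victim's, that gets the access and refresh tokens.
"""
import json
from collections import defaultdict

# Constructed sample sign-in events, one JSON object per line (assumed format).
SAMPLE_LOG = """
{"ts":"2026-04-01T08:02:11Z","user":"alice@example.test","ip":"203.0.113.10","auth_protocol":"oAuth2","client_app":"Mail client","success":true}
{"ts":"2026-04-01T08:40:03Z","user":"alice@example.test","ip":"203.0.113.10","auth_protocol":"oAuth2","client_app":"Chat client","success":true}
{"ts":"2026-04-01T10:00:00Z","user":"bob@example.test","ip":"203.0.113.22","auth_protocol":"oAuth2","client_app":"Mail client","success":true}
{"ts":"2026-04-02T09:15:47Z","user":"bob@example.test","ip":"203.0.113.22","auth_protocol":"deviceCode","client_app":"TV app","success":true}
{"ts":"2026-04-02T13:27:19Z","user":"alice@example.test","ip":"198.51.100.77","auth_protocol":"deviceCode","client_app":"CLI tool","success":true}
{"ts":"2026-04-02T13:30:00Z","user":"carol@example.test","ip":"198.51.100.90","auth_protocol":"deviceCode","client_app":"CLI tool","success":false}
"""


def parse_events(text):
    """Parse newline-delimited JSON sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_device_code_signins(events):
    """Return successful device-code sign-ins from an IP not in the user's baseline.

    The baseline for each user is built only from earlier successful sign-ins
    that did NOT use the device-code grant, so a phished authorization cannot
    enrich the baseline for later ones.
    """
    known_ips = defaultdict(set)
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["success"]:
            continue  # failed attempts never hand out tokens
        if ev["auth_protocol"] == "deviceCode":
            if ev["ip"] not in known_ips[ev["user"]]:
                flagged.append(ev)
            continue
        known_ips[ev["user"]].add(ev["ip"])
    return flagged


if __name__ == "__main__":
    for ev in find_suspicious_device_code_signins(parse_events(SAMPLE_LOG)):
        # Response for a confirmed case: revoke the user's refresh tokens and
        # sessions, since the attacker's device otherwise keeps working.
        print(f"SUSPICIOUS device-code sign-in: {ev['user']} from {ev['ip']} "
              f"via {ev['client_app']} at {ev['ts']}")
```

Bob's device-code sign-in from his usual address is not flagged, while Alice's from a never-seen address is; where the device-code grant is not needed at all, disabling it for the tenant removes the exposure entirely.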
  • Per Cyberscoop,
    • “A new malware-based credential-stealing campaign, which researchers are calling “DeepLoad,” has been infecting enterprise business IT environments.
    • “In a report released Monday, ReliaQuest AI researchers Thassanai McCabe and Andrew Currie say the most relevant feature of this attack is the way it uses artificial intelligence and other engineering “to defeat the controls most organizations rely on, turning one user action into persistent, credential-stealing access.”
    • “DeepLoad is delivered to victims via “QuickFix” social-engineering techniques, such as fake browser prompts or error pages. If the user falls for the scheme, the malware developers — or more likely their AI tools — put a lot of work into building evasion of security technology “at every stage” of the attack chain.
    • “The loader “buries functional code under thousands of meaningless variable assignments,” and the payload runs behind a Windows lock screen process that is “overlooked by security tools” monitoring for threats. ReliaQuest said “the sheer volume” of code padding likely rules out human-only involvement.”
  • Info Security discusses,
    • “A new malware-as-a-service (MaaS) platform dubbed Venom Stealer that automates credential theft and continuous data exfiltration has been identified by cybersecurity researchers.
    • “The platform is being sold on cybercrime networks and is designed to go beyond traditional credential harvesting tools by maintaining ongoing access to stolen data even after the initial infection.”

From the ransomware front,

  • Cisco Talos reflects on ransomware trends in 2025.
  • Cyberscoop reports,
    • “The Akira ransomware group has compromised hundreds of victims over the past year with a well-honed attack lifecycle that has whittled down the time from initial access to encryption of data in less than four hours, according to cybersecurity firm Halcyon.”
  • Security Week relates,
    • “Like an inverted pyramid, the range of different attack modes is now built on top of the single point of identity abuse.
    • “Stolen credentials are a major threat. Legitimate credentials illegitimately acquired provide legitimate access to illegitimate actors. Once inside the network, these bad actors have greater ability to move and act in stealth. The continuing rise in ransomware attacks bears testament.
    • “The theft and resale of credentials operates on an industrial scale. Fueled by the rise of increasingly more sophisticated infostealers, stolen credentials are packaged into ‘logs’ and sold to criminals on the black market. Ontinue reports, “Listings tied to LummaC2 alone surged by 72%, with high-privilege cloud console credentials selling for $1,000–$15,000+.”
    • “Ransomware has been one of the primary beneficiaries of stolen credentials. More than 7,000 incidents and 129 active groups were tracked through 2025. At the same time, ransom payments decreased slightly from $892M in 2024 to $820M in 2025. This apparent contradiction is actually logical.
    • “Larger targets, with larger payout potential, will have seen the most aggressive corporate investment (process and technology) mitigating exposure to this attack pattern,” explains Trey Ford, chief strategy and trust officer at Bugcrowd. These larger targets are also more susceptible to government pressure to not pay ransoms, and ransomware income has consequently declined. The ransomware groups have responded with more attacks demanding smaller payments from more but smaller companies.” 

From the cybersecurity defenses front,

  • Dark Reading reports,
    • “After some delay, Apple has patched the vulnerabilities associated with the DarkSword exploit chain for all affected customers, even those who aren’t updated to iOS 26 — a boon for organizations trying to get users updated to a new version all at once, and for those with patch management policies that preclude such updates.”
  • and
    • “Joseph Izzo, chief medical information officer for San Joaquin General Hospital, received ransomware training during a downtime period. He practiced responding and maintaining patient care in the event that the facility is forced to operate offline. But when the hospital where he was working was actually hit with ransomware, he realized very quickly how “different it was under pressure.” 
    • “Izzo shared his story at RSAC 2026 Conference and provided key incident response (IR) recommendations for healthcare organizations, a sector frequently targeted by ransomware gangs due to highly sensitive information. Ransomware doesn’t always cripple hospitals, but partial attacks happen frequently, Izzo explained. Either way, a rapid response is necessary when serving a vulnerable population.
    • “Recommendations ranged from identity protection to being prepared to operate with pen and paper in a digital world. Preparation is what really “makes the difference” when healthcare facilities are trying to get past a ransomware incident, Izzo emphasized.” 
  • Cybersecurity Dive tells us,
    • “Cybersecurity is one of the leading risks influencing corporate executives’ decisions about AI adoption, the consulting firm KPMG said in a quarterly AI pulse survey released on Tuesday.
    • “Three-quarters of senior leaders at large corporations told KPMG that they were worried about the cybersecurity and privacy risk associated with AI tools, according to the report.
    • “The survey also asked questions about governance approaches and agentic AI, offering a window into how businesses around the world are wrestling with new security challenges.”
  • Here is a link to Dark Reading’s CISO Corner.