From the Iranian war front,
- Cybersecurity Dive reports on April 23,
- “Iran, long considered a steady and persistent cyber threat to the U.S., has raised its game in the months since the two nations went to war in February.
- “Iranian-backed cyber threat groups, which range from state-sponsored actors to pro-Iranian hacktivists and financially motivated hackers, appear to have evolved some of their motivations and capabilities in cyber, according to analysts and security researchers.
- “What we are seeing are attacks that are aiming to have a more destructive effect,” Annie Fixler, director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies told Cybersecurity Dive.
- Specifically, Iran-linked actors have increased the use of data wiping malware in recent attacks against Israel and demonstrated greater capability to evade detection, according to researchers at Palo Alto Networks.
- “In another alarming development, Darktrace last week published an analysis of a malware strain called ZionSiphon, to potentially tamper with chlorine levels and pressure controls in Israeli water facilities. The malware was embedded with pro-Iran and Palestinian messaging for additional psychological impact.”
- Federal News Network commentator shares “what federal leaders need to know about Iran’s cyber campaign.”
- “To understand the cyber implications of this conflict, federal leaders need to understand how Iran uses cyber as a strategic instrument.”
From the cybersecurity policy and law enforcement front,
- Cyberscoop reports,
- “Sean Plankey, the long-sidelined nominee to lead the Cybersecurity and Infrastructure Security Agency, asked President Donald Trump on Wednesday to withdraw his nomination.
- “At this point in time, I am asking the President to remove my nomination from consideration,” he said in a notification letter seen by CyberScoop. “After thirteen months since my initial nomination, it has become clear that the Senate will not confirm me.”
- “Plankey’s request comes weeks after the Senate confirmed MarkWayne Mullin to lead the Department of Homeland Security, CISA’s parent agency.”
- and
- “House Republicans unveiled on Wednesday Congress’ latest effort to tackle comprehensive digital privacy legislation for Americans.
- “The Secure Data Act would allow consumers to opt out of data collection for individual businesses for the purposes of targeted advertising, selling to third parties or for use in automated decisionmaking.
- “It would also require companies to inform consumers when their personal data is being collected or used, provide them with a portable version of that data, and give consent rights to parents over the data collection of teenagers.”
- Per a NIST news release,
- “The National Institute of Standards and Technology (NIST), in collaboration with the Department of Health and Human Services Office for Civil Rights (HHS OCR), announced the Safeguarding Health Information: Building Assurance through the Health Insurance Portability and Accountability Act (HIPAA) Security 2026 conference, scheduled for September 2–3, 2026, at the NIST campus in Gaithersburg, Maryland. The event will examine the current healthcare cybersecurity landscape and the HIPAA Security Rule, which establishes federal standards to protect the confidentiality, integrity, and availability of electronic protected health information. The conference will highlight practical strategies, tips, and techniques for implementing the HIPAA Security Rule, including required administrative, physical, and technical safeguards for covered entities and their business associates. Sessions will address best practices for managing risks to electronic health information and ensuring technical assurance, along with topics such as cybersecurity risk management, current threats to the healthcare community, and cybersecurity considerations for Internet of Things technologies in healthcare environments. The event will be offered in both in-person and virtual formats, with separate registration fees and timelines for each option. For additional details, visit the Safeguarding Health Information: Building Assurance through HIPAA Security 2026 event page.”
- Per an April 23, 2026, HHS news release,
- “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced settlements with four regulated entities following separate ransomware investigations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Ransomware is malicious software that blocks access to data—typically by encrypting it with a key known only to the attacker—until a ransom is paid. The resolutions announced mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR’s Risk Analysis Initiative.” * * *
- “The settlements follow investigations into separate ransomware breaches that collectively affected over 427,000 individuals and involved the exposure of unsecured ePHI. The types of ePHI affected include demographic data, Social Security numbers (SSNs), financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities have agreed to implement corrective action plans subject to OCR monitoring for two years and paid a total of $1,165,000 to OCR.”
- Per an April 20, 2026, Justice Department news release,
- “A Florida man, formerly employed as a ransomware negotiator, pleaded guilty to conspiring to commit ransomware attacks against U.S. companies in 2023.
- “According to court documents, Angelo Martino, 41, of Land O’Lakes, Florida, collaborated with the operators of the Blackcat/ALPHV (“BlackCat”) ransomware variant used by cybercriminals to attack and extort institutions and companies. Beginning in April 2023, Martino abused his role at a U.S.-based cyber incident response company to assist BlackCat actors. Working as a negotiator on behalf of five different ransomware victims, Martino provided BlackCat attackers with confidential information about the negotiating position and strategy of his company’s clients without the clients’ or his employer’s knowledge or permission. This confidential information assisted the ransomware actors and maximized the ransoms that the victims were required to pay. The confidential information included the victims’ insurance policy limits and internal negotiation positions. The BlackCat actors paid Martino for this confidential information.” * * *
- “To date, law enforcement has seized $10 million of assets from Martino, including digital currency, vehicles, a food truck, and a luxury fishing boat that Martino obtained using proceeds of the offense or acquired as a result of the offense.”
- Cyberscoop adds,
- “A core leader of the hacker subset of The Com responsible for a series of high-profile phishing attacks and cryptocurrency thefts from September 2021 to April 2023 pleaded guilty to federal charges, the Justice Department said Friday.
- “Tyler Robert Buchanan of Dundee, Scotland, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. The 24-year-old was arrested by Spanish police in Palma in 2024 as he attempted to board a charter flight to Naples, Italy.
- “Buchanan has been in federal custody since April 2025 and faces up to 22 years in federal prison at his sentencing, which is scheduled for August 21.
- “The British national and his co-conspirators, including Noah Michael Urban, who was sentenced to a 10-year federal prison sentence last year, harvested thousands of credentials via phishing and stole more than $8 million in cryptocurrency from U.S. residents via SIM-swapping attacks.”
From the cybersecurity breaches and vulnerabilities front,
- Cybersecurity Dive reports,
- “The Cybersecurity and Infrastructure Security Agency on Monday [April 20] released guidance related to the axios supply chain compromise originally disclosed in late March.
- “A suspected North Korean actor compromised the node package manager account for an axios maintainer last month. Axios is a Javascript library used widely across the software industry with millions of downloads per week.
- “CISA is urging security teams to monitor and review code depositories as well as continuous integration/continuous delivery pipelines that ran npm install or npm update on the compromised axios version, according to the guidance released Monday.
- “Security teams should search for cached versions of the affected dependencies in artifact repositories along with dependency management tools, according to the guidance.
- “If compromised dependencies are found during the search, organizations should revert the environment back to a known safe state, CISA said.”
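The CISA guidance quoted above tells teams to search artifact repositories and dependency tooling for cached copies of the affected axios release. The following is an added example (not CISA's tool and not code from the article) showing how a defender can sweep a source tree for a pinned package version across the three npm lockfile formats, including transitive copies nested under other packages. The version string in `WATCHLIST` is an obvious placeholder, since the page does not name the compromised release; the lockfile samples are constructed for the demo.

```python
"""Scan npm/yarn lockfiles for a pinned, known-compromised package version.

Added example, not code from CISA or the article. The version in WATCHLIST
is a placeholder: substitute the release(s) named in the CISA guidance.
"""
import json
import re
from pathlib import Path

# Placeholder version; NOT the real compromised axios release named by CISA.
WATCHLIST = {"axios": {"0.0.0-PLACEHOLDER"}}
LOCKFILE_NAMES = ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock")


def find_in_package_lock(text, watchlist=WATCHLIST):
    """Return (name, version, location) hits from a package-lock.json body.

    Handles lockfileVersion 2/3 (flat "packages" map keyed by node_modules
    path) and v1 (nested "dependencies" tree), so transitive pulls are seen.
    """
    data = json.loads(text)
    hits = []
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/pkg" intact
        if meta.get("version", "") in watchlist.get(name, set()):
            hits.append((name, meta["version"], path))

    def walk(deps, prefix):
        for name, meta in deps.items():
            loc = f"{prefix}node_modules/{name}"
            if meta.get("version", "") in watchlist.get(name, set()):
                hits.append((name, meta["version"], loc))
            walk(meta.get("dependencies", {}), loc + "/")

    if "packages" not in data:  # only v1 lacks the flat map
        walk(data.get("dependencies", {}), "")
    return hits


# yarn.lock v1: an unindented "name@range:" header followed by indented fields
YARN_HEADER = re.compile(r'^"?(?P<name>@?[^@\s"]+)@[^:]*:\s*$')
YARN_VERSION = re.compile(r'^\s+version\s+"?(?P<version>[^"\s]+)"?\s*$')


def find_in_yarn_lock(text, watchlist=WATCHLIST):
    """Return (name, version, 'yarn.lock') hits from a yarn.lock v1 body."""
    hits, current = [], None
    for line in text.splitlines():
        header = YARN_HEADER.match(line)
        if header:
            current = header.group("name")
            continue
        ver = YARN_VERSION.match(line)
        if ver and current and ver.group("version") in watchlist.get(current, set()):
            hits.append((current, ver.group("version"), "yarn.lock"))
    return hits


def scan_text(filename, text, watchlist=WATCHLIST):
    """Dispatch on the lockfile name; unknown files yield no hits."""
    if filename == "yarn.lock":
        return find_in_yarn_lock(text, watchlist)
    if filename in ("package-lock.json", "npm-shrinkwrap.json"):
        return find_in_package_lock(text, watchlist)
    return []


def scan_tree(root, watchlist=WATCHLIST):
    """Walk a checkout (or CI workspace) and report every lockfile hit."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.name in LOCKFILE_NAMES and path.is_file():
            for hit in scan_text(path.name, path.read_text(), watchlist):
                findings.append((str(path),) + hit)
    return findings


# Constructed samples: one clean axios at the top level, a bad copy nested
# under another package (the case a naive top-level check misses).
SAMPLE_LOCK_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/axios": {"version": "1.0.0"},
    "node_modules/some-sdk": {"version": "2.0.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "0.0.0-PLACEHOLDER"},
}})
SAMPLE_LOCK_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "some-sdk": {"version": "2.0.0",
                 "dependencies": {"axios": {"version": "0.0.0-PLACEHOLDER"}}},
}})
SAMPLE_YARN = '''# yarn lockfile v1

"axios@^0.0.0":
  version "0.0.0-PLACEHOLDER"
  resolved "https://registry.example/axios.tgz"

lodash@^4.17.0:
  version "4.17.21"
'''

if __name__ == "__main__":
    for fname, body in [("package-lock.json", SAMPLE_LOCK_V3),
                        ("package-lock.json", SAMPLE_LOCK_V1),
                        ("yarn.lock", SAMPLE_YARN)]:
        print(fname, scan_text(fname, body))
```

Run `scan_tree(".")` against a checkout or a CI workspace to cover every lockfile, including ones committed under subprojects. Lockfiles only show what a build would resolve; the page's guidance also calls for checking artifact repositories and caches, and on a live install `npm ls axios` lists the versions actually present in `node_modules`, which is worth comparing against the lockfile result.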
- and
- “Vercel, a cloud development platform, said that some of its internal systems were accessed after a third-party tool called Context.ai was compromised while being used by one of Vercel’s employees, according to a blog post released Sunday [April 20].
- “Vercel is widely known as the creator of Next.js, which is the open-source framework for React.
- “The attacker was able to take over the employee’s Vercel Google Workspace account and access certain company “environments and environment variables” that were not designated as “sensitive.”
- “Vercel said that a limited number of customers had their credentials compromised during the attack, and that they have been notified. They were urged to immediately rotate credentials.
- “The company said it believes the attacker is highly sophisticated, based on an assessment of their “operational velocity and detailed understanding of Vercel’s systems.”
- and
- “Hackers working for the Chinese government are increasingly hiding their attacks behind ready-made networks of hacked routers and other networking equipment, the U.S. and several allies said on Thursday [April 23].
- “Attackers’ use of these so-called covert networks is not new, the agencies said in a joint advisory, “but China-nexus cyber actors are now using them strategically, and at scale.”
- “By funneling their activity through compromised networking equipment — mostly small office and home office (SOHO) routers, but also internet of things devices — hackers can obfuscate their origins and make it harder for defenders to spot reconnaissance, malware deployment and data exfiltration.”
- Cyberscoop adds,
- “A state-sponsored hacking group has implanted a custom backdoor on Cisco network security devices that can survive firmware updates and standard reboots, U.S. and British cybersecurity authorities disclosed Thursday, marking a significant escalation in a campaign that has targeted government and critical infrastructure networks since at least late 2025.
- “The Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre jointly published a malware analysis report identifying the backdoor, code-named Firestarter. Cisco’s threat intelligence division, Talos, attributed the malware to a threat actor it tracks as UAT-4356. The company attributed the same group to a 2024 espionage campaign called ArcaneDoor, which focused on compromising network perimeter devices.
- “CISA confirmed it discovered Firestarter on a U.S. federal civilian agency’s Cisco Firepower device after identifying suspicious connections through continuous network monitoring. The finding prompted an updated emergency directive issued Thursday, requiring all federal civilian agencies to audit their Cisco firewall infrastructure and submit device memory snapshots for analysis by Friday.”
- CISA added fourteen known exploited vulnerabilities (KEVs) to its catalog this week.
- April 20, 2026
- CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability
- CVE-2024-27199 JetBrains TeamCity Relative Path Traversal Vulnerability
- CVE-2025-2749 Kentico Xperience Path Traversal Vulnerability
- CVE-2025-32975 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
- CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
- CVE-2026-20122 Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
- CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
- CVE-2026-20133 Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability
- April 22, 2026
- CVE-2026-33825 Microsoft Defender Insufficient Granularity of Access Control Vulnerability
- Bleeping Computer discusses this KEV here.
- April 23, 2026
- CVE-2026-39987 Marimo Remote Code Execution Vulnerability
- Resecurity discusses this KEV here.
- April 24, 2026
- CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal Vulnerability
- CVE-2024-57726 SimpleHelp Missing Authorization Vulnerability
- CVE-2024-57728 SimpleHelp Path Traversal Vulnerability
- CVE-2025-29635 D-Link DIR-823X Command Injection Vulnerability
- The Hacker News discusses these KEVs here.
- Cybersecurity Dive informs us,
- “Phishing was the most common way hackers breached their targets in the first quarter of 2026, after nearly a year out of the top spot, Cisco’s Talos threat intelligence team said in a report published on Wednesday.
- “Nearly 20% of Cisco’s incident-response engagements involved the preliminary stages of a ransomware attack, according to the report — significantly lower than in the first two quarters of 2025, when it was 50%.
- “Cisco also said it saw hackers using AI to improve phishing attacks.”
- and
- “Companies using AI to write code are creating serious security risks that not all organizations feel prepared to handle, according to a report released Wednesday by the security testing firm ProjectDiscovery.
- “Security personnel want audit trails and access limitations before they integrate AI into their processes, ProjectDiscovery found. “They are not opposed to the technology, but they need it to earn its place.”
- “The report highlights one of the most fraught aspects of the AI revolution in the corporate world: the tension between AI-assisted coders and the people responsible for protecting their work.”
- Dark Reading points out,
- “AI agents can now carry out end-to-end cloud attacks with minimal human guidance, exploiting known misconfigurations and vulnerabilities at a speed no human attacker can match.
- “That’s the central finding of a new proof-of-concept (PoC) study by Palo Alto Networks’ Unit 42, where researchers built an autonomous multi-agent system that carried out a complete cloud attack chain in a live environment, using a single natural-language prompt.
- “The study suggests an intrusion campaign that Anthropic uncovered last year, when a Chinese state-affiliated cyber-espionage group used the company’s Claude AI to automate large portions of an attack chain, was more a preview of things to come rather than an exception.”
- Cyberscoop notes,
- “Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.
- “Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release.
- “Roughly half of every activity surge GreyNoise detected during a 103-day study last winter was followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.
- “Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.”
From the ransomware front,
- Bleeping Computer reports,
- “Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.
- “In a statement shared today, the company said it detected unauthorized access to customer and prospective customer data on April 20, after which it terminated the intrusion and launched an investigation.
- “This investigation determined that personal information was stolen during the breach.”
- “The investigation confirmed that the information involved was limited to names, phone numbers, and addresses,” ADT told BleepingComputer.
- “In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included. Critically, no payment information — including bank accounts or credit cards — was accessed, and customer security systems were not affected or compromised in any way.”
- and
- “Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently.
- “The utility was employed in attacks in March that were attributed to a gang affiliate, likely in an effort to avoid publicly available tools, such as Rclone and MegaSync, that typically trigger security solutions.
- “Researchers at cybersecurity company Symantec believe that the shift to a custom tool may indicate that the attacker is “investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks.”
- and
- “A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.
- “Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers.
- “The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces,” explains Rapid7.”
- Dark Reading relates,
- “A ransomware gang known as “The Gentlemen” has made a name for itself, claiming hundreds of victims in a matter of months.
- “The Gentlemen is a ransomware-as-a-service (RaaS) outfit that first popped up in mid-2025. While it operates fairly typical double extortion attacks (using both encryption and data leaking as extortion levers), The Gentlemen is known for sophisticated tactics, techniques, and procedures (TTPs), such as antivirus killers and complex infection chains.
- “Check Point Research this week published its latest findings concerning the gang, noting that it has claimed hundreds of victims and uses malware including something called SystemBC, which researchers described as “a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.”
From the cybersecurity defenses front,
- TechTarget discusses,
- “Beyond awareness: Human risk management metrics for CISOs
- “Traditional security training isn’t keeping threat actors out. As employee awareness programs fall short, Forrester Research suggests a better approach.” * * *
- “With cybersecurity threats evolving so swiftly, organizations cannot afford to rely on outdated security awareness programs that fail to address the root causes of human vulnerabilities. Human risk management offers a transformative approach, shifting the focus from mere awareness to actionable behavior change.”
- Dark Reading points out,
- “When Anthropic announced Project Glasswing this month, most coverage landed on the headline numbers: a 27-year-old OpenBSD vulnerability, a 16-year-old FFmpeg flaw, a Linux kernel exploit chain assembled without human steering. The coalition behind it, including AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, Palo Alto Networks, and others, isn’t there for the optics; they’re there because the model’s capabilities are real, and the coordinated disclosure pipeline matters.
- “The part worth dwelling on is the FFmpeg result specifically. At least five million automated fuzzer testing passes hit that vulnerable line of code and not one caught it. Mythos Preview read the code, understood what it was doing, and found the flaw.
- “That gap highlights a fundamental security misconception of the past two decades.
- “The industry built enumerators. It needed readers.
- “Automated security tooling has almost always worked the same way at its core: define a pattern, scan to identify the pattern, flag the match. SIEMs ingest event logs and match rules. Static analysis tools check code against known signatures. Vulnerability scanners compare software versions against CVE databases, and so on. These are mostly based on enumeration, and enumeration can only find what you already know to look for.
- “Five million passes with the industry standard tools, zero catches. These tools knew how to count. But they didn’t know how to read.
- “Mythos Preview succeeded because it approached the code the way a skilled human analyst would: with an understanding of intent, of relationships between components, of what a sequence of operations does, rather than what it superficially looks like. Security at that depth has been the exclusive domain of rare, expensive human expertise. A model that replicates it at scale is genuinely a different kind of thing, and the industry is right to pay attention.”
- Here is a link to Dark Reading’s CISO Corner.
