Cybersecurity Saturday

From the Iranian war front,

  • Cybersecurity Dive reports,
    • “A threat group linked to Iranian intelligence has been running a months-long false-flag operation to hack organizations in the U.S. and other countries under the guise of a criminal ransomware group, according to a report released Wednesday [May 6] by researchers at Rapid7. 
    • “The state-sponsored threat group, tracked as MuddyWater, operated a social engineering campaign beginning in early 2026 that abused Microsoft Teams to harvest credentials and bypass multifactor authentication. 
    • “The attacks were made to look as if they were the work of Chaos, a ransomware-as-a-service group that has been active since 2025. Researchers said the false flag creates ambiguity that could affect how security teams investigate an intrusion. 
    • “If an operation looks like ransomware, defenders may initially treat it as financially motivated cybercrime rather than a state-linked operation,” Christiaan Beek, vice president of cyber intelligence at Rapid7, told Cybersecurity Dive. “That can slow attribution, complicate response, and give the actor plausible deniability.”

From the cybersecurity policy and law enforcement front,

  • Dark Reading reports,
    • “It’s been a brutal 16 months since the Cybersecurity and Infrastructure Security Agency (CISA) has had a Senate-confirmed director. Now, a new name has bubbled up as a possible pick to take over the beleaguered agency: Tom Parker, a low-key, British-born cybersecurity expert known for business savvy, technical expertise, and decades of focus on the delicate economics of cybercrime and cyber defense. 
    • “Reports say that although he has not yet been officially nominated, Parker is a contender to get the nod from new Department of Homeland Security Secretary, Markwayne Mullin. A request for comment from Dark Reading to DHS was referred to the White House, which has not yet responded. 
    • “Parker however tells Dark Reading that despite recent reporting, he has not had any “direct engagement” with the administration on taking on the role, but would welcome the conversation.” 
  • Federal News Network adds,
    • “The Office of Management and Budget (OMB) picked a long-time federal technology manager to take over as the deputy federal CIO. Thomas Flagg is set to assume that role. Federal News Network has learned that Federal CIO Greg Barbaccia made the announcement to agency CIOs yesterday. Flagg, who is the Education Department CIO, will replace Drew Mykelgard, who left in September to join the private sector after three-plus years in the role. Barbaccia wrote in his email that Flagg stood out among a large number of candidates because of the depth and seriousness of his experience across multiple technology leadership roles. Flagg also worked at the Labor Department for 11 years before moving to Education in 2025. 
  • Cybersecurity Dive reports,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) wants to help critical infrastructure operators keep their systems running during a major cyberattack or other serious incident.
    • “CISA on Tuesday [May 5, 2026] released guidance as part of an international “CI Fortify” initiative focused on activities that infrastructure operators can take to isolate the effects of a cyber intrusion and recover from them.
    • “In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering—at a minimum—crucial services,” acting CISA Director Nick Andersen said in a statement. “They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.
    • “The new guidance, modeled on advice that the Australian government published in 2025, comes as intelligence agencies warn that China might sabotage Western critical infrastructure to keep the U.S. and its allies from interfering with Beijing’s long-rumored invasion of Taiwan. China’s Volt Typhoon hacking campaign indicated that Beijing had already begun laying the groundwork for such disruption, prompting U.S. officials to step up warnings about the dangers of interdependencies in operational technology.”
  • and
    • “The U.S. government’s AI security center will evaluate frontier models from Google, Microsoft and xAI before their release to determine whether the models’ advanced capabilities pose cybersecurity risks.
    • “The newly announced plan for the National Institute of Standards and Technology’s (NIST) Center for AI Standards and Innovation (CAISI) to conduct “pre-deployment evaluations” represents the U.S. government’s most significant attempt yet to get ahead of security threats from powerful AI systems.
    • “Independent, rigorous measurement science is essential to understanding frontier AI and its national security implications,” CAISI Director Chris Fall said in a statement. “These expanded industry collaborations help us scale our work in the public interest at a critical moment.”
  • The Wall Street Journal adds,
    • “The White House is weighing a new government-review process for artificial-intelligence tools that the government deems to pose cybersecurity risks, a move that could further expand its oversight of AI in response to Anthropic’s powerful Mythos model.
    • “The White House is considering a cybersecurity-focused executive order that could include formalizing a government oversight group to create standards for the most powerful AI models, such as Mythos, people familiar with the discussions said. The goal is to protect consumers and businesses from cyberattacks and other disruptions caused by the premature release of such models, and a range of ideas are being considered, the people said. 
    • “The internal conversations show how Mythos has forced the Trump administration to recalibrate aspects of its laissez-faire approach to AI oversight. The administration has unwound Biden administration efforts to implement safety standards and attacked states trying to impose regulations, hoping to ease constraints tech companies face in rolling out new models.” 
  • Cyberscoop notes,
    • “The Cybersecurity and Infrastructure Security Agency has gotten “by far” the biggest gains from artificial intelligence automation in its security operations unit to help analysts sift through threats, but it’s also proven valuable elsewhere within the agency, CISA officials said Tuesday.
    • “It’s “really allowing those analysts to do triage very fast, so they focus on what matters versus the noise,” Tammy Barbour, acting chief of application management at CISA, said. “They’re able to do a lot of real-time, quick looks before events happen in most places.”
    • “Barbour, speaking at the UiPath FUSION Public Sector event hosted by Scoop News Group, said automation has also been a boon to CISA’s Technology Operations Center.
    • “The top analysts are able to quickly respond to customers who are reaching out to talk and asking questions, and be able to get real-time efficiencies with that,” she said.”
  • Security Week tells us,
    • “A Latvian member of the Karakurt ransomware gang was sentenced to 8.5 years in prison in the US for his involvement in extorting victims.
    • “The individual, Deniss Zolotarjovs, 35, of Latvia, was arrested in Georgia in December 2023 and extradited to the US in August 2024. He pleaded guilty in July 2025.
    • “Associated with the infamous Conti group and also known as TommyLeaks, Schoolboys Ransomware Gang, and Blockbit, Karakurt was one of the most notorious ransomware groups half a decade ago.”
  • Cyberscoop informs us,
    • “Two U.S. nationals were sentenced to 18 months in prison for running laptop farms that facilitated North Korea’s expansive remote IT workers scheme, the Justice Department said Wednesday.
    • “Matthew Issac Knoot and Erick Ntekereze Prince both received and hosted laptops at their residences to dupe U.S. companies into thinking remote IT workers they hired were located in the country. The pair’s separate schemes impacted almost 70 U.S. companies and generated a combined $1.2 million in revenue for the North Korean regime.”
  • Bleeping Computer adds,
    • “A 34-year-old Virginia man was found guilty of conspiring to destroy dozens of government databases after getting fired from his job as a federal contractor.
    • “In 2016, Sohaib Akhter and his twin brother and co-defendant Muneeb Akhter were also sentenced to several years in prison after pleading guilty to accessing U.S. State Department systems without authorization and stealing the personal information of dozens of co-workers and a federal law enforcement agent who was investigating their crimes.
    • “After serving their sentences, the two brothers were rehired as government contractors by a company that worked with more than 45 federal agencies and hosted government data on servers in Ashburn.
    • “When the company discovered Sohaib Akhter’s felony conviction, it terminated both brothers’ employment during an online remote meeting on Feb. 18, 2025,” the Justice Department said. “Immediately after being fired during this meeting, the brothers sought to harm their employer and its U.S. government customers by accessing computers without authorization, write-protecting databases, deleting databases, and destroying evidence of their unlawful activities.”

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop reports,
    • “A defense technology company with Department of Defense contracts exposed user records and military training materials through API endpoints that lacked meaningful authorization checks, according to an account published by Strix, an open-source autonomous security testing project.
    • “The issue affected Schemata, an AI-powered virtual training platform used in military and defense settings. According to Strix, an ordinary low-privilege account was able to access data across multiple tenants, including user listings, organization records, course information, training metadata and direct links to documents hosted on Schemata’s Amazon Web Services instances.”
  • CISA added three known exploited vulnerabilities (KEVs) to its catalog this week.
  • SC Media points out,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) is reportedly considering shortening remediation deadlines for vulnerabilities added to the Known Exploited Vulnerabilities catalog, according to Reuters.
    • “Citing two sources familiar with the matter, Reuters reported Friday [May 1, 2026] that CISA Acting Director Nick Andersen and U.S. National Cyber Director Sean Cairncross were discussing proposals to cut KEV deadlines for federal civilian executive branch agencies from an average of two to three weeks to just three days.
    • “The discussion was reportedly spurred by the emergence of advanced AI tools such as Anthropic’s Claude Mythos and OpenAI’s GPT-5.4-Cyber that have the potential to identify and exploit flaws at unprecedented speed.
    • “A CISA spokesperson declined to comment on whether such discussions were taking place or whether a decision had been made.”
  • Security Week lets us know,
    • “Microsoft has warned organizations in the United States about a sophisticated phishing campaign that uses a “code of conduct review” theme to lure victims to a malicious website.
    • “The tech giant observed more than 35,000 attempts between April 14 and 16. The malicious emails were received by users across roughly 13,000 organizations in 26 countries, but 92% of the targets were in the US. 
    • “Many of the messages were received by users in the healthcare and life sciences, financial services, professional services, and technology and software sectors.” * * *
    • “Enterprises at risk of being targeted in this and similar phishing campaigns have been provided with recommendations for mitigating attacks, as well as threat-hunting queries and indicators of compromise (IoCs).”
  • Cybersecurity Dive relates,
    • “Hackers could exploit vulnerabilities in Progress Software’s MOVEit Automation tool to improperly access businesses’ data, the software maker said in a recent advisory.
    • “Exploitation of the two flaws — an authentication-bypass vulnerability tracked as CVE-2026-4670 and a privilege-escalation vulnerability tracked as CVE-2026-5174 — could “lead to unauthorized access, administrative control, and data exposure,” according to Progress Software’s advisory.
    • “The newly patched flaws represent serious security weaknesses in a widely used managed-file-transfer program that helps organizations transfer data between self-hosted servers, cloud platforms and third-party vendors.
    • “Progress Software urged customers to upgrade to the latest version of the software, which fixes both vulnerabilities.”
  • Per Dark Reading,
    • “Researchers have spotted a modular cloud worm that will clear you of any infections by the dangerous supply chain attacker “TeamPCP,” free of charge. The catch: It wants your secrets.
    • “SentinelLabs named the program “PCPJack” in a new blog post, and described it as “well developed” — effective, with a few inexplicable but superficial oddities. Affected organizations stand to lose secrets associated with their cloud, container, developer, productivity, and financial services, unless they implement cloud security best practices, concealing passwords and keys behind vaults and multifactor checks.”
  • Per Bleeping Computer,
    • “A fake version of the Claude AI website offers a malicious Claude-Pro Relay download that pushes a previously undocumented backdoor for Windows named Beagle.
    • “The threat actor advertises Claude-Pro as a “high-performance relay service designed specifically for Claude-Code” developers.
    • “The fake website is a simplistic attempt at mimicking the legitimate site for the popular Claude large language model (LLM) and an AI assistant, using similar colors and fonts.
    • “However, the facade falls apart when it comes to links, as they are mere redirects to the front page, researchers at cybersecurity company Sophos say in a report today.”
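The Schemata finding above is a textbook broken object-level authorization bug: the API authenticated the caller but never checked that the requested record belonged to the caller's tenant. The following is an added example, not Schemata's code and not from the Strix report; every name, role and record in it is constructed. It places a vulnerable handler beside a hardened one that scopes every lookup to the caller's organization and role, and includes the cross-tenant enumeration probe a tester would run to demonstrate the leak.

```python
"""Object-level authorization in a multi-tenant API: vulnerable vs. hardened.

Added example (not Schemata's code, not from the Strix report). All names,
roles, records and the in-memory "database" below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str
    role: str  # constructed roles: "learner" or "admin"


@dataclass(frozen=True)
class Course:
    course_id: str
    org_id: str
    title: str
    document_url: str  # constructed; stands in for a storage object link


# Constructed sample data: two tenants sharing one backend.
COURSES = {
    "c-100": Course("c-100", "org-alpha", "Intro module", "https://storage.example/alpha/intro.pdf"),
    "c-200": Course("c-200", "org-bravo", "Safety briefing", "https://storage.example/bravo/safety.pdf"),
}
USERS = {
    "u-1": Principal("u-1", "org-alpha", "learner"),
    "u-2": Principal("u-2", "org-bravo", "admin"),
}


class Forbidden(Exception):
    pass


def get_course_vulnerable(session_user_id, course_id):
    """Authenticates the caller (the user must exist) but never checks tenancy,
    so any logged-in user can read any tenant's record by guessing an id."""
    if session_user_id not in USERS:
        raise Forbidden("not logged in")
    return COURSES[course_id]


def get_course_hardened(session_user_id, course_id):
    """Object-level check: the record must belong to the caller's org.
    A missing record and a foreign record both return None (a 404 at the
    HTTP layer) so the endpoint does not reveal which ids exist elsewhere."""
    caller = USERS.get(session_user_id)
    if caller is None:
        raise Forbidden("not logged in")
    course = COURSES.get(course_id)
    if course is None or course.org_id != caller.org_id:
        return None
    return course


def list_users_hardened(session_user_id):
    """Listing users is a tenant-admin function: scoped to the caller's org
    and refused for non-admin roles."""
    caller = USERS.get(session_user_id)
    if caller is None:
        raise Forbidden("not logged in")
    if caller.role != "admin":
        raise Forbidden("admin role required")
    return sorted(u.user_id for u in USERS.values() if u.org_id == caller.org_id)


def cross_tenant_probe(handler, user_id):
    """Enumerates every course id through `handler` as `user_id` and returns
    the ids of records owned by another tenant: the evidence collected for a
    broken object-level authorization finding."""
    caller = USERS[user_id]
    leaked = []
    for cid in COURSES:
        try:
            rec = handler(user_id, cid)
        except Forbidden:
            continue
        if rec is not None and rec.org_id != caller.org_id:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_tenant_probe(get_course_vulnerable, "u-1"))  # ['c-200']
    print("hardened handler leaks:", cross_tenant_probe(get_course_hardened, "u-1"))    # []
```

The probe is the same check whichever handler it runs against; the only difference is whether the handler compares the record's owner to the caller's tenant before returning it. Returning None for both absent and foreign records is deliberate: a distinct "forbidden" response for foreign ids would let a low-privilege user enumerate which identifiers exist in other tenants.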
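For the KEV items above (three new catalog entries this week, and a reported proposal to cut federal remediation deadlines from two to three weeks to three days), the practical question for a vulnerability-management team is what was added recently and how much time each entry leaves. The following is an added example, not CISA tooling. It parses the catalog in the JSON shape CISA publishes (a top-level "vulnerabilities" list whose entries carry cveID, dateAdded and dueDate as YYYY-MM-DD strings), lists entries added in a window, and shows how each due date would move under a shorter cap. The embedded catalog is a constructed stand-in with placeholder ids, not real KEV entries; a live run would pass the downloaded feed in as the same kind of dict.

```python
"""Triage recent CISA KEV additions against current and proposed deadlines.

Added example, not CISA tooling. SAMPLE_CATALOG_JSON is constructed with
placeholder ids; only the field names follow the published catalog format.
"""
import json
from datetime import date, timedelta

SAMPLE_CATALOG_JSON = """
{
  "title": "constructed sample catalog",
  "catalogVersion": "0",
  "vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleCo", "product": "Gateway",
     "dateAdded": "2026-05-04", "dueDate": "2026-05-25", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleCo", "product": "Portal",
     "dateAdded": "2026-05-06", "dueDate": "2026-05-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "OtherCo", "product": "Agent",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""


def parse_date(s):
    return date.fromisoformat(s)


def added_between(catalog, start, end):
    """Entries whose dateAdded falls in [start, end], newest first."""
    hits = [v for v in catalog["vulnerabilities"]
            if start <= parse_date(v["dateAdded"]) <= end]
    return sorted(hits, key=lambda v: v["dateAdded"], reverse=True)


def remediation_window_days(entry):
    """Days CISA allowed between adding the entry and its due date."""
    return (parse_date(entry["dueDate"]) - parse_date(entry["dateAdded"])).days


def due_under_policy(entry, max_days):
    """Hypothetical due date if the window were capped at max_days."""
    added = parse_date(entry["dateAdded"])
    return min(parse_date(entry["dueDate"]), added + timedelta(days=max_days))


def triage(catalog, today, window_days=7, policy_days=None):
    """Summarize entries added in the last window_days: current window,
    days left, ransomware flag, and (optionally) the same under a cap."""
    rows = []
    for v in added_between(catalog, today - timedelta(days=window_days), today):
        due = parse_date(v["dueDate"])
        row = {
            "cve": v["cveID"],
            "added": v["dateAdded"],
            "window_days": remediation_window_days(v),
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        }
        if policy_days is not None:
            pdue = due_under_policy(v, policy_days)
            row["policy_due"] = pdue.isoformat()
            row["policy_days_left"] = (pdue - today).days
        rows.append(row)
    return rows


def demo_rows():
    """Run the triage over the constructed catalog as of 2026-05-09 with a
    hypothetical three-day cap (the figure reported in the SC Media item)."""
    return triage(json.loads(SAMPLE_CATALOG_JSON), date(2026, 5, 9), policy_days=3)


if __name__ == "__main__":
    for r in demo_rows():
        print(r)
```

Negative `policy_days_left` values are the point of the comparison: under a three-day cap, an entry added on Monday that has not been patched by Friday is already overdue, whereas the same entry has weeks left under the current window.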

From the ransomware front,

  • Edscoop reports,
    • “ShinyHunters, the prolific criminal hacker and extortion group, on Thursday [May 7, 2026] provided additional details about its recent breach of Canvas, the learning management system developed by Instructure, with hopes of coaxing payments from some of the nearly 9,000 educational institutions it claims are affected.
    • “After announcing on May 1 that it had exfiltrated several terabytes of data containing the personal information of 275 million users, it announced a deadline of Thursday [May 7] before “everything is leaked and there will be no chance at a negociation for anyone. Instructure has not even bothered speaking to us to understand the situation or to even negociate with us to prevent the release of this data. Our demand was not even as high as you might think it is.”
    • “On Thursday, the group presented to Canvas users a second message and extended the deadline for payment until May 12. “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’,” the note reads. The group advised affected schools to consult security professionals and use the Tox messaging protocol to negotiate a “settlement.”
    • “The attached list of affected institutions includes many school districts, along with well-known universities, including Cambridge, Columbia, Cornell, Georgetown, Harvard, MIT and UC Berkeley.”
  • The Wall Street Journal adds on May 8, 2026,
    • Canvas, one of the most widely used education apps, said it had restored services after pulling the plug in the middle of finals week at many colleges to deal with a cybersecurity incident.
    • From Berkeley to Harvard, students at thousands of colleges and high schools temporarily lost access to their coursework on Thursday afternoon after a hacking group posted a ransom note on the platform.  
    • The company behind Canvas, Instructure Inc., said the intruders had accessed some customer data, including names, email addresses and student ID numbers, as well as messages between Canvas users. The company said it hasn’t found that passwords or financial information were involved. The investigation is ongoing and it has notified the Federal Bureau of Investigation.
    • “We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” the company said on its website. “As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts.” 
  • Security Week relates,
    • “The RansomHouse ransomware group has taken credit for the recent attack on the cybersecurity firm Trellix.
    • “The Trellix hack came to light this week when the company announced on its website that part of its source code repository had been breached.
    • “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited,” the company stated.
    • “No other information has been shared by Trellix, but it has promised to release additional details after it completes its investigation.”
  • Industrial Cyber tells us,
    • “New data from BlackFog shows ransomware activity remaining structurally elevated, with attacks continuing to operate at high volume while expanding their data-centric focus across both disclosed and undisclosed incidents. The analysis highlights that threat actors are increasingly prioritising data theft and extortion over traditional encryption-only disruption, reflecting a broader shift in how ransomware operations monetise compromise. It also underscores that incidents continue to span multiple sectors and geographies, reinforcing that ransomware is no longer episodic but persistent, industrialised, and embedded across the global threat landscape.
    • “A total of 264 publicly disclosed ransomware attacks were recorded, representing a 15% decrease compared to the same period the previous year, BlackFog disclosed in its ‘Q1 2026 Ransomware Report.’ Despite this decline, activity remained steady throughout the first quarter, with 91 attacks in January, 83 in February, and 90 in March. Healthcare remained the most targeted sector, accounting for 72 attacks (27%), reflecting the continued focus on organizations with sensitive data and limited tolerance for operational disruption. Government entities experienced 32 attacks (12%), while the technology sector followed with 28 attacks (11%).” 

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “OpenAI said it was previewing a powerful artificial-intelligence model capable of finding software vulnerabilities for a limited group of partners, adding to an industry race to give customers the most advanced cyber capabilities.
    • “The ChatGPT maker said it was releasing GPT-5.5-Cyber, a version of its most capable AI model, to a limited group of users that do vital security work. Other versions of GPT-5.5 are available to customers that do broader cyber work or general queries.
    • “The announcement followed consultation with the White House, which is working with top AI companies on the release of models that present national-security risks. Federal agencies and congressional committees have also been briefed on the latest capabilities.
    • “OpenAI Chief Executive Sam Altman said last week that the company was beginning to roll out the model to trusted cyber partners.”
  • Security Boulevard assesses Anthropic’s Project Glasswing.
  • Security Week relates,
    • “Cisco on Monday announced its intent to acquire Astrix Security, a startup focused on securing non-human identities (NHIs) such as API keys, service accounts, and OAuth tokens increasingly used by applications and AI agents.
    • “In a blog post, Cisco said the acquisition is aimed at extending zero trust principles to the emerging “agentic workforce,” where AI agents and machine identities are rapidly expanding the enterprise attack surface. Astrix’s technology is designed to help organizations discover, govern, and secure these identities, including detecting excessive privileges and real-time threats. 
    • “Astrix provides visibility into non-human identities and the activity of AI-driven agents, along with lifecycle management and automated detection and remediation of over-privileged, unnecessary, or malicious access — including compromised credentials and rogue agent behavior. Cisco plans to integrate these capabilities into its broader security platform, including identity intelligence, secure access, and Duo IAM.”
  • Cybersecurity Dive tells us,
    • “Businesses are confident that AI will improve their cybersecurity posture, even as they neglect more fundamental security tools like identity management and zero-trust networking, according to a “State of Workforce Password Security” report that the business software provider Zoho published on Tuesday.
    • “AI confidence also doesn’t match implementation readiness, the report found, with a massive gap between the share of companies expecting AI to help them with security and the share of companies ready to act on that potential.
    • “The report also contains data on the share of companies that experienced recent cyberattacks and the business world’s security spending plans.”
  • Tech Target identifies “top zero-trust use cases in the enterprise.”
    • “When applied correctly, zero trust can minimize an organization’s attack surface. Experts weigh in on the best use cases where zero trust can deliver results.”
  • Here is a link to Dark Reading’s CISO Corner.
