From the cybersecurity policy and law enforcement front,
- Cyberscoop reports,
- “A bipartisan pair of House lawmakers are seeking to improve private-public coordination for financial institutions amid a surge of ransomware attacks on the sector.
- “The Public and Private Sector Ransomware Response Coordination Act, introduced this week by Reps. Zach Nunn, R-Iowa, and Josh Gottheimer, D-N.J., would direct the Treasury secretary to deliver a report on existing collaboration between federal agencies and private financial companies, examining how those partnerships can be improved to better protect the industry from cyberattacks.
- “The legislation from Nunn and Gottheimer, both members of the House Financial Services Committee, comes as global ransomware attacks jumped 67% from 2023 to 2024, according to the director of national intelligence. And according to Statista, approximately 65% of financial institutions globally reported experiencing a ransomware attack in 2024, up from 34% in 2021.”
- Per a House of Representatives announcement,
- On Wednesday, February 5, 2025, the Committee on Homeland Security will hold a hearing entitled, “Preparing the Pipeline: Examining the State of America’s Cyber Workforce.”
- The Committee will meet at 10:00 a.m. EST in 310 Cannon House Office Building. Witnesses will be by invitation only.
- This event will be streamed live at homeland.house.gov and on YouTube.
- Cyberscoop adds,
- “The Federal Bureau of Investigation, along with several other international law enforcement departments, has seized control of several high-profile online platforms linked to cybercrime in a sweeping operation aimed at disrupting digital marketplaces for stolen credentials and hacking tools. The domains of forums Cracked[.]io and Nulled[.]to now redirect to FBI-controlled servers, signaling efforts to dismantle infrastructure that supports cybercriminal activity.
- “As of Wednesday, visitors to the forums — long criticized as hubs for password theft, software piracy, and credential-stuffing attacks — encountered DNS error messages indicating federal intervention. Eagle-eyed cybersecurity researchers discovered Wednesday that the specialized servers that translate IP addresses into domain names redirected visitors to FBI-owned assets, effectively shutting down access.
- “Also seized were domains and services belonging to SellIX, which enabled users to create storefronts for illicit goods, and StarkRDP, a Windows remote desktop hosting service, which was allegedly leveraged by threat actors to anonymize attacks.
- “According to the image on the Cracked and Nulled websites, law enforcement from Australia, France, Germany, Greece, Italy, Spain, and Romania were also involved. Europol also played a role, according to the image.
From the cybersecurity vulnerabilities and breaches front,
- Cyberscoop lets us know,
- “Cryptojacking, the tactic of breaking into a device to steal computing resources and mine crypto, is a pervasive, frustrating and expensive problem. But attacks like these can also raise cybersecurity concerns, especially when they happen to the federal government.
- “Last fall, the U.S. Agency for International Development learned it was hit by a cryptojacking incident, according to documents viewed by Scoop News Group. The agency was notified by Microsoft that a global administrator account located in a test environment had been breached through a password spray attack — a brute force attempt to enter a system by guessing a series of passwords.
- “That account was then used to create another account — and both were then deployed to begin crypto-mining processes through USAID’s Azure resources. The result was around half a million dollars in cloud service charges to the agency.
- “Using government resources to break into an agency’s resources for the purpose of mining crypto might sound strange, but it happens.”
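- As an added example (not code from the Cyberscoop article, Microsoft, or USAID), the Python below shows how the chain that article describes looks in cloud sign-in and audit logs and how to flag it: a password spray is one source failing against many distinct accounts with only a few tries each (the opposite shape of a brute force against one account), and the follow-on signals are a later success from that same source, then an account created by the compromised identity and a resource deployed by either of them. The log records, field names and the thresholds are constructed for this example and are not real Azure or Entra ID telemetry.

```python
"""Added example, not code from the Cyberscoop article or from USAID:
detecting a password spray and its follow-on actions in sign-in and audit
logs.  The records below are constructed for this example and are not real
Azure or Entra ID telemetry; the field names and thresholds are assumed."""
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line, in time order.
# 203.0.113.9 sprays six accounts once each and later gets into the
# test-tenant admin account; 198.51.100.4 hammers one account (a brute
# force, not a spray) and should not be flagged by the spray rule.
SAMPLE_LOG = """
{"ts": "2024-10-02T01:00:01Z", "type": "signin", "user": "alice@example.test", "ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-10-02T01:00:02Z", "type": "signin", "user": "bob@example.test", "ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-10-02T01:00:03Z", "type": "signin", "user": "carol@example.test", "ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-10-02T01:00:04Z", "type": "signin", "user": "dave@example.test", "ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-10-02T01:00:05Z", "type": "signin", "user": "erin@example.test", "ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-10-02T01:00:06Z", "type": "signin", "user": "admin-test@example.test", "ip": "203.0.113.9", "result": "failure"}
{"ts": "2024-10-02T01:05:00Z", "type": "signin", "user": "bob@example.test", "ip": "198.51.100.4", "result": "failure"}
{"ts": "2024-10-02T01:05:01Z", "type": "signin", "user": "bob@example.test", "ip": "198.51.100.4", "result": "failure"}
{"ts": "2024-10-02T01:05:02Z", "type": "signin", "user": "bob@example.test", "ip": "198.51.100.4", "result": "failure"}
{"ts": "2024-10-02T01:05:03Z", "type": "signin", "user": "bob@example.test", "ip": "198.51.100.4", "result": "success"}
{"ts": "2024-10-02T01:06:00Z", "type": "signin", "user": "carol@example.test", "ip": "192.0.2.7", "result": "success"}
{"ts": "2024-10-02T01:30:00Z", "type": "signin", "user": "admin-test@example.test", "ip": "203.0.113.9", "result": "success"}
{"ts": "2024-10-02T01:32:00Z", "type": "audit", "action": "add_user", "actor": "admin-test@example.test", "target": "miner-svc@example.test"}
{"ts": "2024-10-02T01:40:00Z", "type": "audit", "action": "deploy_vm", "actor": "miner-svc@example.test", "target": "vm-batch-01"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_password_spray(events, min_accounts=5, max_per_account=2):
    """Return {ip: [users]} for sources whose failures are spread across at
    least min_accounts distinct users with at most max_per_account tries
    each.  A brute force against one account fails the first condition."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> count
    for e in events:
        if e["type"] == "signin" and e["result"] == "failure":
            failures[e["ip"]][e["user"]] += 1
    return {
        ip: sorted(per_user)
        for ip, per_user in failures.items()
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account
    }


def follow_on_activity(events, sprayers):
    """Successes from a spraying IP, then anything the compromised identity
    (or an identity it created) adds or deploys.  Events must be in time
    order, since suspicion is propagated forward."""
    compromised = set()
    findings = []
    for e in events:
        if e["type"] == "signin":
            if e["result"] == "success" and e["ip"] in sprayers:
                compromised.add(e["user"])
                findings.append(("spray_success", e["ip"], e["user"]))
        elif e["type"] == "audit" and e["actor"] in compromised:
            if e["action"] == "add_user":
                compromised.add(e["target"])  # the new account inherits suspicion
                findings.append(("account_created_by_compromised", e["actor"], e["target"]))
            elif e["action"] == "deploy_vm":
                findings.append(("resource_deployed_by_compromised", e["actor"], e["target"]))
    return findings


def run_example(log=SAMPLE_LOG):
    """Run both detections over the sample log; returns (sprayers, findings)."""
    events = parse_events(log)
    sprayers = detect_password_spray(events)
    return sprayers, follow_on_activity(events, sprayers)


if __name__ == "__main__":
    spray, found = run_example()
    for ip, users in spray.items():
        print(f"password spray from {ip} against {len(users)} accounts: {', '.join(users)}")
    for finding in found:
        print(*finding)
```

The thresholds are deliberately loose so the sample is readable; in production they would be tuned per tenant, and the same rule would be fed from the real sign-in and audit log sources rather than an inline string. The point of propagating suspicion into the created account is that in the incident described above the second account, not the sprayed one, did the expensive work.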
- Per Cybersecurity Dive,
- “The Food and Drug Administration has released a safety communication about the cybersecurity vulnerabilities of certain patient monitors from Contec and Epsimed.
- “The notice, which the FDA published Thursday [January 30], describes three vulnerabilities that can allow people to gain access to remote monitoring technology and potentially manipulate the devices.
- “The FDA is not aware of cybersecurity incidents, injuries or deaths linked to the vulnerabilities but is advising patients, healthcare providers and IT staff to take steps to mitigate the risks.”
- and
- “Threat actors are exploiting a zero-day vulnerability in Zyxel CPE Series devices months after the security flaw was originally reported to the company, researchers at GreyNoise disclosed in a blog post Tuesday.
- “The critical command-injection vulnerability, tracked as CVE-2024-40891, allows an attacker to execute arbitrary commands on a CPE Series device, which can lead to exfiltration of data, infiltration of a computer network or total system compromise.
- “Due to GreyNoise’s first-hand, confirmed mass exploitation attempts for this vulnerability, we chose to disclose this to raise awareness among those who may be impacted,” a spokesperson for GreyNoise said via email. “All decisions to move forward were made in conjunction with VulnCheck and its policies.”
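- The page does not describe the code path behind CVE-2024-40891, so the Python below is a generic, added illustration of the command-injection class the item refers to, and not Zyxel’s code or GreyNoise’s findings. It models a router-style diagnostic handler that takes a target host from a request: the vulnerable form interpolates the input into a string that a shell parses, the hardened form allowlists the input and passes it as a single argv element with no shell. `echo` stands in for the real diagnostic tool so that the example runs offline and harmlessly; all names in it are this example’s own.

```python
"""Added example, not Zyxel's code: a generic command-injection pattern on
a diagnostic handler, shown vulnerable and hardened.  'echo' stands in for
the real tool so the example is harmless and runs offline; the function
names and the allowlist regex are this example's own assumptions."""
import ipaddress
import re
import subprocess

# DNS name: labels of alphanumerics and hyphens, no leading/trailing hyphen.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(host):
    """Allowlist check: accept an IP literal or a plain DNS name and reject
    everything else before it gets anywhere near a process."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if _HOSTNAME.match(host):
        return host
    raise ValueError(f"rejected target: {host!r}")


def run_vulnerable(host):
    """Untrusted input interpolated into a string that /bin/sh parses, so
    metacharacters such as ';', '|', '`' and '$(...)' become extra commands."""
    cmd = f"echo checking {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host):
    """Same input passed as one argv element with no shell involved: the
    metacharacters are just bytes inside a single argument."""
    return subprocess.run(["echo", "checking", host], capture_output=True, text=True).stdout


def run_hardened(host):
    """Validate first, then argv without a shell.  Both layers matter: the
    allowlist also stops option injection (a target beginning with '-')."""
    return run_argv_only(validate_target(host))


def hardened_rejects(host):
    """True if the hardened handler refuses the input outright."""
    try:
        run_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "192.0.2.1; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))   # two commands ran
    print("argv only: ", repr(run_argv_only(payload)))    # one argument echoed
    print("hardened rejects payload:", hardened_rejects(payload))
    print("hardened ok:", repr(run_hardened("cpe.example.test")))
```

The order of the two layers is the practical lesson: dropping the shell removes the injection primitive, and the allowlist removes the argument-level abuse that an argv list alone does not prevent.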
- Dark Reading informs us,
- “Researchers have discovered two new ways to manipulate GitHub’s artificial intelligence (AI) coding assistant, Copilot, enabling the ability to bypass security restrictions and subscription fees, train malicious models, and more.
- “The first trick involves embedding chat interactions inside of Copilot code, taking advantage of the AI’s instinct to be helpful in order to get it to produce malicious outputs. The second method focuses on rerouting Copilot through a proxy server in order to communicate directly with the OpenAI models it integrates with.
- “Researchers from Apex deem these issues vulnerabilities. GitHub disagrees, characterizing them as “off-topic chat responses,” and an “abuse issue,” respectively. In response to an inquiry from Dark Reading, GitHub wrote, “We continue to improve on safety measures in place to prevent harmful and offensive outputs as part of our responsible AI development. Furthermore, we continue to invest in opportunities to prevent abuse, such as the one described in Issue 2, to ensure the intended use of our products.”
- The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog this week.
- The CIS Center for Internet Security adds,
- “Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
- “THREAT INTELLIGENCE:
- Apple is aware of a report that CVE-2025-24085 may have been actively exploited against versions of iOS before iOS 17.2.”
From the ransomware front,
- Forbes reports,
- “With LockBit already stating that Feb. 3 will see it restart operations, the threat is about as real as it gets. So, what do you need to do?
- “The primary mitigations are:
- Install updates for operating systems, software and firmware as soon as they are released.
- Require phishing-resistant, non SMS-based multi-factor authentication.
- “In the face of these challenges, businesses, governments, and individuals must stay vigilant and proactive,” Matt Hull, global head of threat intelligence at NCC Group, warned, and that’s good advice that you would be well-advised to action immediately before the ransomware threat becomes a reality for you.”
- Dark Reading points out,
- “Two healthcare institutions, Frederick [Maryland] Health and New York Blood Center Enterprises (NYBCe), are grappling with disruptions from separate ransomware attacks they faced this past week.
- “Frederick Health posted an update to its website on Jan. 27 noting that it “recently identified a ransomware event” and is working to contain it with third-party cybersecurity experts to get its systems back online.
- “Though most of its facilities remain open and are still providing patient care, Frederick Health reported that its Village Laboratory is closed and that patients may experience some operational delays.
- “New York Blood Center Enterprises, a nonprofit made up of a collection of independent blood centers, first identified suspicious activity affecting its IT systems on Jan. 26. On Jan. 29, it alerted the public that it took its systems offline in an effort to contain the threat, which was attributed to a ransomware attack. NYBCe is working to restore its systems; however, it remains unclear when it will be fully operational again. The organization expects processing times for blood donations at its centers and offsite blood drives may take longer than usual.”
- Bleeping Computer adds,
- “Community Health Center (CHC), a leading Connecticut healthcare provider, is notifying over 1 million patients of a data breach that impacted their personal and health data.
- “The non-profit organization provides primary medical, dental, and mental health services to more than 145,000 active patients.
- “CHC said in a Thursday filing with Maine’s attorney general that unknown attackers gained access to its network in mid-October 2024, a breach discovered more than two months later, on January 2, 2025.
- “While the threat actors stole files containing patients’ personal and health information belonging to 1,060,936 individuals, the healthcare organization says they didn’t encrypt any compromised systems and that the security breach didn’t impact its operations.”
- The Hacker News explains how Interlock ransomware infects healthcare organizations.
From the cybersecurity defenses front,
- Cyberscoop informs us,
- “Imagine, for a moment, that your network is hit with ransomware.
- “One of your employees clicked on a malicious link and now your network is compromised, data is encrypted and most of the organization’s systems are locked or offline.
- “Then imagine if instead of assembling an incident response team, notifying the board and contacting law enforcement, the forensic sensors in your device’s firmware spring to life. They begin healing your network, restoring locked files, and communicating with other systems to collect forensic data.
- “The firmware then analyzes the data to identify how the attackers entered and exploited system weaknesses, then blocks those vulnerabilities to prevent future breaches through the same entry points.
- “While it sounds like science fiction, researchers at one of the Pentagon’s top cyber innovation hubs are attempting to prove the idea is more than a pipe dream.
- “Red-C, a new project being rolled out by the Defense Advanced Research Projects Agency, seeks to build new defenses into bus-based computer systems, which are firmware-level systems used in everything from personal computers to weapons systems to vehicles.”
- Cybersecurity Dive tells us,
- “Organizations that have consolidated security spending into integrated platforms have experienced improved cyber resilience and stronger operational efficiencies, according to a study released Tuesday by IBM and Palo Alto Networks.
- “Managing security stacks has been a struggle for organizations, which juggle an average of 83 different security tools from 29 different vendors, according to the study.
- “More importantly, the “platformization” model reduces the time it takes to identify and mitigate security incidents by an average of 74 days and 84 days, respectively, the study found.”
- Per Dark Reading,
- “When automated pen-testing tools appeared a few years ago they prompted an interesting question: How close are they to replacing human pen testers? While the short answer was “not that close — yet,” they definitely had potential and were worth keeping an eye on.
- “As I’ve just had the chance to review the latest iteration of these tools, it’s interesting to see how they’ve evolved and how close they now are to replacing the human pen tester for offensive security work.” * * *
- “Overall, it’s good to see these tools evolve. The rate of change is glacial, but they now understand cloud environments and can target Web applications, though they are still temperamental, costly, and miss a few things. One could argue humans are the same. For now, however, humans maintain the advantage — but they aren’t mutually exclusive. Just like crowdsourced security and traditional pen testing, automated pen testing is now another tool that can be layered onto your offensive security testing, where it can help you find the exploits that matter to your organization.”
- Here is a link to Dark Reading’s CISO Corner.