FEHBlog

From the cybersecurity policy and law enforcement front,

• Per a Senate news release,
  • “U.S. Senators Mike Rounds (R-S.D.), Chairman of the Senate Armed Services Committee’s Subcommittee on Cybersecurity, and Gary Peters (D-Mich.) introduced a bipartisan bill to extend the Cybersecurity Information Sharing Act (CISA) of 2015 for an additional ten years.
  • CISA, signed into law in 2015, incentivizes companies to voluntarily share cybersecurity threat indicators, such as software vulnerabilities, malware or malicious IP addresses, with the Department of Homeland Security (DHS). This protects Americans’ personal information and makes certain that both the federal government and companies can take collaborative steps to prevent data breaches or attacks from cybercriminals and foreign adversaries.
  • “The Cybersecurity Information Sharing Act of 2015 has been instrumental in strengthening our nation’s cyber defenses by enabling critical information sharing between the private sector and government,” said Rounds. “Allowing this legislation to lapse would significantly weaken our cybersecurity ecosystem, removing vital liability protections and hampering defensive operations across both the defense industrial base and critical infrastructure sectors.”
  • “As cybersecurity threats grow increasingly sophisticated, information sharing is not just valuable—it remains essential for our national security,” said Peters. “For the past ten years, these critical protections have helped to address rapidly evolving cybersecurity threats, and this bipartisan bill will renew them so we can continue this collaborative partnership between the private sector and government to bolster our nation’s cybersecurity defenses against a wide range of adversaries.”
  • Click HERE to read full text of the bill.

• Cyberscoop reports,
  • “A bipartisan Senate bill would formally ban the use of DeepSeek by federal contractors, part of a larger effort to keep the Chinese-made large language model out of government systems and networks, where lawmakers fear it could pose cybersecurity and national security concerns.
  • “The bill, introduced by Sens. Bill Cassidy, R-La., and Jacky Rosen, D-Nev., would bar federal contractors from using the model to carry out any activity related to a federal contract. It also blocks contractors from using any successor model developed by High Flyer, the Chinese quantitative firm that made DeepSeek.
  • “Cassidy and Rosen cited the potential that the use of DeepSeek — which acknowledges that it sends user data back to China — to carry out contract work may put sensitive federal data in the hands of the Chinese government.
  • “AI is a powerful tool which can be used to enhance things like medicine and education,” Cassidy said in a statement. “But in the wrong hands, it can be weaponized. By feeding sensitive data into systems like DeepSeek, we give China another weapon.” 
• and
  • “Authorities in Poland have arrested four people accused of administrating and selling access to distributed denial of service (DDoS) services, according to a press release from Europol.  
  • “The suspects are believed to have operated six so-called “stresser” or “booter” services that enabled customers across the world to launch thousands of attacks on targets ranging from government offices to businesses and schools. From 2022 to 2025, the platforms — identified as Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut — allegedly allowed users to bombard websites and servers with high volumes of junk traffic, often rendering them inaccessible. 
  • “The services, which offered easy-to-navigate interfaces, required minimal user knowledge: attackers could select a target, choose the attack specifications, and pay as little as 10 euros for each disruption, according to Europol.
  • “The arrests in Poland were part of a coordinated law enforcement response spanning four countries and supported by Europol. In addition to the Central Cybercrime Bureau in Poland, the investigation was supported by German Federal Criminal Police Office, the Prosecutor General’s Office in Frankfurt, the Dutch National Police, and multiple U.S. agencies, including the Department of Justice, FBI, Homeland Security Investigations (HSI), and Defense Criminal Investigative Service (DCIS).” 

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer tells us,
  • “Ascension, one of the largest private healthcare systems in the United States, has revealed that the personal and healthcare information of over 430,000 patients was exposed in a data breach disclosed last month.
  • “As Ascension revealed in breach notification letters sent to affected individuals in April, their information was stolen in a data theft attack that impacted a former business partner in December.
  • “Depending on the impacted patient, the attackers could access personal health information related to inpatient visits, including the physician’s name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name. They could also gain access to personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs).” * * *
  • “Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.” * * *
  • “Although Ascension didn’t share any details regarding the breach affecting its former business partner, the timeline of the breach implies that the attack was part of widespread Clop ransomware data theft attacks that exploited a zero-day flaw in Cleo secure file transfer software.
  • “Last year, Ascension notified almost 5.6 million patients and employees that their personal, financial, insurance, and health information had been stolen in a May 2024 Black Basta ransomware attack.”
• and
  • “Cisco has fixed a maximum severity flaw in IOS XE Software for Wireless LAN Controllers by a hard-coded JSON Web Token (JWT) that allows an unauthenticated remote attacker to take over devices.
  • “This token is meant to authenticate requests to a feature called ‘Out-of-Band AP Image Download.’ Since it’s hard-coded, anyone can impersonate an authorized user without credentials.
  • “The vulnerability is tracked as CVE-2025-20188 and has a maximum 10.0 CVSS score, allowing threat actors to fully compromise devices according to the vendor.”

• Cybersecurity Dive informs us,
  • “A second wave of cyberattacks is targeting a critical vulnerability in SAP NetWeaver Visual Composer, according to researchers.
  • “Following the initial round of threat activity disclosed in April, opportunistic threat actors are leveraging webshells that were previously established through exploitation of CVE-2025-31324. The vulnerability, with a CVSS score of 10, allows unauthenticated attackers to upload arbitrary files and take full control of a system, according to researchers at Onapsis.
  • “Onapsis and Mandiant are tracking hundreds of confirmed compromises worldwide, with the cases spanning across multiple industries, including utilities, manufacturing, oil and gas and other critical infrastructure sectors. 
  • “The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its known exploited vulnerabilities catalog in late April.” 

• Cyberscoop adds,
  • “Vulnerabilities are proliferating in SonicWall devices and software this year, putting the vendor’s customers at risk of intrusion via secure access gateways and firewalls.
  • “The year started off on a sour note for the California-based company when it released security advisories for nine vulnerabilities on Jan. 7. The total number of vulnerabilities publicly disclosed by the company so far in 2025 has grown to 20. 
  • “SonicWall vulnerabilities are also making a consistent appearance on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog. Cyber authorities confirm that attackers exploited four vulnerabilities in SonicWall products so far this year, and 14 total since late 2021.
  • “Eight of those vulnerabilities have been exploited in ransomware campaigns, according to CISA.”

• Bleeping Computer adds,
  • “SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks.
  • “Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances.
  • “The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher.”

• CISA added four known exploited vulnerabilities to its catalog this week.
• May 5, 2025
  • CVE-2025-3248 Langflow Missing Authentication Vulnerability
  • Dark Reading discusses this KVE here.
• May 6, 2025
  • CVE-2025-27363 FreeType Out-of-Bounds Write Vulnerability
  • Hacker News discusses this KVE here.
• May 7, 2025
  • CVE-2024-6047 GeoVision Devices OS Command Injection Vulnerability
  • CVE-2024-11120 GeoVision Devices OS Command Injection Vulnerability
  • SC Media discusses these KVEs here.

From the ransomware front,

• Dark Reading reports,
  • “Email-based attacks continued to cost enterprises big bucks in 2024, according to new cyber-insurance claims data.
  • “Cyber-insurance carrier Coalition published its “2025 Cyber Claims Report” on May 7, showing that business email compromise (BEC) attacks and fund transfer fraud (FTF) accounted for 60% of all the company’s claims last year. BEC attacks were particularly problematic for customers, according to Coalition; claims severity for such threats increased 23%, with incident’s costing organizations, on average, $35,000.
  • “That dollar figure is a far cry from the average loss for ransomware attacks in 2024, which Coalition said was $292,000. However, the claims report, which features data from customers in the US, the UK, Canada, and Australia, offered some encouraging data points, including a 7% drop in ransomware claims severity and a 3% decline in claims frequency.
  • “Additionally, Coalition found that FTF claims severity fell dramatically by 46%, to an average loss of $185,000, while claims frequency dropped 2%. Overall, the cyber-insurance carrier said it observed “remarkable year-over-year (YoY) stability” for claims, despite an intensifying threat landscape where financially motivated attackers continue to develop novel techniques and exploit new vulnerabilities.”

• The Hacker News relates,
  • “Threat actors with ties to the Qilin ransomware family have leveraged malware known as SmokeLoader along with a previously undocumented .NET compiled loader codenamed NETXLOADER as part of a campaign observed in November 2024.
  • “NETXLOADER is a new .NET-based loader that plays a critical role in cyber attacks,” Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, and Neljorn Nathaniel Aguas said in a Wednesday analysis.
  • “While hidden, it stealthily deploys additional malicious payloads, such as Agenda ransomware and SmokeLoader. Protected by .NET Reactor 6, NETXLOADER is difficult to analyze.”
  • “Qilin, also called Agenda, has been an active ransomware threat since it surfaced in the threat landscape in July 2022. Last year, cybersecurity company Halcyon discovered an improved version of the ransomware that it named Qilin.B.”

• Per Bleeping Computer,
  • “The Play ransomware gang has exploited a high-severity Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
  • “The vulnerability, tracked as CVE-2025-29824, was tagged by Microsoft as exploited in a limited number of attacks and patched during last month’s Patch Tuesday.
  • “The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” Microsoft said in April.”

• The Wall Street Journal reports,
  • “The hacking group that once shut down half the Las Vegas Strip has returned and is causing turmoil at U.K. retailers.
  • “The hackers call themselves Star Fraud but are more widely known as Scattered Spider, a collective of largely young men and teenagers that have wreaked havoc across industries in recent years.
  • “U.K. retailers Harrods, Marks & Spencer MKS -1.05%decrease; red down pointing triangle and Co-op have all reported cyber intrusions in the past two weeks. Scattered Spider hasn’t been publicly named as the culprit of the hacks, but is suspected in at least some of them, according to people familiar with the investigation.
  • “The attacks bear all the hallmarks of Scattered Spider attacks, disrupting online sales and certain payments and leading to the theft of customer data. The stores have remained open.
  • “The group’s hackers “typically work their way through a sector, so other retailers should take the opportunity to harden their defenses,” said John Hultquist, chief analyst with Google’s Mandiant cybersecurity investigations group.” 

• Per Cyberscoop,
  • “Five months after education software vendor PowerSchool paid an unnamed threat actor a ransom in exchange for the deletion of sensitive stolen data, some of the company’s customers are now receiving extortion demands. 
  • “A threat actor, who may or not be the same criminal group behind the attack, has contacted four school district customers of PowerSchool in the past few days, CyberScoop has learned, threatening to leak data if they don’t pay. 
  • “The downstream extortion attacks highlight the ongoing risk organizations confront when a vendor is hit by a cyberattack, exposing not just their data but also that of others in their supply chain. The follow-on extortion attempts also underscore that paying ransoms for data does not guarantee stolen data won’t be leaked.”

• Dark Reading reports,
  • “The notorious ransomware gang LockBit appeared to suffer another setback this week after its network was compromised by an unknown adversary.
  • “On May 7, a range of security researchers observed that LockBit’s Dark Web leak site had been altered. Instead of listing victim organizations, the site now features a simple message: “Don’t do crime CRIME IS BAD xoxo from Prague,” along with a link to a zip archive.
  • “The archive, according to analysis from Qualys yesterday, among others, includes a SQL database file from LockBit’s affiliate panel. Coalition researchers, meanwhile, noted the file includes extensive internal data from the ransomware-as-a-service operation, including nearly 60,000 Bitcoin addresses and more than 4,000 chats with victim organizations from between Dec. 19, 2024, and April 29, 2025.
  • “The file also contains information on more than 70 LockBit administrators and affiliates, researchers noted, including plaintext passwords, as well individual builds and configurations of the LockBit ransomware code. However, the leaked data did not include decryptors or private keys.”

From the cybersecurity defenses front,

• CISA announced,
  • “The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and Department of Energy (DOE)—hereafter referred to as “the authoring organizations”—are aware of cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States. The authoring organizations urge critical infrastructure entities to review and act now to improve their cybersecurity posture against cyber threat activities specifically and intentionally targeting internet connected OT and ICS.”
  • Mitigations and resources are included in the announcement.

• Bank Info Security lets us know that “Despite the rise of artificial intelligence and automation, human ingenuity remains a critical asset in defending against cyberthreats, said Kara Sprague, CEO at HackerOne.”
  
• Here is a link to Dark Reading’s CISO Corner.