FEHBlog

From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive reports,
  • Congress moved one step closer to reauthorizing a key cyber threat information-sharing law on Thursday during a hearing that highlighted both the act’s value and potential shortcomings.
  • The House Homeland Security Committee’s cyber subcommittee held the hearing [on May 15] to evaluate the private sector’s satisfaction with the 2015 Cybersecurity Information Sharing Act, which expires on Sept. 30. Witnesses from the tech industry praised the law for encouraging companies to share cyber threat indicators with each other and with federal agencies, but they also offered lawmakers suggestions for how to improve the program.”

• Defensescoop tells us,
  • “The Department of Defense has expanded its number of cyber teams by 12, with two more slated to come online in the next few years, according to a spokesperson.
  • “The cyber mission force began building in 2012, and the initial 133 teams reached full operational capability in 2018. In DOD’s fiscal 2022 budget request, U.S. Cyber Command proposed and was eventually approved for a phased approach to add 14 additional cyber mission force teams beyond the original 133. That request and authorization in 2021 was the first substantial effort to grow that force since it was designed almost a decade ago, long before modern and advanced threats had surfaced.
  • “In 2021, the Secretary of Defense directed the creation of 14 New cyber teams by September 2028. Of the 14 teams, 12 have been established. These teams are spread across Army, Air Force, and Navy Commands,” a Cybercom spokesperson said.
  • “They declined to offer specifics regarding how many additional teams each service received or what types of teams those additional builds provided to each service — such as offensive, defensive or support teams — citing operational security.”

• Per a May 15 HHS press release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Vision Upright MRI, a small California health care provider that conducts magnetic resonance imaging and related services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification and Security Rules. The settlement resolves an OCR investigation concerning the breach of an unsecured server containing the medical images of 21,778 individuals.” * * *
  • “Under the terms of the resolution agreement, Vision Upright MRI agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $5,000 to OCR.” 
  • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hhs-ocr-hipaa-racap-vum/index.html“
    
• Cyberscoop informs us,
  • “Federal authorities seized two domains and indicted four foreign individuals for alleged involvement in a long-running botnet service that infected older wireless internet routers, the Justice Department said Friday. 
  • “The malware created for the botnet allowed infected routers to be reconfigured, which granted unauthorized access to third parties and made the routers available for sale as proxy servers on Anyproxy.net and 5socks.net, according to law enforcement officials. Both domains, which were managed by a company headquartered in Virginia and hosted on servers worldwide, now render seizure notices under an effort the DOJ and FBI dubbed “Operation Moonlander.”
  • “The 5socks.net website claimed to be in operation for over 20 years and had more than 7,000 proxies for sale worldwide for a monthly subscription of $9.95 to $110 per month, according to prosecutors. The botnet’s overseas operations were also seized and disabled by law enforcement agencies in the Netherlands and Thailand.
  • “Authorities also indicted the botnet’s alleged administrators and charged them with conspiracy and damage to protected computers, for conspiring with others to maintain, operate and profit from the bot.”
• and
  • Liridon Masurica, the alleged lead administrator of cybercrime marketplace BlackDB.cc, was extradited to the United States on Friday and faces charges that carry a maximum penalty of 55 years in federal prison, the Justice Department said Tuesday. 
  • Masurica, 33, who is also known as “@blackdb,” was arrested by authorities in Kosovo on Dec. 12. He made his initial appearance in federal court in Tampa, Fla., on Tuesday and was ordered detained pending a trial. 
  • Federal prosecutors charged Masurica with one count of conspiracy to commit access device fraud and five counts of fraudulent use of 15 or more unauthorized access devices.
  • Masurica, of Gjilan, Kosovo, is accused of running BlackDB.cc since 2018. The cybercriminal marketplace offered to sell compromised account and server credentials, credit card information and other personally identifiable information of individuals mostly located in the United States, the DOJ said.

From the cybersecurity breaches and vulnerabilities front,

• Cyberscoop reports,
  • “Hundreds of victims are surfacing across the world from zero-day cyberattacks on Europe’s biggest software manufacturer and company, in a campaign that one leading cyber expert is comparing to the vast Chinese government-linked Salt Typhoon and Volt Typhoon breaches of critical infrastructure.
  • “The zero-days — vulnerabilities previously unknown to researchers or companies, but that malicious hackers have discovered — got patches this month and last month, but there are signs it could be getting worse before it gets better, according to Dave DeWalt, CEO of NightDragon, a venture capital and advisory firm. Ransomware gangs are now reported to be exploiting it, beyond the original Chinese government-connected attackers.
  • “The net of it is this is like the Typhoon size, so much like we saw [with] Volt Typhoonand then Salt Typhoon,” DeWalt told CyberScoop. “Once these exploits get into the wild, it’s a race to see who can get more access to it. So initially it looks like three Chinese actors all used it, and now we’re going to see more.”
  • “A number of companies have been tracking the vulnerability and its consequences, including one, Onapsis, that DeWalt’s company invests in, along with EclecticIQ, ReliaQuest and Google’s Mandiant.”
• and
  • “Over the past few years, cybersecurity experts have increasingly said that nation-state operatives and cybercriminals often blur the boundaries between geopolitical and financial motivations. A new report released Wednesday shows how North Korea has flipped that idea on its head. 
  • “North Korea has silently forged a global cyber operation that experts now liken to a mafia syndicate, with tactics and organization far removed from other nation-state actors, according to a comprehensive new report released by DTEX Systems.
  • “The study — based on years of investigations, technical analysis, and work with other open-source intelligence analysts — pulls back the curtain on a highly adaptive regime that has built its cyber capabilities on a survivalist, profit-driven approach. It reveals a hierarchy blending criminality, espionage, and front-line IT work, coordinated by an authoritarian government that rewards loyalty and secrecy while punishing failure.” * * *
  • “You can read the full report on DTEX’s website.”

• Cybersecurity Dive relates.
  • “The FBI is warning about a threat campaign in which malicious actors are impersonating senior U.S. officials using malicious text messages and AI-generated voice messages.
  • “The messages have been sent to current and former federal and state officials and others who may be contacts of those individuals, the bureau said in an alert released Thursday.
  • “The messages are designed to establish a rapport with individuals who might then turn over access to a personal account, according to the alert. These social engineering techniques could be used to reach additional contacts and gain access to additional information or funds.”

• Bleeping Computer lets us know,
  • “A new tool called ‘Defendnot’ can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed.
  • “The trick utilizes an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device.
  • “When an antivirus program is registered, Windows automatically disables Microsoft Defender to avoid conflicts from running multiple security applications on the same device.
  • “The Defendnot tool, created by researcher es3n1n, abuses this API by registering a fake antivirus product that meets all of Windows’ validation checks. * * *
  • “While Defendnot is considered a research project, the tool demonstrates how trusted system features can be manipulated to turn off security features.
  • “Microsoft Defender is currently detecting and quarantining Defendnot as a ‘Win32/Sabsik.FL.!ml; detection.”
    
• The Cybersecurity and Infrastructure Security Agency (CISA) added nine known exploited vulnerabilities to its catalog this week.
• May 13, 2025
  • “CVE-2025-30400 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
  • “CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
  • “CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability
  • “CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability
  • “CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability”
    • Crowdstrike discusses these KVEs here.
    • Cyberscoop discusses Microsoft’s May 13 Patch Tuesday here.
    • See also Bleeping Computer article titled “Microsoft confirms May Windows 10 updates trigger BitLocker recovery”
• May 14, 2025
  • “CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability”
    • Rapid 7 discusses this KVE here.
• May 15, 2025
  • “CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability
    • This KVE is discussed here.
  • “CVE-2025-4664 Google Chromium Loader Insufficient Policy Enforcement Vulnerability
    • This KVE is discussed here.
  • “CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability”
    • The KVE is discussed here.

• Cyberscoop adds,
  • “Apple rolled out a series of substantial security updates Monday for its major software platforms, with advisories covering iOS, iPadOS, and two versions of macOS lines, addressing more than 30 vulnerabilities in total. 
  • “Among the numerous fixes, iOS 18.5 and iPadOS 18.5 introduce the first security update for Apple’s in-house C1 modem, featured in the newly released iPhone 16e. The patch addresses a baseband vulnerability (CVE-2025-31214) that, according to the company, could have allowed an attacker “in a privileged network position” to intercept network traffic. While the specific details remain undisclosed, the risk highlights concerns about how devices communicate on the hardware level, since baseband processors control things like data transmission, call processing, and other network functions.”

• PC World reports
  • “Malware is a thing you just have to be aware of. But it’s pretty rare that it can actually damage your computer in a permanent sense — wipe the drive if you’re okay with losing local data, and you can generally get up and running in a day or two. But what if the microcode running on your CPU’s tiny integrated memory becomes infected? One security researcher says he’s done it.
  • “Christiaan Beek of Rapid7 says he has created a proof-of-concept ransomware that can hide inside a CPU’s microcode, building on previous work that emerged when Google required AMD processors to always return “4” when asked for a random number. He claims that modifying UEFI firmware can install an unsigned update to the processor, slipping past any kind of conventional antivirus or OS-based security.” * * *
  • “CPU-level ransomware has not been seen “in the wild,” and it seems likely that when and if it emerges, it’ll be a state-level actor that exploits it first. That means your typical user probably won’t be targeted, at least immediately. Still, maybe keep a remote backup of your important files, just in case.”

From the ransomware front,

• Per a news release,
  • “Black Kite, the leader in third-party cyber risk intelligence, today announced its newest report, 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems, which provides a deep analysis into evolving ransomware trends and threats. The report found that threats have escalated with more actors, less predictability, and deeper entanglement in supply chains, underscoring an urgent need for organizations to implement intelligence-driven defenses and proactive vendor monitoring.”

• Beckers Hospital Review tells us,
  • “From October 2009 to October 2024, ransomware and hacking have increasingly driven healthcare data breaches, a May 14 study published in JAMA Network Open found. 
  • “The study examined ransomware attacks and other hacking incidents across all healthcare organizations covered by HIPAA from October 2009 through October 2024. It analyzed breaches affecting 500 or more patient records that were reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.”

• Cybersecurity Dive reports,
  • “A cybercrime gang believed to be responsible for three attacks in the U.K. in recent weeks has turned its attention toward the U.S. and has been able to compromise multiple targets in the sector, according to researchers from Google Threat Intelligence Group and Google subsidiary Mandiant. 
  • “Researchers said the same threat actors linked to attacks against U.K. companies are now using well-crafted social engineering techniques against U.S. retail companies.  
  • “The threat group, tracked as UNC3944 or Scattered Spider, is widely considered the prime suspect in the attacks on British firms Harrods, Co-op and M&S, but Mandiant and Google have not formally attributed the intrusions to any specific actor. Researchers said, however, that the hackers behind the U.S. attacks share the same techniques and procedures as the intruders in the British incidents.”

• Dark Reading adds,
  • “While dynamic DNS services have been around for many years, they’ve recently emerged as an integral tool in the arsenals of cybercriminal groups like Scattered Spider.
  • “Dynamic DNS (DDNS) services automatically update a domain name’s DNS records in real-time when the Internet service provider changes the IP address. Real-time updating for DNS records wasn’t needed in the early days of the Internet when static IP addresses were the norm.” * * *
  • “In a blog post last month, threat intelligence vendor Silent Push reported that despite some notable arrests of alleged members in 2024, Scattered Spider was actively engaged in new phishing campaigns targeting well-known enterprises. One of the key findings of the report was a shift in tactics from Scattered Spider members that featured the use of rentable subdomains from dynamic DNS providers like it.com Domains LLC.
  • “In an example of an observed attack, Scattered Spider actors established a new subdomain, klv1.it[.]com, designed to impersonate a similar domain, klv1.io, for Klaviyo, a Boston-based marketing automation company.
  • “Silent Push’s report noted that the malicious domain had just five detections on VirusTotal at the time of publication. The company also said the use of publicly rentable subdomains presents challenges for security researchers.”

• Bleeping Computer points out,
  • “Ransomware gang members increasingly use a new malware called Skitnet (“Bossnet”) to perform stealthy post-exploitation activities on breached networks.
  • “The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025.
  • ‘Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta in Microsoft Teams phishing attacks against the enterprise, and Cactus.”

From the cybersecurity business and defenses front,

• Cyberscoop reports,
  • “Proofpoint has entered into an agreement to acquire Hornetsecurity Group, a Germany-based provider of Microsoft 365 security services, in a deal reportedly valued at more than $1 billion.
  • “The acquisition, described as the largest in Proofpoint’s history, comes amid accelerating consolidation in the cybersecurity industry as companies seek to broaden their offerings to enterprise customers of all sizes. While Proofpoint did not disclose terms, CNBC reports the deal is “well over” $1 billion. 
  • “Hornetsecurity, headquartered in Hannover, Germany, serves more than 12,000 managed service providers (MSPs) and 125,000 small and mid-sized businesses (SMBs) primarily across Europe. According to a press release announcing the deal, Hornetsecurity brings in $160 million in annual recurring revenue, with growth exceeding 20% year over year. 
  • “For Proofpoint, the acquisition provides an entry point into the SMB market through Hornetsecurity’s established MSP network.'” * * *
  • “The transaction comes as Proofpoint, which was taken private by Thoma Bravo in 2021for $12.3 billion, is exploring an IPO, according to the CNBC report.” 
• and
  • “Coinbase responded to a security incident with combative measures Thursday after the company said cybercriminals bribed some of the cryptocurrency exchange’s international support staff to steal data on customers. The unnamed threat group stole personally identifiable information and other sensitive data on less than 1% of Coinbase’s monthly users, the company said in a blog post.
  • “The cybercriminals contacted customers under the guise of an employee at Coinbase in an attempt to dupe people into relinquishing their cryptocurrency. “They then tried to extort Coinbase for $20 million to cover this up. We said no,” the company said.
  • Coinbase flipped the script as part of its response. “Instead of paying this $20 million ransom, we’re turning it around and we’re putting out a $20 million award for any information leading to the arrest and conviction of these attackers,” Coinbase CEO Brian Armstrong said in a video posted on X.
  • “For these would-be extortionists, or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice,” he added.” 

• Dark Reading shares insights on the recent RSAC conference and of course also offers its CISO Corner.