From the Project Glasswing front,

• Politico reports on June 18,
  • “The White House and Anthropic are working on a framework that would assess the severity of security flaws in new AI models and guide potential government intervention, according to a senior White House official and an administration official familiar with the matter granted anonymity to discuss it.
  • “The effort comes after the White House imposed export controls on Anthropic, which forced the company to suspend access for all users to Fable 5 and Mythos 5, its latest powerful AI models over a perceived security flaw, known in the industry as a jailbreak.
  • Administration officials and Anthropic CEO Dario Amodei disagreed over the severity of the jailbreak, POLITICO previously reported, but the technology has outpaced the government infrastructure to define and assess such disputes.
  • “The attempt to create a standardized method to evaluate this and future such incidents underscores how the administration is racing to establish guardrails for new and powerful models that some fear can, if left unchecked, threaten economic and national security.
  • “The negotiations between Anthropic and the administration also reflect an understanding that no AI model can be completely immune to hacking — part of Anthropic’s initial defense of its model — and that government should lay out the rules for companies to measure security risks by, a sentiment relayed by other leading AI companies and country leaders at G7 meetings earlier this week in France.”

• Bloomberg adds also on June 18,
  • “Some firms have preserved their access to a preview version of the Mythos AI model through Project Glasswing, despite a US government order.
  • “Businesses including banks and technology firms are accessing Mythos Preview to hunt for cyber vulnerabilities, with companies like Dragos Inc. and Cisco Systems Inc. confirming they have access.
  • “The US government order led to the shutdown of other versions of the Mythos AI model, but it didn’t explicitly address the Preview version, and Anthropic hasn’t directly addressed its availability.”

• Cyberscoop points out,
  • “While Washington D.C. frets over the potential impact of Anthropic’s Claude Fable 5, security researchers continue to track how the integration of frontier AI tools are transforming the digital security landscape for malicious hackers and defenders alike.
  • “The breakneck speed of model releases may be creating short, silent security gaps for developers who must choose between performance and security, according to a new report.”

• Cybersecurity Dive notes
  • “More than one-fifth of organizations running macOS networks have lost money or experienced a cyberattack because of their use of AI tools, according to a report that network management vendor Jamf released on Tuesday.
  • “Roughly six in 10 macOS-based organizations expect an AI-related incident in the near future, the survey found.
  • “The report, based on interviews with 687 IT and security leaders managing MacOS network environments, also describes system administrators’ AI implementation priorities, the largest areas of risk they face and Jamf’s recommendations for mitigating those risks.”

From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive reports,
  • “U.S. cybersecurity resilience in the face of sophisticated threats from China and other adversaries will increasingly depend on critical infrastructure’s ability to weather major disruptions, a top U.S. cyber official said Wednesday.
  • “Each and every one of us is operating right now on the front lines of a war that is never going to be cleared,” Nick Andersen, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), said at ICS Village and the Institute for Security and Technology’s Critical Effect conference.
  • “We are going to see an adversarial disruption of our critical infrastructure,” Andersen said. “It’s going to have significant not just technical impact, it’s going to have a significant psychological impact on the safety of the American people. … We need to start operating like that’s the reality of where we’re at — that we’re not going to be able to keep everything persistently online and available as much as we would like.”
  • “CISA’s emphasis on resilience marks a shift from earlier government cybersecurity doctrines that focused on preventing intrusions. In recent years, advanced nation-state hacking campaigns — especially Beijing’s Volt Typhoon espionage operation — have increasingly convinced government and industry strategists that their primary goal should be ensuring that infrastructure can continue operating during an attack.”

• Federal News Network adds,
  • “A new White House memo aims to strengthen the cybersecurity of sensitive government systems by centralizing oversight of those systems, while also setting aggressive deadlines for updating incident response procedures and other policies.
  • “In a national security presidential memorandum signed out Friday, President Donald Trump re-establishes and updates the Committee on National Security Systems (CNSS), a decades-old interagency body that sets security policies for military and intelligence systems, as well as systems that process classified information. It charges the committee with leading a policy aimed at fostering “a proactive, adaptive, and resilient cybersecurity ecosystem for all NSS to better safeguard the nation against persistent cyber threats from sophisticated adversaries.”
  • “The memo gives the committee the power to establish “baseline cybersecurity requirements” for all national security systems. It formalizes the director of the National Security Agency’s role as the “national manager” for national security systems. That role involves identifying emerging threats and providing minimum security protections, including through emergency directives.
  • “The memo includes the federal chief information officer on the reconstituted CNSS body, along with the deputy national manager at the NSA and the CIOs at the Defense Department and the intelligence community, respectively.
  • “It also mandates that national security systems should meet or exceed the level of cybersecurity standards issued by the National Institute of Standards and Technology.”
    
• Cyberscoop relates,
  • “Authorities on Thursday [June 18] disrupted a botnet, a malware framework and seized infrastructure that Evil Corp and other cybercrime groups used to steal data and break into various networks.
  • “The globally coordinated effort targeted SocGholish, multi-stage malware that has compromised websites, redirected users to traffic distribution systems (TDS) and slipped malware into their networks since 2017.
  • “The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage,” the FBI’s cyber division said in a statement. 
  • “Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware. Officials also disabled the botnet and notified victims.
  • “Sites infected with SocGholish, which are primarily hosted on WordPress, were widespread and provided everyday services including restaurants and auto repair shops, according to the Dutch National Police. 
  • “The botnet, also known as “FakeUpdates,” is linked to the Russian cybercrime group Evil Corp. It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLoocker, Hades Ransomware, LockBit, RansomHub and others, according to Infoblox, which participated in the takedown.” 

• Per an HHS news release,
  • “The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today announced a settlement with Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans (the Plan), the employer-sponsored group health plan of Spencer Gifts LLC, a national retail company, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.” * * *
  • “The settlement resolves an investigation that OCR initiated after the Plan filed a breach report on January 24, 2022. The Plan had received employee complaints that employees were unable to connect to the virtual private network. The Plan discovered that in November 2021, an unauthorized actor accessed the company’s network and deployed ransomware, encrypting data on the company’s systems, including servers storing the Plan’s PHI, and demanding a ransom. The PHI of 10,023 individuals was potentially affected by the breach, including health plan members’ names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers.” * * *
  • “The resolution agreement and corrective action plan can be found at: https://www.hhs.gov/sites/default/files/ocr-ra-cap-spencer.pdf [PDF, 654 KB].”

• Security Week tells us,
  • “A Ukrainian national pleaded guilty in a US court to his role in the notorious Conti ransomware group, the Department of Justice announced.
  • “The man, Oleksii Oleksiyovych Lytvynenko, 44, of Cork, Ireland, was arrested in Ireland in 2023 and was extradited to the US in October 2025 to face Conti-related charges.
  • “Lytvynenko admitted in court to joining the Conti operation in September 2021 and working on the development of a malware loader for the group. He also admitted to possessing data from 12 victims, including eight in the US.
  • “Authorities in the US believe that the Ukrainian national continued to engage in cybercriminal activities after the Conti operation shut down.
  • “Lytvynenko pleaded guilty to wire fraud conspiracy and faces up to 20 years in prison. He is scheduled for sentencing on September 10, 2026.
  • “One of the most prolific ransomware groups half a decade ago, Conti was used in attacks against over 1,000 organizations in the US and abroad between 2020 and 2022.”

From the cybersecurity breaches and vulnerabilities front,

• Tech Target identifies the largest healthcare data breaches so far reported to HHS OCR this year.

• Dark Reading reports,
  • “A recent — and likely massive — breach at Novo Nordisk, where attackers reportedly gained an initial foothold using a single GitHub access token, underscores how code repositories and developer environments have become ground zero for attackers seeking intellectual property, credentials, and software supply chain assets.
  • “Novo Nordisk, the Danish pharmaceutical giant behind blockbuster drugs Ozempic and Wegovy, disclosed the breach June 11 after detecting unauthorized access to what it claimed were a “limited number of its internal IT systems.” 

• Bleeping Computer relates on June 19,
  • “The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at its license system vendor that exposed personal information for more than three million individuals.
  • “The Texas Cyber Command discovered the intrusion and launched an investigation to determine the extent and impact of the unauthorized access. The state authority found that Social Security Numbers (SSNs), dates of birth, or any financial information, such as credit cards, have not been impacted.
  • “However, the threat actor may have obtained personally identifiable information that includes the data types [identified in the article] associated with 3,087,721 Texas hunting and fishing license customers,
• and
  • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure their devices after nearly 74,000 firewall and VPN credentials were exposed in a data leak dubbed “FortiBleed.”
  • “This warning comes after threat actors used compromised credentials to target internet-accessible Fortinet devices across government and private-sector organizations worldwide.
  • “CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials,” it said.
  • “This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways.”
  • ‘The agency called on affected FortiGate appliance owners to terminate all SSL VPN and administrative sessions, reset all VPN and administrative passwords, enable phishing-resistant multifactor authentication, and review logs for signs of unauthorized access or lateral movement.
  • “CISA also advised Fortinet customers to store admin credentials using the modern Password-Based Key Derivation Function 2 (PBKDF2) hashing algorithm, and to restrict firewall management interfaces from public internet access and remove any unauthorized accounts to reduce the attack surface as much as possible.”

• CISA added four known exploited vulnerabilities to its catalog this week.
  • June 15, 2026
    • CVE-2026-20262 Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
    • CVE-2026-54420 LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
      • Security Affairs discusses these KVE here.
  • June 16, 2026
    • CVE-2026-48907 Widget Factory Joomla Content Editor Improper Access Control Vulnerability
      • Bleeping Computer discusses this “patch by Sunday June 21” KVE here.
  • June 18, 2026
    • CVE-2026-20253 Splunk Enterprise Missing Authentication for Critical Function Vulnerability
      • Bleeping Computer discusses this “patch by Sunday June 21” KVE here.

• Security Week informs us,
  • Microsoft on Wednesday published an advisory acknowledging the public disclosure of a vulnerability in Defender that could lead to privilege escalation.
  • The security defect, now tracked as CVE-2026-50656 (CVSS score of 7.8), was dropped last week by security researcher Nightmare Eclipse (also known as Chaotic Eclipse).
  • “Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as ‘RoguePlanet’,” the tech giant’s advisory reads.
  • “We are working to provide a high-quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available,” Microsoft adds.
  • RoguePlanet, Nightmare Eclipse explained last week, targets a race condition in Microsoft Defender and allows attackers to gain System privileges.
  • The researcher released a proof-of-concept (PoC) exploit that demonstrates local privilege escalation (LPE) on Windows 11 and Windows 10 systems with the June 2026 patches installed.
• and
  • “Cybersecurity firms Huntress and Recorded Future have disclosed the impact of a supply chain attack that hit market intelligence platform Klue.
  • “The attack started on June 11 and affected systems associated with software platform integrations. The hackers connected to Klue’s backend servers and executed unauthorized commands, pushing a code update to harvest OAuth tokens for customers’ Klue integrations.
  • “Klue notified customers of the incident on June 12, warning that it had deactivated OAuth tokens for all customers and disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.
  • According to ReliaQuest, the hackers abused the Salesforce REST API to exfiltrate large volumes of customer relationship management (CRM) data over a 24-hour window, “including a concentrated burst of nearly a thousand queries in 15 minutes and sustained extraction windows lasting over 6 hours”. * * *
  • “On Thursday [June 18], both Huntress and Recorded Future confirmed that they were among the companies affected by the supply chain attack.”

• The Wall Street Journal reports,
  • “Millions of digital home devices in the U.S. have pre-installed backdoor software, creating residential proxy networks used by nation-state hackers to mask cyberattacks.
  • “Government agencies from nine countries warned that Chinese state-sponsored hackers use these networks to conduct operations, making attribution challenging.
  • “Midnight Blizzard, a Russian hacking group that broke into Microsoft, used residential proxy networks to steal Microsoft 365 credentials by logging in from U.S. home networks.” * * *
  • “This is a bigger problem because of the sheer numbers,” said Noopur Davis, Comcast’s head of information security. It is one of the most worrying problems the telecommunications company has seen, she said.
  • “[This story explains how to protect yourself from a sneaky back door that can let hackers into your home.]”

From the ransomware front,

• Industrial Cyber reports,
  • “CYFIRMA reported that healthcare organizations are facing an increasingly hostile cyber threat environment, with ransomware emerging as the sector’s most significant risk. Over the past 90 days, healthcare accounted for 216 verified ransomware victims, representing 9.05% of ransomware victims globally and ranking the sector third among 14 industries. The report found that ransomware attacks against healthcare increased 8.5% quarter over quarter, with April alone recording 90 victims, well above the sector’s previous six-month average. 
  • “In a new report, CYFIRMA identified healthcare victims in 42 countries, up from 33 in the prior period, while 50 of 81 active ransomware gangs targeted healthcare organizations, highlighting broad criminal interest in hospitals, pharmaceutical firms, and specialized medicine providers. The report also warned that nation-state activity and supply chain risks are compounding the threat landscape. Healthcare organizations appeared in 10 of 33 observed advanced persistent threat (APT) campaigns, up from three of 19 campaigns in the previous reporting period. North Korea-linked Lazarus Group led observed activity, while Russia-, China-, and Iran-linked actors also targeted the sector. 
  • “The researchers further noted that web applications, operating systems, web portals, and access management platforms remain key targets as attackers pursue credential theft and patient data. The company further identified supply chain concentration as a defining structural risk, warning that breaches involving specialized healthcare IT providers can cascade across multiple hospitals and healthcare networks simultaneously, amplifying operational disruption and cyber exposure.” 

• Security Week relates,
  • “Commercial printing and imaging technologies company Kodak has confirmed suffering a data breach after the ShinyHunters cybercrime group claimed to have stolen information from its systems. 
  • “Kodak was named on the ShinyHunters website on June 15, with the hackers claiming to have obtained more than 2.2 million records of customer personal information and other corporate data. 
  • “The hackers threatened to leak the stolen data on June 18 unless the company pays a ransom.
  • Contacted by SecurityWeek, Kodak said it’s conducting an investigation with the aid of external cybersecurity experts and promised to share additional information “as appropriate”.
  • “Kodak recently discovered that an unauthorized third party illegally gained access to a limited amount of company data,” said a spokesperson for Kodak.
  • “Although our investigation is ongoing, we are confident the incident was limited in scope and has been contained and that there is no threat to our systems or operations as a result of the incident,” the spokesperson added. “We have also notified law enforcement and are continuing to support their investigation.”

• Dark Reading tells us,
  • “INC is a ransomware group that has excelled in the ransomware-as-a-service (RaaS) space through doing the basics effectively — alongside a bit of good timing.
  • “Researchers with security vendor Acronis today published a blog post covering RaaS gang INC, a group that emerged in 2023 and has claimed more than 800 victims to date. INC is a ransomware actor that greatly benefited from the shutdown of ALPHV/BlackCat and the disruption of LockBit; this is an attribute shared with other ascendant gangs, such as The Gentlemen.”
  • “And according to the Acronis Threat Research Unit (TRU), the group is one of the most active of its kind right now. On the surface, INC doesn’t stand out so much. It’s a double extortion ransomware actor (meaning it uses encryptionand data leaking to get victims to pay up), drawing victims from manufacturing, legal services, healthcare, technology, construction, and educational sectors, among others. The group appears to have a certain preference for organizations with especially sensitive data to add extra extortion pressure.” 
     
• Bleeping Computer adds,
  • “The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks.
  • “The gang employs a collection of EDR-killing tools, most notably a utility that researchers dubbed GentleKiller. The tool has at least eight variants and impersonates various legitimate security products, including Kaspersky, Valorant, Javelin, and WatchDog.
  • “The gang is using a suite of EDR killers, the most frequently used being a custom tool that researchers named GentleKiller, which has at least eight variants impersonating various legitimate products.
  • The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks.
  • “An EDR killer is typically used to disable defenses in the early phases of an attack, and in ransomware incidents, they ensure that data theft or encryption processes run unencumbered.
  • “These tools work by leveraging the ‘bring your own vulnerable driver’ (BYOVD) technique to elevate privileges and disable security engines.”
• and
  • “DragonForce ransomware used a custom malware named ‘Backdoor.Turn’ to hide command-and-control traffic inside Microsoft Teams relay infrastructure.
  • “The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).
  • “DragonForce is a ransomware operation active since at least 2023, that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.

From the cybersecurity business and defenses front,

• Cyberscoop reports,
  • “Accenture announced Thursday it would acquire a majority stake in industrial cybersecurity firm Dragos for $3.25 billion and purchase two smaller security companies outright, essentially making a $4.18 billion bet that defending the IT networks of power grids, pipelines, factories and critical infrastructure sectors will become one of the defining challenges of the AI era.
  • “The deals — which also include two Austin, Texas-based companies, runZero and NetRise —  represent a significant strategic pivot for Accenture toward operational technology (OT) security,  a segment of the cybersecurity market that has long been underfunded relative to traditional IT defenses. The announcement comes as the consulting giant faces pressure on its core business from the same AI tools reshaping the threat environment it is now moving to address.”

• HIPAA Journal adds,
  • “Compliancy Group has acquired Healthicity in a deal that combines two healthcare compliance software companies and expands Compliancy Group’s platform to include healthcare compliance, workforce compliance, risk assessment, third-party risk management, incident management, provider auditing, coding auditing, and documentation auditing.
  • “The acquisition was announced on June 17, 2026. Financial terms of the transaction were not disclosed. Compliancy Group said the combined organization will serve more than 3,000 healthcare organizations across the United States and selected global markets.”

• Dark Reading advises,
  • “Get Out of Security Debt by Tackling the Exposure Problem.
    • “Teams digging out of security debt need to answer only two simple questions: Which vulnerabilities in our systems are exposed, and how long should they stay that way?”

• Tech Target adds,
  • “It’s time to update incident response for the AI era”
  • “Your latest cybersecurity incident might not be a threat actor, but an internal AI agent doing what it’s authorized to do. Incident response must evolve to accommodate AI.”

• ZDNet offers
  • “10 signs that someone is monitoring or accessing your accounts – how to stop them
    • “Learn how to spot the signs of account monitoring and compromise – and take back control.”
• and
  • “5 steps to ensure HIPAA compliance on mobile devices
    • “HIPAA compliance on mobile devices depends on governing access to PHI across both managed and personal endpoints. Here are five steps to achieving compliance in clinical settings.”

• Security Week lets us know about
  • “AI and Cybersecurity – Everything You Wanted to Know, But Were Afraid to Ask
    • “From defending networks to enabling attacks, artificial intelligence is changing every aspect of cybersecurity. Here’s what dozens of experts say security leaders need to understand now.”

• Here’s a link to Dark Readings’s CISO Corner.

From the Project Glasswing front,

• Tech Crunch reports,
  • “The U.S. government on Friday ordered Anthropic to immediately shut off access to two of its most powerful AI models — Claude Fable 5 and Claude Mythos 5 — citing national security concerns. Anthropic announced on X that it has complied, but it made clear it thinks the government got this one wrong.
  • “The directive, which Anthropic said it received on Friday [June 12] at 5:21 pm ET, forces the company to disable both models for all users worldwide — not just the foreign nationals the government’s export control order was nominally aimed at. Access to Anthropic’s other models isn’t affected.” * * *
  • “Fable 5, released just three days ago, was Anthropic’s answer to the obvious commercial pressure: a version of Mythos fitted with guardrails that block responses in high-risk areas like cybersecurity and biology, making it safe enough for general release, the company argued. It was immediately the most capable AI model available to the public, according to benchmark tests from Vals AI, a company that tracks AI tech performance.” * * *
  • “Anthropic is widely expected to pursue an IPO this year and has staked much of its public identity on being the safety-conscious alternative to its rivals. The irony isn’t lost on observers that the very caution Anthropic displayed in restricting Mythos — which it promoted as a model so dangerous it couldn’t be released publicly — has now apparently attracted exactly the kind of government scrutiny that could disrupt its business most.”

From the cybersecurity policy and law enforcement front,

• Federal News Network reminds us,
  • “The Cybersecurity and Infrastructure Security Agency is restarting public engagements on delayed cyber incident reporting rules that will likely cover tens of thousands of critical infrastructure organizations.
  • “The meetings come as CISA faces pressure to issue the final regulations quickly, while some lawmakers and industry groups also want the agency to amend the draft rules to be less broad and burdensome.
  • “Starting Monday, CISA will host a series of virtual town halls to get feedback on the draft regulations to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The meetings will run through Wednesday.”

• Cyberscoop reports,
  • “The Cybersecurity and Infrastructure Security Agency on Wednesday [June 10] ordered federal agencies to prioritize vulnerabilities based on four criteria, as part of push to “patch smarter, not harder.”
  • “Federal agencies should emphasize patches for vulnerabilities that affect a publicly exposed asset, allow an attacker to fully automate exploitation, give attackers the ability to take over control of a system or relate to evidence of active, real-world exploitation, CISA declared.
  • “CISA acting director Nick Andersen previewed the binding operational directive (BOD) Tuesday [June 9], framing it as a rethinking of vulnerability management more broadly.” * * *
  • “BOD 26-04 sets forth timelines for how quickly agencies must fix a vulnerability based on how many of the four criteria it meets. If it meets all four, for example, agencies need to fix it within three days and carry out a “forensic triage” to assess whether their systems were compromised. 
  • “More generally, agencies must immediately update their vulnerability management policies, including establishing a process for ongoing remediation of known, exploited vulnerabilities (KEVs) on CISA’s “must-patch” list. Within 60 days, agencies need to update their processes for remediating common vulnerabilities, and within 180 days, agencies must meet the order’s remediation timelines.
  • “The directive is motivated in part by how artificial intelligence is shifting the window from vulnerability discovery to weaponization, and CISA said it reflects priorities in an executive order on AI that President Donald Trump signed last week.”
• and
  • “The FBI, along with Google and Lumen Technologies, took down a major cybercrime network based in China that was responsible for an estimated $1.9 billion in losses, officials said Friday. 
  • “Outsider, which provided phishing kits and hosted infrastructure for cybercriminals since July 2023, facilitated a wave of phishing attacks against people and businesses in 55 countries, including the United States, the FBI said in a LinkedIn post.
  • “The jointly coordinated effort dubbed “Operation Ghost Hook” netted the seizure of several domains of the group’s core admin servers, a Shopify storefront, roughly $100,000 from Outsider payment wallets and thousands of domains registered through U.S.-based providers, officials said.
  • “The FBI said it also used an Outsider Telegram bot to access information on the cybercrime network’s customers.”
• and
  • “A longtime former member of Conti, a ransomware group that attacked more than 1,000 organizations globally before it disbanded in 2022, pleaded guilty to participating in some of those attacks in federal court Wednesday [June 10], the Justice Department said.
  • “Oleksii Oleksiyovych Lytvynenko, also known as Alexsey Alexseevich Litvinenko, admitted he joined the prolific cybercrime group in September 2021 and held data on 12 victims, including eight based in the United States. The 44-year-old told the court he developed malware that Conti used in some of its attacks, according to officials.” 

• Bleeping Computer adds,
  • “Law enforcement has dismantled the “AudiA6” cryptocurrency service allegedly used by ransomware actors and other cybercriminals to launder more than $380 million.
  • “Europol says that the service has been linked to more than 15 distinct international investigations of ransomware attacks.
  • “It is believed that the platform acted as a central money laundering hub between 2022 and 2025.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer reports,
  • “Danish pharmaceutical giant Novo Nordisk, the world’s largest producer of insulin, disclosed a data breach affecting patient information from some clinical trials.
  • “Founded in 1923, Novo Nordisk now employs around 67,900 people across 80 offices worldwide and is the maker of viral GLP-1 receptor agonist drugs Wegovy and Ozempic.
  • “The company revealed on Thursday [June 11] that attackers gained access to its internal IT systems and data related to patients participating in some clinical trials, including their patient IDs (random alphanumeric strings) and information on trial participation, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors (e.g., smoking, alcohol use, BMI).
  • “However, Novo Nordisk said that this data was pseudonymized and that the attackers can’t use it to identify any affected patients by name.
  • “While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, was copied externally without authorisation. We are informing the impacted parties as appropriate,” the company said.”

• HIPAA Journal tells us,
  • “Episource, a provider of medical coding, risk adjustment services, and software solutions, experienced a cyberattack in early 2025, in which files containing patient data were exfiltrated from its network. In June 2025, the forensic investigation had progressed, and it was confirmed that 5.4 million individuals had been affected.
  • “The investigation has since revealed the data breach was more extensive, involving unauthorized access to the electronic protected health information of 6,725,572 individuals, according to updated figures provided to the HHS’ Office for Civil Rights. With more than 6.7 million affected individuals, the data breach currently ranks as the third-largest healthcare data breach of 2025, behind the 13.9 million-record data breach at Aflac and the 62.2 million-record data breach at Conduent Business Services, and ranks as the 16th-largest healthcare data breach of all time. The threat group behind the incident remains unknown.”

• Industrial Cyber relates,
  • “Global cyberattack activity eased in May 2026 following April’s sharp rebound, but the broader threat landscape remained volatile, according to research from Check Point Research. Organizations experienced an average of 2,055 weekly cyberattacks during the month, representing a 2% increase year-over-year despite a 7% decline from April. Education remained the most targeted sector, averaging 4,641 weekly attacks per organization, while government and telecommunications also continued to face elevated attack volumes. 
  • “The report noted notable year-over-year increases in attacks targeting agriculture, hospitality, travel, recreation, and construction sectors as digitalization expands across these industries. The most significant trend was a sharp rise in ransomware activity. Check Point recorded 698 ransomware attacks globally in May, a 48% increase compared to the same month last year and the highest year-over-year growth rate recorded in 2026. Business services accounted for 35% of all ransomware victims, while consumer goods and industrial manufacturing also experienced substantial increases. 
  • “The report found that ransomware activity has become increasingly fragmented, with 61 active groups operating during the month. Qilin emerged as the most active ransomware group, responsible for 14% of published attacks, followed by The Gentlemen and DragonForce.”

• Dark Reading adds,
  • “Phishing attacks are down across most industries, yet researchers argue the phishing threat is higher today than ever, as the fewer attacks that are perpetrated are becoming more dangerous.
  • “In its 2026 annual phishing report, Zscaler researchers framed the trend not as a drop but as a “rebalancing” — threat actors moving from wide spray-and-pray campaigns to more focused attacks with higher conversion rates.”

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • June 8, 2026
    • CVE-2026-42271 BerriAI LiteLLM Command Injection Vulnerability
    • CVE-2026-50751 Check Point Security Gateway Improper Authentication Vulnerability
      • Infosec discusses the BerriAI KVE here.
      • Cybersecurity Dive discusses the Check Point KVE here.
  • June 9, 2026
    • CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
    • CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
    • CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
      • Scorifya discusses the Arista KVE here.
      • Cybersecurity News discusses the Google KVE here.
      • Cybersecurity Dive discusses the Cisco KVE here.
  • June 11, 2026
    • CVE-2026-10520. Ivanti Sentry OS Command Injection Vulnerability
      • Dark Reading discusses this KVE here.
  • June 12, 2026
    • CVE-2026-35273 Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
      • Cybersscoop discusses this KVE here.

• Info Security Magazine informs us,
  • “Cybersecurity software regularly fails to detect and prevent the cyber-attacks they are designed to protect organizations from, especially within the bowser layer, research by Menlo Security has warned.
  • “Published on June 9, Menlo Security’s 2026 Browser Threat Report found that one in five phishing attacks which target the enterprise browser users go completely undetected by the tools which are supposed to protect the network and its users from attacks.
  • “Based on platform telemetry across millions of active browser sessions in enterprise customer environments between January 1 and March 31 2026, the research warned that threat actors are gaining entry to enterprise environments through the browser session layer.
  • “The problem, the paper said, is that attacks via the browser target areas which many traditional enterprise cybersecurity products are not designed to identify or prevent suspicious activity in.

• Cybersecurity Dive points out,
  • “Financial services organizations are widely using AI agents for common business operations, but many of them aren’t sure whether their AI tools have opened the door for hackers, according to a new report.
  • “Sixty-two percent of financial services firms have deployed AI agents, and 93% of those firms have given them some level of autonomy, the Cloud Security Alliance (CSA) said in its Tuesday report.
  • “The report’s authors said the main conclusion from their survey, which consisted of interviews with 340 global IT and security professionals between Jan. 15 and March 1, is that “financial institutions have deployed AI faster than they have secured it.”

• Per Security Week,
  • “Palo Alto Networks drew attention to a high-severity security flaw in the Cortex XSOAR and Cortex XSIAM platforms that could allow attackers to access and modify restricted resources.
  • “Tracked as CVE-2026-0274, the issue is described as the improper validation of credentials in the CommvaultSecurityIQ integration of the affected products and does not require a special configuration to be triggered.
  • “The company also rolled out patches for eight medium and low-severity security defects in PAN-OS, Prisma Access Agent, Cortex XSOAR, and GlobalProtect App.
  • “Palo Alto Networks says it is not aware of any of these vulnerabilities being exploited in the wild.
  • “On Wednesday [June 10], Splunk published a dozen advisories detailing security weaknesses in its products and third-party libraries they use.”

From the ransomware front,

• Health Exec reports,
  • “A health system in Mississippi has revealed a December 2025 data breach of its network resulted in records on 53,888 patients being stolen by hackers. Meanwhile an infamous cybercrime cell has claimed credit for the attack, posting proof on the dark web.
  • “Last month Singing River Health System reported official numbers from the incident to the U.S. Department of Health and Human Services’ Office for Civil Rights, which operates a data breach tracker. This came after an investigation into what it called a “cybersecurity incident” that staff at Singing River discovered a few days after cybercriminals were already inside its network.
  • “According to the health system, which said it worked with a third-party cybersecurity firm on its investigation, its network was compromised from Dec. 19 to 21, 2025, before the unauthorized access was discovered and containment protocols were deployed.” * * *
  • “Researchers at Comparitech released a report last week showing that Anubis—a cybercrime syndicate known for its ransomware attacks against healthcare entities—had claimed credit for the data breach in a post on its own dark web leak site.
  • “The group claims to have 293 GB of data from Singing River, much of it containing sensitive patient information. It posted samples to prove it had the goods, including what Comparitech described as “intimate images of surgeries and injuries.”

• The Hacker News relates,
  • “A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).
  • “According to a detailed report published by PRODAFT, the group, which it tracks as Phantom Mantis, is led by a Russian-speaking cybercriminal it calls LARVA-368, who goes by the online aliases hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The Gentlemen is known to be active since March 2025, claiming a total of 478 victims to date, per data from Ransomware.Live.”

• Cybersecurity Insiders tells us,
  • “In recent years, ransomware has evolved from simple file-encrypting malware into highly sophisticated cyber weapons capable of disrupting entire organizations. Among these emerging threats, Time Bomb Ransomware has gained significant attention due to its ability to remain dormant within systems before launching a coordinated attack. This delayed-execution strategy makes it particularly dangerous for backup engines, which serve as the last line of defense against data loss and cyber incidents.
  • “Time Bomb Ransomware operates by infiltrating an organization’s network and remaining undetected for an extended period. Instead of immediately encrypting files, the malware silently spreads across systems, identifies critical assets, and waits for a predetermined trigger date or condition. 
  • “During this dormant phase, it can infect data backup repositories, storage servers, and disaster recovery environments without raising suspicion. As a result, organizations may unknowingly back up infected data for weeks or even months- depending on the backup engine configuration that can range on weekly to monthly time intervals.
  • “The primary danger lies in the ransomware’s ability to compromise backup engines before activating its payload. Traditional backup solutions are designed to create multiple copies of data to ensure business continuity. However, when ransomware infiltrates these backup systems, it can encrypt, corrupt, or delete backup copies along with the primary data. Consequently, organizations lose their ability to recover information, forcing them to either pay the ransom or suffer significant operational disruptions.”

From the Cybersecurity defenses front,

• The Wall Street Journal reports,
  • “Frontier artificial intelligence models, like Anthropic’s Mythos, are forcing organizations to rethink cybersecurity by rapidly identifying attack chains.
  • “Visa developed a “Mean Time to Adapt” metric and the VVAH framework to automate vulnerability fixing and testing.
  • “Mean Time to Adapt,” measures how quickly an organization identifies, triages and fixes vulnerabilities once discovered.
  • “The rapid AI-driven discovery of flaws creates pressure on organizations, especially smaller vendors and the public sector, to automate defenses.”

• JP Morgan Chase suggests ten actions to take now for AI-ready cyber resilience.
  • Run the Latest Software Versions
  • Manage Assets and Software Components with Reference Data
  • Build and Operate a Robust Vulnerability Management Program
  • Stress Test Incident Response and Resiliency Plans
  • Know Your Major SaaS and Outsourced Dependencies
  • Optimize Change Management for Speed
  • Aggressively Filter Outbound Traffic from Production Systems
  • Remove Standing Privileges from Employee Entitlements
  • Manage Remote Access and Segment Where Possible
  • Embed Security into the AI Development and Deployment Lifecycle

• Bleeping Computer adds,
  • “AI is transforming the speed and scale of cybercrime in ways traditional security operations were never designed to handle.
  • “Gartner predicts AI agents will cut the time it takes to exploit account exposures by 50% by 2027. Phishing campaigns that once took days to craft can now be generated in minutes, free of the telltale errors that once gave them away, while vulnerabilities that once required manual reconnaissance can now be identified and exploited automatically.
  • “For MSPs, the stakes are clear. Those still relying on a fragmented security stack will not just be slower to respond but will also struggle to prove to clients that their environments are fully protected.
  • “Keeping pace with AI-driven threats requires a more unified, AI-powered approach that strengthens security, simplifies operations and delivers greater value without putting additional pressure on margins.’

• CSO raises “15 tough cybersecurity questions every CISO must answer.”

• Here is a link to Dark Reading’s CISO Corner.

From the War with Iran front,

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency, FBI and other federal authorities warned Tuesday [June 2] that hackers have targeted automatic tank gauge systems in threat activity across multiple industry sectors.
  • “Tank gauge, or ATG, systems are used to measure temperature, check fuel or other liquid levels and detect leaks, according to guidance released by the agencies. Hackers have targeted internet-exposed devices and used command execution to disable alerts or otherwise obscure the monitoring of these devices.” * * *
  • “Federal authorities have not attributed the attacks to any specific group, but CNN previously reported an investigation into the hack of ATG systems that serve gas stations in multiple U.S. states. The threat activity is suspected to be connected to Iran-linked hackers, but federal officials are not publicly making that link. 
  • “OT security experts cautioned there are limits to how a hacker might manipulate these devices. 
  • “A malicious actor could take control of an ATG and disrupt its functions, including leak detection, but they cannot cause a leak with an ATG,” said Markus Mueller, field CISO at Nozomi Networks. “Similarly, a malicious actor could disrupt the ability to fill or use a tank to fill a vehicle.” 

From the Project Glasswing front,

• Cybersecurity Dive reports,
  • “Anthropic is significantly expanding the number of organizations that have access to its powerful Claude Mythos Preview AI model, a move that reflects growing interest in Mythos’s vulnerability-hunting capabilities within government agencies and critical infrastructure sectors.
  • “Following several weeks of close collaboration with our Project Glasswing partners, the security industry, open-source software maintainers, and the U.S. government, we’re extending the partnership to approximately 150 new organizations,” Anthropic said in a statement on Tuesday [June 2].
  • “The new organizations, which are based in more than 15 countries, include infrastructure operators in sectors that weren’t represented in Project Glasswing’s membership, such as power, water, healthcare and telecommunications. Other new members include hardware vendors and critical software maintainers, including nonprofit groups.”

• Beckers Hospital Review adds,
  • “Health system leaders told Becker’s they’re encouraged by AI developer Anthropic opening up its Project Glasswing cybersecurity initiative to healthcare.”

• Cybersecurity Dive notes,
  • One of the most important jobs for CISOs in the AI era is to stay calm and carefully assess their organizations’ risk exposure, experts said this week at the annual Gartner Security & Risk Management Summit here.
  • “Don’t panic,” Katell Thielemann, a VP analyst at Gartner, said during a talk on Tuesday about AI’s impact on the security of cyber-physical systems such as industrial control equipment.
  • “Yes, things are changing fast,” Thielemann said, “but there are some low-hanging fruit” that CISOs can tackle, such as disconnecting critical devices from the internet and monitoring remote access to the remaining infrastructure.

From the cybersecurity policy front,

• Cyberscoop reports,
  • “The Trump administration issued a revised executive order Tuesday [June 2] focused on artificial intelligence, offering a significantly pared-back vision for the federal government’s role vetting AI systems compared with a draft version that was spiked weeks ago.
  • “The order keeps in place the administration’s largely voluntary framework for companies to engage with the federal government around testing new models before release, but appears to considerably weaken or loosen provisions that had been opposed by industry.
  • “Under the order, AI companies would voluntarily provide the federal government access to frontier models before release, but now it will be for “up to” 30 days instead of the 90-day timeline included in previous drafts.
  • “It also explicitly states that nothing in the program will be construed as mandatory or part of a federal licensing or permitting regime, and gives AI companies significant influence to help define what models would and would not be covered under for testing.
  • “It also states that all federal testing and access to the models would be subject to “confidentiality, cybersecurity, insider-risk, and intellectual-property protection, use, and nondisclosure requirements.”
    
• Federal News Network relates,
  • During a House Homeland Security Committee hearing on Wednesday June 3, Homeland Security Secretary Markwayne Mullin “said the Cybersecurity and Infrastructure Security Agency needs to hire hundreds of additional staff. CISA’s staff has gone from roughly 3,400 people to 2,200 under the Trump administration, with many taking deferred resignations or early retirements.
  • “We probably need somewhere around [2,800] if we can actually have the partnerships we need with states and to be able to use the grants, the monies that stayed with CISA to be able to invest with local and state municipalities,” Mullin said. “We’re not going to fail on the mission that we have in front of us, and cyber attacks are only getting stronger, and they’re attacking our private partnership the most.”
  • “Mullin’s comments somewhat conflict with the Trump administration’s fiscal 2027 budget request for CISA, which would reduce the agency’s budget by $707 million compared to 2025 spending levels.” * * *
  • “Mullin also teased that Trump may be close to naming a new CISA director nominee. Former DHS official Sean Plankey’s nomination for CISA director was rescinded earlier this year after facing lengthy delays in the Senate.
  • “We’ve got a person soon to be nominated that will be running CISA that has the ability to recruit and focus on the authorities we have,” Mullin said. “We want CISA to be the leader in cybersecurity. They should be, and they will be.”

• The American Hospital Association News tells us,
  • “The Health Sector Coordinating Council’s Cybersecurity Working Group has released a guide to help healthcare organizations establish cyber governance frameworks for secure artificial intelligence implementation. The guide addresses challenges in identifying and mitigating AI-specific cyber risks, including data poisoning, model drift and adversarial attacks, while ensuring compliance with current regulations. It also explores a spectrum of AI technologies used in healthcare, including traditional machine learning models, generative AI and agentic AI systems capable of autonomous action. 
  • “This comprehensive guide is a must-read for all healthcare organizations, vendors and suppliers as the development and implementation of various forms of AI into healthcare settings has become widespread at tremendous speed and scale,” said John Riggi, AHA national advisor for cybersecurity and risk. “The secure-by-design and implementation recommendations offered in this guide will help mitigate unintended cybersecurity risk and consequences of AI use in healthcare and help prevent adversarial exploitation of AI-related technical flaws. Mitigating AI cybersecurity risk is part of cyber safety, and cyber safety is patient safety.” 

From the cybersecurity vulnerabilities and breaches front,

• Bleeping Computer reports,
  • “A data breach at the dental benefits administrator DentaQuest has reportedly exposed the sensitive data of 2.6 million accounts.
  • “The security incident came to light last month, when the infamous extortion group ShinyHunters listed the company on its data leak site and claimed to have stolen more than 234 GB of data.
  • “Following what the threat actor describes as a failure to reach an agreement with the company, the data was publicly leaked.” * * *
  • “On June 2, DentaQuest confirmed on its website that its networks had been breached and the incident caused “limited disruption” in customer service.
  • “DentaQuest is actively managing a cybersecurity incident involving unauthorized access to a limited portion of our network,” reads the statement.” * * *
  • “Yesterday, [June 3], data breach alerting service Have I Been Pwned (HIBP) analyzed the leaked information and found that it contained records for 2.6 million accounts.”

• The HIPAA Journal has been keeping track of all healthcare data breaches since 2009.
  • “There was a sharp increase in data breaches between 2018 and 2021, with data breaches doubling in just three years as cybercriminals aggressively adopted ransomware and actively targeted the healthcare sector. The large annual increases in data breaches came to an end in 2021, increasing by around 4% between 2022 and 2023, and again by around 4% from 2024 to 2025, when a new annual record was set with 772 large data breaches reported.”
    
• CISA added five known exploited vulnerabilities to its catalog this week.
  • June 1, 2026
    • CVE-2024-21182. Oracle WebLogic Server Unspecified Vulnerability
      • Security Week discusses this KVE here.
  • June 2, 2026
    • CVE-2022-0492 Linux Kernel Improper Authentication Vulnerability
    • CVE-2025-48595 Android Framework Integer Overflow Vulnerability
      • Security Week discusses these KVEs here.
  • June 3, 2026
    • CVE-2026-45247 Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability
      • SC Media discusses this KVE here.
  • June 5, 2026
    • CVE-2026-28318 SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability
      • Bleeping Computer discusses this KVE here.

• Cybersecurity Dive adds,
  • “Cisco on Thursday [June 4] warned of a zero-day vulnerability in its Catalyst SD-WAN product that could allow an attacker to execute arbitrary commands as root. 
  • “The vulnerability, tracked as CVE-2026-20245, is the result of insufficient validation of user-supplied input. The flaw, which has a severity score of 7.8, could allow an attacker to conduct command-injection attacks and elevate privileges as the root user. 
  • “The company said it has confirmed a limited number of cases where the flaw was exploited, leading to a configuration change being pushed to edge devices.”
  • “Cisco has thus far not released any patches and has no current workarounds. 
  • “The vulnerability was disclosed by Mandiant.” 
• and
  • “Researchers on Monday [June 1] warned that more than 30 Red Hat npm packages have been compromised in a supply-chain attack that used a credential-stealing worm. 
  • A total of 96 versions across 32 packages have been identified as compromised, according to researchers at Aikido Security. The accumulated downloads exceed 116,000, according to researchers. 
  • “The packages were published through the GitHub Actions OIDC, which indicates the compromise was linked to the continuous integration/continuous delivery pipeline, instead of a npm token, researchers noted.” 

• The American Hospital Association News informs us,
  • “The FBI and international agencies have released an alert on Chinese military intelligence services using professional networking sites and online job platforms to target government, military and any other personnel with access to classified or privileged information. The agencies said intelligence officers or affiliates pose as employees of private consultancies, research institutions or human resources firms, and post job advertisements online for foreign policy and defense analysts. Successful candidates are then pressured to provide “non-public” information for unspecified clients associated with the Chinese government.
  • “This alert is important for healthcare since many individuals in the sector have current or former access to classified information,” said John Riggi, AHA national advisor for cybersecurity and risk. “Many healthcare organizations are also engaged in highly sensitive, taxpayer-funded medical research, innovation and clinical trials. For decades, the Chinese government has been engaged in an aggressive campaign to legitimately acquire, steal or hack the results of this research and innovation for their own strategic national security priorities, economic advantage or weaponization. Use of social media platforms to engage and compromise individuals with access to classified or unclassified, but sensitive information is one of their most effective tactics. As such, we should remain wary of connecting with unknown individuals on these platforms seeking to discuss research, or provide unusually lucrative offers for employment, speaking engagements, opinions or research — especially those which may involve foreign contacts or travel.”

• Dark Reading identifies “4 Critical Threats Where Attackers Have the Advantage
  • “Gartner analysts issued a call to action to bolster defenses against several emerging critical threats, such as deepfakes and prompt injections.”

From the ransomware front,

• Industrial Cyber reports,
  • “Microsoft Threat Intelligence detailed a growing RaaS (ransomware-as-a-service) operation known as The Gentlemen, tracked by Microsoft as Storm-2697, warning that the threat combines strong file encryption with aggressive self-propagation capabilities that can compromise entire enterprise networks. The analysis disclosed that the Go-based ransomware uses per-file ephemeral key encryption built on Curve25519 and XChaCha20, while simultaneously leveraging multiple lateral movement techniques to spread across connected systems, significantly increasing the speed and impact of attacks once initial access is obtained. 
  • “Researchers mentioned that The Gentlemen emerged in mid-2025 before evolving into a RaaS platform that recruits affiliates to conduct attacks at scale. The company noted that the malware’s self-propagation module enables broad network compromise, making it more dangerous than conventional ransomware focused solely on file encryption. The operation has been linked to widespread attacks across multiple sectors and regions, with threat actors using the ransomware alongside data theft and extortion tactics to maximize pressure on victims. 
  • “In addition to using per-file ephemeral Curve25519 keys with XChaCha20 stream cipher, The Gentlemen ransomware attempts to spread across an environment using a series of simultaneous, distinct lateral movement methods, increasing likelihood of widespread impact once initial access is achieved. Microsoft has observed The Gentlemen ransomware impacting organizations across education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.”

• Bleeping Computer relates,
  • “A threat actor is using an AI-built ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and response (EDR) solutions.
  • “Tool and payload development was assisted by Cursor and Claude Opus agents in various stages, including initial coding, analysis, and revisioning. Additionally, some agents were tasked with checking security research posts for various bypass techniques.
  • “Some of the malware created this way was tested in virtual environments against EDR tools from Sophos, CrowdStrike, and Microsoft.
  • “Despite the malware research and development orchestrated using AI technology, the researchers note that the workflow is entirely human-driven.”
    
• Cybersecurity Insiders informs us,
  • “The traditional pattern of ransomware attacks appears to be changing, according to a recent analysis published by Ransomnews. For years, cybersecurity experts observed that many ransomware groups preferred launching attacks during weekends, particularly on Fridays and Sundays, when organizations often operated with reduced staffing levels.
  • “However, new data suggests that cybercriminals have shifted their tactics and are now focusing more heavily on weekdays, especially between Monday and Friday.
  • “The research indicates that ransomware incidents are increasingly occurring during standard European business hours rather than late at night or during weekends. This marks a significant departure from previous attack strategies, which were designed to exploit periods when IT teams and security personnel were less likely to be available to respond quickly.
  • “According to the findings, Sunday has become the least active day for ransomware-related activity. In contrast, October stands out as the busiest month of the year, recording the highest number of ransomware attacks. While the reasons behind the October surge are not entirely clear, experts believe that threat actors may take advantage of increased business activity during the final quarter of the year, when organizations are often focused on meeting annual targets and may have less time to dedicate to cybersecurity preparedness.”

From the cybersecurity business and defenses front,

• Cybersecurity Dive reports,
  • “CrowdStrike reported better-than-expected earnings during the fiscal first quarter, as accelerating demand for AI is pushing more enterprises to focus on tighter cybersecurity controls. 
  • “CrowdStrike CEO George Kurtz said demand for AI and the introduction of Anthropic’s Mythos created an inflection point that demonstrated to the market that cybersecurity is an essential part of the AI ecosystem. 
  • “AI has now directly entered the world of cybersecurity across two dimensions,” Kurtz said during the company earnings call Wednesday. “First, you need cybersecurity to secure AI itself. Deploying AI across the enterprise is simply too risky without cybersecurity from the start.” * * *
  • The company said revenue increased 26%, to $1.39 billion, during the fiscal first quarter ended April 30, compared with year-ago revenue of $1.1 billion. * * *
  • “On Tuesday, CrowdStrike rival Palo Alto Networks reported a 31% increase in revenue, to $3 billion, during the company’s fiscal third quarter. 
  • “These results are materializing as AI fundamentally redefines the enterprise tech stack, elevating cybersecurity to a mission-critical priority for every organization,” Nikesh Arora, chairman and CEO of Palo Alto Networks, said during his company conference call on Tuesday.”

• Dark Reading points out “Cyber Insurance Rates Are Dropping, but Exclusions Widen.”
  • “Cyber insurance coverage is slowly changing, and some policies may not provide coverage for social engineering attacks like ClickFix.”

• Tech Target calls attention to “Lost in translation: Cybersecurity board reporting for CISOs.”
  • “Cybersecurity board reports don’t always land. At the Security and Risk Management Summit 2026, Gartner analysts suggested a novel way to communicate cyber-risk to corporate directors.”

• A Cybersecurity Dive commentator delves into “Turning tension into collaboration: How CIOs and CISOs can lead together.”
  • If properly managed and channeled, age-old friction between IT and cybersecurity can create a more resilient organization.

• Here is a link to Dark Reading’s CISO Corner.

From the Iranian war front,

• Cybersecurity Dive reports,
  • “A threat group linked to Iranian intelligence has been running a months-long false-flag operation to hack organizations in the U.S. and other countries under the guise of a criminal ransomware group, according to a report released Wednesday [May 6] by researchers at Rapid7. 
  • “The state-sponsored threat group, tracked as MuddyWater, operated a social engineering campaign beginning in early 2026 that abused Microsoft Teams to harvest credentials and bypass multifactor authentication. 
  • “The attacks were made to look as if they were the work of Chaos, a ransomware-as-a-service group that has been active since 2025. Researchers said the false flag creates ambiguity that could affect how security teams investigate an intrusion. 
  • “If an operation looks like ransomware, defenders may initially treat it as financially motivated cybercrime rather than a state-linked operation,” Christiaan Beek, vice president of cyber intelligence at Rapid7, told Cybersecurity Dive. “That can slow attribution, complicate response, and give the actor plausible deniability.”

From the cybersecurity policy and law enforcement front,

• Dark Reading reports,
  • “It’s been a brutal 16 months since the Cybersecurity and Infrastructure Security Agency (CISA) has had a Senate-confirmed director. Now, a new name has bubbled up as a possible pick to take over the beleaguered agency: Tom Parker, a low-key, British-born cybersecurity expert known for business savvy, technical expertise, and decades of focus on the delicate economics of cybercrime and cyber defense. 
  • “Reports say that although he has not yet been officially nominated, Parker is a contender to get the nod from new Department of Homeland Security Secretary, Markwayne Mullin. A request for comment from Dark Reading to DHS was referred to the White House, which has not yet responded. 
  • “Parker however tells Dark Reading that despite recent reporting, he has not had any “direct engagement” with the administration on taking on the role, but would welcome the conversation.” 
    
• Federal News Network adds,
  • “The Office of Management and Budget (OMB) picked a long-time federal technology manager to take over as the deputy federal CIO. Thomas Flagg is set to assume that role. Federal News Network has learned that Federal CIO Greg Barbaccia made the announcement to agency CIOs yesterday. Flagg, who is the Education Department CIO, will replace Drew Mykelgard, who left in September to join the private sector after three-plus years in the role. Barbaccia wrote in his email that Flagg stood out among a large number of candidates because of the depth and seriousness of his experience across multiple technology leadership roles. Flagg also worked at the Labor Department for 11 years before moving to Education in 2025. 

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) wants to help critical infrastructure operators keep their systems running during a major cyberattack or other serious incident.
  • “CISA on Tuesday [May 5, 2026,] released guidance as part of an international “CI Fortify” initiative focused on activities that infrastructure operators can take to isolate the effects of a cyber intrusion and recover from them.
  • “In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering—at a minimum—crucial services,” acting CISA Director Nick Andersen said in a statement. “They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.
  • “The new guidance, modeled on advice that the Australian government published in 2025, comes as intelligence agencies warn that China might sabotage Western critical infrastructure to keep the U.S. and its allies from interfering with Beijing’s long-rumored invasion of Taiwan. China’s Volt Typhoon hacking campaign indicated that Beijing had already begun laying the groundwork for such disruption, prompting U.S. officials to step up warnings about the dangers of interdependencies in operational technology.”
• and
  • “The U.S. government’s AI security center will evaluate frontier models from Google, Microsoft and xAI before their release to determine whether the models’ advanced capabilities pose cybersecurity risks.
  • “The newly announced plan for the National Institute of Standards and Technology’s (NIST) Center for AI Standards and Innovation (CAISI) to conduct “pre-deployment evaluations” represents the U.S. government’s most significant attempt yet to get ahead of security threats from powerful AI systems.
  • “Independent, rigorous measurement science is essential to understanding frontier AI and its national security implications,” CAISI Director Chris Fall said in a statement. “These expanded industry collaborations help us scale our work in the public interest at a critical moment.”
    
• The Wall Street Journal adds,
  • “The White House is weighing a new government-review process for artificial-intelligence tools that the government deems to pose cybersecurity risks, a move that could further expand its oversight of AI in response to Anthropic’s powerful Mythos model.
  • “The White House is considering a cybersecurity-focused executive order that could include formalizing a government oversight group to create standards for the most powerful AI models, such as Mythos, people familiar with the discussions said. The goal is to protect consumers and businesses from cyberattacks and other disruptions caused by the premature release of such models, and a range of ideas are being considered, the people said. 
  • ‘The internal conversations show how Mythos has forced the Trump administration to recalibrate aspects of its laissez-faire approach to AI oversight. The administration has unwound Biden administration efforts to implement safety standards and attacked states trying to impose regulations, hoping to ease constraints tech companies face in rolling out new models.” 

• Cyberscoop notes,
  • “The Cybersecurity and Infrastructure Security Agency has gotten “by far” the biggest gains from artificial intelligence automation in its security operations unit to help analysts sift through threats, but it’s also proven valuable elsewhere within the agency, CISA officials said Tuesday.
  • “It’s “really allowing those analysts to do triage very fast, so they focus on what matters versus the noise,” Tammy Barbour, acting chief of application management at CISA, said. “They’re able to do a lot of real-time, quick looks before events happen in most places.”
  • “Barbour, speaking at the UiPath FUSION Public Sector event hosted by Scoop News Group, said automation has also been a boon to CISA’s Technology Operations Center.
  • “The top analysts are able to quickly respond to customers who are reaching out to talk and asking questions, and be able to get real-time efficiencies with that,” she said.”

• Security Week tells us,
  • “A Latvian member of the Karakurt ransomware gang was sentenced to 8.5 years in prison in the US for his involvement in extorting victims.
  • “The individual, Deniss Zolotarjovs, 35, of Latvia, was arrested in Georgia in December 2023 and extradited to the US in August 2024. He pleaded guilty in July 2025.
  • “Associated with the infamous Conti group and also known as TommyLeaks, Schoolboys Ransomware Gang, and Blockbit, Karakurt was one of the most notorious ransomware groups half a decade ago.”

• Cyberscoop informs us,
  • “Two U.S. nationals were sentenced to 18 months in prison for running laptop farms that facilitated North Korea’s expansive remote IT workers scheme, the Justice Department said Wednesday.
  • “Matthew Issac Knoot and Erick Ntekereze Prince both received and hosted laptops at their residences to dupe U.S. companies into thinking remote IT workers they hired were located in the country. The pair’s separate schemes impacted almost 70 U.S. companies and generated a combined $1.2 million in revenue for the North Korean regime.”

• Bleeping Computer adds,
  • “A 34-year-old Virginia man was found guilty of conspiring to destroy dozens of government databases after getting fired from his job as a federal contractor.
  • “In 2016, Sohaib Akhter and his twin brother and co-defendant Muneeb Akhter were also sentenced to several years in prison after pleading guilty to accessing U.S. State Department systems without authorization and stealing the personal information of dozens of co-workers and a federal law enforcement agent who was investigating their crimes.
  • After serving their sentences, the two brothers were rehired as government contractors by a company that worked with more than 45 federal agencies and hosted government data on servers in Ashburn.
  • “When the company discovered Sohaib Akhter’s felony conviction, it terminated both brothers’ employment during an online remote meeting on Feb. 18, 2025,” the Justice Department said. “Immediately after being fired during this meeting, the brothers sought to harm their employer and its U.S. government customers by accessing computers without authorization, write-protecting databases, deleting databases, and destroying evidence of their unlawful activities.”

From the cybersecurity breaches and vulnerabilities front,

• Cyberscoop reports,
  • “A defense technology company with Department of Defense contracts exposed user records and military training materials through API endpoints that lacked meaningful authorization checks, according to an account published by Strix, an open-source autonomous security testing project.
  • “The issue affected Schemata, an AI-powered virtual training platform used in military and defense settings. According to Strix, an ordinary low-privilege account was able to access data across multiple tenants, including user listings, organization records, course information, training metadata and direct links to documents hosted on the Schemata’s Amazon Web Services instances.”

• CISA added three known exploited vulnerabilities (KVES) to its catalog this week.
  • May 6, 2026
    • CVE-2026-0300 Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
      • Cybersecurity Dive discusses this KVE here.
  • May 7, 2026
    • CVE-2026-6973 Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability 
      • Cyberscoop discusses this KVE here.
  • May 8, 2026
    • CVE-2026-42208 BerriAI LiteLLM SQL Injection Vulnerability
      • RedPacket Security discusses this KVE here.

• SC Media points out,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) is reportedly considering shortening remediation deadlines for vulnerabilities added to the Known Exploited Vulnerabilities catalog, according to Reuters.
  • “Citing two sources familiar with the matter, Reuters reported Friday [May 1, 2026] that CISA Acting Director Nick Anderson and U.S. National Cyber Director Sean Cairncross were discussing proposals to cut KEV deadlines for federal civilian executive branch agencies from an average of two to three weeks to just three days.
  • The discussion was reportedly spurred by the emergence of advanced AI tools such as Anthropic’s Claude Mythos and OpenAI’s GPT-5.4-Cyber that have the potential to identify and exploit flaws at unprecedented speed.
  • A CISA spokesperson declined to comment on whether such discussions were taking place or whether a decision had been made.

• Security Week lets us know,
  • “Microsoft has warned organizations in the United States about a sophisticated phishing campaign that uses a “code of conduct review” theme to lure victims to a malicious website.
  • “The tech giant observed more than 35,000 attempts between April 14 and 16. The malicious emails were received by users across roughly 13,000 organizations in 26 countries, but 92% of the targets were in the US. 
  • “Many of the messages were received by users in the healthcare and life sciences, financial services, professional services, and technology and software sectors.” * * *
  • “Enterprises at risk of being targeted in this and similar phishing campaigns have been provided with recommendations for mitigating attacks, as well as threat-hunting queries and indicators of compromise (IoCs).”
    
• Cybersecurity Dive relates,
  • “Hackers could exploit vulnerabilities in Progress Software’s MOVEit Automation tool to improperly access businesses’ data, the software maker said in a recent advisory.
  • “Exploitation of the two flaws — an authentication-bypass vulnerability tracked as CVE-2026-4670 and a privilege-escalation vulnerability tracked as CVE-2026-5174 — could “lead to unauthorized access, administrative control, and data exposure,” according to Progress Software’s advisory.
  • “The newly patched flaws represent serious security weaknesses in a widely used managed-file-transfer program that helps organizations transfer data between self-hosted servers, cloud platforms and third-party vendors.
  • “Progress Software urged customers to upgrade to the latest version of the software, which fixes both vulnerabilities.”

• Per Dark Reading,
  • “Researchers have spotted a modular cloud worm that will clear you of any infections by the dangerous supply chain attacker “TeamPCP,” free of charge. The catch: It wants your secrets.
  • “SentinelLabs named the program “PCPJack” in a new blog post,and described it as “well developed” — effective, with a few inexplicable but superficial oddities. Affected organizations stand to lose secrets associated with their cloud, container, developer, productivity, and financial services, unless they implement cloud security best practices, concealing passwords and keys behind vaults and multifactor checks.”

• Per Bleeping Computer,
  • “A fake version for the Claude AI website offers a malicious Claude-Pro Relay download that pushes a previously undocumented backdoor for Windows named Beagle.
  • “The threat actor advertises Claude-Pro as a “high-performance relay service designed specifically for Claude-Code” developers.
  • “The fake website is a simplistic attempt at mimicking the legitimate site for the popular Claude large language model (LLM) and an AI assistant, using similar colors and fonts.
  • “However, the facade falls apart when it comes to links, as they are mere redirects to the front page, researchers at cybersecurity company Sophos say in a report today.”

From the ransomware front,

• Edscoop reports,
  • “ShinyHunters, the prolific criminal hacker and extortion group, on Thursday [May 7, 2026] provided additional details about its recent breach of Canvas, the learning management system developed by Instructure, with hopes of coaxing payments from some of the nearly 9,000 educational institutions it claims are affected.
  • “After announcing on May 1 that it had exfiltrated several terabytes of data containing the personal information of 275 million users, it announced a deadline of Thursday [May 7] before “everything is leaked and there will be no chance at a negociation for anyone. Instructure has not even bothered speaking to us to understand the situation or to even negociate with us to prevent the release of this data. Our demand was not even as high as you might think it is.”
  • “On Thursday, the group presented to Canvas users a second message and extended the deadline for payment until May 12. “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’,” the note reads. The group advised affected schools to consult security professionals and use the Tox messaging protocol to negotiate a “settlement.”
  • “The attached list of affected institutions includes many school districts, along with well-known universities, including Cambridge, Columbia, Cornell, Georgetown, Harvard, MIT and UC Berkeley.”

• The Wall Street Journal adds on May 8, 2026,
  • Canvas, one of the most widely used education apps, said it had restored services after pulling the plug in the middle of finals week at many colleges to deal with a cybersecurity incident.
  • From Berkeley to Harvard, students at thousands of colleges and high schools temporarily lost access to their coursework on Thursday afternoon after a hacking group posted a ransom note on the platform.  
  • The company behind Canvas, Instructure Inc., said the intruders had accessed some customer data, including names, email addresses and student ID numbers, as well as messages between Canvas users. The company said it hasn’t found that passwords or financial information were involved. The investigation is ongoing and it has notified the Federal Bureau of Investigation.
  • “We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts,” the company said on its website. “As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts.” 

• Security Week relates,
  • “The RansomHouse ransomware group has taken credit for the recent attack on the cybersecurity firm Trellix.
  • “The Trellix hack came to light this week when the company announced on its website that part of its source code repository had been breached.
  • “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited,” the company stated.
  • “No other information has been shared by Trellix, but it has promised to release additional details after it completes its investigation.”

• Industrial Cyber tells us,
  • “New data from BlackFog shows ransomware activity remaining structurally elevated, with attacks continuing to operate at high volume while expanding their data-centric focus across both disclosed and undisclosed incidents. The analysis highlights that threat actors are increasingly prioritising data theft and extortion over traditional encryption-only disruption, reflecting a broader shift in how ransomware operations monetise compromise. It also underscores that incidents continue to span multiple sectors and geographies, reinforcing that ransomware is no longer episodic but persistent, industrialised, and embedded across the global threat landscape.
  • “A total of 264 publicly disclosed ransomware attacks were recorded, representing a 15% decrease compared to the same period the previous year, BlackFog disclosed in its ‘Q1 2026 Ransomware Report.’ Despite this decline, activity remained steady throughout the first quarter, with 91 attacks in January, 83 in February, and 90 in March. Healthcare remained the most targeted sector, accounting for 72 attacks (27%), reflecting the continued focus on organizations with sensitive data and limited tolerance for operational disruption. Government entities experienced 32 attacks (12%), while the technology sector followed with 28 attacks (11%).” 

From the cybersecurity business and defenses front,

• The Wall Street Journal reports,
  • “OpenAI said it was previewing a powerful artificial-intelligence model capable of finding software vulnerabilities for a limited group of partners, adding to an industry race to give customers the most advanced cyber capabilities.
  • “The ChatGPT maker said it was releasing GPT-5.5-Cyber, a version of its most capable AI model, to a limited group of users that do vital security work. Other versions of GPT-5.5 are available to customers that do broader cyber work or general queries.
  • “The announcement followed consultation with the White House, which is working with top AI companies on the release of models that present national-security risks. Federal agencies and congressional committees have also been briefed on the latest capabilities.
  • “OpenAI Chief Executive Sam Altman said last week that the company was beginning to roll out the model to trusted cyber partners.”

• Security Boulevard assesses Anthropic’s Project Glasswing.

• Security Week relates,
  • “Cisco on Monday announced its intent to acquire Astrix Security, a startup focused on securing non-human identities (NHIs) such as API keys, service accounts, and OAuth tokens increasingly used by applications and AI agents.
  • “In a blog post, Cisco said the acquisition is aimed at extending zero trust principles to the emerging “agentic workforce,” where AI agents and machine identities are rapidly expanding the enterprise attack surface. Astrix’s technology is designed to help organizations discover, govern, and secure these identities, including detecting excessive privileges and real-time threats. 
  • “Astrix provides visibility into non-human identities and the activity of AI-driven agents, along with lifecycle management and automated detection and remediation of over-privileged, unnecessary, or malicious access — including compromised credentials and rogue agent behavior. Cisco plans to integrate these capabilities into its broader security platform, including identity intelligence, secure access, and Duo IAM.”

• Cybersecurity Dive tells us,
  • “Businesses are confident that AI will improve their cybersecurity posture, even as they neglect more fundamental security tools like identity management and zero-trust networking, according to a “State of Workforce Password Security” report that the business software provider Zoho published on Tuesday.
  • “AI confidence also doesn’t match implementation readiness, the report found, with a massive gap between the share of companies expecting AI to help them with security and the share of companies ready to act on that potential.
  • “The report also contains data on the share of companies that experienced recent cyberattacks and the business world’s security spending plans.”

• Tech Target identifies “top zero-trust use cases in the enterprise.”
  • “When applied correctly, zero trust can minimize an organization’s attack surface. Experts weigh in on the best use cases where zero trust can deliver results.”

• The National Institute of Standards and Technology released this week
  • “NIST Special Publication (SP) 800-234, High-Performance Computing (HPC) Security Overlay, is now available.” and
  • “The final version of NIST Special Publication (SP) 800-70r5 (Revision 5), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available.”

• Here is a link to Dark Reading’s CISO Corner.

From the Iranian war front,

• Cybersecurity Dive reports on April 23,
  • “Iran, long considered a steady and persistent cyber threat to the U.S., has raised its game in the months since the two nations went to war in February. 
  • “Iranian-backed cyber threat groups, which range from state-sponsored actors to pro-Iranian hacktivists and financially motivated hackers, appear to have evolved some of their motivations and capabilities in cyber, according to analysts and security researchers. 
  • “What we are seeing are attacks that are aiming to have a more destructive effect,” Annie Fixler, director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies told Cybersecurity Dive. 
  • Specifically, Iran-linked actors have increased the use of data wiping malware in recent attacks against Israel and demonstrated greater capability to evade detection, according to researchers at Palo Alto Networks. 
  • “In another alarming development, Darktrace last week published an analysis of a malware strain called ZionSiphon, to potentially tamper with chlorine levels and pressure controls in Israeli water facilities. The malware was embedded with pro-Iran and Palestinian messaging for additional psychological impact.”
    
• Federal News Network commentator shares “what federal leaders need to know about Iran’s cyber campaign.”
  • “To understand the cyber implications of this conflict, federal leaders need to understand how Iran uses cyber as a strategic instrument.”

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “Sean Plankey, the long-sidelined nominee to lead the Cybersecurity and Infrastructure Security Agency, asked President Donald Trump on Wednesday to withdraw his nomination.
  • “At this point in time, I am asking the President to remove my nomination from consideration,” he said in a notification letter seen by CyberScoop. “After thirteen months since my initial nomination, it has become clear that the Senate will not confirm me.”
  • “Plankey’s request comes weeks after the Senate confirmed MarkWayne Mullin to lead the Department of Homeland Security, CISA’s parent agency.”
• and
  • “House Republicans unveiled on Wednesday Congress’ latest effort to tackle comprehensive digital privacy legislation for Americans.
  • “The Secure Data Act would allow consumers to opt out of data collection for individual businesses for the purposes of targeted advertising, selling to third parties or for use in automated decisionmaking.
  • “It would also require companies to inform consumers when their personal data is being collected or used, provide them with a portable version of that data, and give consent rights to parents over the data collection of teenagers.”

• Per a NIST news release,
  • “The National Institute of Standards and Technology (NIST), in collaboration with the Department of Health and Human Services Office for Civil Rights (HHS OCR), announced the Safeguarding Health Information: Building Assurance through the Health Insurance Portability and Accountability Act (HIPAA) Security 2026 conference, scheduled for September 2–3, 2026, at the NIST campus in Gaithersburg, Maryland. The event will examine the current healthcare cybersecurity landscape and the HIPPA Security Rule, which establishes federal standards to protect the confidentiality, integrity, and availability of electronic protected health information. The conference will highlight practical strategies, tips, and techniques for implementing the HIPAA Security Rule, including required administrative, physical, and technical safeguards for covered entities and their business associates. Sessions will address best practices for managing risks to electronic health information and ensuring technical assurance, along with topics such as cybersecurity risk management, current threats to the healthcare community, and cybersecurity considerations for Internet of Things technologies in healthcare environments. The event will be offered in both in-person and virtual formats, with separate registration fees and timelines for each option. For additional details, visit the Safeguarding Health Information: Building Assurance through HIPAA Security 2026 event page.”
     
• Per an April 23, 2026, HHS news release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced settlements with four regulated entities following separate ransomware investigations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Ransomware is malicious software that blocks access to data—typically by encrypting it with a key known only to the attacker—until a ransom is paid. The resolutions announced mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR’s Risk Analysis Initiative.” * * *
  • “The settlements follow investigations into separate ransomware breaches that collectively affected over 427,000 individuals and involved the exposure of unsecured ePHI. The types of ePHI affected include demographic data, Social Security numbers (SSNs), financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities have agreed to implement corrective action plans subject to OCR monitoring for two years and paid a total of $1,165,000 to OCR.”

• Per an April 20, 2026, Justice Department news release,
  • “A Florida man, formerly employed as a ransomware negotiator, pleaded guilty to conspiring to commit ransomware attacks against U.S. companies in 2023.
  • “According to court documents, Angelo Martino, 41, of Land O’Lakes, Florida, collaborated with the operators of the Blackcat/ALPHV (“BlackCat”) ransomware variant used by cybercriminals to attack and extort institutions and companies. Beginning in April 2023, Martino abused his role at a U.S.-based cyber incident response company to assist BlackCat actors. Working as a negotiator on behalf of five different ransomware victims, Martino provided BlackCat attackers with confidential information about the negotiating position and strategy of his company’s clients without the clients’ or his employer’s knowledge or permission. This confidential information assisted the ransomware actors and maximized the ransoms that the victims were required to pay. The confidential information included the victims’ insurance policy limits and internal negotiation positions. The BlackCat actors paid Martino for this confidential information.” * * *
  • “To date, law enforcement has seized $10 million of assets from Martino, including digital currency, vehicles, a food truck, and a luxury fishing boat that Martino obtained using proceeds of the offense or acquired as a result of the offense.”
    
• Cyberscoop adds,
  • “A core leader of the hacker subset of The Com responsible for a series of high-profile phishing attacks and cryptocurrency thefts from September 2021 to April 2023 pleaded guilty to federal charges, the Justice Department said Friday. 
  • “Tyler Robert Buchanan of Dundee, Scotland, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. The 24-year-old was arrested by Spanish police in Palma in 2024 as he attempted to board a charter flight to Naples, Italy. 
  • “Buchanan has been in federal custody since April 2025 and faces up to 22 years in federal prison at his sentencing, which is scheduled for August 21. 
  • “The British national and his co-conspirators, including Noah Michael Urban, who was sentenced to a 10-year federal prison sentence last year, harvested thousands of credentials via phishing and stole more than $8 million in cryptocurrency from U.S. residents via SIM-swapping attacks.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency on Monday [April 20] released guidance related to the axios supply chain compromise originally disclosed in late March. 
  • “A suspected North Korean actor compromised the node package manager account for an axios maintainer last month. Axios is a Javascript library used widely across the software industry with millions of downloads per week. 
  • “CISA is urging security teams to monitor and review code depositories as well as continuous integration/continuous delivery pipelines that ran npm install or npm update on the compromised axios version, according to the guidance released Monday. 
  • “Security teams should search for cached versions of the affected dependencies in artifact repositories along with dependency management tools, according to the guidance. 
  • “If compromised dependencies are found during the search, organizations should revert the environment back to a known safe state, CISA said.” 
• and
  • “Vercel, a cloud development platform, said that some of its internal systems were accessed after a third-party tool called Context.ai was compromised while being used by one of Vercel’s employees, according to a blog post released Sunday [April 20].
  • “Vercel is widely known as the creator of Next.js, which is the open-source framework for React. 
  • “The attacker was able to take over the employee’s Vercel Google Workspace account and access certain company “environments and environment variables” that were not designated as “sensitive.”
  • “Vercel said that a limited number of customers had their credentials compromised during the attack, and that they have been notified. They were urged to immediately rotate credentials. 
  • “The company said it believes the attacker is highly sophisticated, based on an assessment of their “operational velocity and detailed understanding of Vercel’s systems.”
• and
  • “Hackers working for the Chinese government are increasingly hiding their attacks behind ready-made networks of hacked routers and other networking equipment, the U.S. and several allies said on Thursday [April 23].
  • “Attackers’ use of these so-called covert networks is not new, the agencies said in a joint advisory, “but China-nexus cyber actors are now using them strategically, and at scale.”
  • “By funneling their activity through compromised networking equipment — mostly small office and home office (SOHO) routers, but also internet of things devices — hackers can obfuscate their origins and make it harder for defenders to spot reconnaissance, malware deployment and data exfiltration.”

• Cyberscoop adds,
  • “A state-sponsored hacking group has implanted a custom backdoor on Cisco network security devices that can survive firmware updates and standard reboots, U.S. and British cybersecurity authorities disclosed Thursday, marking a significant escalation in a campaign that has targeted government and critical infrastructure networks since at least late 2025.
  • “The Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre jointly published a malware analysis report identifying the backdoor, code-named Firestarter. Cisco’s threat intelligence division, Talos, attributed the malware to a threat actor it tracks as UAT-4356. The company attributed the same group to a 2024 espionage campaign called ArcaneDoor, which focused on compromising network perimeter devices.
  • “CISA confirmed it discovered Firestarter on a U.S. federal civilian agency’s Cisco Firepower device after identifying suspicious connections through continuous network monitoring. The finding prompted an updated emergency directive issued Thursday, requiring all federal civilian agencies to audit their Cisco firewall infrastructure and submit device memory snapshots for analysis by Friday.”

• CISA added fourteen known exploited vulnerabilities (KVEs) to its catalog this week.
  • April 20, 2026
    • CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability
    • CVE-2024-27199 JetBrains TeamCity Relative Path Traversal Vulnerability
    • CVE-2025-2749 Kentico Xperience Path Traversal Vulnerability
    • CVE-2025-32975 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
    • CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
    • CVE-2026-20122 Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
    • CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
    • CVE-2026-20133 Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability
      • The Cybersecurity Express discusses these KVEs here.
      • Cybersecurity Dive discusses the Cisco KVEs here.
  • April 22, 2026
    • CVE-2026-33825 Microsoft Defender Insufficient Granularity of Access Control Vulnerability
      • Bleeping Computer discusses this KVE here.
  • April 23, 2026
    • CVE-2026-39987 Marimo Remote Code Execution Vulnerability
      • Resecurity discusses this KVE here.
  • April 24, 2026
    • CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal Vulnerability
    • CVE-2024-57726 SimpleHelp Missing Authorization Vulnerability
    • CVE-2024-57728 SimpleHelp Path Traversal Vulnerability
    • CVE-2025-29635 D-Link DIR-823X Command Injection Vulnerability 
      • The Hackers News discusses these KVEs here.

• Cybersecurity Dive informs us,
  • “Phishing was the most common way hackers breached their targets in the first quarter of 2026, after nearly a year out of the top spot, Cisco’s Talos threat intelligence team said in a report published on Wednesday.
  • “Nearly 20% of Cisco’s incident-response engagements involved the preliminary stages of a ransomware attack, according to the report — significantly lower than in the first two quarters of 2025, when it was 50%.
  • “Cisco also said it saw hackers using AI to improve phishing attacks.”
• and
  • “Companies using AI to write code are creating serious security risks that not all organizations feel prepared to handle, according to a reportreleased Wednesday by the security testing firm ProjectDiscovery. 
  • “Security personnel want audit trails and access limitations before they integrate AI into their processes, ProjectDiscovery found. “They are not opposed to the technology, but they need it to earn its place.”
  • “The report highlights one of the most fraught aspects of the AI revolution in the corporate world: the tension between AI-assisted coders and the people responsible for protecting their work.”

• Dark Reading points out,
  • “AI agents can now carry out end-to-end cloud attacks with minimal human guidance, exploiting known misconfigurations and vulnerabilities at a speed no human attacker can match. 
  • “That’s the central finding of a new proof-of-concept (PoC) study by Palo Alto Networks’ Unit 42, where researchers built an autonomous multi-agent system that carried out a complete cloud attack chain in a live environment, using a single natural-language prompt.
  • “The study suggests an intrusion campaign that Anthropic uncovered last year, when a Chinese state-affiliated cyber-espionage group used the company’s Claude AI to automate large portions of an attack chain, was more a preview of things to come rather than an exception.”

• Cyberscoop notes,
  • “Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.
  • “Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release. 
  • “Roughly half of every activity surge GreyNoise detected during a 103-day study last winter was followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.
  • “Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.”

From the ransomware front,

• Bleeping Computer reports,
  • “Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.
  • “In a statement shared today, the company said it detected unauthorized access to customer and prospective customer data on April 20, after which it terminated the intrusion and launched an investigation.
  • “This investigation determined that personal information was stolen during the breach.”
  • “The investigation confirmed that the information involved was limited to names, phone numbers, and addresses,” ADT told BleepingComputer.
  • “In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included. Critically, no payment information — including bank accounts or credit cards — was accessed, and customer security systems were not affected or compromised in any way.”
• and
  • “Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently.
  • “The utility was emplayed in attacks in March that were attributed to a gang affiliate, likely in an effort to avoid publicly available tools, such as Rclone and MegaSync, that typically trigger security solutions.
  • “Researchers at cybersecurity company Symantec believe that the shift to a custom tool may indicate that the attacker is “investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks.”
• and
  • “A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.
  • “Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers.
  • “The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces,” explains Rapid7.”

• Dark Reading relates,
  • “A ransomware gang known as “The Gentlemen” has made a name for itself, claiming hundreds of victims in a matter of months.
  • “The Gentlemen is a ransomware-as-a-service (RaaS) outfit that first popped up in mid-2025. While it operates fairly typical double extortion attacks (using both encryption and data leaking as extortion levers), The Gentlemen is known for sophisticated tactics, techniques, and procedures (TTPs), such as antivirus killers and complex infection chains.
  • “Check Point Research this week published its latest findings concerning the gang, noting that it has claimed hundreds of victims and uses malware including something called SystemBC, which researchers described as “a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.”

From the cybersecurity defenses front,

• TechTarget discusses,
  • “Beyond awareness: Human risk management metrics for CISOs
  • “Traditional security training isn’t keeping threat actors out. As employee awareness programs fall short, Forrester Research suggests a better approach.” * * *
  • “With cybersecurity threats evolving so swiftly, organizations cannot afford to rely on outdated security awareness programs that fail to address the root causes of human vulnerabilities. Human risk management offers a transformative approach, shifting the focus from mere awareness to actionable behavior change.”

• Dark Reading points out,
  • “When Anthropic announced Project Glasswing this month, most coverage landed on the headline numbers: a 27-year-old OpenBSD vulnerability, a 16-year-old FFmpeg flaw, a Linux kernel exploit chain assembled without human steering. The coalition behind it, including AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, Palo Alto Networks, and others, isn’t there for the optics; they’re there because the model’s capabilities are real, and the coordinated disclosure pipeline matters.
  • “The part worth dwelling on is the FFmpeg result specifically. At least five million automated fuzzer testing passes hit that vulnerable line of code and not one caught it. Mythos Preview read the code, understood what it was doing, and found the flaw.
  • That gap highlights a fundamental security misconception of the past two decades.
  • The industry built enumerators. It needed readers.
  • Automated security tooling has almost always worked the same way at its core: define a pattern, scan to identify the pattern, flag the match. SIEMs ingest event logs and match rules. Static analysis tools check code against known signatures. Vulnerability scanners compare software versions against CVE databases, and so on. These are mostly based on enumeration, and enumeration can only find what you already know to look for.
  • “Five million passes with the industry standard tools, zero catches. These tools knew how to count. But they didn’t know how to read.
  • “Mythos Preview succeeded because it approached the code the way a skilled human analyst would: with an understanding of intent, of relationships between components, of what a sequence of operations does, rather than what it superficially looks like. Security at that depth has been the exclusive domain of rare, expensive human expertise. A model that replicates it at scale is genuinely a different kind of thing, and the industry is right to pay attention.”
    
• Here is a link to Dark Reading’s CISO Corner.

From the Iranian war front,

• The New York Times reports on April 16,
  • “The exchange of bombs and missiles in the Middle East between Iran and its foes has been paused for more than a week now. Iran’s hackers, however, have remained active on the digital battlefield.
  • “Iran has continued its cyberspace operations since the cease-fire with the United States began on April 8, according to Western cybersecurity experts and former U.S. intelligence officials. In doing so, Tehran is trying to keep up pressure on the United States and Israel but also positioning itself to mount a bigger retaliation if peace talks do not resume.” * * *
  • “This is a time, more than ever, we should worry about Iran,” said Evan Peña, a co-founder of the cybersecurity firm Armadin. “In cyberwarfare there isn’t really a cease-fire.”
  • “Mr. Peña said that if the cease-fire or negotiations collapsed, Iran would want to be in a strong position to retaliate, potentially by attacking critical infrastructure in the United States. Tehran has done so in the past but generally with limited impact. More than a decade ago, Iranian hackers targeted a small dam in upstate New York, but by happenstance the dam’s sluice-gate controls had been taken offline for maintenance, much to the relief of U.S. investigators at the time.
  • “Iran, Mr. Peña said, is going to be more aggressive and devote more resources to trying to get access to American companies as the war rages on.” * * *
  • “Josh Zweig, the chief executive of Zip Security, which secures small and midsize enterprises, said Iran was specifically looking for less well-defended targets, like municipal-run water and energy facilities.
  • “He also said small firms that make investment decisions for wealthy individuals and families have been targeted.”

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “National Cyber Director Sean Cairncross expects more executive orders coming from the White House as part of implementing the national cybersecurity strategy, he said Wednesday [April 15].
  • “Staffers on Capitol Hill and others in the cyber world have been awaiting the implementation guidance the Trump administration had proclaimed would come to accompany the strategy  published last month.
  • “Asked at a Semafor event about whether that would include executive orders, Cairncross answered, “I think that that’s the case.”
  • “Cairncross touted American ingenuity for producing an artificial intelligence model like Anthropic’s Claude Mythos, rather than it developing under U.S. cyber rivals like China or Russia. He acknowledged reports about the administration holding meetings about the cyber risks and benefits of something like Mythos — “the model right now that everyone’s talking about” — adding that the administration is looking to balance the dangers and positive capabilities of AI in cyberspace.”
• and
  • “The federal agency tasked with analyzing security vulnerabilities is overwhelmed as it and other authorities struggle to keep pace with a flood of defects that grows every year. The National Institute of Standards and Technology announced Wednesday that it has capitulated to that deluge and narrowed the priorities for its National Vulnerability Database.
  • “NIST said it will only prioritize analysis for CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, software used in the federal government and critical software defined under Executive Order 14028.
  • “The federal agency’s goal with the change is to achieve long-term sustainability and stabilize the NVD program, which has encountered previous challenges, notably a funding lapse in early 2024 that forced NIST to temporarily stop providing key metadata for many vulnerabilities in the database.” * * *
  • “NIST said CVEs that don’t fit its more narrow criteria will still be listed in the NVD, but they won’t be automatically enriched with additional details. 
  • “This will allow us to focus on CVEs with the greatest potential for widespread impact,” the agency said. “While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”

• Dark Reading adds,
  • [C]ybersecurity teams will need to move to make up for the loss of enrichment data, according to Shane Fry, chief technology officer at RunSafe Security. 
  • “Anthropic’s Mythos highlights why NIST is making this move in the first place,” Fry says. “They have already seen a surge in CVE submissions over the past year and have not been able to keep up. Mythos and other tools for AI-assisted vulnerability will only add to the volume of vulnerabilities disclosed. It’s a problem the industry has been aware of for some time.” 
  • “So without the ability to keep up with the sheer volume of CVEs cyber teams need to pivot, Fry adds. 
  • “The way forward will have to emphasize building defenses into software itself to prevent the exploit of bugs and zero-days even before patches are available or the vulnerability is disclosed,” he advises.” 

• Federal News Network tells us,
  • “The [U.S.] Office of Personnel Management announced this week that it will be expanding its Tech Force hiring program to include opportunities for agencies to hire cybersecurity specialists. That’s on top of the program’s existing recruitment efforts for software engineers, data scientists and product managers.
  • “The newly added cybersecurity roles will focus on “protecting critical systems, strengthening federal cybersecurity capabilities and safeguarding the digital infrastructure relied on by millions of Americans,” OPM said in a press release.
  • “The federal government depends on strong cybersecurity to protect critical systems and maintain public trust,” OPM Director Scott Kupor said Monday. “Through Tech Force, we’re recruiting highly skilled cybersecurity professionals to take on real challenges and strengthen the government’s defenses where it matters most.”

• Cyberscoop informs us,
  • “Authorities from 21 countries took down 53 domains and arrested four people allegedly involved in distributed denial-of-service operations used by more than 75,000 cybercriminals, Europol said Thursday. 
  • “The globally coordinated effort dubbed “Operation PowerOFF” disrupted booter services and seized and dismantled infrastructure, including servers and databases, that supported the DDoS-for-hire services, officials said.
  • “Law enforcement agencies obtained data on more than 3 million alleged criminal user accounts from the seized databases, and ultimately sent more than 75,000 emails and letters to participants, warning them to halt their activities.”
• and
  • “Two New Jersey men were sentenced Wednesday for facilitating North Korea’s long-running scheme to plant operatives inside U.S. businesses as employees, generating more than $5 million in illicit revenue for the regime, the Justice Department said. 
  • “The U.S. nationals — Kejia Wang, also known as Tony Wang, and Zhenxing Wang, also known as Danny Wang — were part of a years-long conspiracy that placed operatives in jobs at more than 100 U.S. companies, including many Fortune 500 companies, based in 27 states and the District of Columbia. * * *
  • “Both men previously pleaded guilty to an assortment of crimes. Kejia Wang was sentenced to nine years in prison for conspiracy to commit wire and mail fraud, money laundering and identity theft. Zhenxing Wang was sentenced to 92 months in prison for conspiracy to commit wire and mail fraud and money laundering. 
  • “The pair were also ordered to forfeit a combined $600,000, of which two-thirds has already been paid, officials said.”

From the cybersecurity breaches and vulnerabilities front,

• Health Exec reports,
  • “Healthcare IT infrastructure and electronic health record company CareCloud confirmed in a regulatory filing that it’s suffered a data breach, said to have impacted one of its six patient record stores, with hackers inside its network for “approximately eight hours.”
  • “The “cybersecurity incident” was disclosed in a filing with the U.S. Securities and Exchange Commission, and said the incident occurred on March 16. The company said that, while intruders did access patient medical records, it wasn’t clear if any data was stolen.
  • “An investigation into the data breach is still ongoing, and CareCloud said it’s working with a third-party cybersecurity organization to gather the details. After some downtime, CareCloud said it believes the invasion has been thwarted and that criminals no longer have a way inside its network.
  • “Systems were taken down and restored the same day. Details such as how the cyberattack was conducted and if any ransomware was deployed was not revealed. It’s also not clear if any notable cybercrime syndicate was behind the data breach, nor whether those responsible made any demands. 
  • “The filing with the SEC was released on March 24, and there hasn’t been any real update from the company since.”

• The Cybersecurity and Infrastructure Security Agency added ten known exploited vulnerabilities (KVEs) to its catalog this week.
  • April 13, 2026
    • CVE-2012-1854 Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
    • CVE-2020-9715 Adobe Acrobat Use-After-Free Vulnerability
    • CVE-2023-21529 Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
    • CVE-2023-36424 Microsoft Windows Out-of-Bounds Read Vulnerability
    • CVE-2025-60710 Microsoft Windows Link Following Vulnerability
    • CVE-2026-21643 Fortinet SQL Injection Vulnerability
    • CVE-2026-34621 Adobe Acrobat and Reader Prototype Pollution Vulnerability
      • Security Week discusses these KVEs here.
  • April 14, 2026
    • CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability
    • CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability 
      • Security Week discusses both KVEs here.
      • Cybersecurity Dive discusses the Microsoft SharePoint KVE here.
    • April 16, 2026
      • CVE-2026-34197 Apache ActiveMQ Improper Input Validation Vulnerability
        • Bleeping Computer discusses this KVE here.

• Cybersecurity Dive tells us,
  • “Hackers are attempting to exploit a high-severity flaw found in several end-of-life routers from TP-Link, according to a blog post published Friday [April 17] by Palo Alto Networks’ Unit 42. 
  • “Researchers warn the observed payloads share similarities to those found in malware used in Mirai-like botnets. Such activity would involve attempts to download the malware and execute on vulnerable devices, according to researchers. 
  • “The vulnerability was originally disclosed in June 2023, and proof of concept exploits appeared prior to the disclosure, wrote Unit 42 researchers. 
  • “The Cybersecurity and Infrastructure Security Agency previously added the command injection vulnerability, tracked as CVE-2023-33538, to its Known Exploited Vulnerabilities catalog in July 2025.” 

From the ransomware front,

• The HIPAA Journal reports,
  • Brockton Hospital in Massachusetts is continuing [as of April 15] to grapple with a cybersecurity incident that took many of its electronic systems offline on April 6, 2026, and forced the hospital to divert ambulances to alternate facilities and cancel scheduled cancer treatments. An investigation into the cyberattack is ongoing, and the hospital is working with federal and state officials. While some systems have been brought back online, the hospital is continuing to use its downtime procedures, with staff members working off paper rather than computers. A Signature Healthcare spokesperson told Boston 25 News that the hospital would continue under downtime procedures for the next two weeks. * * *
  • “The Anubis ransomware-as-a-service group claimed responsibility for the attack. Anubis engages in double extortion, stealing data and encrypting files. A ransom must be paid to prevent the release of stolen data and obtain the keys to recover encrypted files. According to SuspectFile, which was contacted by a member of the Anubis group, files were encrypted in the attack. The Anubis spokesperson told SuspectFile that only non-critical systems were encrypted, and 2TB of data was stolen in the attack, including a large volume of patient data.
  • “Anubis is attempting to pressure Signature Healthcare into paying the ransom by adding the hospital to its data leak site, along with a countdown clock when the stolen data will be published. Signature Healthcare has yet to confirm the extent of data theft, which may not be known for some time. The priority continues to be patient care, remediating the attack, and bringing systems back online when it is safe to do so.”

• Govtech relates,
  • “Ransomware continues to pose a serious threat to U.S. critical infrastructure, with more than 2,100 related incidents reported to federal authorities in 2025, according to the latest FBI Internet Crime Complaint Center (IC3) report.
  • “To put that number in perspective, IC3 reported roughly 1,100 data breach threats to critical infrastructure, which includes sectors such as health care, critical manufacturing, financial services, energy and agriculture, among others. Ransomware attacks directed at critical infrastructure are serious, possessing as they do the potential to disrupt operations, expose sensitive data and affect the delivery of public services.
  • “Those incidents have implications for state and local government organizations, which operate or support many of these systems. The nation’s critical infrastructure spans 16 sectors whose disruption would have a debilitating effect on the United States. Of these, the health-care and public health services sector reported the highest number of incidents, the report shows.”

• SC Media adds,
  • “Analysis by Check Point researchers showed that out of the 672 ransomware attacks reported in March 2026, Qilin alone accounted for 20%, followed by Akira, which was responsible for 12% of the attacks, and Dragonforce RaaS, which was responsible for 8% of the incidents, reports Infosecurity News.”
• and
  • “Suspected former Black Basta ransomware affiliates are ramping up targeting of senior-level executives with social-engineering attacks designed to deploy remote monitoring and management (RMM) software, ReliaQuest reported Tuesday.
  • “Black Basta, a previously notorious Russia-linked ransomware-as-a-service (RaaS), became defunct last year following leaked chats exposing its infrastructure and techniques. However, attacks leveraging the group’s distinct tactics, techniques and procedures (TTPs) have continued into 2026, with ReliaQuest noting an accelerating volume and increased targeting of company leadership.
  • “For example, Microsoft Teams-based phishing — a staple of Black Basta’s playbook — is becoming more prevalent, with 56% of all Teams phishing over the last year occurring within the last quarter, and nearly a third happening in March 2026 alone.”
    
• Industrial Cyber notes,
  • “New data from Cyfirma disclosed that ransomware activity in March reflects a continuation of the sector’s shift toward structured, repeatable extortion models, where encryption is paired with data theft to maximize pressure on victims. The findings show that growing fragmentation of extortion groups suggests that smaller or emerging threat actor groups could adopt automation, AI-assisted reconnaissance, and data-driven victim profiling to scale operations efficiently. These campaigns rely heavily on coercive messaging, warning against third-party recovery attempts and reinforcing the risk of permanent data loss, underscoring how psychological pressure remains central to payment conversion strategies. 
  • “At the operational level, ransomware actors in March continue to refine rather than reinvent their tactics, prioritizing efficiency, scalability, and consistency across attacks. Cyfirma assesses that groups are likely to enhance encryption speed, standardize extortion workflows, and expand double extortion practices, while relying on common intrusion vectors such as phishing and exposed services. The broader trajectory points to incremental evolution within a mature ecosystem, where innovation is less about novel techniques and more about optimizing execution and monetization across a globally opportunistic threat landscape.” 

• Security Boulevard informs us,
  • “Double extortion is bad enough—that’s the current tactic favored by ransomware groups—but the emerging quadruple extortion promises to further complicate mitigation and response by targeted organizations, prompting an escalation in extortion payments.  
  • “Yet that’s just one piece of evidence that ransomware continues to evolve despite high-profile takedowns by law enforcement—they just reincarnate or rebrand as new groups, new research by Akamai shows. Of course, the biggest game-changer is GenAI, as RasS operators like Black Basta and FunkSec press LLMs into service to generate code and greatly improve the social engineering techniques that give bad actors a foot in the door and to scale up attacks, opening the door for even less sophisticated actors to execute damaging attacks. 
  • “Ransomware groups continue to seek additional ways to generate profit, such as by pressuring victims and weaponizing compliance,”  researchers at Akamai note in their Ransomware Report 2025. 
  • “Noting that ransomware tactics have moved “away from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods,” Nathaniel Jones, vice president, security and AI strategy and field CISO at Darktrace, says, “rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.” 

From the cybersecurity defenses front,

• The Wall Street Journal reports,
  • “The software bug was capable of crashing an operating system used by firewalls, servers and network appliances. It went undetected for over 27 years.
  • “Last month, it was caught by Mythos, the latest AI model from Anthropic that has spooked the White House, banking executives and cybersecurity professionals around the world.
  • Welcome to the bug armageddon. AI models like Mythos and others are finding bugs in older software at a rate never seen before.
  • “While most of the coding issues may be minor, their sheer volume has amplified the risk that smaller software developers will become overwhelmed with reports of bugs such as the one Mythos found. Thanks to AI, hackers will be able to leverage those bugs more quickly than ever before.
  • “The 1998 bug in the OpenBSD operating system was one of thousands Mythos found last month. Anthropic said last week that it is working with about 50 technology companies and organizations to find and fix bugs and currently has no plans to release Mythos to the general public.
  • “We need to know that we can release it safely, and it’s not exactly clear how we can do that with full confidence,” said Logan Graham, the head of Anthropic’s Frontier Red Team, which evaluates AI for risks.”

• Security Week relates,
  • “To help security teams prepare for this future, the Cloud Security Alliance has developed and published The ‘AI Vulnerability Storm’: Building a ‘Mythos-ready’ Security Program. The report does not provide a solution, but it will help readers understand what is coming, and what they must do in preparation.
  • “Mythos will not fundamentally change the nature of cybersecurity. It primarily provides a step change in the pace of attacks, and the biggest single change will be the asymmetric advantage to the attacker increasing dramatically. Cybersecurity itself doesn’t change – it just needs to cope with a new ferocious pace. Best practice fundamentally remains the same, but its importance becomes more critical.
  • “Focus on the basics and harden your environment further,” say the CSA report authors. “Segmentation, egress filtering, multifactor authentication, and defense-in-depth/breadth all increase the difficulty for attackers.” Nothing there is new, but many firms have not done it adequately – and must rapidly start doing it effectively”
• and
  • “OpenAI announced that it’s scaling its Trusted Access for Cyber program to thousands of verified defenders and hundreds of security teams. They will be given access to GPT-5.4-Cyber, a fine-tuned variant of GPT-5.4 that relaxes the usual guardrails for legitimate cybersecurity work. 
  • “GPT-5.4-Cyber also provides new capabilities such as binary reverse engineering, which enables users to analyze compiled executable software for vulnerabilities and malicious behavior.
  • “The new AI model is initially being offered on a limited, iterative basis to vetted security vendors, organizations, and researchers.
  • “Individual defenders who want to enroll into the Trusted Access for Cyber program and test GPT‑5.4‑Cyber can apply through chatgpt.com/cyber via an identity verification process, while enterprise teams must go through their OpenAI account representative.” 

• Cyberscoop adds,
  • “A joint report from the Cloud Security Alliance (CSA), the SANS Institute and the Open Worldwide Application Security Project (OWASP) concludes that in the near term, organizations are “likely to be overwhelmed” by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them.
  • “While those organizations can use AI tools to speed up their own defenses, attackers “still face a heavier relative burden due to the inherent limitations of patching. This in turn leads to “asymmetric benefits” for attackers who can afford to adopt the technology without the same caution and bureaucracy as a multi-billion dollar business.
  • “The cost and capability floor to exploit discovery is dropping, the time between disclosure and weaponization is compressing toward zero, and capabilities that previously required nation-state resources are now becoming broadly accessible,” wrote Robert Lee, SANS Institute’s Chief AI Officer, Gadi Evron, CEO of Knostic and Rich Mogull, chief analyst at CSA, who served as the primary authors.”

• TechTarget tells us, “How CIOs can beat AI challenges: A top researcher’s view.”
  • “CIOs are grappling with moving AI from the pilot stage to genuine implementation, and many are encountering organizational pitfalls that are stalling the delivery of real value.”

• Healthexec informs us,
  • “Hospitals have always had to rely on multitudes of healthcare vendors to keep operations humming. In recent years the arrangement’s inherent management challenge has only grown more complex. 
  • “That’s largely because myriad AI technologies have changed daily life for provider organizations and industry partners alike. Arguably the biggest single difficulty to emerge from the transformation is the risk of cybersecurity breaches. 
  • “The Health Sector Coordinating Council (HSCC) is taking a crack at helping cybersecurity leaders, teams and stakeholders clear a path through the thicket. The assistance comes in the form of a 109-page document titled Third-Party AI Risk and Supply Chain Transparency Guide.
  • “The guidebook is authored by members of an HSCC working group focused on cybersecurity. The team’s guiding aim for the project was to “address the growing gaps in discovery and disclosure processes that make AI supply chain risk so difficult to manage.”

• A NIST press release announced
  • “NIST SP 800-133 Rev. 3 (Initial Public Draft) Recommendation for Cryptographic Key Generation
  • “Proposed changes in this revision include the following:
    • “Asymmetric key-pair generation has been expanded to include methods for deriving randomness during key-pair generation.
    • “Key-pair generation now has options for derivation similar to symmetric keys and new methods for “seed expansion,” which allows for the limited use of SHAKE and deterministic random bit generators (DRBGs).
    • “Key-encapsulation mechanisms (KEMs) are discussed as a key-establishment option for symmetric key generation, and post-quantum cryptography (PQC) references have been added throughout (e.g., the new PQC signatures).
    • “Text has been reworded to address random number generation in alignment with SP 800-90C.
  • “Comments are especially requested regarding:
    • “Hardware security module (HSM) design — How do these requirements align with common practice and existing systems using a root seed/secret value?
    • “PQC implementations and protocol — How do these requirements fit with storing keys as seeds (e.g., for ML-KEM) and performing hybrid (i.e., combined classical and post-quantum) implementations?”

• Here is a link to Dark Reading’s CISO Corner.