Cybersecurity Saturday
From the cybersecurity policy and law enforcement front,
- Federal News Network tells us,
- “The Office of the National Cyber Director is looking to engage industry as it starts to develop a new national cybersecurity strategy.
- “National Cyber Director Sean Cairncross, speaking at a conference hosted by Palo Alto Networks in Tyson’s Corner, Va., Thursday, said U.S. cyber efforts of the past have failed to “send a message” to China and other cyber adversaries.
- “A failure to send a message creates an opening for a miscalculation, that opens the door for a larger problem,” Cairncross said. “And so, what we are looking to do is to change that posture, so that that message is clear.” * * *
- “I’m not trying to bring CEOs in and beat them over the head and say, do this, or we’ll regulate, or this is a mandate coming down from on high,” he said. “What I’m looking to do is to say where, where are the regulatory friction points in this domain that you deal with, what’s redundant, what’s become too much of a compliance checklist.”
- “Cairncross said the private sector should have to meet minimum standards for cybersecurity. But he says the White House wants to work with businesses to understand how cybersecurity could be better prioritized against existing regulations.”
- “Working to harmonize that regulatory structure, it’s incumbent on us to do that and work with you all to do that, hopefully as rapidly as we can,” he said. “But I see this as a true partnership between government and industry, and I think if we can get that in a place where everyone is sort of speaking the same language, it will be incredibly useful for hardening our resiliency.”
- “The Trump administration’s cyber strategy will also likely feature a focus on normalizing offensive cyber operations.”
- NextGov/FCW informs us,
- “Criminal hackers, who for years lacked the sophistication and resources of nation-state cyber adversaries, are now on near-equal footing with state-level powers like China and Russia, thanks to advances in artificial intelligence, the head of the FBI’s Cyber Division said Thursday.
- “[AI] allows mid-tier actors to really asymmetrically scale in ways that they can’t have impact otherwise, meaning a lot of these cybercriminal groups now have nation-state-type capabilities that they would not otherwise have because they’re using generative AI,” Brett Leatherman said Thursday at the Palo Alto Networks public sector conference in Virginia.” * * *
- “The FBI has not been as quick to adopt AI in its day-to-day operations because it handles sensitive data that requires stringent protections and oversight to maintain security and legal standards, he said.” * * *
- “The FBI constantly views data logs and other intelligence collected from legal authorities that can help them track hackers and build computer forensic conclusions. Having AI available to quickly parse those logs would be a benefit, he said, although industry partners are already using their own AI instruments to scan data and report those findings to the FBI.”
- Fedscoop adds,
- “The Department of Energy is set to deploy a new artificial intelligence supercomputer at Oak Ridge National Laboratory early next year, bringing the machine online at “record speeds” thanks to a new public-private partnership the agency unveiled Monday.
- “The deal with Advanced Micro Devices will provide Oak Ridge with the company’s Lux AI cluster, giving the lab expanded “near-term AI capacity” that will accelerate its work on fusion, fission, materials discovery, advanced manufacturing and grid modernization, per a press release announcing the partnership.
- “Winning the AI race requires new and creative partnerships that will bring together the brightest minds and industries American technology and science has to offer,” Energy Secretary Chris Wright said in a statement. “That’s why the Trump administration is announcing the first example of a new commonsense approach to computing partnerships with Lux.”
- Energy also announced plans for the 2028 launch of Discovery, a system built by HPE and powered by AMD processors and accelerators. Discovery, according to the DOE, will “far” outperform Oak Ridge’s Frontier machine — currently the world’s second-largest supercomputer. * * *
- “The Tennessee lab has been ground zero for many of the country’s advances in AI — and the Trump administration has signaled that there’s more to come. In an RFP released earlier this month, the DOE solicited proposals for the buildout and maintenance of AI data centers and energy generation infrastructure at Oak Ridge.”
- Dark Reading reports,
- “As China, Iran, Russia, and the European Union signed onto a new global cybercrime treaty, the United States and a minority of other nations continue to voice concerns over the global agreement’s impact on human rights — and the expansion of covered crimes to include any “serious” offense enabled by information communications technology (ICT).
- “On Monday, more than 70 nations signed on to the treaty — formally, the United Nations Convention Against Cybercrime — pledging to aid in the investigation and prosecution of any “criminal offences … committed through the use of information and communications technology systems,” according to a copy of the document. Signers of the agreement promise to cooperate on “serious” crimes, which includes any violation of law that has a maximum prison time of at least four years.” * * *
- [M]any nations signing the treaty may not have such laudable goals. In 2019, Russia began the process to establish the treaty, when its delegates sponsored a resolution to create a framework for combatting cybercrime. The other signatories included a list of authoritarian countries: Belarus, Cambodia, China, Iran, Myanmar, Nicaragua, Syria, and Venezuela, with the highest-ranking country among the sponsors earning a 2.94 on The Economist’s 10-point Democracy Index for 2024. For comparison, the Index’s most democratic nation, Norway, scored a 9.81. The Nordic country did not sign the UN cybercrime treaty, either.
- “Looking at the group of founders should make any policy watcher skeptical, especially with much of the cybercriminal activity coming from China and Russia, says Zach Edwards, a senior threat analyst with Silent Push, a cyberthreat intelligence firm. He pointed to massive economic costs caused by cybercriminal groups in China and Russia.”
- Per Cyberscoop,
- “A 43-year-old Ukrainian national allegedly involved in the Conti ransomware group pleaded not guilty in federal court Thursday to cybercrime charges that could land him in prison for up to 25 years, according to court documents.
- “Oleksii Oleksiyovych Lytvynenko, also known as Alexsey Alexseevich Litvinenko, was arrested in Ireland in July 2023, extradited to the United States earlier this month and remains in federal custody in Tennessee where at least three of his alleged victims are based.” * * *
- “Lytvynenko and his co-conspirators used Conti ransomware to attack more than 1,000 victims globally, ensnaring victims in 47 states, Washington, Puerto Rico and about 31 countries, according to the Justice Department. The FBI estimates Conti extorted more than $150 million in ransom payments from victims.”
From the cybersecurity vulnerabilities and breaches front,
- Cybersecurity Dive reports,
- “The Cybersecurity and Infrastructure Security Agency issued updated guidance on a critical vulnerability in Windows Server Update Service and urged security teams to immediately apply patches to their systems and check for potential compromise.
- “The vulnerability, tracked as CVE-2025-59287, involves deserialization of untrusted data in WSUS, a tool widely used by IT administrators to deploy Microsoft product updates.
- “Security researchers have been tracking a series of exploitation attempts in recent weeks. An initial patch issued in mid-October fell flat, and Microsoft issued an emergency out-of-band security update late last week.
- “CISA on Wednesday [October 29] issued additional guidance on how to check for potential compromise and warned security teams to take the threat very seriously.
- and
- “At least 50 organizations have been impacted by attacks targeting a critical vulnerability in Windows Server Update Service, with most of them located in the U.S., according to researchers at cybersecurity firm Sophos.
- “The vulnerability, tracked as CVE-2025-59287, involves deserialization of untrusted data. A security update issued by Microsoft in mid-October failed to provide adequate protection, and Microsoft issued an emergency out-of-band patch late last week to address the problem.
- “Sophos’s own telemetry picked up six incidents linked to the exploitation activity, and additional intelligence gathered by researchers shows at least 50 victims, the company told Cybersecurity Dive.”
- CISA added four known exploited vulnerabilities to its catalog this week.
- October 28, 2025
- CVE-2025-6204 Dassault Systèmes DELMIA Apriso Code Injection Vulnerability
- CVE-2025-6205 Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability
- Security Week discusses these KEVs here.
- October 30, 2025
- CVE-2025-24893 XWiki Platform Eval Injection Vulnerability
- CVE-2025-41244 Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability
- Cyberscoop relates,
- “F5 CEO François Locoh-Donou said on a company earnings call that there were two categories of impact on customers following a nation-state attacker’s long-term, persistent access to its systems: widespread emergency updates to BIG-IP software and hardware, and customers whose configuration data was stolen during the attack.
- “We were very impressed frankly, with the speed with which our customers have mobilized resources to be able to make these upgrades and put them in production fairly rapidly,” Locoh-Donou said Monday. F5 helped thousands of customers install critical updates upon disclosure, he added.
- “The vendor’s latest assessment of the prolonged attack, which it became aware of Aug. 9 and disclosed Oct. 15, indicates F5 remains optimistic it has contained and limited exposure from the breach, which prompted a rare emergency directive from federal cyber authorities when it was disclosed in a regulatory filing.”
- Per Dark Reading,
- “A researcher has demonstrated that Windows’ native artificial intelligence (AI) stack can serve as a vector for malware delivery.
- “In a year where clever and complex prompt injection techniques have been growing on trees, security researcher hxr1 identified a much more traditional way of weaponizing rampant AI. In a proof-of-concept (PoC) shared exclusively with Dark Reading, he described a living-off-the-land attack (LotL) using trusted files from the Open Neural Network Exchange (ONNX) to bypass security engines.”
- and
- “A variety of old, abandoned projects, long considered dead, continue to rise up and undermine the cybersecurity posture of the companies who created them.
- “From code to infrastructure to APIs, these so-called “zombie” assets continue to cause security headaches for companies, and sometimes, lead to breaches. Oracle’s “obsolete” servers, abandoned Amazon S3 buckets used by attackers to distribute malware, and the unmonitored API connecting Optus’ customer-identity database to the Internet are all variations of the zombies plaguing enterprises.
- “The lack of attention to forgotten — dare we say, “undead” — services causes cybersecurity headaches in two ways, says Andrew Scott, director of product at cybersecurity firm Palo Alto Networks.
- “If you’ve got a device that has been forgotten, you’re probably not looking after it, so if it were compromised, it may be hard for you to know,” he says. “And two: The longer that those things stay out there, stay unmanaged or not getting the TLC and patch cycles … the more likely that they are vulnerable to risks over time.”
From the ransomware front,
- Health Exec reports,
- “On Oct. 27, Russia-based cybercrime group Qilin posted to the dark web claiming it had successfully hacked pharmacy benefit manager (PBM) MedImpact, with the group releasing screenshots of documents that appear to be billing invoices.
- “In reviewing the post, Cybernews said the snippets are “mostly financial operation details which don’t seem to contain extremely sensitive personal data.” The company later confirmed that what Qilin said was true, releasing a short statement about its ongoing investigation into the incident, which it said is being conducted with the “assistance of one of the nation’s leading cybersecurity firms and is notifying all applicable authorities.”
- “The PBM also confirmed that the attack involved the deployment of ransomware, and that at least part of its infrastructure is still down. It said it deployed containment measures upon noticing the breach, often involving taking all systems offline until the situation is assessed.
- “MedImpact is currently working to restore impacted systems in a new environment that is segregated from the prior infrastructure and protected by multiple layers of defense. Due to these measures, as of today, pharmacy claims for all clients are now adjudicating,” the company wrote.
- “The company apologizes for any disruption this issue may cause its clients and partners,” it added.”
- Per Bleeping Computer,
- “CISA confirmed on Thursday [October 30] that a high-severity privilege escalation flaw in the Linux kernel is now being exploited in ransomware attacks.
- “While the vulnerability (tracked as CVE-2024-1086) was disclosed on January 31, 2024, as a use-after-free weakness in the netfilter: nf_tables kernel component and was fixed via a commit submitted in January 2024, it was first introduced by a decade-old commit in February 2014.
- “Successful exploitation enables attackers with local access to escalate privileges on the target system, potentially resulting in root-level access to compromised devices.
- As Immersive Labs explains, potential impact includes system takeover once root access is gained (allowing attackers to disable defenses, modify files, or install malware), lateral movement through the network, and data theft.
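As an added example that is not part of the Bleeping Computer or Immersive Labs text, the script below checks a Linux host for the two interim mitigations that distribution advisories published for CVE-2024-1086: preventing the nf_tables module from loading, and restricting unprivileged user namespaces. The second check rests on a detail not stated on the page and taken here as an assumption from those advisories: an unprivileged local user reaches nf_tables by creating a user namespace to obtain CAP_NET_ADMIN, so blocking that path blocks the public exploit. File paths are parameters so the functions can be run against copied files; pass --live to read the host’s own /proc and /etc/modprobe.d. Function names are the author’s own, and a “mitigated” verdict is a stopgap, not a substitute for the kernel patch.

```shell
#!/bin/sh
# Added example (not from the page or any vendor advisory): assess whether
# the interim mitigations for CVE-2024-1086 are in place on a Linux host.

# Returns 0 when nf_tables is currently loaded, reading a /proc/modules-style
# file ("nf_tables <size> <refcount> ...", one module per line).
nf_tables_loaded() {
    [ -r "$1" ] && grep -q '^nf_tables ' "$1"
}

# Returns 0 when a modprobe.d directory prevents nf_tables from loading.
# "install nf_tables /bin/false" is the strong form; a bare "blacklist"
# only stops alias-based autoloading, so treat it as a weaker signal.
nf_tables_blocked() {
    cat "$1"/*.conf 2>/dev/null | grep -Eq \
        '^[[:space:]]*(blacklist[[:space:]]+nf_tables|install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true))[[:space:]]*$'
}

# Returns 0 when unprivileged user namespaces are disabled, checking
# Debian/Ubuntu's kernel.unprivileged_userns_clone (absent on mainline
# kernels) and the generic user.max_user_namespaces sysctl.
userns_restricted() {
    clone_file="$1"
    max_file="$2"
    if [ -r "$clone_file" ] && [ "$(cat "$clone_file")" = "0" ]; then
        return 0
    fi
    if [ -r "$max_file" ] && [ "$(cat "$max_file")" = "0" ]; then
        return 0
    fi
    return 1
}

# Prints "mitigated" (exit 0) when nf_tables cannot be loaded and is not
# already resident, or when unprivileged users cannot create the user
# namespace the exploit needs (assumption, see lead-in); otherwise prints
# "exposed" (exit 1).
assess() {
    modules_file="$1"
    modprobe_dir="$2"
    clone_file="$3"
    max_file="$4"
    if nf_tables_blocked "$modprobe_dir" && ! nf_tables_loaded "$modules_file"; then
        echo mitigated
        return 0
    fi
    if userns_restricted "$clone_file" "$max_file"; then
        echo mitigated
        return 0
    fi
    echo exposed
    return 1
}

# Live run against the host only when explicitly requested.
if [ "${1:-}" = "--live" ]; then
    assess /proc/modules /etc/modprobe.d \
           /proc/sys/kernel/unprivileged_userns_clone \
           /proc/sys/user/max_user_namespaces
fi
```

Run it as `sh check.sh --live` on the host under review. A loaded nf_tables module with an `install nf_tables /bin/false` line still reports “exposed”, because the blacklist only takes effect on the next boot or after the module is unloaded; the version of the running kernel is deliberately not compared, since distribution backports make a version-only test unreliable.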
- The Hacker News explains how Russian Ransomware Gangs Weaponize Open-Source AdaptixC2 for Advanced Attacks.
- The HIPAA Journal reports,
- “The ransomware remediation firm Coveware has reported a growing divide in the ransomware landscape, with larger enterprises facing increasingly targeted, high-cost attacks, whereas attacks on mid-market companies continue to be conducted in volume. Ransomware groups conducting high-volume attacks appear to have found the sweet spot, as while the ransom payments they receive are much lower, the attacks are easier to conduct, and a higher percentage of victims pay up. Attacks on larger companies require more effort, although attacks are far more lucrative when a ransom is paid. Coveware reports that larger organizations are increasingly resisting paying ransoms, having realized that there are few payment benefits, but has warned that these targeted attacks are likely to increase due to falling ransom payments.
- “Across the board, there has been a sharp fall in both the average and median ransom payments from a 6-year high in Q2, 2025, to the lowest level since Q1, 2023. In Q3, 2025, the average ransom payment fell by 66% to $376,941, with the median ransom payment down 65% to $140,000. In Q1, 2019, 85% of victims of ransomware attacks chose to pay the ransom, compared to a historic low of 23% in Q3, 2025.”
From the cybersecurity business and defenses front,
- The Wall Street Journal reports,
- “Artificial intelligence and weakening federal demand had dual impacts on this week’s earnings reports from large cybersecurity companies, which generally posted stronger results than the same time last year.
- “Security and network specialist F5 posted a fourth-quarter profit of $190.5 million on Monday, up from $165.3 million last year. Its full-year profit was $692.4 million, compared with $566.8 million last year.
- “However, the company warned of potential sales disruptions stemming from a breach by nation-state hackers. The breach, which was disclosed by F5 in October, was serious: Attackers gained access to the production environment for the company’s most popular products and its database of known software flaws. F5’s products are widely deployed among Fortune 500 companies and the federal government, making the disclosure worthy of briefings by the U.S. Cybersecurity and Infrastructure Security Agency.” * * *
- “Other cybersecurity companies posted encouraging results. Network security vendor Check Point Software Technologies posted a third-quarter profit of $358.7 million, up from $206.9 million last year. The Israeli company closed its acquisition of AI specialist Lakera last week and said it expects AI to inform its acquisition strategy going forward.” * * *
- “Infrastructure security specialist Tenable Holdings swung to a $2.3 million profit in its third quarter from a $9.3 million loss the previous year. Co-Chief Executive Stephen Vintz said the company is seeing a shift in customer spending away from traditional defensive strategies toward more proactive technologies that identify weaknesses before they are exploited, largely due to the use of AI.
- “AI is dramatically reshaping the threat landscape as attacks have become faster, more automated and more sophisticated,” he said on a call with analysts Thursday.
- “Data protection provider Commvault Systems reported $14.7 million profit for its second quarter on Tuesday, though this slipped from $15.6 million in the same quarter last year. Rival data security company Varonis reported a loss of $29.9 million, wider than the $18.3 million loss the previous year.”
- Cyberscoop points out,
- “A new security-focused AI model released Thursday by OpenAI aims to automate bug hunting, patching and remediation.
- “The model, powered by ChatGPT-5 and given the name Aardvark, has been used internally at OpenAI and among external partners. Currently offered in an invite-only Beta, it’s designed to continuously scan source code repositories to find known vulnerabilities and bugs, assess and prioritize their potential severity, then patch and remediate them.
- “In a blog post published on the company’s website, OpenAI claims that Aardvark “does not rely on traditional program analysis techniques like fuzzing or software composition analysis.”
- “Instead, it uses LLM-powered reasoning and tool-use to understand code behavior and identify vulnerabilities,” the blog stated. “Aardvark looks for bugs as a human security researcher might: by reading code, analyzing it, writing and running tests, using tools, and more.”
- Here is a link to Dark Reading’s CISO Corner.
