Cybersecurity Saturday
From the cybersecurity policy and law enforcement front,
- The Wall Street Journal reports,
- “The collapse on Friday [September 19] of an emergency federal funding bill leaves the fate of cybersecurity legislation that provides legal protection for companies sharing cyber-threat intelligence up in the air.
- “Without a reprieve of the expiring cyber legislation that had been included in the funding bill, companies face uncertainty on how to communicate about cyber threats as competing reauthorization bills work through a divided House and Senate.
- “Both the private sector and the government need certainty, including the ability to allocate resources for long-term cybersecurity planning and implementation,” said Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce.
- “The 2015 Cybersecurity Information Sharing Act, or CISA, is set to expire at the end of September. Friday’s scuttled emergency funding measure, which applied to a number of federal programs and sought to avert a government shutdown, would have given lawmakers more time [until November 21] to iron out critical differences between House and Senate versions of CISA renewal bills. * * *
- “A notable difference in the House bill is the forward-thinking inclusion of artificial intelligence in the renewal,” said Justine Phillips, a partner and co-chair of the data and cyber practice group at law firm Baker McKenzie. Despite these updates, she said, “the House bill is the functional equivalent of extending the act as is, because it leaves the legal liability protections intact.”
- “The cyber bill’s renewal by the Senate may prove more problematic, cybersecurity experts say.”
- Cyberscoop informs us,
- “Federal agencies are increasingly incorporating artificial intelligence into the cyber defenses of government networks, and there’s more still to come, acting Federal Chief Information Security Officer Michael Duffy said Thursday.
- “We’re at an exciting time in the federal government to see that we’re not only putting AI in production, but we’re finding ways to accelerate emerging technology across the government, across all missions and all angles,” Duffy said at FedTalks, produced by Scoop News Group. In his “role overseeing federal cybersecurity policy,” he said, he is “able to see these at the ground level, as agencies bring excitement and enthusiasm and hope for what they can optimize through artificial intelligence.”
- “Cyber attackers are moving faster than ever, and on a much larger scale than before, he said. They’re also using technology in new ways. But it’s not all “doom and gloom” when it comes to the cybersecurity of federal networks, especially because of feds’ move toward AI, Duffy said.
- “I’m pleased to say that the advancements that we’ve made over the past decade in the federal government have brought us to this point: Agencies are poised now, postured, positioned, to take advantage of new capabilities, bring them into federal agencies and make them work for the mission,” he said.”
- In related news, Cybersecurity Dive tells us,
- “The National Institute of Standards and Technology on Thursday [September 18] published guidance describing how implementation of post-quantum cryptography (PQC) both supports and relies on the safeguards in the agency’s major cybersecurity publications.
- “The draft NIST document, derived from the output of the agency’s PQC migration project, is designed to illustrate the connections between the tools required for adopting quantum-resistant encryption and the security practices that NIST recommends in its Cybersecurity Framework and other guidance.
- “The capabilities demonstrated in the project support several security objectives and controls identified” in other NIST guidance documents, the agency said in its new publication. “At the same time, responsible implementation of the demonstrated capabilities is dependent on adherence to several security objectives and controls identified in these risk framework documents.”
- “Collecting information about which technologies use cryptography supports the Cybersecurity Framework practices of creating hardware and software inventories, the document notes. Similarly, analyzing cryptographic weaknesses supports the CSF practice of identifying vulnerabilities in technology assets.”
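- The inventory and weakness-analysis practices described in the quote above are what a cryptographic bill of materials automates. The following is an added example written for this post, not code from NIST, Cybersecurity Dive or any vendor: it parses a constructed set of per-asset records (TLS key exchange, certificate signature algorithm, SSH host key) and classifies each mechanism as already post-quantum, quantum-vulnerable, or weak against classical attackers today, so one pass feeds both the Cybersecurity Framework asset inventory and its vulnerability-identification practice. The record format, host names and priority labels are assumptions.

```python
"""Added example for this post (not NIST's or Cybersecurity Dive's code): a minimal
cryptographic-inventory pass over per-asset records, classifying each mechanism for
post-quantum migration planning.  Record format and priority labels are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records: "<asset> <kind> key=value ...", the sort of rows an
# organization could assemble from TLS handshake logs, certificate scans and SSH
# host-key surveys.  Hosts and values are invented for the example.
SAMPLE_RECORDS = """
web-fe-01  tls  kex=x25519          cipher=TLS_AES_256_GCM_SHA384
web-fe-02  tls  kex=X25519MLKEM768  cipher=TLS_AES_128_GCM_SHA256
vpn-gw-01  tls  kex=ffdhe2048       cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ca-root    cert sig=RSA-2048
ca-int     cert sig=ECDSA-P256
bastion    ssh  hostkey=ssh-ed25519
legacy-db  ssh  hostkey=ssh-rsa-1024
"""

PQ_KEX = re.compile(r"ML-?KEM|KYBER", re.I)
CLASSICAL_KEX = re.compile(r"^(x25519|x448|ecdhe?|ffdhe\d*|dhe?|secp\w+|P-\d+)$", re.I)
RSA_BITS = re.compile(r"rsa[-_]?(\d+)", re.I)
CLASSICAL_SIG = re.compile(r"rsa|ecdsa|ed25519|ed448|dsa", re.I)
AES_BITS = re.compile(r"AES_(\d+)")


@dataclass
class Finding:
    asset: str
    mechanism: str
    category: str            # pq-hybrid-kex | classical-kex | classical-sig | weak-today | legacy-cipher | symmetric-128
    quantum_vulnerable: bool
    priority: str            # critical | high | medium | low


def classify_record(line: str) -> list[Finding]:
    asset, _kind, *tokens = line.split()
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    out = []
    if kex := kv.get("kex"):
        if PQ_KEX.search(kex):          # hybrid or pure ML-KEM already negotiated
            out.append(Finding(asset, kex, "pq-hybrid-kex", False, "low"))
        elif CLASSICAL_KEX.match(kex):  # recorded traffic stays decryptable: highest PQ urgency
            out.append(Finding(asset, kex, "classical-kex", True, "high"))
    if sig := kv.get("sig") or kv.get("hostkey"):
        bits = RSA_BITS.search(sig)
        if bits and int(bits.group(1)) < 2048:   # weak against classical attackers today
            out.append(Finding(asset, sig, "weak-today", True, "critical"))
        elif CLASSICAL_SIG.search(sig):          # authentication only; not attackable after the fact
            out.append(Finding(asset, sig, "classical-sig", True, "medium"))
    if cipher := kv.get("cipher"):
        if "CBC" in cipher or cipher.endswith("_SHA"):
            out.append(Finding(asset, cipher, "legacy-cipher", False, "high"))
        aes = AES_BITS.search(cipher)
        if aes and int(aes.group(1)) < 256:      # not a quantum break; flag for policy review only
            out.append(Finding(asset, cipher, "symmetric-128", False, "low"))
    return out


def inventory(records: str) -> tuple[list[Finding], Counter, list[str]]:
    """Returns (all findings, count per category, assets with any quantum-vulnerable mechanism)."""
    findings = [f for line in records.strip().splitlines() if line.strip() for f in classify_record(line)]
    summary = Counter(f.category for f in findings)
    exposed = sorted({f.asset for f in findings if f.quantum_vulnerable})
    return findings, summary, exposed


if __name__ == "__main__":
    _, summary, exposed = inventory(SAMPLE_RECORDS)
    print(dict(summary))
    print("quantum-vulnerable assets:", exposed)
```

The point of separating `classical-kex` from `classical-sig` is prioritisation: traffic protected by a classical key exchange can be recorded now and decrypted later, while a classical signature only matters once a quantum attacker exists, so key exchange is migrated first. The `weak-today` and `legacy-cipher` categories show why the same inventory pays off immediately: a 1024-bit RSA host key or a CBC/SHA-1 suite is a finding regardless of the quantum timeline.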
- A September 19, 2025, NIST news release adds,
- “To help organizations protect their data against possible future attacks from quantum computers, the National Institute of Standards and Technology (NIST) has released a publication offering guidelines for implementing a class of post-quantum cryptography (PQC) algorithms known as key-encapsulation mechanisms, or KEMs.
- “A KEM is a set of algorithms that can be used by two parties to securely establish a shared secret key over a public channel — a sort of first handshake between parties that want to exchange confidential information. Recent examples of KEMs include ML-KEM and HQC.
- “The new publication, Recommendations for Key-Encapsulation Mechanisms (NIST Special Publication 800-227), describes the basic definitions, properties and applications of KEMs and provides recommendations for implementing and using KEMs securely.”
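- To make the interface the release describes concrete, here is an added example written for this post; it is not NIST's code and is not taken from SP 800-227. It implements the three operations every KEM exposes, KeyGen, Encaps and Decaps, using classical Diffie-Hellman over the RFC 2409 1024-bit MODP group, because the Python standard library contains no ML-KEM. The construction is therefore not quantum-resistant, and a 1024-bit group is itself too small for production use; what carries over to ML-KEM is the shape of the exchange: the sender transmits only a ciphertext, never the shared secret; both sides derive the key through a KDF bound to the transcript; and every received value is validated before any secret-dependent computation. The KDF label and the `demo()` record layout are assumptions.

```python
"""Added example, not part of the NIST release or SP 800-227: the KeyGen / Encaps /
Decaps interface that every KEM exposes, instantiated with classical Diffie-Hellman
over the RFC 2409 1024-bit MODP group (chosen because it needs only the standard
library).  NOT quantum-resistant; ML-KEM exposes the same three operations."""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": p is a safe prime (p = 2q + 1) and g = 2 generates
# the order-q subgroup.  Transcribed from the RFC; group_is_sound() re-checks it.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2
KEY_BYTES = 128  # 1024-bit group elements


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; never rejects a prime, so it is a safe parameter sanity check."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sound() -> bool:
    """p and q prime, g of order q: verify parameters before trusting them."""
    return is_probable_prime(P) and is_probable_prime(Q) and pow(G, Q, P) == 1


def valid_element(y: int) -> bool:
    """Reject out-of-range and small-subgroup values before exponentiating with a secret."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def keygen() -> tuple[int, int]:
    sk = 1 + secrets.randbelow(Q - 1)           # private exponent in [1, q-1]
    return sk, pow(G, sk, P)                    # (decapsulation key, encapsulation key)


def _kdf(dh: int, ct: int, pk: int) -> bytes:
    # HKDF-Extract-style step: salt = transcript (label, ciphertext, recipient key),
    # IKM = raw DH value.  The label is an assumption made for this example.
    salt = b"example-dhkem-v1" + ct.to_bytes(KEY_BYTES, "big") + pk.to_bytes(KEY_BYTES, "big")
    return hmac.new(salt, dh.to_bytes(KEY_BYTES, "big"), hashlib.sha256).digest()


def encaps(pk: int) -> tuple[int, bytes]:
    """Sender: returns (ciphertext, shared secret); only the ciphertext is sent."""
    if not valid_element(pk):
        raise ValueError("recipient public key is not a valid group element")
    r, ct = keygen()                            # ephemeral pair; ct = g^r is the ciphertext
    return ct, _kdf(pow(pk, r, P), ct, pk)


def decaps(sk: int, pk: int, ct: int) -> bytes:
    """Receiver: recovers the same shared secret from the ciphertext."""
    if not valid_element(ct):
        raise ValueError("ciphertext is not a valid group element")
    return _kdf(pow(ct, sk, P), ct, pk)


def demo() -> dict:
    sk, pk = keygen()
    ct, k_sender = encaps(pk)
    k_receiver = decaps(sk, pk, ct)
    k_tampered = decaps(sk, pk, (ct * G) % P)   # altered in transit: unrelated key, not a crash
    try:
        encaps(P - 1)                           # order-2 element must be refused outright
        rejected = False
    except ValueError:
        rejected = True
    return {
        "keys_match": hmac.compare_digest(k_sender, k_receiver),
        "tampered_differs": not hmac.compare_digest(k_sender, k_tampered),
        "invalid_key_rejected": rejected,
    }


if __name__ == "__main__":
    print("group parameters sound:", group_is_sound())
    print(demo())
```

Two behaviours are worth noticing because ML-KEM shares them. A ciphertext modified in transit does not fail loudly; decapsulation simply yields a different key (ML-KEM's implicit rejection does the same), so the protocol above the KEM must confirm the key, typically by authenticating the first message with it. And the recipient's public key and the incoming ciphertext are both checked for validity before any exponentiation with a secret, the equivalent of the input-validation requirements SP 800-227 places on KEM implementations.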
- Cyberscoop reports,
- “Two teenagers were arrested in the United Kingdom this week, accused of associating with the sprawling criminal collective known as The Com, and participating in many high-profile and damaging cyberattacks on critical infrastructure globally.
- “Thalha Jubair, 19, of London, and Owen Flowers, 18, of Walsall, England, were arrested at their residences Tuesday and charged with crimes related to the cyberattack on Transport for London in September 2024, the U.K.’s National Crime Agency said.
- “Jubair and Flowers were allegedly highly involved in many other cyberattacks attributed to Scattered Spider, a nebulous offshoot of The Com that commits ransomware and data extortion. The Com is composed of thousands of members, splintered into three primary subsets of interconnected networks that commit swatting, extortion and sextortion of minors, violent crime and various other cybercrimes, according to the FBI.
- “The Justice Department on Thursday unsealed charges against Jubair, a U.K. national, accusing him of participating in at least 120 cyberattacks as part of Scattered Spider’s sweeping extortion scheme from May 2022 to September 2025, including 47 U.S.-based organizations. Victims of those attacks paid at least $115 million in ransom payments, authorities said.”
From the cybersecurity vulnerabilities and breaches front,
- While CISA did not add any known exploited vulnerabilities to its catalog this week, SC Media lets us know,
- “The Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 18 issued a malware analysis report on two sets of malicious code from an organization compromised by threat actors exploiting two bugs in the Ivanti Endpoint Manager Mobile (EPMM) tool.
- “CISA said the malware exploited two CVEs – CVE-2025-4427 and CVE-2025-4428. After exploitation, the malware let the threat actors inject and run arbitrary code on the compromised server.
- “Lawrence Pingree, technical evangelist at Dispersive Holdings, said malware that’s instrumented to target specific vulnerabilities in centralized endpoint management solutions like these Ivanti tools is incredibly important to defend against.
- “Isolating and microsegmenting sensitive systems like this is essential. Patching rapidly, ideally with an automated process, is essential in defending against vulnerabilities,” said Pingree.”
- Per Dark Reading,
- “Security vendor SonicWall suffered a data breach that exposed customer firewall configuration file backups.
- “On Sept. 17, SonicWall, a vendor best known for its network security appliances, published a knowledge base article disclosing what it described as a “cloud backup file incident.” The company said its security teams recently detected “suspicious activity targeting the cloud backup service for firewalls” and confirmed it to be a security event in the past few days.
- “Unidentified threat actors accessed backup firewall preference files stored in the cloud representing “fewer than 5% of our firewall install base,” according to SonicWall. Attackers were able to access encrypted credentials as well as firewall configuration files “that could make it easier for attackers to potentially exploit the related firewall.”
- “We are not presently aware of these files being leaked online by threat actors,” SonicWall said in its disclosure. “This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.”
- Per Cyberscoop,
- “Researchers warned that a maximum-severity vulnerability affecting GoAnywhere MFT bears striking similarities with a widely exploited defect in the same file-transfer service two years ago.
- “Fortra, the cybersecurity vendor behind the product, disclosed and released a patch for the vulnerability — CVE-2025-10035 — Thursday. The deserialization vulnerability “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” the company said in a security advisory.
- “File transfer services are a valuable target for attackers because they store a lot of sensitive data. If cybercriminals exploit these services, they can quickly access information from many users at once, making these services especially attractive for large-scale attacks.
- “Fortra didn’t provide any evidence of active exploitation and researchers from multiple security firms said they haven’t observed exploitation but expect that to change soon. “We believe that it’s just a matter of time and are monitoring the situation closely,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.
- “The vulnerability, which has a CVSS rating of 10, is “virtually identical to the description for CVE-2023-0669,” a zero-day vulnerability exploited by Clop, resulting in attacks on more than 100 organizations, and at least five other ransomware groups, Caitlin Condon, vice president of security research at VulnCheck, said in a blog post.”
- and
- “Apple’s latest operating systems for its most popular devices — iPhones, iPads and Macs — include patches for multiple vulnerabilities, but the company didn’t issue any warnings about active exploitation.
- “Apple patched 27 defects with the release of iOS 26 and iPadOS 26 and 77 vulnerabilities with the release of macOS 26, including some bugs that affected software across all three devices. Apple’s new operating systems, which are now numbered for the year of their release, were published Monday as the company prepares to ship new iPhones later this week.
- “Users that don’t want to upgrade to the latest versions, which adopt a translucent design style Apple dubs “liquid glass,” can patch the most serious vulnerabilities by updating to iOS 18.7 and iPadOS 18.7 or macOS 15.7. Most Apple devices released in 2019 or earlier are not supported by the latest operating systems.
- “None of the vulnerabilities Apple disclosed this week appear to be under active attack, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop.”
- Cybersecurity Dive points out,
- “Most companies worry their networks aren’t safe against cyberattacks powered by artificial intelligence.
- “Only 31% of IT leaders are at least somewhat confident that they can defend their organizations against AI-powered attacks, according to a Lenovo report published on Thursday.
- “The report delves into why IT and security leaders are worried about hackers’ use of AI — and why they see their companies’ own use of AI systems as vulnerable.”
- and
- “The number of healthcare organizations that have lost more than $200,000 to cyberattacks has quadrupled this year compared with the same period in 2024, data security firm Netwrix said in a report published Thursday [September 18].
- “Nearly half of all healthcare organizations (48%) experienced at least one intrusion between March 2024 and March 2025, the report found.
- “Healthcare organizations experienced more cyberattack-related losses of at least $500,000 than critical infrastructure firms did, on average: 12% of healthcare organizations, compared with 6% of all organizations.”
From the ransomware front,
- Infosecurity Magazine reports,
- “Fifteen well-known ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, have announced that they are shutting down their operations.
- “The collective announcement was posted on Breachforums, where the groups claimed they had achieved their goals of exposing weaknesses in digital infrastructure rather than profiting through extortion.
- “In their statement, the gangs said they would now shift to “silence,” with some members planning to retire on the money they had accumulated, while others would continue studying and improving the systems people rely on daily.” * * *
- “Organizations should take these announcements with a pinch of salt,” Nivedita Murthy, senior staff consultant at Black Duck, said.
- “It could be possible that some of these groups may have decided to step back and enjoy their payday, [but] it does not stop copycat groups from rising up and taking their place.”
- IT Pro discusses the “top ransomware trends for businesses in 2025. A splintering of top groups and changing attitudes toward payments are changing attacker tactics at speed.”
- Morphisec calls attention to “The Top Exploited Vulnerabilities Leading to Ransomware in 2025 — and How to Stay Ahead.”
From the cybersecurity defenses front,
- The American Hospital Association News reports,
- “Microsoft Sept. 16 announced it had disrupted a growing phishing service that had targeted at least 20 U.S. health care organizations. The company said it used a court order granted by the U.S. District Court for the Southern District of New York to seize 338 websites associated with RaccoonO365, a cyber threat group known for stealing Microsoft 365 credentials through phishing tactics. RaccoonO365 offers subscription-based phishing kits that allow individuals to steal Microsoft credentials by mimicking official Microsoft communications. The company said the phishing kits use Microsoft branding to create fraudulent emails, attachments and websites. Since July 2024, the kits have stolen at least 5,000 Microsoft credentials from individuals in 94 countries. The group was recently observed offering a new artificial intelligence-powered service in an attempt to scale their operations.
- “Credentials stolen through RaccoonO365 enabled ransomware attacks against hospitals, posing a direct threat to patient and community safety,” said John Riggi, AHA national advisor for cybersecurity and risk. “This operation also highlights a disturbing trend — cybercriminals’ increased use of ‘initial access brokers’ to steal credentials and AI to accelerate the effectiveness, sophistication and impact of cyberattacks. The need for continued and evolving social engineering training for staff is essential to defend against the latest deception tactics used by hackers.”
- Cybersecurity Dive tells us,
- “Preemptive cybersecurity solutions will account for about half of all IT security spending by the year 2030, a significant increase from its 5% share in 2024, Gartner said in a report published Thursday.
- “Preemptive cybersecurity will effectively replace standard detection and response technologies as the preferred defense against malicious hacking, Gartner predicted.
- “The technology uses artificial intelligence and machine learning to anticipate threats and then neutralize them before they can compromise their targets, according to researchers.”
- Security Week reflects on the fifteenth anniversary of the Zero Trust strategy.
- “The implementation of zero trust is essential for cybersecurity: but after 15 years, we’re still not there. Implementation is like the curate’s egg: good in parts.
- “Zero Trust turned fifteen years old on September 14, 2025. Its invention was announced with Forrester’s publication of John Kindervag’s paper, No More Chewy Centers: Introducing The Zero Trust Model of Information Security, on that date in 2010 (archived here).
- “Zero trust recognizes that treating cybersecurity like an M&M (a hard crunchy shell impenetrable to hackers protecting a soft chewy center where staff can work freely and safely) simply doesn’t work. “Information security professionals must eliminate the soft chewy center by making security ubiquitous throughout the network, not just at the perimeter,” wrote Kindervag.
- “This is the basis of zero trust (or ZT): abandon the old concept of a barrier between two separate networks (one untrusted: the internet; and one trusted: the enterprise). Instead, trust nothing and verify everything, regardless of source or destination. The concept is sound and rapidly gained approval, culminating in EO14028 mandating that federal agencies must move toward a zero trust architecture while private companies should do similar – but never defining how it could be achieved.
- “There’s the rub. Zero trust is fundamentally a concept where implementation will depend on individual different corporate ecospheres.”
- Dark Reading recommends “Transforming Cyber Frameworks to Take Control of Cyber-Risk.”
- Here’s a link to Dark Reading’s CISO Corner.
