Exploitation of Microsoft SharePoint Vulnerabilities

• Last Sunday, July 20, the Cybersecurity and Infrastructure Security Agency (CISA) added a known exploited vulnerability to its catalog
  • CVE-2025-53770 Microsoft SharePoint Server Remote Code Execution Vulnerability

• CISA also created an alert on the new KVE, which the agency updated on Tuesday and Thursday.

• The Wall Street Journal reported on July 21,
  • “Microsoft issued an alert about “active attacks” targeting its server software and urged customers to install new security updates that have been released.
  • “Microsoft’s Security Response Center said in a blog post over the weekend that the attacks target on-premises SharePoint server customers and exploit vulnerabilities that were partially addressed by a July security update.
  • “Organizations typically use Microsoft SharePoint to create intranet websites, store and organize information, and facilitate file-sharing among workers. Cloud-based SharePoint Online in Microsoft 365 isn’t affected, the company said.
  • “By Monday, cybersecurity investigators said that the SharePoint attacks were widespread. At least one of the “multiple” hacking groups involved in the attacks was linked to China, according to Google’s Mandiant cybersecurity group.
  • “Microsoft declined to comment beyond its blog post.
  • “Hackers exploiting the SharePoint flaws then stole cryptographic keys that could be used to run commands on the affected server in the future, even if it had been patched, cybersecurity investigators said on Monday.”
• and added on July 24,
  • Last year, Satya Nadella pledged to make security priority number one at Microsoft. A new hack involving China is showing just how difficult that can be.
  • The attack involves several versions of Microsoft’s SharePoint software that serve as a document storage platform for customers who don’t want to use the cloud. Microsoft released patches for a pair of SharePoint bugs earlier this month, but the fixes were quickly bypassed, allowing China-linked hackers to break into hundreds of organizations, according to security researchers.
  • Instead of protecting customers, the faulty patches may have served as a road map for hackers to hone their attacks, the researchers said.
  • It’s the latest in a string of lapses by the technology giant that have benefited China’s vast and global cyber-espionage operations, a top U.S. national security threat. * * *
  • “In the SharePoint attack * * * the issue began in May 2025, at a hacking contest in Berlin where the Vietnamese researcher [and pentester] Dinh Khoa (LinkedIn page) won $100,000 and a laptop.
  • “This is a very hard target so we spent a lot of time digging into it,” Khoa said in an interview posted online after the contest.
  • “To the applause of audience members, he showed how to break into a SharePoint system and was soon escorted into a private room where he explained the bugs to a representative from Microsoft and Dustin Childs, head of threat awareness with cybersecurity company Trend Micro’s Zero Day Initiative. Two months later, on July 8, Microsoft fixed the bugs. They were two of the 130 bugs that Microsoft fixed that month.” * * *
  • “On Saturday [July 19], Microsoft took the unusual step of issuing two emergency patches, which contain “more robust protections” to the bugs that Khoa had found, the company said. SharePoint customers should also change the cryptographic keys used by their servers, a move that—when combined with the new patches—effectively closes the back door created by the attack, Microsoft said.”

• Cyberscoop noted on July 24,
  • The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread nearly a week after zero-day exploits were discovered, setting off alarms across the globe. More than 400 organizations have been actively compromised across four waves of attacks, according to Eye Security.
  • Multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services, have been hit. The California Independent System Operator, which operates some of the state’s wholesale electric grid, was also impacted.
  • As more victims confirm varying levels of compromise from the attack spree, researchers are learning and sharing more details about post-exploit activities. One of the China-based attackers behind the initial wave of attacks, Storm-2603, deployed Warlock ransomware starting July 18, Microsoft Threat Intelligence said Wednesday in an updated blog post.
  • The Chinese government-affiliated threat groups Linen Typhoon and Violet Typhoon — which have been active for at least a decade — are also actively exploiting the zero-day vulnerabilities, Microsoft said. Linen Typhoon has focused on stealing intellectual property and Violet Typhoon is an espionage threat group. Storm is a moniker Microsoft uses for threat groups in development.

• NextGov/FCW discusses the impact of the Sharepoint vulnerabilities on federal government agencie here (Homeland Security, among other agencies affected) and there (Defense Department not affected).

From the cybersecurity breaches and vulnerabilities front,

• Security Week informs us,
  • “The Alcohol & Drug Testing Service (TADTS) is notifying roughly 750,000 people that their personal information was compromised in a July 2024 data breach.
  • “TADTS is based in Texas and was until recently known as the Texas Alcohol and Drug Testing Service. It provides workplace and individual alcohol and drug testing services in Texas and other states.
  • “The incident, TADTS says, was identified on July 9, 2024, and involved unauthorized access to and the theft of data maintained in its systems.
  • “The investigation into the potentially compromised information, conducted with the assistance of a professional data mining team, was concluded only recently, and determined that personal information was included in the stolen data.” * * *
  • “While TADTS did not share details on the type of cyberattack it fell victim to, the infamous BianLian ransomware group took credit for the intrusion on July 14, 2024, claiming the theft of roughly 218 gigabytes of data.
  • “It is unclear whether the hackers released the stolen information publicly, as their Tor-based leak site is currently offline and the group has been quiet for months, with their last known victim announced on March 31.”
• and
  • “Marketing software and services company Cierant Corporation and law firm Zumpano Patricios have independently disclosed data breaches, each impacting more than 200,000 individuals.
  • “What the Cierant and Zumpano Patricios incidents have in common is that the number of impacted people was brought to light in recent days by the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS).
  • “The Zumpano Patricios breach impacts nearly 280,000 individuals. The law firm, which has offices in several major US cities, is representing healthcare providers in disputes with health insurance companies over medical service payments to patients. 
  • “Zumpano Patricios is informing impacted individuals that it had detected an intrusion in its IT network on May 6, 2025, but could not determine the date and time of initial access. 
  • “An investigation revealed that the hackers accessed and possibly exfiltrated files containing information such as patient name, date of birth, Social Security number, provider name, health insurer information, dates of service, and amounts charged by the provider and payments they received.”

• Cybersecurity Dive tells us,
  • “Hackers breached the Philadelphia Indemnity Insurance Company in June and stole customer data, the company said in a filing with the California Attorney General’s office. 
  • “An unauthorized party accessed customer data during an intrusion discovered between June 9 and June 10, according to the disclosure.
  • “The company previously called the incident a network outage, however it said there was no ransomware and no encryption. The company did report the incident to law enforcement and retained outside forensic experts to investigate.”

• In addition to the June 20 addition discussed above, CISA added six known exploited vulnerabilities to its catalog this week.
  • July 22, 2025
    • “CVE-2025-49704 Microsoft SharePoint Code Injection Vulnerability
    • “CVE-2025-49706 Microsoft SharePoint Improper Authentication Vulnerability”
      • Cybersecurity Dive explains,
        • “The [Sharefile] intrusions are exploiting ToolShell, an attack sequence that combines remote code injection and network spoofing vulnerabilities tracked as CVE-2025-49704 and CVE-2025-49706.” 
  • Also July 22, 2025,
    • CVE-2025-54309 CrushFTP Unprotected Alternate Channel Vulnerability
      • Tenable discusses the CrushFTP vulnerability
    • CVE-2025-6558 Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
      • Cyber Security News discusses this KVE.
    • CVE-2025-2776 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
    • CVE-2025-2775 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
      • Security Week discusses the SisAid KVEs.

• Security Week notes,
  • “SonicWall on Wednesday announced patches for a critical vulnerability in Secure Mobile Access (SMA) 100 series secure access gateways, urging organizations to take immediate action in the wake of the recently disclosed Overstep malware attacks.
  • “The newly addressed flaw, tracked as CVE-2025-40599 (CVSS score of 9.1), is described as an arbitrary file upload issue in the SMA 100’s web management interface.
  • “The bug can be exploited by remote attackers to upload arbitrary files to the system, which could lead to remote code execution (RCE). The attackers need administrative privileges to exploit the security defect, SonicWall’s advisory reads.”
• and
  • “The Lumma Stealer has returned after Microsoft and law enforcement caused significant disruption to its infrastructure, Trend Micro reported on Tuesday.” * * *
  • “The ability of Lumma Stealer’s operators to regroup and innovate poses a continued risk to organizations and individuals worldwide,” Trend Micro said. “This emphasizes the need for ongoing vigilance, proactive threat intelligence, and sustained collaboration between law enforcement and the cybersecurity community. Without this, even the most significant takedowns might only offer temporary relief from evolving cyber threats.”

• Per Dark Reading,
  • “A suspected Chinese nation-state threat group is conducting an extensive cyberespionage campaign that takes advantage of vulnerable VMware ESXi and vCenter environments.
  • “Since early 2025, researchers at Sygnia have responded to multiple incidents tied to a cyberespionage campaign they track as “Fire Ant.” According to research published Thursday, Fire Ant actors are establishing initial access in organizations’ VMware systems, which have become popular targets for attackers in recent years.
  • “More importantly, Fire Ant actors used deep knowledge of the target environments and strong capabilities to consistently bypass segmentations and reach isolated portions of the network.”

From the ransomware front,

• In line with this week’s theme, Bleeping Computer points out,
  • “A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
  • “Non-profit security organization Shadowserver is currently tracking over 420 SharePoint servers that are exposed online and remain vulnerable to these ongoing attacks.
  • “Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” the company said in a Wednesday report.”

• July 22, 2025, CISA issued an alert and advisory on Interlock ransomware.

• Per Bleeping Computer,
  • “Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
  • “The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains.
  • “Earlier today, the websites on the BlackSuit.onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.”

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The Trump administration’s new AI Action Plan calls for companies and governments to lean into the technology when protecting critical infrastructure from cyberattacks.
  • “But it also recognizes that these systems are themselves vulnerable to hacking and manipulation, and calls for industry adoption of “secure by design” technology design standards to limit their attack surfaces.
  • “The White House plan, released Wednesday, calls for critical infrastructure owners — particularly those with “limited financial resources” — to deploy AI tools to protect their information and operational technologies.
  • “Fortunately, AI systems themselves can be excellent defensive tools,” the plan said. “With continued adoption of AI-enabled cyberdefensive tools, providers of critical infrastructure can stay ahead of emerging threats.” * * *
  • “The Trump plan states that “all use of AI in safety-critical or homeland security applications should entail the use of secure-by-design, robust, and resilient AI systems that are instrumented to detect performance shifts, and alert to potential malicious activities like data poisoning or adversarial example attacks.”
  • “The plan also recommends the creation of a new AI-Information Sharing and Analysis Center (AI-ISAC) led by the Department of Homeland Security to share threat intelligence on AI-related threats.”

• Cybersecurity Dive lets us know,
  • “Sean Plankey, President Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency, faced sharp questions during a Senate confirmation hearing Thursday about the looming expiration of an information-sharing law and CISA’s work on election security.
  • Plankey — currently a senior adviser to Secretary of Homeland Security Kristi Noem — explained his vision for leading an agency that has experienced major workforce cuts and faces significant budget reductions in Trump’s Fiscal Year 2026 spending proposal.”
  • The Senate Homeland Security and Governmental Affairs Committee will vote on whether to send Mr. Plankey’s nomination to the Senate floor at a business meeting next Thursday.

• Cyberscoop adds,
  • “President Donald Trump’s pick to lead the Cybersecurity and Information Security Agency told senators Thursday that he would prioritize evicting China from the U.S. supply chain, and wouldn’t hesitate to ask for more money for the shrunken agency if he thought it needed it.
  • “If confirmed it will be a priority of mine to remove all Chinese intrusions, exploitations or infestation into the American supply chain,” Sean Plankey told Rick Scott, R-Fla., at his confirmation hearing before the Homeland Security and Governmental Affairs Committee. Scott had asked Plankey about reports of Chinese infiltration of U.S. energy infrastructure.”

• Per a National Institute of Standards and Technology news release,
  • “NIST has issued draft updates to Special Publication (SP) 800-53 to provide additional guidance on how to securely and reliably deploy patches and updates in response to the Executive Order 14306, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. A two-week expedited public comment period on the draft updates is open through August 5, 2025.” 
    
• Per a July 23, 2025, HHS news release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Syracuse ASC, LLC doing business as Specialty Surgery Center of Central New York, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules. Syracuse ASC is a single-facility, ambulatory surgery center located in Liverpool, New York that provides ophthalmic and ENT surgical services and pain management procedures to patients.” * * *
  • “The settlement resolves an OCR investigation concerning a ransomware breach of ePHI that affected 24,891 individuals. OCR initiated the investigation in October 2021 after Syracuse ASC reported to HHS that an unauthorized individual had accessed its network in March 2021. Further investigation revealed that Syracuse ASC was affected by a ransomware attack involving the PYSA ransomware variant, which is a cross-platform cyber weapon known to target the healthcare industry. OCR’s investigation found that Syracuse ASC never conducted an accurate and thorough risk analysis to determine the risks and vulnerabilities to the ePHI it held. OCR also found that Syracuse ASC failed to timely notify affected individuals and the Secretary of the breach.
  • “Under the terms of the resolution agreement, Syracuse ASC agreed to implement a corrective action plan that OCR will monitor for 2 years and paid $250,000 to OCR.”

• Cyberscoop reports,
  • “Ukrainian authorities Tuesday [July 22, 2025] arrested the alleged administrator of XSS.is, a Russian-language cybercrime forum, following a four-year investigation by the Paris public prosecutor’s office. 
  • “Law enforcement officials from France and Europol seized the domain of the influential forum following the arrest. Authorities have not named the suspected administrator of XSS.is.
  • “The forum, which was active since 2013, had more than 50,000 registered users and was a key marketplace for stolen data, malware, access to compromised systems and ransomware services, officials said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit,” Europol said in a news release.”

• Dark Reading alerts us,
  • “A “laptop farmer” [Christina Marie Chapman] in Arizona responsible for enabling North Korean IT worker infiltration into US companies is going to jail for eight and a half years, after raising $17 million in illicit funds for Kim Jong-Un’s regime. That news, however, is merely a drop in the justice bucket, and DPRK’s efforts to siphon salaries off of American companies is unlikely to wane anytime soon. So, US organizations need to wrap their heads around the magnitude of the threat.
  • “North Korea’s multiyear HR-compromise effort has the twin goals of earning money for the hermit kingdom’s nuclear program and other efforts via salaries, as well as gaining a foothold inside corporate networks for the purpose of planting cryptominers or malware for stealing secrets.”

• Cybersecurity Dive adds,
  • “The U.S. Department of the Treasury on Thursday [July 24, 2025] sanctioned three North Koreans and their company for participating in remote IT worker scams and other operations designed to generate revenue for Pyongyang.
  • “The sanctions target the North Korean firm Korea Sobaeksu Trading Co., Sobaeksu employee Kim Se Un, Sobaeksu “IT team leader” Jo Kyong Hun and Kim’s associate Myong Chol Min. 
  • “The Treasury Department calls Sobaeksu a front for North Korea’s Munitions Industry Department, which oversees the country’s nuclear weapons program. North Korea “has previously utilized Sobaeksu to send teams of IT workers overseas, including to Vietnam, in order to generate revenue,” the department said.”

From the cybersecurity defenses front,

• HelpNet Security explains “Why we must go beyond tooling and CVEs to illuminate security blind spots.”

• SC Media discusses “exposure management [, which is] a new blueprint for modern cyber defense.

• The Hacker News considers “From Backup to Cyber Resilience: Why IT Leaders Must Rethink Backup in the Age of Ransomware.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “Congress is set to revisit Stuxnet — the malware that wreaked havoc on Iran’s nuclear program 15 years ago — next week in the hopes that the pioneering attack can guide today’s critical infrastructure policy debate, CyberScoop has learned.
  • “The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing July 22 to examine the operation that, according to independent reports, was carried out by the U.S. and Israeli governments and targeted Iran’s nuclear enrichment facilities in Natanz.
  • “Witnesses listed for the hearing are Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition; Kim Zetter, cybersecurity journalist and author of “Countdown to Zero Day”; Dragos CEO Robert Lee; and Nate Gleason, Lawrence Livermore National Laboratory program leader, according to a copy of the notice.”

• The Cybersecurity and Infrastructure Security Agency (CISA) released a blog post titled “Securing Core Cloud Identity Infrastructure: Addressing Advanced Threats through Public-Private Collaboration.”
  • “In recent years, the cloud landscape has faced increasingly sophisticated threat activity targeting identity and authentication systems. As cloud infrastructure has become more ubiquitous—underpinning key government and critical infrastructure data—sophisticated nation-state affiliated actors have exposed limitations in token authentication, key management, logging mechanisms, third-party dependencies, and governance practices. These threats reaffirm the critical role that public-private collaboration plays to safeguard cloud infrastructure and address the evolving technical and security challenges confronting our nation.”  
    
• Cyberscoop informs us,
  • “An international law enforcement operation conducted this week targeted the members of and infrastructure used by NoName057(16), a pro-Russian hacktivist group that has conducted distributed denial-of-service (DDoS) attacks across Europe since early 2022.
  • “Operation Eastwood disrupted over 100 servers worldwide and resulted in two arrests, seven international arrest warrants, and 24 house searches across multiple jurisdictions. The operation, coordinated by Europol and Eurojust with participation from 12 countries, broke up a cybercrime network that had mobilized an estimated 4,000 members who conducted attacks against entities in countries across Europe and in Israel.”
• and
  • “An Armenian national is in federal custody and faces charges stemming from their alleged involvement in a spree of attacks in 2019 and 2020 involving Ryuk ransomware, the Justice Department said Wednesday.
  • “Karen Serobovich Vardanyan, 33, was extradited from Ukraine to the United States on June 18 and pleaded not guilty to the charges in his first appearance in federal court June 20. Vardanyan is awaiting a seven-day jury trial scheduled to begin Aug. 26.”

• Security Week informs us,
  • “A former US soldier accused of hacking into AT&T and Verizon systems and leaking presidential call logs pleaded guilty to fraud and identity theft charges, the US Department of Justice announced.
  • “According to court documents, the individual, Cameron John Wagenius, 21, engaged in hacking and extortion activities between April 2023 and December 2024, while on active duty with the US Army.
  • “Using the nickname ‘kiberphant0m’, Wagenius and his co-conspirators aimed to defraud at least 10 organizations after obtaining login credentials for their networks.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive reports,
  • “United Natural Foods, Inc.’s commercial operating capacity has returned to “normalized levels” as of this week following the cyberattack that temporarily brought down its online systems in June, the grocery distributor disclosed Wednesday.
  • “The company expects to lose between $350 million and $400 million in sales as a result of the attack, with the overall operational impact of the incident mostly limited to its current quarter.
  • “Despite the cyberattack, UNFI has modestly raised its sales expectations for its current fiscal year, although the company expects a higher loss than it had earlier projected.”
• and
  • “One in four CISOs has experienced an AI-generated attack on their company’s network in the past year, and AI risks now top their priority lists, according to a report released Thursday from cybersecurity firm Team8.
  • “The true number of companies targeted by AI-powered attacks “may be even higher,” Team8 said in its report, “as most AI-driven threats mimic human activity and are difficult to detect without advanced metrics like time to exploitation and velocity indicators.”
  • “AI outranked vulnerability management, data loss prevention and third-party risk on CISOs’ priority lists, according to the report, which is based on interviews with more than 110 security leaders from major enterprises.”

• Per Dark Reading,
  • “Automated firmware-analysis tools and the falling cost of the technical hardware needed to inspect computer processors and memory are leading to a surge in reports of firmware vulnerabilities and motherboard security weaknesses.
  • “In the latest example, motherboard manufacturer Gigabyte disclosed on July 10 that a set of four firmware vulnerabilities had persisted in its platform, even though the original issues — in the firmware provided by independent BIOS vendor AMI — were patched years ago. The issues affect the System Management Mode (SMM) modules on older Intel-based systems, Gigabyte stated in its disclosure.”
• and
  • “When it comes to managing cybersecurity profiles for office printers, just 36% of IT teams are patching their firmware promptly — leaving a glaring gap in defenses that attackers could exploit to devastating effect.
  • “That’s according to HP Wolf Security, which found evidence of widespread failures across every stage of the printer life cycle in a global survey of 800+ IT and security decision-makers.
  • “Failure to promptly apply firmware updates to printers unnecessarily exposes organizations to threats that could lead to damaging impacts, such as cybercriminals exfiltrating critical data or hijacking devices,” according to the report, released today.”

• Infosecurity Magazine tells us,
  • “Cybercriminals have been observed adopting AI-powered cloaking tools to bypass traditional security measures and keep phishing and malware sites hidden from detection.
  • “According to new research from SlashNext, Platforms like Hoax Tech and JS Click Cloaker are offering “cloaking-as-a-service” (CaaS), allowing threat actors to disguise malicious content behind seemingly benign websites.
  • “Using advanced fingerprinting, machine learning and behavioral targeting, these tools selectively show scam pages only to real users while feeding safe content to automated scanners.
  • “I think that this is a clear example of a technology and set of tools being used in a bad way,” said Andy Bennett, CISO at Apollo Information Systems.”

• Per HelpNet Security,
  • “A new report from Living Security and the Cyentia Institute sheds light on the real human element behind cybersecurity threats, and it’s not what most organizations expect.
  • “The Risky Business: Who Protects & Who Puts You at Risk report analyzes data from over 100 organizations and challenges conventional thinking by revealing that a small portion of users, just 10 percent, are responsible for nearly 73 percent of all risky behavior in the enterprise.
  • “The riskiest users aren’t who and where you think,” the report notes. Surprisingly, remote and part-time workers are often less risky than full-time, in-office employees. Meanwhile, 78 percent of users help reduce cyber risk more than they contribute to it.”

• Dark Reading explains “How Criminal Networks Exploit Insider Vulnerabilities. Criminal networks are adapting quickly, and they’re betting that companies won’t keep pace. Let’s prove them wrong.”

• CISA added two known exploited vulnerabilities to its catalog this week.
  • July 14, 2025
    • CVE-2025-47812 Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
      • Cybersecurity News discusses this KVE here.
  • July 18, 2025
    • CVE-2025-25257 Fortinet FortiWeb SQL Injection Vulnerability
      • The Hacker News discusses this KVE here.

From the ransomware front,

• IT Pro lets us know,
  • “Ransomware attacks come with an average recovery cost of $4.5 million, according to a recent survey, which also found a high proportion of businesses have fallen prey to the malware in the past year.
  • “Data from Absolute Security, which surveyed 500 CISOs based in the US through Censuswide, found 72% of respondents’ firms had dealt with ransomware attacks in the 12 months prior to the survey.
  • “Respondents registered extreme concern over the potential cost of ransomware attacks, with nearly three quarters (73%) indicating a successful ransomware attack could critically incapacitate their business.”

• Chief Healthcare Executive reports,
  • “While hospitals have endured the threat of attacks from ransomware groups for years, other providers are targets for attacks.
  • “Ransomware groups are going after ambulatory surgical centers, physician practices and specialty care groups, says Steve Cagle, the CEO of Clearwater, a cybersecurity firm.
  • “We’ve seen this trend for some time now,” Cagle tells Chief Healthcare Executive®. “It’s more attacks on specialty or ambulatory …. physician practice management, specialty care groups.”
  • “Radiology centers, imaging centers, health clinics and dental clinics are also being targeted for attacks, Cagle says. More than 300 breaches of health data have already been reported to the Department of Health & Human Services in the first half of the year.”

• Cybersecurity Dive points out,
  • “DragonForce, a cyber criminal group connected to a series of attacks against retail firms in recent months, is claiming credit for an attack on the North Carolina-based department store chain Belk.
  • “The group claimed on its leak site that it has approximately 156 gigabytes of data stolen from the company. 
  • “Researchers have linked DragonForce to an April attack on Marks & Spencer, one of the first breaches in a months-long attack spree linked to Scattered Spider. DragonForce claimed credit for the intrusion, but M&S officials believe the group was working with Scattered Spider during the attack.” 

• Morphisec discusses “Matanbuchus [which} is a malware loader that has been available as a Malware-as-a-Service (MaaS) since 2021. It is primarily used to download and execute secondary payloads on compromised Windows systems, making it a critical first step in various cyberattacks.”
  
• Infosecurity Magazine informs us,
  • “The Interlock ransomware gang has been detected targeting organizations with a new remote access trojan (RAT) in a widespread campaign, according to researchers from The DFIR Report in partnership with Proofpoint.
  • “The new malware, observed since June 2025, uses the general-purpose PHP programming language. This differs from the previously identified JavaScript-based ‘NodeSnake’ RAT deployed by Interlock.
  • “In certain cases, the deployment of the PHP variant of the Interlock RAT has led to the deployment of the Node.js version.
  • “PHP is a common web scripting language, which can be leveraged across various platforms and databases.”

• Bleeping Computer reports,
  • “The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files.
  • “Phobos is a ransomware-as-a-service operation that launched in December 2018, enabling other threat actors to join as affiliates and utilize their encryption tool in attacks. In exchange, any ransom payments were split between the affiliate and the operators.
  • “While the ransomware operation did not receive as much media attention as other ransomware operations, Phobos is considered one of the most widely distributed ransomware operations, responsible for many attacks on businesses worldwide.”

From the cybersecurity research front,

• Cyberscoop tells us,
  • “A financially motivated threat group is attacking organizations using fully patched, end-of-life SonicWall Secure Mobile Access 100 series appliances, Google Threat Intelligence Group said in a report released Wednesday [July 16].
  • “The group, which Google identifies as UNC6148, is using previously stolen admin credentials to gain access to SonicWall SMA 100 series appliances, remote access VPN devices the vendor stopped selling and supporting earlier this year. UNC6148 is likely intruding networks to steal data for extortion and possibly deploy ransomware, according to researchers.
  • “The attacks stress the consistent risk SonicWall customers have confronted via exploited vulnerabilities, especially a series of defects affecting the outdated SonicWall SMA 100 series devices.”

• Per Bleeping Computer,
  • “Hackers have adopted the new technique called ‘FileFix’ in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems.
  • “Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka ‘LandUpdate808’) to deliver payloads through compromised websites.
  • “This shift in modus operandi was observed by researchers at The DFIR Report and Proofpoint since May. Back then, visitors of compromised sites were prompted to pass a fake CAPTCHA + verification, and then paste into a Run dialog content automatically saved to the clipboard, a tactic consistent with ClickFix attacks.”

• Per Cybersecurity Dive,
  • “Microsoft on Wednesday said it has seen the cybercrime group Scattered Spider using new techniques in attacks on the airline, insurance and retail industries since April. 
  • “The hacker group, which Microsoft tracks as Octo Tempest, is still using its trademark social-engineering tactics to gain access to companies by impersonating users and contacting help desks for password resets, according to the Microsoft Defender Security ResearchTeam blog post. 
  • “But the hackers are also abusing short messaging services and using adversary-in-the-middle tactics. And in recent attacks, the threat group has deployed the DragonForce ransomware and concentrated on breaching VMWare ESX hypervisor environments.” 

• Per Dark Reading,
  • “A threat actor known as “PoisonSeed” was credited with a novel attack technique that is able to bypass FIDO-based protections in an organization.
  • “That’s according to a report this week from MDR vendor Expel, titled “PoisonSeed bypassing FIDO keys to ‘fetch’ user accounts.” FIDO, or Fast Identity Online, refers to a technology-agnostic set of specifications for authentication. The technology, which was originally developed by the FIDO Alliance, is considered a gold standard in security, commonly seen in non-password authentication technologies like physical security keys.
  • “Expel’s research concerns a strategy for gaining access to a victim through the cross-device sign-in features available in FIDO security keys in a way that can bypass certain safeguards. Though the report does not concern a vulnerability in FIDO technology itself, it acts as a reminder to the defender that security does not end with a phishing-resistant security key.”

From the cybersecurity defenses front,

• Cybersecurity Dive interviews Mark Ryland who is Amazon’s security director.

• CSO calls attention to “eight tough trade-offs every CISO must navigate.”

• Blocks and Files explains how a “simulated ransomware attack reveals gaps in recovery planning.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive reports,
  • “U.S. government officials said critical infrastructure operators should be on alert for Iranian cyberattacks.
  • “In a threat advisory published Monday [June 30], multiple agencies said Iran might target U.S. firms “for near-term cyber operations” due to “the current geopolitical environment” — a reference to the Trump administration joining Israel’s aerial campaign against Iran’s nuclear program and related assets.
  • “Defense contractors, especially firms that have relationships with Israeli companies, are likely at heightened risk of targeting, according to the advisory.”
• and
  • “The Department of Justice on Monday [June 30] announced a series of actions as part of an investigation into the North Korean government’s deployment of its citizens abroad to pose as IT workers and illicitly earn money for the regime.
  • “Newly unsealed charging documents describe two separate schemes to trick U.S. companies into hiring people who funneled their paychecks to the North Korean government and exploited their access to the companies’ networks to steal sensitive information and cryptocurrency.
  • “Law enforcement officials, who have repeatedly issued alerts about Pyongyang’s IT worker schemes, warned U.S. businesses on Monday to carefully screen their remote employees to avoid falling victim to similar ruses.

• Cyberscoop tells us,
  • “The Chinese hackers behind the massive telecommunications sector breach are “largely contained” and “dormant” in the networks, “locked into the location they’re in” and “not actively infiltrating information,” the top FBI cyber official told CyberScoop.
  • “But Brett Leatherman, new leader of the FBI Cyber division, said in a recent interview that doesn’t mean the hackers, known as Salt Typhoon, no longer pose a threat.
  • “While there’s been some debate about whether Salt Typhoon should be getting more attention than fellow Chinese hackers Volt Typhoon — whom federal officials have said are prepositioned in U.S. critical infrastructure, poised for destructive action in the event of a conflict with the United States — Leatherman said the groups aren’t as different as some think.
  • “Salt Typhoon, even though it was [an] espionage campaign, had access to telecommunications infrastructure,” he said. “You can pivot from access in support of espionage to access in support of destructive action.”
• and
  • “Federal authorities levied sanctions Tuesday on Aeza Group, a bulletproof hosting service provider based in Russia, for allegedly supporting a broad swath of ransomware, malware and infostealer operators.
  • “Aeza Group has provided servers and specialized infrastructure to the Meduza, RedLine and Lumma infostealer operators, BianLian ransomware and BlackSprut, a Russian marketplace for illicit drugs, according to the Treasury Department’s Office of Foreign Assets Control. Lumma infected about 10 million systems before it was dismantled through a coordinated global takedown in May.
  • “The Treasury Department’s action against Aeza Group follows a wave of cybercrime crackdowns across the globe. Prolific cybercriminals have been arrested, and infostealers, malware loaders, counter antivirus and crypting services, cybercrime marketplaces, ransomware infrastructure and DDoS-for-hire operations have all been seized, taken offline or severely disrupted by global coordinated campaigns since May.
  • “Officials accused Aeza Group of helping cybercriminals target U.S. defense companies and technology vendors.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive informs us,
  • “Australian carrier Qantas said hackers who breached one of its call centers stole a significant quantity of customer data.
  • “The airline said on its website that it detected unusual activity on Monday [June 30] on a third-party platform that one of its call centers used. The airline took immediate action and was able to contain the attack, which it blamed on a criminal hacker.
  • “Qantas said it is investigating the extent of the intrusion but warned that the hackers accessed a “significant” amount of customer data, including names, addresses, phone numbers, dates of birth and frequent-flyer numbers. 
  • “The breach did not compromise any credit card details, personal financial information or passport information, Qantas said, because those are stored in a separate system. The intrusion also did not expect login information for customers’ frequent-flyer accounts.
  • “Qantas said it was working with government authorities, including the Australian Cyber Security Centre and the National Cyber Security Coordinator, as well as independent forensic experts to investigate the breach.
  • “All of Qantas’ systems are now secure and the airline is operating normally, according to the company. It said it was in the process of contacting customers to alert them to the incident.” 

• Per Security Week,
  • “Missouri healthcare provider Esse Health is notifying over 263,000 people that their personal information was stolen in a disruptive April 2025 cyberattack.
  • “The incident was discovered on April 21 and impacted the organization’s access to the electronic medical record system, while also taking down its phone system.
  • “By May 13, the healthcare provider had restored certain systems and was able to fulfill scheduled appointments or procedures. The phone systems were restored in early June, along with other primary patient-facing network systems, the organization said in an incident notice.
  • “On June 20, Esse Health said its investigation into the attack determined that a threat actor breached its network on April 21 and stole files containing personal information.
  • “The exfiltrated data included names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, health information, and health insurance details.”
• and
  • “Benefits and payroll solutions firm Kelly & Associates Insurance Group (dba Kelly Benefits) has informed authorities that a recent data breach impacts more than 550,000 people.
  • “The company revealed in April that hackers had gained access to its systems in December 2024, and an investigation had shown that the threat actor managed to steal files storing personal information.
  • “The incident resulted in the theft of information such as name, date of birth, Social Security number, tax ID number, medical information, health insurance information, and financial account information. 
  • “Kelly Benefits is notifying impacted individuals on behalf of more than 40 affected customers, including Aetna Life Insurance Company, Amergis, Beam Benefits, Beltway Companies, CareFirst, The Guardian Life Insurance Company of America, Fidelity Building Services Group, Intercon Truck of Baltimore, Humana Insurance ACE, Merritt Group, Publishers Circulation Fulfilment, Quantum Real Estate Management, United Healthcare, and Transforming Lives.
  • “Data breach reports submitted by Kelly Benefits to the Maine Attorney General’s Office since early April show that the number of impacted individuals has steadily increased as the company’s investigation progressed.” 

• The Center for Medicare and Medicaid Services announced on June 30,
  • The Centers for Medicare & Medicaid Services (CMS) is notifying Medicare beneficiaries whose personal information may have been involved in a data incident affecting Medicare.gov accounts. CMS identified suspicious activity related to unauthorized creation of certain beneficiary online accounts using personal information obtained from unknown external sources. CMS takes this situation very seriously. The safeguarding and security of personally identifiable information is of the utmost importance to CMS. 
  • Following detection of the incident, CMS worked quickly to deactivate affected accounts, assess the scope and impact of the compromise, and mitigate the effects on impacted individuals. CMS is working closely with appropriate parties to investigate this situation.
  • Approximately 103,000 beneficiaries may have been impacted. Notifications to affected individuals are being mailed, informing them of the incident, outlining steps being taken to protect their information, and providing guidance on actions they may wish to take. 

• The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • June 30, 2025
    •  CVE-2025-6543 Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
      • Netscaler explains this KVE here.
  • July 1, 2025
    • CVE-2025-48927 TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
    • CVE-2025-48928 TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
      • Cyber Press explains these KVEs here.
  • July 2, 2025
    • CVE-2025-6554 Google Chromium V8 Type Confusion Vulnerability
      • Bleeping Computer explains this KVE here.

• Dark Reading warns
  • “While browser extensions add useful functionality to Web browsers, such as blocking ads, managing passwords, and taking notes, they also increase the organization’s security and privacy risks.
  • “Browser extensions require certain levels of permissions that are attractive to attackers. Some extensions need access to the user’s location, browsing history, or the user’s clipboard to see what data the user has copied. Some extensions go further, requesting access to nearly all of the data stored on the user’s computer as well as the data accessed while visiting different websites. Attackers can exploit extensions with these heightened permissions to access potentially sensitive information, such as Web traffic, saved credentials, and session cookies.
  • “Even extensions with relatively modest permissions can manipulate those permissions to obtain access to the inner workings of every Web page displayed on a user’s screen, warns LayerX CEO and co-founder Or Eshed. LayerX research shows that 53% of enterprise users have installed extensions labeled with “high” or “critical” permissions scope. This is why browser extensions are a prime avenue for exploitation by threat actors, he adds.  
  • “[Attackers] can use it to copy or rewrite data or exploit Web page permissions for even more access,” Eshed says.”

• Security Week adds,
  • A vulnerability in the Forminator WordPress plugin could allow attackers to take over more than 400,000 impacted websites.
  • A popular form builder plugin with more than 600,000 active installations, Forminator supports the creation of various types of forms, including contact and payment forms, polls, and more.
  • The WordPress plugin was found vulnerable to CVE-2025-6463 (CVSS score of 8.8), an arbitrary file deletion flaw that exists because file paths are not sufficiently validated in a function used to delete a form submission’s uploaded files.

From the ransomware front,

• Bleeping Computer reports,
  • “The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom.
  • “After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with,” the cybercrime gang says in a statement published on its dark web leak earlier today.
  • “As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.” * * *
  • “Threat intelligence firm Group-IB also revealed in April that Hunters International was rebranding with plans to focus on data theft and extortion-only attacks and had launched a new extortion-only operation known as “World Leaks.”
    
• Security Week advises,
  • The key tool for surviving ransomware, or any attack scenario, is an IR plan. But an IR plan is only worthwhile if it’s comprehensive, current, and tested. IR plans are not “best practices”, nor singular documents stored in a safe place. They are living resources that require attention and maintenance. In this way, the proof of an IR plan’s efficacy is in that organizational muscle memory – most effectively trained through Tabletop exercises.  So, what are the primary “muscles,” and the repetitive “exercises” in which you can train an organization to respond decisively, immediately, confidently, and automatically.”
    • Plan your workout
    • Warm up
    • Train, recover, repeat
    • Measure your gains 

From the cybersecurity defenses and business front,

• Withum offers guidance on how to align your firm’s cybersecurity practices with Labor Department best practices for ERISA plan fiduciaries.

• Per Security Week,
  • Cloudflare has reversed its block on AI-crawling from optional to default, allowing finer grained crawling but only with agreement from all parties concerned.
  • LLMs are what they learn. From their inception the biggest source of learning has been the internet, so there has been a natural tendency for AI developers to scrape the internet as widely as possible.
  • Cloudflare has now introduced an option for their customers to accept or reject website scraping by AI vendors. Hitherto, internet scraping has been a major part of gathering training data for large LLM (gen-AI) developers; but the process has raised questions and objections over legality, copyright infringement, and accuracy.

• Dark Reading lets us know,
  • “How businesses can align cyber defenses with real threats. Companies that understand the motivations of their attackers and position themselves ahead of the competition will be in the best place to protect their business operations, brand reputation, and their bottom line.”
• and
  • “One year after a buggy CrowdStrike update knocked IT systems offline, organizations seeking to strike the right balance between security and productivity have viewed the incident as a learning opportunity.
  • “The cost of the CrowdStrike outage was estimated at $5.4 billion, affecting payment systems, airline reservations, and a variety of other industries. The impact of the outage highlights why many operational technology (OT) teams are as sensitive to patches and other updates in their critical infrastructure, as they are highly averse to outages that can happen if such updates are defective.
  • “But when balancing security and productivity, it is imperative not to view the CrowdStrike outage as a reason to forgo patching completely. The ever-growing volume of vulnerabilities and threats requires organizations to remain resilient and anti-fragile — that is, to have the ability to proactively respond to issues and continuously improve.”

• Per Security Week,
  • “LevelBlue announced on Tuesday [July 1] that it’s acquiring managed detection and response (MDR) services company Trustwave from The Chertoff Group’s MC² Security Fund.
  • “LevelBlue, formerly known as AT&T Cybersecurity, was launched in May 2024 as a joint venture between WillJam Ventures and AT&T. 
  • “The company’s acquisition of Trustwave comes shortly after it announced plans to buy Aon’s cybersecurity consulting business. The deals are part of a plan to become the largest pure-play managed security services provider (MSSP). 
  • “Once the acquisition has been completed, LevelBlue’s expertise in strategic risk management and cybersecurity infrastructure will be integrated with Trustwave’s platform and MDR service.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Federal News Network reports,
  • “House appropriators have advanced a homeland security spending bill that endorses many of the Trump administration’s budget proposals, while rejecting steep cuts to cybersecurity and artificial intelligence personnel.
  • “The fiscal 2026 homeland security appropriations measure includes $66.36 billion in discretionary spending. The GOP-led committee passed the bill Tuesday [June 24, 2025] on a 36-27 vote.
  • “The bill follows the broad contours of Trump administration policies by prioritizing funding for Customs and Border Protection and Immigration and Customs Enforcement. Appropriators are also expecting significant funding for the Department of Homeland Security to be included in the budget reconciliation bill.”

• Cyberscoop tells us,
  • “With time running short before expiration of a cyber information-sharing law highly valued by the private sector, Congress is taking a look at the possibility of a short-term extension.
  • “The 2015 Cybersecurity Information Sharing Act, which provided legal safeguards for companies to share threat data, is due to sunset at the end of September, and Congress doesn’t tend to work much in August.
  • “A bipartisan pair of senators have introduced a bill to simply extend it for another 10 years. But a House bill is still in the works and might take a different approach that involves making changes to the law going forward, industry officials told CyberScoop on Wednesday. Getting competing proposals through both chambers, then settling differences and finalizing a bill to get to the president’s desk, could take significant time.
  • “There are other things that are being considered in the mix,” said John Miller, senior vice president of policy for trust, data and technology and general counsel at the Information Technology Industry Council. One would be attaching language to a continuing resolution funding measure that would extend the 2015 law for a short period of time.”

• Cybersecurity Dive informs us,
  • “Federal officials and private-sector security leaders said Tuesday [June 24, 2025] that they are closely monitoring for cyberattacks related to the Iran conflict but thus far have not observed any significant activity. 
  • “The Department of Homeland Security warned Sunday that Iran-linked actors or hacktivist groups may launch attacks against U.S. critical infrastructure operators, citing a recent history of attacks against poorly configured water utilities and other systems. 
  • “An apparent truce announced late Monday by President Donald Trump appeared to lower international tensions, but officials remain on guard for any potential threat activity.
  • “The Cybersecurity and Infrastructure Security Agency (CISA) “is actively coordinating with government, industry, and international partners to share actionable intelligence and strengthen collective defense,” CISA spokesperson Marci McCarthy said in a statement. “There are currently no specific credible threats against the homeland.”

• NextGov/FCW notes,
  • “Morgan Adamski is leaving her role as executive director of U.S. Cyber Command, handing the reins to Patrick Ware.
  • “After 17 years of service at the National Security Agency, I’ve decided to turn the page to an exciting new chapter in my career. It has been an extraordinary journey contributing to the defense of our Nation and advancing the cybersecurity mission across the U.S. Government,” Adamski wrote in a LinkedIn post Friday [June 27, 2025].
  • “The number three spot in the combatant command is typically held by a civilian on detail from the National Security Agency.
  • “Though Adamski did not clarify where she would be headed next, she noted her commitment to ensuring there were cyber solutions on “both sides of the fence.”

• CISA and the National Security Agency have released a report titled “Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development.’

• The National Institute of Standards and Technology has published final “Special Publication (SP) 800-228, Guidelines for API Protection for Cloud-Native Systems.”

• Per Cyberscoop,
  • Kai West, a prolific cybercriminal better known for operating under the moniker “IntelBroker,” was arrested in France earlier this year and faces federal charges for allegedly stealing data from more than 40 organizations during a two-year period, the Justice Department said Wednesday [June 25, 2025]. 
  • Federal prosecutors unsealed a four-count indictment charging West, a British national, with conspiracy to commit computer intrusions, accessing a protected computer to obtain information and wire fraud. The United States is seeking his extradition for the charges, which each carry maximum sentences of five to 20 years in prison. 

From the cybersecurity breaches and vulnerabilities front,

• Beckers Health IT identifies the top ten states for healthcare data breaches between February 2023 and April 2025.

• CISA added three known exploited vulnerabilities to its catalog this week.
  • June 25, 2025
    • CVE-2024-54085 AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
      • Network World discusses this KVE here.
    • CVE-2024-0769 D-Link DIR-859 Router Path Traversal Vulnerability
      • Cybersecurity News discusses this KVE here.
    • CVE-2019-6693 Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability
      • Cybersecurity News discusses this KVE here.

• Cyberscoop reports,
  • Citrix on Wednesday [June 25, 2025] disclosed an actively exploited zero-day vulnerability affecting multiple versions of NetScaler products, an alarming development from a vendor that’s been widely targeted in previous attack sprees.
  • The zero-day (CVE-2025-6543) was disclosed by Citrix nine days after it issued a security bulletin for a pair of defects (CVE-2025-5777 and CVE-2025-5349) in the same products. All three vulnerabilities affect the company’s networking security appliance NetScaler ADC and its virtual private network NetScaler Gateway. 
  • “Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” Citrix said in a security bulletin for the zero-day. Citrix did not respond to a request for comment. 
  • Citrix described the critical zero-day CVE-2025-6543, which has a base score of 9.2 on the CVSS scale, as a memory overflow defect that attackers can exploit for unintended control flow and denial of service. Exploitation can only occur if targeted NetScaler instances are configured as a gateway or an authentication, authorization and accounting (AAA) virtual server, according to Citrix.”
• and
  • “The aviation industry has seemingly become the latest target of Scattered Spider, a sophisticated cybercriminal group that has shifted its focus from retail and insurance companies to airlines in what cybersecurity experts describe as a coordinated campaign against the sector.
  • “Hawaiian Airlines disclosed a cybersecurity incident Friday [June 27, 2025] affecting some of its IT systems while maintaining that flights continued operating safely and on schedule. The attack, first detected June 23, according to SEC filings, prompted the airline to engage federal authorities and cybersecurity experts for investigation and remediation efforts.
  • “Multiple incident responders have attributed the Hawaiian Airlines attack to Scattered Spider, also known as Muddled Libra or UNC3944. The assessment comes as cybersecurity firms Unit 42 and Mandiant issued warnings about the group’s apparent pivot to targeting aviation companies.
  • “Charles Carmakal, chief technology officer at Mandiant Consulting – Google Cloud, confirmed his company is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.” The group has demonstrated a pattern of focusing intensively on single industries before moving to new sectors.”

• Per Hacker News,
  • “Unknown threat actors have been distributing a trojanized version of SonicWall’s SSL VPN NetExtender application to steal credentials from unsuspecting users who may have installed it.
  • “NetExtender enables remote users to securely connect and run applications on the company network,” SonicWall researcher Sravan Ganachari said. “Users can upload and download files, access network drives, and use other resources as if they were on the local network.”
  • “The malicious payload delivered via the rogue VPN software has been code named SilentRoute by Microsoft, which detected the campaign along with the network security company.” * * *
  • “The development comes as G DATA detailed a threat activity cluster dubbed EvilConwi that involves bad actors abusing ConnectWise to embed malicious code using a technique called authenticode stuffing without invalidating the digital signature.
  • “The German cybersecurity company said it has observed a spike in attacks using this technique since March 2025. The infection chains primarily leverage phishing emails as an initial access vector or through bogus sites advertised as artificial intelligence (AI) tools on Facebook.”

From the ransomware front,

• Bleeping Computer notes,
  • “Ahold Delhaize, one of the world’s largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems.
  • “The multinational retailer and wholesale company operates over 9,400 local stores across Europe, the United States, and Indonesia, employing more than 393,000 people and serving approximately 60 million customers each week in-store and online.” * * *
  • “In a Thursday filing with Maine’s Attorney General, the retail giant revealed that the attackers behind the November breach stole the data of 2,242,521 individuals after gaining access to the company’s internal U.S. business systems on November 6, 2024.”Mich
    
• Michigan Health Watch adds,
  • “After 10 months, McLaren Health Care has begun to notify more than 740,000 patients that had sensitive personal data and health records exposed during the hospital system’s August 2024 ransomware attack.
  • “The extent of the data extortion scheme, which delayed critical care for chronically ill patients at the Karmanos Cancer Institute and facilities across the state, came to light in recent days as the 12-hospital system based in Grand Blanc posted notice on its website and informed  state agencies about the incident.”

• Dark Reading reports,
  • “A newly discovered ransomware group dubbed “Dire Wolf” has already taken a bite out of 16 organizations globally since its emergence only last month, mainly across the technology and manufacturing sectors, researchers have found.
  • “The group uses a double extortion tactic with a monthlong turnaround time for paying ransom, and deploys custom encryptors tailored to specific victims, security firm Trustwave revealed in a blog post published June 24. Researchers from Trustwave SpiderLabs recently uncovered and observed a ransomware sample from the emerging threat group and gained insights on how it operates, they said.
  • “So far, the group’s victims have spanned 11 countries, with the US and Thailand reporting the highest numbers of attacks, followed by Taiwan. So far, five of the 16 victims listed on the group’s data leak site have data scheduled to be uploaded by the end of June, presumably because they didn’t pay the ransom, according to the post.”

• Per Cybersecurity Dive,
  • “Only half of ransomware attacks on organizations this year have involved data encryption, once the attack’s defining feature, according to a Sophos report published on Tuesday [June 24, 2025].
  • “Both the average ransom demand and average ransom payment have dropped significantly over the past year (by 34% and 50%, respectively).
  • “Less than a third of respondents in the survey who paid a ransom said the amount matched the attackers’ initial demand, with 53% of victims paying less and 18% paying more.”

From the cybersecurity defenses front,

• Cyberscoop reports,
  • “When a faulty software update from cybersecurity firm CrowdStrike last year caused possibly the largest IT outage in history, Microsoft ended up taking much of the blame.
  • “CrowdStrike’s Falcon endpoint detection and response was on millions of Windows devices worldwide, and like most antivirus products that need broad access to different systems to do their job, the software had direct access to the Windows kernel.
  • “When CrowdStrike’s update crashed, so did millions of Windows-powered systems and devices around the world. A series of security announcements by Microsoft on Thursday [June 26, 2025] are designed to reduce the possibility of future third-party outages and other security threats that can take an organization’s IT out of commission for extended durations.
  • “Among those changes: antivirus software like the kind installed by CrowdStrike and other third-party cybersecurity will no longer have direct access to the Windows kernel. The company will be previewing a new endpoint security platform to vendors next month that requires security updates to go through layers of testing and review before they ship to Windows devices and systems worldwide.”

• Per Cybersecurity Dive,
  • “Cybersecurity insurance premiums declined 2.3% year over year to roughly $7.1 billion in 2024, according to a new report released on Monday [June 23, 2025] by credit rating agency AM Best.
  • “Meanwhile, cyber insurance providers’ loss ratio — the proportion of premiums they use to pay out claims — remained below 50%, indicating that the market remains profitable.
  • “AM Best offered several possible explanations for the slight premium decline.”
• and
  • “Two reports — one that KPMG released on Thursday and one that Thales released last month — illustrate how generative AI is raising security concerns for business leaders.
  • “Business leaders surveyed by KPMG reported prioritizing security oversight in their generative AI budgeting decisions, with 67% saying they plan to spend money on cyber and data security protections for their AI models. Fifty-two percent cited risk and compliance as a budgetary priority.
  • “Those spending decisions reflect corporate executives’ growing worries about AI security. ***

• WEDI is offering a free healthcare cybersecurity webinar on June 15, 2025, at 1:00 pm ET.

• Dark Reading discusses the U.S. military’s refined approach to zero trust and how to create and track a vulnerability debt figure.

• The ISACA Blog considers Proactive Approaches to Identify Cyberthreats.

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity defenses and law enforcement front

• Cyberscoop reports,
  • Congress should use renewal of an expiring [in 2027] terrorism insurance program to create a federal backstop for cybersecurity insurance, according to a report out Tuesday that tries to thread many difficult needles to bolster an industry that its author says isn’t developing fast enough.
  • In an ideal world, cybersecurity insurance can be a valuable tool to protect policyholders and push everyone into adopting better cyber practices, but it will need government intervention to reach its full potential amid an array of challenges, Nick Leiserson writes in a study for the Foundation for Defense of Democracies, a D.C.-based think tank. 
• and
  • “As spring gives way to summer, a wave of cybercrime crackdowns has taken root, with law enforcement and private security companies directing a surge of takedowns, seizures, indictments and arrests.
  • “Prolific infostealers, malware loaders, counter antivirus and encrypting services, cybercrime marketplaces, ransomware infrastructure and DDoS-for-hire operations have all been seized, taken offline or severely disrupted by global coordinated campaigns over the past six weeks.
  • “It’s been really energizing to see the volume and velocity of these takedowns in such a short period of time,” Flashpoint CEO Josh Lefkowitz told CyberScoop. 
  • “I can’t think of such a flurry and rapid succession — and then magnified by complementary takedowns by Europol and international partners,” he added. “It’s been a great couple of weeks for the good guys, and I wouldn’t be surprised if there’s more around the horizon.”

From the cybersecurity vulnerabilities and breaches front,

• Bleeping Computer informs us,
  • “News broke [on June 18] about “one of the largest data breaches in history,” sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.
  • “To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.
  • “Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.
  • “Cybernews, which discovered the briefly exposed datasets of compiled credentials, stated it was stored in a format commonly associated with infostealer malware, though they did not share samples
  • “An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide.”

• Cybersecurity Dive reports,
  • “Major insurance provider Aflac Inc. said Friday [June 20] that it was the target of a cyberattack on June 12 that is linked to a major cybercrime spree focusing on the industry. 
  • “The company said it was able to contain the attack within hours and confirmed its systems remain operational. 
  • “We continue to serve our customers as we respond to this incident and can underwrite policies, review claims and otherwise service our customers as usual,” the company said in a Securities and Exchange Commission filing. 
  • “The incident is part of a larger crime wave targeting the insurance industry that researchers have linked to a collective known as Scattered Spider. The group recently conducted a weeks-long attack campaign against retailers in the U.S. and the U.K.
  • “Erie Insurance Group last week disclosed that it was the target of a cyberattack that began on June 7. The company said Tuesday that it has regained control over its systems and sees no further evidence of malicious activity.”

• Cyberscoop adds,
  • Scattered Spider is an amorphous band of young English-speaking cybercriminals affiliated with the larger sprawling network known as The Com. Scattered Spider associates recently ran roughshod over U.K.- and U.S.-based retailers before pivoting, once again, to insurance companies.
  • The ring of cybercriminals historically focus on one sector at a time, resulting in a wave of extortion attacks on companies in the same industry, which often use similar systems and processes. 
  • Google previously warned that Scattered Spider shifted its attention to U.S. retailers after the group hit multiple retailers and grocery stores in the U.K. in April. The pattern of recent activities attributed to Scattered Spider has been consistent.
  • “We are now seeing incidents in the insurance industry,” John Hultquist, chief analyst at Google Threat Intelligence Group, told CyberScoop on Monday. “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”

• The Wall Street Journal points out,
  • “Hackers in recent months have disrupted retail sales in the U.K. and U.S. and stolen hundreds of millions of dollars from crypto holders by targeting the outsourced call centers that many American corporations use to save costs.
  • “The hacks are often meticulously researched and use a variety of techniques, but they have one thing in common: low-level workers who staff call centers and have access to the kind of sensitive information that criminals need to commit crimes.
  • “The focus on outside call centers has allowed attackers to trick workers to get around so-called two-factor account authentication techniques that send codes by text to mobile phones. Those methods are commonly used to protect millions of bank and credit-card accounts, as well as a host of other online portals.”

• Security Week lets us know,
  • “Healthcare services firm Episource has been targeted in a cyberattack that resulted in a data breach impacting more than 5.4 million individuals.
  • “Episource provides medical coding and risk adjustment services to doctors, health plans, and other types of healthcare organizations. 
  • “The firm revealed in a data breach notice that it detected unauthorized access to its systems in early February. An investigation showed that “a cybercriminal” was able to view and copy data belonging to some Episource customers between January 27 and February 6, 2025. 
  • “We quickly took steps to stop the activity. We began investigating right away and hired a special team to help us. We also called law enforcement. We turned off our computer systems to help protect the customers we work with and their patients and members,” the company said, noting that it’s not aware of any misuse of the compromised data.”

• Per Dark Reading,
  • Cybercriminals are using fake search engine listings to hijack the results for people looking for tech support from brands like Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal.
  • This type of deceptive scam is common, taking advantage of users’ trust in big name brands, beginning with a sponsored search result on Google — but this time, there’s a twist.
  • According to Pieter Arntz and Jérôme Segura, researchers at Malwarebytes Labs, cybercriminals start by paying for a sponsored ad on Google pretending to be a major brand. This advertisement will then lead people to the fake website.
  • “However, in the cases we recently found, the visitor is taken to the legitimate site with a small difference,” the researchers wrote in a post this week. “Visitors are taken to the help/support section of the brand’s website, but instead of the genuine phone number, the hijackers display their scammy number instead.”
  • “So, while the browser address is legitimate and shows no cause for concern, the fraudsters overlay the actual website with misinformation, directing the user to seek help from a fraudulent source.”

• Cybersecurity Dive tells us,
  • “Researchers are urging Veeam Backup & Replication users to make sure their systems are fully upgraded to the latest version after the company released a patch Tuesday to address a critical remote code execution flaw. 
  • “The vulnerability, tracked as CVE-2025-23121, allows an authenticated domain user to run code on a backup server. 
  • “Researchers at watchTowr and Code White GmbH previously disclosed that a patch to address a prior vulnerability, tracked as CVE-2025-23120, could be bypassed. That disclosure led to the development of the new patch.”
• and
  • “Hackers are exploiting a critical vulnerability in Zyxel’s Internet Key Exchange packet decoder, GreyNoise researchers warned on Monday.
  • “The vulnerability, tracked as CVE-2023-28771, powered a sudden wave of exploitation attempts Monday, with researchers observing 244 unique IP addresses involved in the activity. 
  • “All of the addresses were located in the U.S. and registered to Verizon Business, but researchers caution that because the vulnerability was located over UDP (Port 500), the attackers may have been spoofing those addresses.
  • “Additional analysis suggests that the activity may be related to a variant of the Mirai botnet, researchers said. 
  • “Mirai-linked payloads suggest the activity may be aimed at enrolling devices into botnets for automated attacks like DDoS or scanning,” GreyNoise researchers told Cybersecurity Dive via email.”

• The Cybersecurity and Infrastructure Security Agency (CISA) added three known exploited vulnerabilities to its catalog this week.
  • June 16, 2025
    • CVE-2025-43200 Apple Multiple Products Unspecified Vulnerability
    • CVE-2023-33538 TP-Link Multiple Routers Command Injection Vulnerability
      • NIST discusses the Apple vulnerability here.
      • Security Week discusses the TP-Link KVE here.
  • June 17, 2025
    •  CVE-2023-0386 Linux Kernel Improper Ownership Management Vulnerability 
      • Security Week discusses this KVE here.

From the ransomware front,

• The Hacker News reports,
  • “An emerging ransomware strain has been discovered incorporating capabilities to encrypt files as well as permanently erase them, a development that has been described as a “rare dual-threat.”
  • “The ransomware features a ‘wipe mode,’ which permanently erases files, rendering recovery impossible even if the ransom is paid,” Trend Micro researchers Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles said in a report published last week.
  • “The ransomware-as-a-service (RaaS) operation in question is named Anubis, which became active in December 2024, claiming victims across healthcare, hospitality, and construction sectors in Australia, Canada, Peru, and the U.S. Analysis of early, trial samples of the ransomware suggests that the developers initially named it Sphinx, before tweaking the brand name in the final version.”
• and
  • “The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals.
  • “The new feature takes the form of a “Call Lawyer” feature on the affiliate panel, per Israeli cybersecurity company Cybereason.
  • “The development represents a newfound resurgence of the e-crime group as once-popular ransomware groups like LockBit, Black Cat, RansomHub, Everest, and BlackLock have suffered abrupt cessations, operational failures, and defacements. The group, also tracked as Gold Feather and Water Galura, has been active since October 2022.
  • “Data compiled from the dark web leak sites run by ransomware groups shows that Qilin led with 72 victims in April 2025. In May, it is estimated to be behind 55 attacks, putting it behind Safepay (72) and Luna Moth (67). It’s also the third most active group after Cl0p and Akira since the start of the year, claiming a total of 304 victims.”

From the cybersecurity defenses front,

• Cybersecurity Dive reports,
  • “For organizations aiming to deploy generative AI at scale, focusing on the cybersecurity guardrails surrounding the technology can help ease adoption rather than hinder it, according to AWS CISO Amy Herzog. 
  • “Herzog, who took on the CISO role earlier this month, made the case for a closer enterprise focus on security during the company’s annual re:Inforce conference Tuesday. The strategy can pay off by speeding up adoption. 
  • “Security, when done right, can be a true enabler in adopting new technologies,” said Herzog. “What we’re noticing is customers with mature security practices and the ability to innovate while maintaining a high security bar, they’re adopting Gen AI faster.
  • “Companies in highly regulated environments, from finance to healthcare, have been able to rely on their existing security, privacy and data management guardrails to speed up AI adoption, Herzog said. 
  • “This enables them to reduce risks and pragmatically focus on scaling their use cases,” Herzog said.”
• and
  • “Nearly one in 10 publicly accessible cloud-storage buckets contained sensitive data, with virtually all of that data considered confidential or restricted, according to a new report from Tenable based on scans conducted between October 2024 and March 2025.
  • “On the other hand, more than eight in 10 organizations using Amazon Web Services have enabled an important identity-checking service, according to the report, published on Wednesday.
  • ‘The number of organizations with triple-threat cloud instances — “publicly exposed, critically vulnerable and highly privileged” — declined from 38% between January and June 2024 to 29% between October 2024 and March 2025.”

• Per Bleeping Computer,
  • “Microsoft has announced plans to periodically remove legacy drivers from the Windows Update catalog to mitigate security and compatibility risks.
  • “The rationale behind this initiative is to ensure that we have the optimal set of drivers on Windows Update that cater to a variety of hardware devices across the windows ecosystem, while making sure that Microsoft Windows security posture is not compromised,” Microsoft said.
  • “This initiative involves periodic cleanup of drivers from Windows Update, thereby resulting in some drivers not being offered to any systems in the ecosystem.
  • “As the company explained on Thursday, the first phase of this “cleaning up” procedure will involve drivers with newer replacements already published on Windows Update.”
    
• CSO lets us know,
  • “Ransomware tabletop exercises confront participants with an attack scenario, offering them a way to test and improve their organization’s readiness and response capabilities.
  • “During this month’s Infosecurity Europe conference, CSO took part as a media advisor to a blue team, pitched against a red team of attackers in a ransomware tabletop simulation focused on the water industry. The “Operation 999” exercise was devised and run by cybersecurity vendor Semperis, a specialist in protecting Active Directory (AD) and hybrid identity environments.” * * *
  • “The “Operation 999” exercise offered a cybersecurity tabletop simulation designed to allow participants to exercise incident response strategies. The tabletop exercise offered an immersive experience without featuring any hands-on keyboard or analysis of technical data (such as exercise specific log files, or similar).”

• Security Week discusses “Choosing a clear direction in the face of growing cybersecurity demands. In a rapidly changing AI environment, CISOs are worried about investing in the wrong solution or simply not investing because they can’t decide what the best option is.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity and law enforcement front,

• Cyberscoop reports,
  • “A House panel approved a fiscal 2026 funding bill Monday [June 9, 2025] that would cut the Cybersecurity and Infrastructure Security Agency by $135 million from fiscal 2025, significantly less than the Trump administration’s proposed $495 million.
  • “The chairman of the House Appropriations Subcommittee on Homeland Security, Rep. Mark Amodei, said the annual Department of Homeland Security funding measure “responsibly trimmed” the CISA budget. But Illinois Rep. Lauren Underwood, the top Democrat on his panel, said the legislation “fails to address the catastrophic cybersecurity threats facing our critical infrastructure.”
  • “The subcommittee approved the bill by a vote of 8-4.
  • “CISA would get $2.7 billion under the measure, according to a committee fact sheet, or $134.8 million less than the prior year.
  • “While the full committee chairman Tom Cole, R-Okla., said “the bill provides critical support for cybersecurity technology,” Republicans also criticized the agency’s past work.”
• and
  • “A familiar face is being promoted from within to lead the FBI’s Cyber division.
  • “In a LinkedIn post Sunday [June 8, 2025], Brett Leatherman said that FBI Director Kash Patel had selected him as assistant director and lead official for the FBI’s primary division for investigating cybercrimes.  The role is prominent in national security, espionage and counterintelligence investigations.” * * *
  • “Leatherman takes over the reins from Bryan Vorndran, who led the bureau’s Cyber Division from 2021 until this past spring when he left the federal government to take a job as Microsoft’s deputy chief information security officer.”  
    
• The National Institute of Standards and Technology (NIST) illustrates “19 Ways to Build Zero Trust Architectures.”
  • “The traditional approach to cybersecurity, built around the idea of solely securing a perimeter, has given way to the zero-trust approach of continuously evaluating and verifying requests for access.
  • “Zero trust architectures can help organizations protect far-flung digital resources from cyberattacks, but building and implementing the right architectures can be a complex undertaking.
  • “New NIST guidance offers 19 example zero trust architectures using off-the-shelf commercial technologies, giving organizations valuable starting points for building their own architectures.”
    
• Cyberscoop points out,
  • “Federal authorities on Wednesday [June 11, 2025] announced the seizure of about 145 domains and cryptocurrency funds linked to BidenCash, a cybercrime marketplace for stolen credit cards, compromised credentials and other personal information. 
  • “BidenCash was used by more than 117,000 customers, resulting in the trafficking of more than 15 million credit card numbers and personally identifiable information, the Justice Department said. Administrators of the cybercrime platform, which charged a per-transaction fee, generated more than $17 million in illicit revenue since its formation in March 2022, authorities said.
  • “Domains associated with BidenCash now redirect to a server controlled by U.S. law enforcement and display seizure notices. The U.S. Attorney’s Office for the Eastern District of Virginia, which is leading the case, said it seized cryptocurrency funds the BidenCash marketplace used to receive illicit proceeds from its operations.
  • “Authorities did not disclose the value of those seized cryptocurrency funds or identify the physical location of the administrators and infrastructure used by BidenCash. The U.S. Attorney’s Office for the Eastern District of Virginia did not immediately respond to questions.” 

• Cybersecurity Dive adds,
  • “An international law enforcement operation has dismantled the computer infrastructure powering multiple strains of information-stealer malware.
  • “As part of “Operation Secure,” authorities in 26 Asian countries “worked to locate servers, map physical networks and execute targeted takedowns,” Interpol said in a statement. Law enforcement agencies worked with cybersecurity firms Group-IB, Kaspersky and Trend Micro to prepare assessments of their targets and shared that information with “cyber teams across Asia,” according to Interpol, resulting in “in the takedown of 79 percent of identified suspicious IP addresses.”

From the cybersecurity vulnerabilities and breaches front,

• The Wall Street Journal reports,
  • “Supermarket shelves are emptying out at some stores around the country, after a cyberattack hit a major distributor to Whole Foods Market and other chains.
  • “United Natural Foods said it detected unauthorized activity on its systems last week and took certain ones offline proactively.
  • “Disruptions to its operations have followed, United Natural said. Stores around the country have reported being unable to place orders. The company has told suppliers that it hopes to restore normal operations by Sunday, according to a notice viewed by The Wall Street Journal.” 

• CISA added four known exploited vulnerabilities to its catalog this week.
  • June 9, 2025
    • “CVE-2025-32433 Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability 
    • “CVE-2024-42009 RoundCube Webmail Cross-Site Scripting Vulnerability” 
      • The Hacker News discusses these KVEs here.
  • June 10, 2025
    • “CVE-2025-24016 Wazuh Server Deserialization of Untrusted Data Vulnerability
    • “CVE-2025-33053 Web Distributed Authoring and Versioning (WebDAV) External Control of File Name or Path Vulnerability”
      • Akamai discusses the “Wasuh Server” KVE here.
      • Security Week discusses the WebDAV KVE here.

• Cybersecurity Dive adds,
  • “Government agencies are operating with massive amounts of “security debt” — meaning unresolved vulnerabilities — putting them and the public at increased risk of falling victim to hackers, according to a Veracode report released Wednesday [June 11, 2025]. 
  • “Roughly 80% of government agencies have software vulnerabilities that have gone unaddressed for at least a year, and roughly 55% of them have long-standing software flaws that place them at even greater risk, the report found.
  • “Veracode’s research shows that it takes government agencies an average of 315 days to resolve half of their software vulnerabilities, compared to the combined public- and private-sector average of 252 days.
  • “But companies and agencies alike are falling short of the necessary investments and procedures to address insecure software, according to Veracode.”

• Dark Reading warns
  • “Secure Shell (SSH) keys are the backbone of secure remote access. They are everywhere, powering DevOps pipelines, enabling server management, and automating everything from deployments to patching. But despite their ubiquity, SSH keys often remain a blind spot in enterprise security. Why? Because unlike passwords, they don’t expire. They are easy to create, hard to track, and alarmingly simple to forget.
  • “In large enterprises, it is not uncommon to find hundreds of thousands or even millions of unmanaged SSH keys. Many of these grant access to sensitive systems but lack clear ownership or life-cycle oversight, turning what should be a secure authentication method into a major risk factor.
  • “If your organization cannot answer “Who can log in to what, using which key?” you are flying blind.”

• Security Week notes,
  • “More than 40,000 security cameras worldwide are exposed to the internet, cybersecurity firm Bitsight warns.
  • “Operating over HTTP or RTSP (Real-Time Streaming Protocol), the cameras expose their live feed to anyone knowing their IP addresses, directly from the web browser, which makes them unintended tools for cyberattacks, espionage, extortion, and stalking, the company says.
  • “The HTTP-based cameras rely on standard web technologies for video transmission and control and are typically found in homes and small offices.
  • “Of the more than 40,000 cameras exposing their live feed, more than 14,000 are in the US, with Japan ranking second, at roughly 7,000 devices. Austria, Czechia, and South Korea have roughly 2,000 exposed cameras each, while Germany, Italy, and Russia have roughly 1,000 each.
  • “In the US, most of the exposed cameras are in California and Texas, followed by Georgia, New York, and Missouri. Massachusetts and Florida have high concentrations of exposed cameras as well.” * * *
  • “To keep these security cameras protected, users should secure their internet connections, replace default credentials, disable remote access if not needed, keep the devices always updated, and monitor them for unusual login attempts.”
• and
  • “Trend Micro has released patches for ten vulnerabilities in Apex Central and Endpoint Encryption (TMEE) PolicyServer, including critical-severity flaws leading to remote code execution (RCE).
  • “The update for Apex Central resolves two critical bugs leading to RCE, tracked as CVE-2025-49219 and CVE-2025-49220 (CVSS score of 9.8). The security defects are similar, but were discovered in different methods, the company says.
  • “Both vulnerabilities are described as an insecure deserialization operation that could allow remote attackers to execute arbitrary code on affected installations, without authentication.
  • “Endpoint Encryption PolicyServer received fixes for eight flaws, including four critical and four high-severity defects.”

• Per Bleeping Computer,
  • “Cloudflare has confirmed that the massive service outage yesterday was not caused by a security incident, and no data has been lost.
  • “The issue has been largely mitigated. It started 17:52 UTC yesterday [June 12, 2025] when the Workers KV (Key-Value) system went completely offline, causing widespread service losses across multiple edge computing and AI services.
  • “Workers KV is a globally distributed, consistent key-value store used by Cloudflare Workers, the company’s serverless computing platform. It is a fundamental piece in many Cloudflare services, and a failure can cause cascading issues across many components.”
  • “The disruption also impacted other services used by millions, most notably the Google Cloud Platform.”

From the ransomware front,

• The HIPAA Journal informs us,
  • “It has taken three weeks, but Kettering Health has confirmed that it has resumed normal operations for key services following its May 20, 2025, Interlock ransomware attack. Kettering Health has been releasing regular updates on the progress being made restoring its systems, confirming that the core components of its Epic EHR system were restored on the morning on June 2, 2025, which allowed patient data to be entered, and the backlog of data recorded on paper to start to be entered into patient records.
  • “Interlock’s access to its network and system was immediately terminated when the attack was discovered, and Kettering Health confirmed on June 5, 2025, that all of the ransomware group’s tools and persistence mechanisms had been eradicated from its systems. Kettering Health also confirmed that all systems were fully up to date with the latest versions of software installed and patches applied, and security enhancements had been implemented, including network segmentation, enhanced monitoring, and updated access controls. Kettering Health said it is confident that its cybersecurity framework and employee security training are sufficient to mitigate future risks.”

• Cybersecurity Dive reports,
  • “Ransomware gangs have exploited a vulnerability in the SimpleHelp remote support program to breach customers of a utility billing software vendor, the Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday [June 12, 2025].
  • “The government advisory follows an earlier warning from CISA and the FBI that hackers associated with the Play ransomware gang had been targeting critical infrastructure organizations using the flaw in SimpleHelp’s remote management software.
  • “The new CISA alert highlights the risks of vendors not verifying the security of their software before providing it to customers.” * * *
  • “In its Thursday alert, CISA said the breach of the utility payment vendor reflected a “broader pattern” of such attacks.
  • “The agency urged “software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.” 
  • “Vendors should isolate vulnerable SimpleHelp instances, update the software and warn customers, according to CISA, while customers should determine whether they are running the SimpleHelp endpoint service, isolate and update those systems and follow SimpleHelp’s additional guidance.’

• Per Bleeping Computer,
  • “Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.
  • “The Fog ransomware operation was first observed last year in May leveraging compromised VPN credentials to access victims’ networks.
  • ‘Post-compromise, they used “pass-the-hash” attacks to gain admin privileges, disabled Windows Defender, and encrypted all files, including virtual machine storage.
  • “Later, the threat group was observed exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, as well as SonicWall SSL VPN endpoints.”

From the cybersecurity defenses front,

• Cybersecurity Dive lets us know,
  • “The threat of cyberattacks represents the most serious challenge for businesses in the coming year, the advisory firm Kroll said in a report published Thursday [June 12, 2025].
  • “Roughly three-quarters of respondents said their cybersecurity and privacy concerns had increased over the past year, with nearly half citing malware and more than a third citing data extortion as specific fears.
  • “Kroll’s survey of 1,200 respondents from more than 20 countries, conducted in February, provides some measure of how businesses are thinking about and dealing with cyber worries as global tensions escalate.”
• and
  • “Artificial intelligence is poised to transform the work of security operations centers, but experts say humans will always need to be involved in managing companies’ responses to cybersecurity incidents — as well as policing the autonomous systems that increasingly assist them.
  • “AI agents can automate many repetitive and complex SOC tasks, but for the foreseeable future, they will have significant limitations, including an inability to replicate unique human knowledge or understand bespoke network configurations, according to experts who presented here at the Gartner Security and Risk Management Summit.
  • “The promise of AI dominated this year’s Gartner conference, where experts shared how the technology could make cyber defenders’ jobs much easier, even if it has a long way to go before it can replace experienced humans in a SOC.
  • “As the speed, the sophistication, [and] the scale of the attacks [go] up, we can use agentic AI to help us tackle those challenges,” Hammad Rajjoub, director of technical product marketing at Microsoft, said during his presentation. “What’s better to defend at machine speed than AI itself?”

• Dark Reading explains “Why CISOs Must Align Business Objectives & Cybersecurity. This alignment makes a successful CISO, but creating the same sentiment across business leadership creates a culture of commitment and greatly contributes to achieving goals.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Yesterday, the President issued a cybersecurity executive order. Here is a link to related fact sheet.

• Federal News Network adds,
  • “President Donald Trump has signed a new cybersecurity executive order that continues many of the policies of his predecessors, while also marking out some key changes in the approach to software security, digital identity and more.
  • “The new executive order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity,” modifies many aspects of a cyber EO signed by President Joe Biden in January. It also makes changes to executive orders signed by President Barack Obama to focus federal cybersecurity law enforcement efforts on foreign nationals.
  • “But Trump’s new EO continues key aspects Biden directives, including an effort to strengthen the Cybersecurity and Infrastructure Security Agency’s role in defending civilian federal networks.” * * *
  • “The latest cybersecurity executive order also maintains federal efforts around post-quantum cryptography, Border Gateway Protocol, and advanced encryption.
  • “But it eliminates the January order’s directive for agencies to require federal software vendors to provide evidence of following secure development practices.
  • “Instead, Trump directs the National Institute of Standards and Technology to establish a new consortium with industry “that demonstrates the implementation of secure software development, security, and operations practices” based on NIST’s Secure Software Development Framework.”

• Per Cybersecurity Dive,
  • “Trump’s elimination of Biden’s software security requirements for federal contractors represents a significant government reversal on cyber regulation. Following years of major cyberattacks linked to insecure software, the Biden administration sought to use federal procurement power to improve the software industry’s practices. That effort began with Biden’s 2021 cyber order and gained strength in 2024, and then Biden officials tried to add teeth to the initiative before leaving office in January. But as it eliminated that project on Friday, the Trump administration castigated Biden’s efforts as “imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”
  • “Trump’s order eliminates provisions from Biden’s directive that would have required federal contractors to submit “secure software development attestations,” along with technical data to back up those attestations. Also now eradicated are provisions that would have required the Cybersecurity and Infrastructure Security Agency to verify vendors’ attestations, required the Office of the National Cyber Director to publish the results of those reviews and encouraged ONCD to refer companies whose attestations fail a review to the Justice Department “for action as appropriate.”

• Cyberscoop reports,
  • “Sean Cairncross laid out his vision to senators Thursday for the Office of the National Cyber Director if he is confirmed to lead it.
  • “A goal of mine is to make sure this office sits at the place that this committee and I believe Congress intended in the statute, and that is to lead cyber policy coordination across the federal government,” he told the Homeland Security and Governmental Affairs Committee at his confirmation hearing.
  • “In doing that, working with our interagency partners is vital,” he said. “We’ve been empowered to work with [the Office of Management and Budget] to ensure that budget alignment among the interagency aligns with administration policy, and I think those tools have to be leveraged, and relationships between us and the interagency — it’s making sure that it is monitored and enforced.”

• Cybersecurity Dive adds,
  • “Two coalitions of cybersecurity companies, professional associations and experts have endorsed Sean Plankey and Sean Cairncross, President Donald Trump’s nominees to serve as director of the Cybersecurity and Infrastructure Security Agency and national cyber director, respectively.
  • “Plankey and Cairncross’s backers include executives at cybersecurity firms, former senior government officials from administrations of both parties and leaders of trade groups and think tanks.”

• Per Bleeping Computer,
  • “The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov.
  • “The same bounty covers leads on state hackers’ use of this malware in cyber operations targeting critical infrastructure organizations in the United States.
  • “This bounty is posted as part of the Department of State’s Rewards for Justice program established by the 1984 Act to Combat International Terrorism, which rewards informants for tips that help identify or locate foreign government threat actors behind cyberattacks against U.S. entities.”

• Per Cyberscoop,
  • “Federal authorities on Thursday [June 5, 2025] said they seized $7.74 million from North Korean nationals as they attempted to launder cryptocurrency obtained by IT workers who gained illegal employment and funneled the wages to the North Korean regime.
  • “The allegedly illegally obtained funds were linked to Sim Hyon Sop, a representative of North Korean Foreign Trade Bank, and Kim Sang Man, CEO of Chinyong, an outfit associated with North Korea’s Ministry of Defense, the Justice Department said. Both North Korean nationals were added to the Treasury Department’s Office of Foreign Assets Control’s list of sanctioned individuals in 2023.
  • “The cryptocurrency seizure marks another action in a series of long-running law enforcement efforts to identify and prevent North Korean operatives from gaining employment at companies, evading U.S. sanctions, and sending payroll back to the North Korean government.”

• Per Security Week,
  • “German authorities have named Russian national Vitaly Nikolaevich Kovalev as the founder and leader of the TrickBot cybercrime gang.”
  • “Established in 2016, the TrickBot group is believed to have infected millions of computers worldwide, exfiltrating sensitive information such as credentials, banking and credit card details, and personal information, while also enabling the deployment of other malware, such as ransomware.
  • “Authorities targeted TrickBot’s infrastructure in takedown attempts in 2020 and 2024 and announced charges and sanctions against over a dozen group members in 2023, including Kovalev, believed at the time to be a senior figure within the cybercrime ring.”

From the cybersecurity vulnerabilities and breaches front,

• CISA added nine known exploited vulnerabilities to its catalog this week.
  • June 2, 2025
    • CVE-2021-32030 ASUS Routers Improper Authentication Vulnerability
    • CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability
    • CVE-2024-56145 Craft CMS Code Injection Vulnerability
    • CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability
    • CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
      • CNET explains the ASUS router vulnerabilities here.
      • Cyber Press discusses the Craft KVEs here.
      • CRN discusses the ConnectWise KVE here.
  • June 3, 2025
    • CVE-2025-21479 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
    • CVE-2025-21480 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
    • CVE-2025-27038 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
      • Security Affairs discusses these KVEs here.
  • June 5, 2025
    • CVE-2025-5419 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability 
      • Bleeping Computer and Cyberscoop discuss this KVE.

• Bleeping Computer tells us,
  • “A threat actor has re-released data from a 2021 AT&T breach affecting 70 million customers, this time combining previously separate files to directly link Social Security numbers and birth dates to individual users.
  • “AT&T told BleepingComputer that they are investigating the data but also believe it originates from the known breach and was repackaged into a new leak.
  • “It is not uncommon for cybercriminals to repackage previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation,” AT&T told BleepingComputer.”
• andD
  • “Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
  • “The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity’s Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments.
  • “The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments.”

• Dark Reading informs us,
  • “ClickFix campaigns are gaining steam according to various security researchers, with recent campaigns spotted across the globe from a wide swath of cyberattackers. The increasingly popular tactic represents a significant new evolution for social engineering, researchers say — and enterprises need to take note.
  • “ClickFix activity has been snowballing: Darktrace said yesterday that it recently identified multiple ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA), and in the United States; while SlashNext, in a separate report, detailed an unusual version of the attack vector that impersonates Cloudflare Turnstile, which is the Web protection company’s CAPTCHA-like Turing test. Also, this week, Cofense outlined a campaign that spoofed Booking.com CAPTCHAs, targeting hotel chains with remote access Trojans (RATs) and infostealers.”
• and
  • The Federal Burau of Investigation (FBI) warned that cybercriminals are compromising Internet of Things (IoT) devices connected to home networks through the BADBOX 2.0 botnet.
  • The BADBOX 2.0 botnet was discovered several months ago after the original BADBOX campaign was disrupted in 2024. Human Security’s Satori Threat Intelligence and Research team, alongside Google, Trend Micro, the Shadowserver Foundation, and others, were able to partially disrupt the “complex and expansive” BADBOX 2.0 operation, noting that it remains the largest botnet of infected connected TV (CTV) devices ever uncovered.

• Per Cybersecurity Dive,
  • “A financially motivated hacker group has been targeting Salesforce instances for months in a campaign that uses voice phishing to engage in data theft and follow-on extortion attempts, according to Google Threat Intelligence Group. 
  • “The hackers, whom Google tracks as UNC6040, impersonated IT workers and tricked employees at often English-speaking branches of multinational companies into sharing sensitive credentials that were then used to access the organizations’ Salesforce data, Google said in a blog post published Wednesday.
  • “As part of the social engineering campaign, the hackers tricked workers at these companies into visiting the Salesforce-connected app setup page, at which point the attackers used an unauthorized, malicious version of the Salesforce Data Loader app to access and steal sensitive information from the customers’ Salesforce environments. 
  • “Beyond the immediate data thefts, the hackers were able to move laterally within target networks, accessing victims’ other cloud services and moving into internal corporate networks.”

From the ransomware front,

• The American Hospital Association warns,
  • “The FBI, Cybersecurity and Infrastructure Security Agency and Australian Cyber Security Centre June 4 released an advisory on updated actions and tactics used by the Play ransomware group. The group, active since 2022, has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe. As of May, the FBI was aware of about 900 victims allegedly exploited by the group’s efforts.
  • “The threat actors are presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. They employ a double-extortion model that encrypts systems after exfiltrating data. Their ransom notes do not include an initial ransom demand or payment instructions. Instead, victims are instructed to contact the threat actors via email.
  • “Play ransomware was among the most active cyberthreat groups in 2024,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “This report highlights their evolving tactics, and health care cybersecurity teams should be aware of the changes.  As threat actors shift tactics, it is critical that network defenders keep pace. The double-layered extortion model and encryption of systems, as well as theft of data, pose a serious potential risk to hospitals and the delivery of health care.”

• Cybersecurity Dive adds,
  • “Since mid-January, multiple ransomware groups, including initial access brokers affiliated with Play, have targeted vulnerabilities in a remote support tool called SimpleHelp. Researchers disclosed those flaws in January.  
  • “The new advisory updates the government’s original December 2023 warning about the Play ransomware group, which is also known as PlayCrypt. The hackers have previously been blamed for attacks targeting ConnectWise ScreenConnect and Rackspace. 
  • “The recent attacks exploiting SimpleHelp involve three flaws discovered by security firm Horizon3.ai.”

• Bleeping Computer lets us know,
  • “Healthcare giant Kettering Health, which manages 14 medical centers in Ohio, confirmed that the Interlock ransomware group breached its network and stole data in a May cyberattack.
  • “Kettering Health operates over 120 outpatient facilities and employs over 15,000 people, including over 1,800 physicians.
  • “The healthcare network noted in a Thursday statement that its network devices have been secured, and its team is now working on re-establishing communication channels with patients disrupted by the outage triggered by last month’s ransomware attack.”

• Security Week adds,
  • “The Interlock ransomware gang has published 941 GB of data allegedly stolen from the Ohio healthcare network Kettering Health.” * * *
  • “Active since at least October 2024, Interlock is believed to have made roughly 40 victims to date, including kidney dialysis firm DaVita, National Presto Industries, and Texas Tech University. NodeSnake RAT infections at two universities in the UK appearlinked to Interlock as well.”
    
• Per Bleeping Computer,
  • “The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.
  • “Qilin (also tracked as Phantom Mantis) surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the “Agenda” name and has since claimed responsibility for over 310 victims on its dark web leak site.
  • “Its victim list also includes high-profile organizations, such as automotive giant Yangfeng, publishing giant Lee Enterprises, Australia’s Court Services Victoria, and pathology services provider Synnovis. The Synnovis incident impacted several major NHS hospitals in London, which forced them to cancel hundreds of appointments and operations.”

• Security Week adds,
  • “American media company Lee Enterprises revealed this week that the disruptive cyberattack it dealt with earlier this year resulted in a data breach impacting nearly 40,000 individuals.
  • “Lee Enterprises owns 350 weekly and specialty publications across 25 states, and dozens of them suffered disruptions in February as a result of a ransomware attack that involved the encryption of critical applications and the theft of files.
  • “The company informed the Maine Attorney General’s Office this week that it recently completed its investigation into the incident and determined that personal information was compromised.
  • “According to Lee Enterprises, the attackers may have obtained the information of 39,779 people, including their names and Social Security numbers.
  • “Affected individuals are being offered 12 months of free credit monitoring and identity protection services.”

• Honeywell lets us know,
  • “In a growing wave of sophisticated cyber threats against the industrial sector, ransomware attacks jumped by 46% from Q4 2024 to Q1 2025, according to Honeywell’s new 2025 Cybersecurity Threat Report. The research also found that both malware and ransomware increased significantly in this period and included a 3,000% spike in the use of one trojan designed to steal credentials from industrial operators.”
  • “To learn more and download the full report, visit our website.”

From the cybersecurity business and defenses front,

• Cybersecurity Dive reports,
  • “Microsoft and CrowdStrike will lead a cooperative effort to map out the overlapping web of hacker groups that their researchers have disclosed and named, the companies said on Monday. 
  • “Palo Alto Networks and Google and its Mandiant unit have also agreed to join the collaborative effort on streamlining threat group taxonomy.
  • “For years, the companies’ different naming conventions for various criminal and state-linked threat groups have created unnecessary confusion and delays in the sharing of threat intelligence.
  • “Microsoft and CrowdStrike released an initial version of their threat actor matrix on Monday, listing the groups they track and each one’s corresponding aliases from other researchers.
  • “Palo Alto Networks and Google and its Mandiant unit are joining the collaborative effort on streamlining threat group taxonomy.”

• The Wall Street Journal reports,
  • “CrowdStrike swung to a loss in the fiscal first quarter and posted a lower-than-expected outlook, as the costs of its outage last summer continue to weigh on results.
  • “The cybersecurity company said Tuesday its revenue is still being hurt by an incentive program it launched last year to try to retain customers after a widespread software outage in July.
  • “CrowdStrike had implemented a customer-commitment program, which let customers try some products for free, and was weighing on its subscription revenue. The program wrapped up at the end of fiscal-year 2025, but its effects are lingering.”

• Dark Reading tells us,
  • “F5 this week announced the acquisition of Fletch, a San Francisco-based startup with agent-based artificial intelligence (AI) technology that analyzes massive amounts of threat intelligence data and remediates the most severe vulnerabilities in real time.
  • “Terms of the deal were not disclosed, but most of Fletch’s 15 employees have joined F5, which was seeking the technology and expertise to bring agentic AI capabilities to the recently introduced F5 Application Delivery and Security Platform (ADSP).”

• Help Net Security points out,
  • “Cybersecurity leaders and consultants identified AI-driven automation and cost optimization as top organizational priorities, according to Wipro. 
  • “30% of respondents are investing in AI automation to enhance their cybersecurity operations. AI-driven automation can help in detecting and responding to threatsmore quickly and accurately, thereby reducing the need for extensive manual intervention. 
  • ‘26% of respondents are focusing on tools rationalization. This approach involves evaluating and consolidating duplicate security tools across platforms to eliminate redundancies and improve efficiency while reducing costs. 
  • “Another significant area is security and risk management process optimization, with 23% of organizations targeting this for cost savings. Streamlining these processes can lead to more effective risk management and better allocation of resources. Apart from these priorities, 20% are focusing on simplifying operating models to achieve better visibility and faster response across reduced attack surfaces.”
    
• Here is a link to Dark Reading’s CISO Corner.

Cybersecurity policy and law enforcement,

• Helpnet Security tells us,
  • “NIST has introduced a new way to estimate which software vulnerabilities have likely been exploited, and it’s calling on the cybersecurity community to help improve and validate the method.
  • “The new metric, “Likely Exploited Vulnerabilities” (LEV), aims to close a key gap in vulnerability management: identifying which of the thousands of reported flaws each year are actually being used in real-world attacks.
  • “Organizations typically rely on two main tools for this: the Exploit Prediction Scoring System (EPSS), which estimates the chance of future exploitation, and Known Exploited Vulnerability (KEV) lists like the one maintained by CISA. But both have limits. EPSS is predictive and doesn’t account for past exploitation, while KEV lists are confirmed cases but often incomplete.
  • “LEV aims to bridge that gap by calculating the probability that a vulnerability has been exploited in the past, based on historical EPSS data. It’s a statistical estimate, not a confirmation, which is why the whitepaper emphasizes that LEV is meant to augment, not replace, existing methods.” * * *
  • The researchers outline four key ways LEV could be used:
    • 1. Estimate how many vulnerabilities have been exploited.
    • 2. Check how complete KEV lists are.
    • 3. Identify high-risk vulnerabilities missing from those lists.
    • 4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.

• Next Thursday, the Senate Homeland Security and Governmental Affairs Committee will hold a confirmation hearing for the following Department of Homeland Security nominees.
  • Sean Cairncross, of Minnesota, to be National Cyber Director, Robert Law, of the District of Columbia, to be Under Secretary for Strategy, Policy, and Plans, James Percival, of Florida, to be General Counsel, Sean Plankey, of Pennsylvania, to be Director of the Cybersecurity and Infrastructure Security Agency, and Kevin Rhodes, of Florida, to be Administrator for Federal Procurement Policy.

• Federal News Network reports yesterday,
  • “The Trump administration is proposing to cut more than 1,000 positions at the Cybersecurity and Infrastructure Security Agency.
  • “Under the 2026 budget request, CISA would go from approximately 3,732 funded positions today to 2,649 positions next year. The staff reductions are detailed in CISA’s fiscal 2026 budget justification, posted today. They present the most detailed view yet of the Trump administration’s proposal to cut CISA’s budget by nearly $500 million.
  • “The proposed cuts still have to be approved by Congress as part of the 2026 appropriations process. But they come as hundreds of CISA employees have already left under the Trump administration. Meanwhile, more staff could depart through deferred resignations or early retirements offered to DHS staff in April.
  • “The proposed cuts are spread across CISA’s various divisions. CISA’s cybersecurity division would go from 1,267 positions to 1,063 jobs. CISA’s infrastructure security division would go from about 343 positions to 325 jobs.”

• Dark Reading informs us,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) and Australian Cyber Security Centre (ACSC) released new guidance this week on procuring, implementing, and maintaining security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms.
  • “SIEM and SOAR help organizations collect and analyze data from firewalls, endpoints, and applications to better detect and respond to cybersecurity incidents. However, many organizations encounter significant implementation and deployment challenges, including significant costs and ongoing maintenance requirements. The guidance noted these are not “set it and forget it” tools.
  • “These platforms are becoming more essential as organizations store and manage an influx of data that is highly attractive to attackers, particularly personally identifiable information and personal health information. Additionally, increasing infrastructure complexity is creating gaps in visibility and making threat detection more difficult. There are more endpoints to secure, more applications, more third-party vendors, and more remote workers for attackers to exploit.”  
    
• Per HHS Office for Civil Rights news releases,
  • “Today [May 28, 2025], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BayCare Health System (BayCare), a Florida health care provider, concerning several potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation based on a complaint received concerning impermissible access to the complainant’s electronic protected health information (ePHI).” * * *
  • “Under the terms of the settlement, BayCare agreed to implement a corrective action plan that OCR will monitor for two years, and paid OCR $800,000.” * * *
  • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-baycare-agreement.pdf, opens in a new tab [PDF, 126 KB]“
• and
  • “Today [May 30, 2025], the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a settlement with Comstar, LLC (“Comstar”), a Massachusetts company that provides billing, collection, and related services to non-profit and municipal emergency ambulance services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation concerning a ransomware breach that affected 585,621 individuals.”
  • “Under the terms of the settlement, Comstar agreed to implement a corrective action plan that OCR will monitor for two years, and paid OCR $75,000.”
  • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hhs-hipaa-agreement-comstar/index.html.”
     
• Cybersecurity Dive points out,
  • “U.S. authorities on Thursday [May 28, 2025] charged 16 defendants in a massive global operation to disrupt the Russia-based cybercrime group behind the DanaBot malware. 
  • “DanaBot infected more than 300,000 computers around the world, facilitating fraud and ransomware and resulting in more than $50 million in damage, according to federal prosecutors. The U.S. coordinated with multiple foreign governments and private cybersecurity firms to dismantle the botnet operators’ infrastructure.
  • “The Department of Justice charged Aleksandr Stepanov, 39, a.k.a. “JimmBee,” with conspiracy, conspiracy to commit wire and bank fraud and additional charges. Artem Aleksandrovich Kalinkin, 34, a.k.a. “Onix,” was charged with conspiracy to gain unauthorized access to a computer to gain information and to defraud, among additional charges. 

• Bleeping Computer lets us know,
  • The Federal Criminal Police Office of Germany (Bundeskriminalamt or BKA) claims that Stern, the leader of the Trickbot and Conti cybercrime gangs, is a 36-year-old Russian named Vitaly Nikolaevich Kovalev.
  • “The subject is suspected of having been the founder of the ‘Trickbot’ group, also known as ‘Wizard Spider,'” BKA said last week [English PDF], after another round of seizures and charges part of Operation Endgame, a joint global law enforcement action targeting malware infrastructure and the threat actors behind it.
  • “The group used the Trickbot malware as well as other malware variants such as Bazarloader, SystemBC, IcedID, Ryuk, Conti and Diavol.
  • “Kovalev is now also wanted in Germany, according to a recently issued Interpol red notice saying he was charged with being the ringleader of an unnamed criminal organization.”
• and
  • “An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild.
  • “The service’s official domain at avcheck.net now displays a seizure banner with the crests of the U.S. Department of Justice, the FBI, the U.S. Secret Service, and the Dutch police (Politie).
  • “According to an announcement on the Politie website, AVCheck was one of the largest counter antivirus (CAV) services internationally, which helped cybercriminals assess the stealthiness and evasion of their malware.
  • “Taking the AVCheck service offline marks an important step in tackling organized cybercrime,” stated Politie’s Matthijs Jaspers.
  • “With this [action], we disrupt cybercriminals as early as possible in their operations and prevent victims.”

• USA Today reports,
  • “An Iranian national pleaded guilty for his role in an international ransomware scheme that targeted the computer networks of Baltimore and other U.S. cities, disrupting services and causing tens of millions of dollars in losses, federal authorities said.
  • “Sina Gholinejad, 37, pleaded guilty May 27 to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud, the Justice Department said in a news release. Gholinejad was arrested Jan. 10 at Raleigh-Durham International Airport in North Carolina, federal court records show.
  • “He faces a maximum penalty of 30 years in prison and is set to be sentenced in August, the Justice Department announced.”

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive informs us,
  • “A previously unknown team of Russian government-backed hackers is targeting critical infrastructure organizations in multiple sectors to collect intelligence for Moscow, Microsoft and the Dutch government said in separate reports published Tuesday.
  • “The group, which Microsoft calls Void Blizzard and the Dutch intelligence services call Laundry Bear, has been using stolen credentials and automated bulk-email collection from cloud services to scoop up data on NATO member states and Ukraine.
  • “Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America,” Microsoft said in a blog post.”
• and
  • “A “highly targeted” spearphishing campaign is attempting to ensnare financial executives at banks, investment firms, energy utilities and insurance companies around the world, Trellix said in a report published Wednesday.
  • “The malicious emails are rigged with installers that allow the hackers to remotely access victim computers.
  • “With this amount of access to legitimate accounts, attackers could steal files or initiate fraudulent money transfers, potentially without raising red flags.”
• and
  • “ConnectWise is investigating suspicious activity — likely associated with a nation-state actor — affecting a limited number of customers that use ScreenConnect. 
  • “In a post on its website, ConnectWise said it has notified all affected customers, alerted law enforcement to the attack and retained Mandiant to help with its investigation. 
  • “A company spokesperson added that ConnectWise issued a patch for ScreenConnect, implemented enhanced monitoring and hardening measures across its environment.” 
• and
  • “More than 9,000 ASUS routers have been compromised in a months-long hacking campaign that researchers from GreyNoise warn may be a prelude to the creation of a botnet.
  • “Hackers are breaching routers through brute-force login attempts and authentication bypasses that rely on a command injection vulnerability, tracked as CVE-2023-39780, to execute system commands, GreyNoise researchers said in a blog post on Wednesday.
  • “GreyNoise first detected suspicious activity in March, when it flagged three suspicious HTTP POST requests made to ASUS routers, according to Matthew Remacle, senior researcher at GreyNoise.
  • “ASUS released a patch for the vulnerability in a recent firmware update, but the initial bypass attempts have not received CVEs, according to GreyNoise. In addition, researchers say, if a router was compromised before the firmware was updated, a backdoor will still remain on the devices unless secure shell protocol access is explicitly disabled.” 

• Per Cyberscoop,
  • “As the internet fills up with clips from AI-video generators, hacking groups are seeding the online landscape with malware-laced programs and fake websites hoping to cash in on the trend.
  • “Tracked by researchers at Mandiant and Google Cloud, the campaign is being carried out by a group identified as “UNC6032.” Since mid-2024, they have spread thousands of advertisements, fake websites and social media posts promising victims access to popular prompt-to-video AI generation tools like Luma AI, Canva Dream Lab and Kling AI.
  • “Those promises lead to phishing pages and malware, with the group deploying infostealers and backdoors on victim devices. Compromised parties saw their login credentials, cookies, credit card data and in some cases Facebook information stolen, and the scheme appears to be impacting a wide range of industries and geographic areas.”
    
• CISA did not add any known exploited vulnerabilities to its catalog this week.

From the ransomware front,

• Dark Reading tells us,
  • “Extortionist-cum-information broker “Everest Group” has pulled off a swath of attacks against large organizations in the Middle East, Africa, Europe, and North America, and is now extorting victims over records stolen from their human resources departments.
  • “This May, the long-overlooked threat actor advertised nine new cyberattacks. Victims ranged from healthcare organizations to construction and facilities management companies. But its biggest win came against Coca-Cola, from which it stole records associated with hundreds of employees, including their personally identifying information (PII) like names and addresses, salary records, and scans of passports and visas.
  • “In each of these leaks, researchers from VenariX found files relating to SAP SuccessFactors, SAP’s cloud-based HR management platform. The researchers believe the attacks to be legitimate and estimate that initial access in each case likely occurred through a third-party SAP service provider called “INK IT Solutions.”

• The Hacker News notes,
  • “The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider’s (MSP) SimpleHelp remote monitoring and management (RMM) tool and then leveraged it to exfiltrate data and drop the locker on multiple endpoints.
  • “It’s believed that the attackers exploited a trio of security flaws in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that were disclosed in January 2025 to access the MSP’s SimpleHelp deployment, according to an analysis from Sophos.
  • “The cybersecurity company said it was alerted to the incident following a suspicious installation of a SimpleHelp installer file, pushed via a legitimate SimpleHelp RMM instance that’s hosted and operated by the MSP for their customers.”
  • The threat actors have also been found to leverage their access through the MSP’s RMM instance to collect information from different customer environments about device names and configuration, users, and network connections.

• Fortra tells us what we need to know about Interlock ransomware.

• Per Bleeping Computer,
  • “Threat actors linked to lesser-known ransomware and malware projects now use AI tools as lures to infect unsuspecting victims with malicious payloads.
  • “This development follows a trend that has been growing since last year, starting with advanced threat actors using deepfake content generators to infect victims with malware.
  • “These lures have become widely adopted by info-stealer malware operators and ransomware operations attempting to breach corporate networks.
  • “Cisco Talos researchers have discovered that the same technique is now followed by smaller ransomware teams known as CyberLock, Lucky_Gh0$t, and a new malware named Numero.
  • “The malicious payloads are promoted via SEO poisoning and malvertising to rank them high in search engine results for specific terms.”

• Per CFO Dive,
  • “About one in four companies targeted in a ransomware incident in the last year did not get all their data back after paying the attacker, cybersecurity firm Delinea said in a report released Wednesday.
  • “Delinea also found that most ransomware today includes data-theft extortion, with 85% of victims saying they were threatened with having their data published or sold.
  • “Paying the ransom doesn’t always bring the desired results,” Delinea said in the report.”

From the cybersecurity business and defenses front,

• Dark Reading notes,
  • “Tenable Security has announced plans to acquire Apex, an Israel-based startup specializing in security solutions driven by artificial intelligence (AI). Apex will be integrated into Tenable One, Tenable’s software-as-a-service-based exposure management platform.
  • “Founded in 2023, Apex helps organizations discover ungoverned AI. Co-founders Matan Derman (CEO) and Tomer Avni (chief product officer) developed a platform designed to surface all AI activities, including shadow apps, AI-generated code, and fake identities. The boutique company of roughly 20 employees competes with Prompt Security, Lasso Security, and Aim Security.”

• Per Cyberscoop,
  • “Zscaler announced Tuesday its intention to acquire Red Canary, a company known for Managed Detection and Response (MDR) services, to boost its ability to integrate artificial intelligence, automation and human expertise into its security offerings. 
  • “The acquisition is positioned around the convergence of Zscaler’s data-driven, AI-centric cloud security and Red Canary’s decade of operational expertise in MDR. Zscaler’s executive leadership emphasizes the blending of large-scale data intelligence and automated, agentic Security Operations Centers (SOCs) with the capabilities of ThreatLabz, its security research division.
  • “The proposed acquisition of Red Canary is a natural expansion of our capabilities into managed detection and response and threat intelligence to accelerate our vision of AI-powered SOC of the future,” Jay Chaudhry, CEO and founder of Zscaler, said in a press release. “By integrating Red Canary with Zscaler, we will deliver to our customers the power of a fully integrated Zero Trust platform and AI-powered security operations.”

• Dark Reading lets us know,
  • “Chief information security officers (CISOs) are being paid better than ever, more likely to be an executive — or report directly to an executive — and have expanding responsibilities. Yet tight security budgets continue to be a major challenge.
  • “Overall, the top cybersecurity professional is doing well at large companies and has proven their value but continually has to work to link security to business opportunities rather than costs, according to two surveys published this week.
  • “The average CISO at large US companies — those with revenue of $1 billion or more — has a current compensation of $532,000, including base salary, bonuses, and equity benefits, according to survey data published by cybersecurity consultancy IANS Research on May 29. Increasing responsibilities come with the high salaries, with CISOs now often charged with assessing business risk, product security, and digital strategy.

• Per Dark Reading explains why “A Defense-in-Depth Approach for the Modern Era By integrating intelligent network policies, zero-trust principles, and AI-driven insights, enterprises can create a robust defense against the next generation of cyber threats.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop tells us,
  • “A bipartisan Senate duo is reintroducing legislation Thursday that would establish an executive branch panel to align conflicting cybersecurity regulations on the private sector.
  • “Michigan Sen. Gary Peters, the top Democrat on the Homeland Security and Governmental Affairs Committee, is bringing back the Streamlining Federal Cybersecurity Regulations Act with co-sponsor James Lankford, R-Okla.
  • “By reducing the number of duplicative or burdensome reporting requirements, we can give businesses the tools to better secure our critical infrastructure against the serious threat of cyberattacks,” Peters said about the reintroduction of the bill, which CyberScoop is first reporting. “This legislation ensures federal agencies can work collaboratively to create effective cybersecurity standards, enabling businesses to focus on safeguarding their systems rather than navigating a maze of conflicting requirements.”
• and
  • “A bipartisan pair of senators is taking another shot at legislation that would require federal government contractors to follow National Institute of Standards and Technology guidelines on vulnerability disclosure policies.
  • “The Federal Contractor Cybersecurity Vulnerability Reduction Act from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., advanced out of the chamber’s Homeland Security and Governmental Affairs Committee last November but never got a full floor vote.
  • “The companion bill from Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio, meanwhile, was reintroduced in January and passed the House in March.
  • “The re-do from Warner and Lankford would make sure government contractors have the same legal obligations that federal agencies do in abiding by NIST’s recommendations on vulnerability disclosure policies. With VDPs, organizations can receive unsolicited reports on software vulnerabilities and patch them before an attack occurs.” 

• Per a Cybersecurity and Infrastructure Security Agency news release,
  • The Cybersecurity and Infrastructure Security Agency (CISA) is proud to announce the appointment of Madhu Gottumukkala as its new Deputy Director. In this role, he will help lead CISA’s mission to understand, manage, and reduce risk to the cyber and physical infrastructure that the American people rely on every day. 
  • Prior to his appointment as the CISA Deputy Director, Dr. Gottumukkala served as Commissioner and Chief Information Officer for South Dakota’s Bureau of Information and Technology, overseeing statewide technology and cybersecurity initiatives. He assumed this role after serving as South Dakota’s second-ever chief technology officer, focused on innovation through the adoption of emerging technologies, while increasing efficiency by replacing outdated legacy systems.
  • “I am honored to be appointed by Secretary Noem to serve as Deputy Director of CISA. As a former state and local leader, I have seen firsthand the exceptional work CISA does in advancing our nation’s cybersecurity and infrastructure resilience,” said Gottumukkala. “I look forward to building on that foundation by fostering collaboration and strengthening resilience across all levels of government and the private sector. Together, through trusted partnerships, transparency, and shared responsibility, we can better manage systemic risks and safeguard the critical functions that ensure our nation’s safety and prosperity.”

• Cybersecurity Dive reports,
  • “Microsoft’s Digital Crimes Unit (DCU) on Wednesday [May 21] announced an international operation to disrupt Lumma Stealer, a variant of infostealing malware that is popular with criminal gangs and other threat actors worldwide. 
  • “Hackers have used Lumma to steal passwords, credit cards, bank account information and cryptocurrency wallets in major attack campaigns in recent years, Steven Masada, assistant general counsel at Microsoft’s DCU, said in a blog post.
  • “Between March 16 and May 16, Microsoft identified more than 394,000 Windows computers infected with Lumma. After obtaining a court order from the U.S. District Court for the Northern District of Georgia, Microsoft seized 2,300 domains that formed the backbone of Lumma’s infrastructure. The U.S. Department of Justice also seized Lumma’s central command structure and disrupted online marketplaces that sold Lumma.”
• Here is a link to a related CISA advisory.

From the cybersecurity vulnerabilities and breaches front,

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • May 19, 2025
    • CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
    • CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
    • CVE-2024-11182 MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
    • CVE-2025-27920 Srimax Output Messenger Directory Traversal Vulnerability
    • CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
    • CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability
      • Ivanti discusses its KVEs here.
      • Cyber Press discusses the MDaemon KVE here.
      • TechTarget discusses the Srimax KVE here.
      • Syscan discusses the Synacor KVE here.
  • May 22, 2025
    • CVE-2025-4632 Samsung MagicINFO 9 Server Path Traversal Vulnerability
      • The Hacker News discusses this KVE here.

• On May 21, released a joint cybersecurity advisory which
  • highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

• On May 22, CISA released an “Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic).
  
• Security Week relates “The developers of OpenPGP.js have released updates to patch a critical vulnerability that can be exploited to spoof message signature verification.”
  • “OpenPGP.js is an open-source JavaScript implementation of the OpenPGP email encryption library, enabling its use on any device. According to its developers, “The idea is to implement all the needed OpenPGP functionality in a JavaScript library that can be reused in other projects that provide browser extensions or server applications.”
  • “Its website shows that OpenPGP.js is used by projects such as FlowCrypt, Mymail-Crypt, UDC, Encrypt.to, PGP Anywhere, and Passbolt.”

• Dark Reading points out “3 Severe Bugs Patched in Versa’s Concerto Orchestrator. Three zero-days could have allowed an attacker to completely compromise the Concerto application and the host system running it.”

• Per SC Media,
  • “Stolen credentials were the root cause of more than 30% of data breaches last year, according to Verizon’s 2025 Data Breach Investigations Report. Attackers compromised more than 23 million unmanaged and user-controlled devices—including personal laptops and home systems used in remote work settings—to extract login information, often using session cookies to bypass multi-factor authentication and other access controls.
  • “Credentials don’t just manifest—you’re either phishing them, brute forcing them, or stealing them via malware,” said Philippe Langlois, lead data scientist at Verizon and co-author of the 2025 DBIR, speaking at last month’s RSAC 2025.
  • “Those numbers aren’t outliers—they’re symptoms of a deeper failure in enterprise cybersecurity. Identity systems, Langlois noted at RSAC 2025, are now routinely exploited as entry points with attackers relying less on technical exploits—like finding and exploiting software vulnerabilities—and more on credential-based access, where they simply log in using stolen usernames, passwords, or hijacked sessions.”

From the ransomware front,

• Cybersecurity Dive lets us know,
  • “Kettering Health is facing a cyberattack that’s impacting patient care, the Ohio-based health system said on Tuesday [May 20].
  • “The provider was hit by a system-wide technology outage Tuesday morning due to unauthorized access to its network, Kettering said in a press release. 
  • “Elective inpatient and outpatient procedures at the health system’s facilities were canceled Tuesday. Kettering’s call center was also knocked offline and might have been occasionally inaccessible, the provider added.”

• Security Week informs us,
  • “In a data breach notice published on its website, Marlboro-Chesterfield Pathology said it discovered unauthorized activity on some internal IT systems on January 16, 2025. An investigation revealed that the hackers had stolen some files.
  • “The compromised data includes personal information such as name, address, date of birth, medical treatment information, and health insurance information. The stolen information varies by individual. 
  • “MCP informed the US Department of Health and Human Services (HHS) this week that the incident impacted 235,911 individuals.”

• Per Bleeping Computer,
  • “The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks.
  • “Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks.
  • “In March 2022, following Conti’s shutdown, the threat actors separated from the cybercrime syndicate and formed their own operation called Silent Ransom Group (SRG).
  • “In recent attacks, SRG impersonates the targets’ IT support in email, fake sites, and phone calls using social engineering tactics to gain access to the targets’ networks.
  • “This extortion group doesn’t encrypt the victims’ systems and is known for demanding ransoms not to leak sensitive information stolen from compromised devices online.”

• Per Dark Reading,
  • “Yet another threat group has embraced the trend of combining email bombing with vishing to gain initial access to systems and deploy ransomware.
  • “This time the adversary employing the technique, first documented as a tactic of Black Basta ransomware group, is the recently emerged 3AM ransomware group, researchers at Sophos revealed in a recent blog post. Sophos spotted an attack in the first quarter this year by 3AM affiliates, which followed the familiar playbook and successfully stole data from the targeted system but did not complete the ransomware attack.”

• Per Fortra’s Tripline,
  • “Health-ISAC recently released their 2025 Health Sector Cyber Threat Landscape Report, a comprehensive outline of the malicious activity aimed at healthcare in the previous year. Not surprisingly, ransomware was cited by security professionals in the industry as the number one threat of 2024 and the top area of concern coming into 2025 (followed by third-party breaches, supply chain attacks, and zero-day exploits). Some things never change.
  • “However, when it comes to ransomware, they do evolve. Take a look at [the Tripline article] some of the reasons ransomware maintains its top spot as the primary plague of healthcare organizations as we move into another threat-filled year.”

From the cybersecurity business and defenses front,

• Cybersecurity Dive reports,
  • “Shares of Palo Alto Networks fell Wednesday after the company reported better-than-expected earnings in the third fiscal quarter but disappointed some investors over its margins. 
  • “The company reported non-GAAP (generally accepted accounting principles) net income of 80 cents a share during the quarter that ended on April 30, up from 66 cents in the same quarter last year. Those earnings beat consensus estimates of 77 cents. 
  • “Revenue grew 15%, to $2.3 billion, in the quarter, compared with $2 billion in the same period last year.”
• and
  • Companies designing AI systems should protect training data from tampering and strictly limit access to its underlying infrastructure, the U.S. and three allies said in a joint guidance document published on Thursday [May 22].
  • The AI security guidance addresses multiple topics, including protecting data throughout the AI systems’ life cycle, supply chain considerations and ways to mitigate possible attacks on large data sets.
  • The multilateral warning reflects concerns in the U.S. and allied nations about powerful AI models containing vulnerabilities that can ripple across critical infrastructure.

• NIST discusses “Cybersecurity and AI: Integrating and Building on Existing NIST Guidelines.”

• The Wall Street Journal explains “How to lock down your finances and online accounts after a data breach spreads your information to the secret corners of the internet.”

• Here’s a link to Dark Reading’s CISO Corner.