Cybersecurity Saturday

Cybersecurity

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive tells us,
    • “The Trump administration should slash cybersecurity regulations and double down on winning the trust of the private sector, the U.S. tech industry’s largest trade group said in a paper published Tuesday [August 12, 2025].
    • “In a report laying out recommendations for the White House’s Office of the National Cyber Director — now helmed by newly confirmed Trump appointee Sean Cairncross — the Information Technology Industry Council said the government should focus on “results-driven action.”
    • “There is a need to prioritize impactful security outcomes, slash red tape, rethink legacy network architectures, invest in secure modern systems, and strengthen trusted partnerships between the public and private sectors,” ITI said.
    • “Achieving results, the group argued, “means empowering defenders with what they need to win: efficiency, appropriate resourcing, and the freedom to focus on real threats, not on navigating a web of regulatory regimes.”
  • Cyberscoop observes,
    • “Two executive orders President Donald Trump has signed in recent months could prove to have a more dramatic impact on cybersecurity than first thought, for better or for worse.
    • Overall, some of Trump’s executive orders have been more about sending a message than spurring lasting change, as there are limits to their powers. Specifically, some of the provisions of the two executive orders with cyber ramifications — one from March on state and local preparedness generally, and one from June explicitly on cybersecurity — are more puzzling to cyber experts than anything else, while others preserve policies of the prior administration which Trump has criticized in harsh terms. Yet others might fall short of the orders’ intentions, in practice.
    • But amid the flurry of personnel changesbudget cuts and other executive branch activity in the first half of 2025 under Trump, the full scope of the two cyber-related executive orders might have been somewhat overlooked. And the effects of some of those orders could soon begin coming to fruition as key top Trump cyber officials assume their posts.
  • Federal News Network reports,
    • “The Cybersecurity and Infrastructure Security Agency has rolled out new guidance to help deal with what some cyber experts say is a rising concern: a lack of visibility into threats to operational technology.
    • CISA on Wednesday [August 13, 2025] published “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators.” CISA developed the guidance in conjunction with other agencies, including the Environmental Protection Agency, the National Security Agency, the FBI and several international partners.
    • The guidance focuses on operational technology, which refers to hardware and software that monitor and control physical processes in industrial settings.
    • “OT systems are essential to the daily lives of all Americans and to national security,” Acting CISA Director Madhu Gottumukkala said in a press release. “They power everything from water systems and energy grids to manufacturing and transportation networks. As cyber threats continue to evolve, CISA through this guidance provides deeper visibility into OT assets as a critical first step in reducing risk and ensuring operational resilience.”
  • Federal News Network also interviews Steve Shirley, Executive director, National Defense Information Sharing and Analysis Center, and J.R. Williamson, “Vice president and chief information security officer, Leidos, about the evolution of zero trust. “Federal agencies are learning that implementing Zero Trust means more than deploying new tools. It requires rethinking how users, devices and data interact across every layer of the enterprise.”
  • The American Hospital Association News informs us,
    • “The Department of Justice Aug. 11 announced a series of actions taken against the BlackSuit ransomware group, also known as “Royal,” including the disruption of four servers and nine domains July 24. BlackSuit attacks have targeted health care and other critical infrastructure sectors, DOJ said. 
    • “There is no doubt that the private sector also contributed information to facilitate this disruption, once again highlighting the value of public private operational engagement,” said John Riggi, AHA national advisor for cybersecurity and risk. “The BlackSuit/Royal ransomware group is directly responsible for multiple disruptive attacks against hospitals and health systems, posing a direct risk to patient and community safety. We hope these aggressive law enforcement operations continue at a pace that will meaningfully degrade foreign cyber adversaries’ abilities to harm the American public.”  

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft on Tuesday [August 12, 2025,] updated their mitigation guidance for a high-severity flaw in Exchange Server.
    • The flaw, tracked as CVE-2025-53786, could allow an attacker with administrative privileges for on-premises versions of Exchange to escalate privileges by exploiting vulnerable hybrid joined configurations, Microsoft and CISA said last week
    • In an update on Tuesday, CISA said it still saw no evidence of hackers exploiting the flaw, but it urged organizations to review Microsoft’s updated guidance on identifying Exchange Servers on a network and running the Microsoft Exchange Health Checker.
    • “In its updated security bulletin, Microsoft said an attacker could potentially escalate privileges from an on-premises server to a connected cloud environment without leaving an “easily detectable and auditable trace.” 
  • Bloomberg Law reports,
    • “Russian government hackers lurked in the records system of the US courts for years and stole sensitive documents that judges had ordered sealed from public view, according to two people familiar with the matter and a report seen by Bloomberg News.
    • “The attackers had access to what was supposed to be protected information for multiple years, the report on the breach shows. They gained access by exploiting stolen user credentials and a cybersecurity vulnerability in an outdated server used by the federal judiciary, according to the report, which says the hackers specifically searched for sealed records. 
    • “The report, which was reviewed in part by Bloomberg, doesn’t identify the attackers. But investigators found evidence that they were a Russian state-sponsored hacking group, according to the people, who spoke on condition that they not be named because they were not authorized to discuss the matter.
    • “It’s unclear exactly when the hackers first penetrated the system and when the courts became aware of the breach. Last fall, the judiciary hired a cybersecurity firm to help address it, said one of the people.” * * *
    • “The intrusion was previously reported by Politico, while the New York Times earlier reported that Russia was at least in part behind the cyberattack.
    • “The hackers targeted sealed documents in espionage and other sensitive cases, including ones involving fraud, money laundering and agents of foreign governments, Bloomberg Law reported on Tuesday [August 12, 2025]. Such records often include sensitive information that, in the wrong hands, could be used to compromise criminal and national security investigations, or to identify people who provide information to law enforcement.”
  • Per Cybersecurity Dive,
  • and
    • Virtually all companies have experienced some type of intrusion due to vulnerable code, application security firm Checkmarx said in a report released Thursday [August 14, 2025.
    • Nearly eight in 10 firms reported experiencing such breaches in 2023, but that figure climbed more than 90% last year and reached 98% this year.
    • At the same time, eight in 10 companies said they sometimes or often released software with code they knew was vulnerable, up from two-thirds in 2024. “This isn’t oversight,” Checkmarx said. “It’s strategy.”
  • CISA added five known exploited vulnerabilities to its catalog this week.
  • Per Bleeping Computer,
    • “Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking.
    • “These weaker login channels are vulnerable to adversary-in-the-middle phishing attacks that employ tools like Evilginx, enabling attackers to snatch valid session cookies and hijack the accounts.
    • “Although the attack doesn’t prove a vulnerability in FIDO itself, it shows that the system can be bypassed, which is a crucial weakness.
    • “This is especially worrying considering the increased adoption of FIDO-based authentication in critical environments, a consequence of the technology being touted as extremely phishing-resistant.”
  • and
    • “Cisco is warning about a critical remote code execution (RCE) vulnerability in the RADIUS subsystem of its Secure Firewall Management Center (FMC) software.
    • “Cisco FCM is a management platform for the vendor’s Secure Firewall products, which provides a centralized web or SSH-based interface to allow administrators to configure, monitor, and update Cisco firewalls.
    • ‘RADIUS in FMC is an optional external authentication method that permits connecting to a Remote Authentication Dial-In User Service server instead of local accounts.”

From the ransomware front,

  • Halcyon informs us,
    • “Black Hat 2025 had plenty of shiny new toys and buzzword-heavy sessions, but the real story was hiding in plain sight. No ransomware track. No packed panel on the threat that has cost organizations billions and taken down some of the most secure environments on the planet. The only time it truly took center stage was when Mikko Hyppönen made it impossible to ignore. 
    • “For those paying attention, three truths stood out. Agentic AI will accelerate ransomware campaigns to speeds that will overwhelm unprepared defenders. Ransomware is the next stage in the evolution of malware, and it will only become more capable. Modern security stacks, no matter how mature or expensive, are still being bypassed with troubling ease.” 
  • Bleeping Computer adds,
    • Ransomware and infostealer threats are evolving faster than most organizations can adapt. While security teams have invested heavily in ransomware resilience, particularly through backup and recovery systems, Picus Security’s Blue Report 2025 shows that today’s most damaging attacks aren’t always about encryption.
    • Instead, both ransomware operators and infostealer campaigns often focus on credential theft, data exfiltration, and lateral movement, leveraging old-school stealth and persistence to achieve their objectives with minimal disruption.
    • The evolving adversary tactics are clearly visible when comparing the findings from the Blue Report 2025, based on over 160 million real-world attack simulations, and the Red Report 2025, which analyzes the latest trends in malware, threat actors, and exploitation techniques.
    • The overlap between the two reports reveals a clear and concerning signal: defenders are falling behind on detecting the very tactics that adversaries now favor the most.
  • InfoSecurity Magazine reports,
    • “An ongoing data extortion campaign targeting Salesforce customers could soon turn its attention to financial services firms, security experts have warned.
    • “The notorious ShinyHunters group has been blamed for a series of data breaches impacting big names in the fashion (LVMHChanel, PandoraAdidas) and aviation (Qantas, Air France-KLM) sectors. These victims are typically targeted with vishing for logins to their Salesforce accounts and are sometimes also tricked into downloading a malicious app for similar purposes.”
  • Per Dark Reading,
    • “An emerging ransomware actor is using sophisticated techniques in the style of an advanced persistent threat group (APT) to target organizations with customized ransom demands, posing a significant risk to businesses.
    • “Charon is a new ransomware family (named for the ferryman from Greek mythology who carried souls across the River Styx to Hades); Trend Micro observed it being deployed in a targeted attack in the Middle East’s public sector and aviation industry — the first such record of Charon observed in the wild, according to new research from the firm.
    • “The ransomware leverages techniques such as DLL sideloading, process injection, and anti-EDR capabilities, which are typically the hallmark of advanced threat actors and — in this case — reminiscent of campaigns by the group Earth Baxia, according to a Trend Micro blog post published today.
    • “The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload,” Trend Micro threat researchers wrote in the post.”
  • and
    • “Researchers spotted a new Crypto24 ransomware campaign that they say marks a “dangerous evolution” in the threat landscape.
    • “According to Trend Micro researchers, recent attacks by Crypto24 actors display a combination of advanced evasion techniques and custom tools that can disable EDR solutions — including Trend Micro’s own Vision One platform. Crypto24 was first spotted in 2024 but hadn’t made much of impact until recently, when it became the latest ransomware gang to bypass EDR platforms and security solutions.
    • Trend Micro’s report, published Thursday, details how Crypto24 has demonstrated a high level of skill that sets it apart from other ransomware gangs. For example, researchers noted how “Crypto24 actors deftly deploy a broad range of tools that include legitimate programs like PSExec and AnyDesk for remote access and lateral movement, as well as Google Drive for data exfiltration.
    • “More importantly, Crypto24’s successful deployment of a customized RealBlindingEDR (an open source tool for disabling security solutions) variant that neutralized our security controls shows their capability to maneuver around modern defenses,” the report said. “The threat actor’s customized version employs advanced evasion, likely via unknown vulnerable drivers, showcasing deep technical expertise and ongoing tool refinement.”

From the cybersecurity business and defenses front,

  • Cyberscoop names its Cyberscoop 50 award winners for 2025.
    • “The CyberScoop 50 Awards recognize those who have been honored for their work in protecting vital networks, information and critical infrastructure. Through their hard work, ingenuity, and creativity, they aim to fend off hackers, stay ahead of adversaries and protect American networks.”
  • HelpNet Security lets us know,
    • “Security leaders are rethinking their approach to cybersecurity as digital supply chains expand and generative AI becomes embedded in critical systems. A recent survey of 225 security leaders conducted by Emerald Research found that 68% are concerned about the risks posed by third-party software and components. While most say they are meeting regulatory requirements, 60% admit attackers are evolving too fast to maintain resilience.” * * *
    • Penetration testing is no longer treated as a box to check. It has become a core element of enterprise security programs. Eighty-eight percent of security leaders now consider it vital. Over half say they use pentests to validate their own software. More than half also require third-party pentests before releasing software to customers.
    • “The survey found that 49% plan to use pentesting to identify software supply chain vulnerabilities, and 44% intend to use it to uncover insider threats. The practice is being integrated across the development life cycle and procurement workflows.
    • “Generative AI is emerging as a new and unpredictable risk. Sixty-six percent of respondents say GenAI helps attackers analyze data and evade defenses. More than half worry that AI can automate the entire attack lifecycle, and 62% are concerned that AI development tools may introduce hidden vulnerabilities into codebases.”
  • Dark Reading discusses cybersecurity budgeting here and here.
  • Following the Blackhat Conference, Dark Reading’s CISO Corner is back.

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • NextGov/FCW tells us,
    • “The Senate confirmed Sean Cairncross to serve as national cyber director in a 59-35 vote on Saturday night [August 2], making him the first Senate-approved cybersecurity official of President Donald Trump’s second term.
    • “Cairncross is a former Republican National Committee official and was CEO of the Millennium Challenge Corporation agency during Trump’s first term. As national cyber director, he will be tasked with overseeing an office first stood up under the Biden administration, which serves as the key White House cyber policy interlocutor across federal agencies and Capitol Hill.” 
  • Cyberscoop adds,
    • “Sean Cairncross took his post this week as national cyber director at what many agree is a “pivotal” time for the office, giving him a chance to shape its future role in the bureaucracy, tackle difficult policy issues, shore up industry relations and take on key threats.
    • “The former White House official, Republican National Committee leader and head of a federal foreign aid agency became just the third Senate-confirmed national cyber director at an office (ONCD) that’s only four years old. He’s the first person President Donald Trump has assigned to the position after the legislation establishing it became law at the end of his first term.”
  • Cybersecurity Dive informs us,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] has continued its work to protect federal networks and support critical infrastructure providers despite massive job cuts and resource constraints, two senior CISA officials said during the Black Hat USA cybersecurity conference here Thursday.
    • “We are not retreating, we’re advancing in a new direction,” CISA CIO Robert Costello said during a panel discussion.
    • “Chris Butera, the acting head of CISA’s Cybersecurity Division, added that, while the agency “did lose people” to the Trump administration’s downsizing program — roughly a third of its employees — CISA still has “a very talented workforce.” He cited the agency’s around-the-clock response to major vulnerabilities in Microsoft SharePoint as an example of CISA’s continued capacity.”
  • and
    • “The U.S. government is still pushing agencies to adopt zero-trust network designs, continuing a project that gained steam during the Biden administration, a senior cybersecurity policy official said on Wednesday.
    • “It must continue to move forward,” Michael Duffy, the acting federal chief information security officer, said during a panel at the Black Hat cybersecurity conference. “That architectural side of it is very important for us to get right as we integrate new technologies [like] artificial intelligence into the ways we operate.”
    • “Zero-trust networking emphasizes the concept of throwing up hurdles to hackers who penetrate a computer system, limiting the damage they can do by sealing off parts of the network and requiring strict user authentication.”
  • Per Dark Reading,
    • “As the Department of Defense (DoD) continues to make deeper strides in implementing its Cybersecurity Maturity Model Certification (currently CMMC 2.0), we find ourselves at the cusp of what feels like its next iteration, CMMC 3.0, marking the next evolution in its efforts to strengthen cybersecurity across the defense industrial base (DIB). While the updated framework builds on the structure of CMMC 2.0, this new update would include clearer expectations and stricter enforcement, particularly for organizations handling controlled unclassified information (CUI). The DoD’s message is clear: Reducing risk and enhancing resilience are now mission-critical for any company supporting national defense.”
  • Cybersecurity Dive adds,
    • “The Chinese government has such vast hacking resources that it’s targeting tiny companies in the U.S. defense industrial base that never imagined they would end up on Beijing’s radar, a National Security Agency official said here Wednesday.
    • “China’s hacking resources outnumber those of the U.S. and [its] allies combined, and China has stolen more corporate data from the United States than any other nation in the world,” Bailey Bickley, chief of DIB defense at the NSA’s Cybersecurity Collaboration Center, said during a session at the Black Hat USA cybersecurity conference.
    • “Although best known for its intelligence-collection role, the NSA is also responsible for helping defense contractors safeguard their systems. Recently, the agency has been doing that through free security services — including classified information sharing and a protective DNS offering — from the Cybersecurity Collaboration Center.
    • “When we engage with small companies” in the defense industrial base, “they often think that what they do is not important enough to be targeted” by China, Bickley said. “But when you have the significant resources like that to conduct mass scanning and mass exploitation, there is no company and no target too small.”
  • and
    • “The Defense Advanced Research Projects Agency on Friday [August 8] unveiled the winners of a competition to spur the development of artificial intelligence tools designed to autonomously find and fix software vulnerabilities.
    • “Team Atlanta, Trail of Bits and Theori claimed the top three spots in DARPA’s AI Cyber Challenge, agency officials said at the DEF CON cybersecurity conference here. They will receive prizes of $4 million, $3 million and $1.5 million, respectively.
    • “All seven finalist teams will open source their AI tools so that the entire world can use them. Four of the tools debuted on Friday, while the remaining three will be released in the next few weeks.’
  • Cyberscoop reports,
    • “BlackSuit’s technical infrastructure was seized in a globally coordinated takedown operation last month that authorities touted as a significant blow in the fight against cybercrime. The ransomware group’s leak site has displayed a seizure notice since July 24.
    • “The takedown followed a long investigation, which allowed authorities to confiscate “considerable amounts of data,” and identify 184 victims, German officials said in a news release last week. The group’s total extortion demands surpassed $500 million by August 2024, with demands typically in the range of $1 million to $10 million, the Cybersecurity and Infrastructure Security Agency said in an advisory last year. 
    • “U.S. authorities were heavily involved in the operation, but have yet to share details about the investigation or its results. BlackSuit’s extortion site was seized by the Department of Homeland Security’s Homeland Security Investigation department, a unit of U.S. Immigration and Customs Enforcement. 
    • “A spokesperson for ICE told CyberScoop the Justice Department has been waiting for court documents to be unsealed before releasing any information about the law enforcement action dubbed “Operation Checkmate.” The FBI, Secret Service, Europol and cyber authorities from the United Kingdom, Germany, France, Ireland, Ukraine, Lithuania and Romania-based cybersecurity firm Bitdefender were also involved in the operation.” 
  • Dark Reading relates,
    • “Two senior executives and founders of the Samourai Wallet cryptocurrency mixer have pleaded guilty to charges involving washing more than $200 million for cybercriminals and other nefarious types.
    • “CEO Keonne Rodriguez and chief technology officer William Lonergan Hill admitted to operating a money-transmitting business that handled criminal proceeds. They have pleaded guilty to conspiracy and face a maximum sentence of five years in prison in addition to the fine.
    • “The US Department of Justice first arrested Rodriguez and Hill in April of last year on two counts of conspiracy: operating an unlicensed money-transmitting business and money laundering, the latter of which carries a maximum sentence of 20 years.”

From the cybersecurity breaches and vulnerabilities front,

  • FedScoop reports,
    • “The U.S. judiciary announced plans to increase security for sensitive information on its case management system following what it described as “recent escalated cyberattacks of a sophisticated and persistent nature.”
    • “In a Thursday [August 7] statement, the federal judiciary said it’s “taking additional steps to strengthen protections for” that information. It also said it’s “further enhancing security of the system and to block future attacks, and it is prioritizing working with courts to mitigate the impact on litigants.”
    • “The statement from the third branch comes one day after a Politico report revealed that its case filing system had recently been breached. That report cited unnamed sources who were concerned that the identities of confidential court informants may have been compromised.”
  • Cyberscoop tells us,
    • “Federal cyber authorities issued an alert Wednesday evening about a high-severity vulnerability affecting on-premises Microsoft Exchange servers shortly after a researcher presented findings of the defect at Black Hat. 
    • “Microsoft also issued an advisory about the vulnerability — CVE-2025-53786 — and said it’s not aware of exploitation in the wild. 
    • “While the public disclosure and advisories about the defect came late in the day amid one of the largest cybersecurity conferences, Tom Gallagher, VP of engineering at Microsoft Security Response Center, told CyberScoop the timing was coordinated for release following Mollema’s presentation.
    • “Gallagher stressed that exploitation requires an attacker to achieve administrative access to an on-premises Exchange server in a hybrid environment.” 
  • and
    • “SonicWall warned customers to disable encryption services on Gen 7 firewalls in the wake of an active attack spree targeting a yet-to-be identified vulnerability affecting a critical firewall service. Attacks have increased notably since Friday, the company said in a blog post.
    • “Threat hunters and incident responders from Arctic Wolf, Google and Huntress have observed a wave of ransomware attacks beginning as early as July 15. Mounting evidence points to a zero-day vulnerability affecting the secure sockets layer (SSL) VPN protocol as the initial attack vector.
    • “A financially motivated threat actor is actively compromising victim environments and deploying Akira ransomware,” Charles Carmakal, CTO at Mandiant Consulting, said in a LinkedIn post Tuesday. “The speed and scale of the compromises suggests a potential zero-day vulnerability in SonicWall Gen 7 firewalls.”
    • “SonicWall said an ongoing investigation has yet to determine if the attacks involve a previously disclosed vulnerability or a zero-day. “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.”
  • Per Bleeping Computer,
    • “Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform.
    • Apex One is an endpoint security platform designed to automatically detect and respond to threats, including malicious tools, malware, and vulnerabilities.
    • “This critical security flaw (tracked as CVE-2025-54948 and CVE-2025-54987 depending on the CPU architecture) is due to a command injection weakness in the Apex One Management Console (on-premise) that enables pre-authenticated attackers to execute arbitrary code remotely on systems running unpatched software.
    • “Trend Micro has yet to issue security updates to patch this actively exploited vulnerability, but it has released a mitigation tool that provides short-term mitigation against exploitation attempts.”
  • and
    • “A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.
    • “The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker.
    • “When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” reads the WinRAR 7.13 changelog.”
  • CISA added three known exploited vulnerabilities to its catalog this week.
  • Per SC Media,
    • “Dormant service accounts with privileges were found in more than 70% of enterprise environments according to new research released by BeyondTrust on Aug. 4 at BlackHat in Las Vegas.
    • “The researchers also reported that overly permissive Entra Service Principals create direct pathways to Global Admin privileges, exposing entire Microsoft 365 environments to potential takeover.
    • “According to BeyondTrust, credentials reused across multiple service accounts by human administrators can also let a single compromised password hack numerous non-human accounts.”
    • “Our data shows that many organizations lack the complete story when it comes to their identity attack surface,” said Marc Maiffret, chief technology officer at BeyondTrust. “For many, overlooked hygiene issues silently open the door to attackers. And with the rise of Agentic AI, the stakes have never been higher, especially as most organizations lack visibility into how compromised accounts can be leveraged to seize control of application secrets, which often carry elevated privileges.”
  • Security Week points out,
    • “Five vulnerabilities in the ControlVault3 firmware and the associated Windows APIs expose millions of Dell laptops to persistent implants and Windows login bypasses via physical access, Cisco Talos reports.
    • “The issues, tracked as CVE-2025-24311, CVE-2025-25215, CVE-2025-24922, CVE-2025-25050, and CVE-2025-24919, were initially disclosed on June 13, when Dell announced that patches for them were rolled out for over 100 Dell Pro, Latitude, and Precision models.
    • “The affected component, ControlVault3 (and the ControlVault3+ iteration), is a hardware-based system meant to securely store passwords, biometric information, and security codes.”

From the ransomware front,

  • Bleeping Computer reports,
    • “Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide.
    • “Security researchers at Palo Alto Networks’ Unit 42 have discovered a 4L4MD4R ransomware variant, based on open-source Mauri870 code, while analyzing incidents involving this SharePoint exploit chain (dubbed “ToolShell”).
    • “The ransomware was detected on July 27 after discovering a malware loader that downloads and executes the ransomware from theinnovationfactory[.]it (145.239.97[.]206).
    • “The loader was spotted following a failed exploitation attempt that revealed malicious PowerShell commands designed to disable security monitoring on the targeted device.
    • “Analysis of the 4L4MD4R payload revealed that it is UPX-packed and written in GoLang. Upon execution, the sample decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it,” Unit 42 said.”
  • and
    • “A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of ‘EDRKillShifter,’ developed by RansomHub, has been observed in attacks by eight different ransomware gangs.
    • “Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected. 
    • “According to Sophos security researchers, the new tool, which wasn’t given a specific name, is used by RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.”
  • CISA issued an Analysis report about Exploitation of SharePoint Vulnerabilities on August 6.
  • InfoSecurity Magazine explains how ransomware actors have expanded tactics beyond encryption and exfiltration.
  • Halcyon warns us,
    • “Ransomware remains one of the most destructive and expensive threats facing organizations today. With average ransom demands hitting $3.5M, victims are forced into high-stakes decisions under intense pressure: pay up or risk catastrophic disruption. 
    • “Nearly half of all targeted organizations end up paying, even after negotiations. The impact doesn’t end with encryption: recovery takes weeks, services stall, regulators circle, and trust erodes. Ransomware isn’t just a cybersecurity problem; it’s a full-blown operational crisis.  
    • “The Halcyon team of ransomware experts has put together this extortion group power rankings guide as a quick reference for the extortion threat landscape based on data from throughout Q2-2025, which can be reviewed along with earlier reports here: Power Rankings: Ransomware Malicious Quartile.”
  • MSPP Alert adds,
    • “Ransomware doesn’t play fair—and now, neither are the defenders. Sophos and Halcyon are teaming up with a direct integration that goes far beyond traditional intel feeds or industry sharing forums. This partnership isn’t about exchanging threat data after the fact. It’s about coordinating active defenses in real time, within live customer environments.
    • “What makes this different? According to Simon Reed, Chief Research and Scientific Officer at Sophos, it’s not just another “threat feed” dropped into a dashboard. “Sophos and Halcyon’s approach to threat intelligence sharing shifts the status quo from out-of-context threat intelligence (which is still hugely useful as an industry standard approach) to sharing coordinated, real-time defense that meets attackers head-on,” he told MSSP Alert.
    • “Instead of piecing together siloed signals, both companies are now synchronizing responses against a common adversary.”

From the cybersecurity business and reporting front,

  • Dark Reading reports,
    • “It was a memorable Black Hat 2025 USA for the founders of Prime Security, the winners of this year’s Startup Spotlight competition.
    • “The Startup Spotlight Competition is a pitch competition for cybersecurity startup companies to present their products and solutions in front of a live audience at Black Hat. In the first phase of the competition, startups of all stripes submitted a pitch describing the company and the products and solutions. A panel of judges reviewed submissions for the competition, looking for companies that fit the bill of “most innovative emerging companies in cybersecurity,” before narrowing down to four: FireTail, Keep Aware, Prime Security, and Twine Security. 
    • “Representatives from each of the four companies pitched their companies and products for the final time to a panel of judges at the Black Hat USA conference in Las Vegas, in a Shark Tank-style competition. While the judges deliberated on the winner, the audience also voted on their favorite. Prime Security won both the judges’ votes as well as the audience’s.”
  • Here is a link to Dark Reading’s round up of Black Hat conference news.
  • Also per Dark Reading,
    • “Investing in building a human-centric defense involves a combination of adaptive security awareness training, a vigilant and skeptical culture, and the deployment of layered technical controls.”
  • and
    • “Data Dump from APT Actor Yields Clues to Attacker Capabilities. The tranche of information includes data on recent campaigns, attack tools, compromised credentials, and command files used by a threat actor believed to be acting on behalf of China or North Korea.”

Door prize from the artificial intelligence front

  • Per Security Week,
    • “Red Teams Jailbreak GPT-5 With Ease, Warn It’s ‘Nearly Unusable’ for Enterprise
    • “Researchers demonstrate how multi-turn “storytelling” attacks bypass prompt-level filters, exposing systemic weaknesses in GPT-5’s defenses.”

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • Security Week tells us,
    • “Members of the Senate Homeland Security and Governmental Affairs Committee voted 9-6 [on July 31, 2025] to recommend Sean Plankey ’s nomination for director of the Cybersecurity and Infrastructure Security Agency, known as CISA, which sits under the Department of Homeland Security.”
  • Federal News Network informs us that a “new CISA guide helps agencies with next steps on zero trust.”
  • The American Hospital Association News points out,
    • “The FBI, Cybersecurity and Infrastructure Security Agency and international agencies July 29 released a joint advisory on recent tactics by the Scattered Spider cybercriminal group. The group, observed by federal agencies since November 2023, has members based in the U.S. and U.K. The group has targeted large companies and their IT help desks. Scattered Spider threat actors typically engage in data theft for extortion and also use ransomware variants once in a system to steal information, along with other tactics.  
    • “Scattered Spider often employs tactics like phishing, push bombing and subscriber identity module swap attacks to get credentials, bypass multifactor authentication and gain access to networks,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “They have also impersonated company help desks to trick users into divulging credentials. These tactics serve as a reminder of the importance of training to recognize and stop these social engineering attacks. The fact that they are native English speakers can make their social engineering attacks more effective. There have been several arrests of group members recently, but their attacks persist, and their tactics are evolving to evade detection. They are currently targeting Snowflake data storage solutions and stealing customer information.”  
  • Cyberscoop reports,
    • “Federal analysts are still sizing up what the Chinese hackers known as Volt Typhoon, who penetrated U.S. critical infrastructure to maintain access within those networks, might have intended by setting up shop there, a Cybersecurity and Infrastructure Security Agency official said Thursday.
    • “We still don’t actually know what the result of that is going to be,” said Steve Casapulla, acting chief strategy officer at CISA. “They are in those systems. They are in those systems on the island of Guam, as has been talked about publicly. So what [are] the resulting impacts going to be from a threat perspective? That’s the stuff we’re looking really hard at.”
    • “Casapulla made his remarks at a Washington, D.C. event hosted by Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.”
    • FEHBlog observation: Ruh roh! 
  • Per Cybersecurity Dive,
    • “The Department of Justice on Thursday announced a $9.8 million settlement with Illumina over allegations that the company sold genomic-sequencing systems with software vulnerabilities to federal agencies for multiple years.
    • “Between 2016 and 2023, the government said, the company sold the systems without having an adequate security program and knowingly failed to incorporate cybersecurity into its product design process.
    • “According to prosecutors’ complaint, Illumina is the dominant company in the global market, with a share of roughly 80%.
    • “Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” Assistant Attorney General Brett Shumate of the DOJ’s Civil Division said in a statement.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • “Social engineering — an expanding variety of methods that attackers use to trick professionals to gain access to their organizations’ core data and systems — is now the top intrusion point globally, attracting an array of financially motivated and nation-state backed threat groups. 
    • “More than one-third (36%) of the incident response cases Palo Alto Networks’ Unit 42 worked on during the past year began with a social engineering tactic, the company said this week in its global incident response report
    • “Threat groups of assorted motivations and origins are fueling the rise of social engineering. Cybercrime collectives such as Scattered Spider and nation-state operatives, including North Korean technical specialists that have infiltrated the employee ranks at top global companies, have adopted social engineering as the primary hook into IT infrastructure and sensitive data.” 
  • and
    • “The average cost of a data breach for U.S. companies jumped 9% to an all-time high of $10.22 million in 2025, as the global average cost fell 9% to $4.44 million, IBM said in its 20th annual Cost of a Data Breach Report Wednesday [July 30].
    • While shorter investigations are pushing down costs globally, reflecting the first decline in five years, IBM found higher regulatory fines, along with detection and escalation costs, are driving up the ultimate recovery price in the United States. 
    • “This widening gap helps explain why U.S. organizations continue to face the highest breach costs globally, further compounded by more organizations in the U.S. reporting paying steeper regulatory fines,” Troy Bettencourt, global partner and head of IBM X-Force, said in an email.
    • “The report underscores that organizations face an uneven burden in the wake of data breaches, even as detection and containment times improve. On average, it took organizations 241 days to identify and contain a breach through the one-year period ending in February — a nine-year low, according to IBM.”
  • Cybersecurity Dive adds,
    • “A coalition of information-sharing groups urged their members on Wednesday [July 30] to take additional steps to mitigate potential attacks by the cybercrime gang Scattered Spider, which has spent recent months attacking the insurance, retail and airline industries. 
    • “Threat actors such as Scattered Spider are constantly innovating, so organizations must be diligent in continually monitoring their processes and identities to look for new exploits,” the group of information sharing and analysis centers (ISACs) — representing the financial services, food and agriculture, information technology, healthcare, aviation, automotive, retail, maritime and electricity sectors — said in a joint advisory.
    • Their warning came one day after the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that Scattered Spider had developed an evolving set of tactics to conduct social-engineering attacks on its targets.
    • The ISACs said they expect the group to continue to find new ways to evade existing security measures.
  • Bleeping Computer points out,
    • “Researchers have found that in roughly 80% of cases, spikes in malicious activity like network reconnaissance, targeted scanning, and brute-forcing attempts targeting edge networking devices are a precursor to the disclosure of new security vulnerabilities (CVEs) within six weeks.
    • “This has been discovered by threat monitoring firm GreyNoise, which reports these occurrences are not random, but are rather characterized by repeatable and statistically significant patterns.
    • “GreyNoise bases this on data from its ‘Global Observation Grid’ (GOG) collected since September 2024, applying objective statistical thresholds to avoid results-skewing cherry-picking.
    • “After removing noisy, ambiguous, and low-quality data, the firm ended up with 216 events that qualified as spike events, tied to eight enterprise edge vendors.
    • “Across all 216 spike events we studied, 50 percent were followed by a new CVE within three weeks, and 80 percent within six weeks,” explain the researchers.”
  • CISA added three known exploited vulnerabilities to its catalog this week.

From the ransomware front,

  • HIPAA Journal tells us,
    • “A new report from the cybersecurity firm Semperis suggests ransomware attacks have decreased year-over-year, albeit only slightly. The ransomware risk report indicates healthcare is still a major target for ransomware gangs, with 77% of healthcare organizations targeted with ransomware in the past 12 months. 53% of those attacks were successful.
    • “The report is based on a Censuswide survey of 1,500 IT and security professionals across multiple sectors. While attacks are down slightly, 60% of attacked healthcare organizations report suffering multiple attacks. In 30% of cases, they were attacked more than once in the same month, 35% were attacked in the same week, 14% were attacked multiple times on the same day, and 12% faced simultaneous attacks.
    • “A general trend in recent years, as reported by several firms, is fewer victims of ransomware attacks paying ransoms, although across all industry sectors in the U.S., 81% attacked companies paid the ransom, an increase from last year. Ransom payment was far less common in healthcare. According to Semperis, 53% of healthcare victims paid a ransom to either prevent the publication of stolen data, obtain decryption keys, or both. The ransom paid was less than $500,000 for 55% of companies, 39% paid between $500,000 and $1 million, and 5% paid more than $1 million.”
  • Cybersecurity Dive adds,
    • “Manufacturing, information technology and healthcare are top targets of cybercriminals, but ransomware attacks on the oil and gas industry increased dramatically between April 2024 and April 2025, spiking 935%, according to a new report from cybersecurity firm Zscaler.
    • “Oil and gas companies may be facing more attacks because their industrial control systems are increasingly automated and digitized, “expanding the sector’s attack surface,” Zscaler said.
    • “Half of all ransomware attacks listed on leak sites during the April-to-April survey period targeted the United States, and attacks on U.S. targets more than doubled, to 3,671, a figure that exceeds the combined number of ransomware events on the 14 other countries in the top 15 list.”
  • Cybersecurity Dive further reports,
    • “A recent wave of ransomware attacks targeting SonicWall firewall devices may be related to a zero-day vulnerability in the products, according to researchers.
    • “Anomalous firewall activity that began on July 15 and involved VPN access through SonicWall SSL VPNs morphed into intrusions the following week, researchers at Arctic Wolf said.
    • “This appears to be affecting SonicOS devices from what we’ve seen so far,” Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, told Cybersecurity Dive. “Our investigation is still preliminary, so I’m not able to offer much more detail yet.”
    • “Hackers deployed the Akira ransomware variant in hands-on-keyboard attacks after compromising SonicWall SSL VPNs, according to the researchers.”
  • and
    • “Researchers from Palo Alto Networks say they are investigating a ransomware attack related to the recently disclosed ToolShell vulnerabilities in Microsoft SharePoint
    • “The hackers left the victim a ransom note on Sunday [July 27] claiming they had encrypted files using the 4L4MD4R ransomware. The note warned that any attempt to decrypt the files would result in their deletion.
    • The hackers used PowerShell commands to disable real-time monitoring in Windows Defender, according to Palo Alto Networks researchers. The intruders also bypassed certificate validation.
    • Researchers from Palo Alto Networks say they are investigating a ransomware attack related to the recently disclosed ToolShell vulnerabilities in Microsoft SharePoint
    • The hackers left the victim a ransom note on Sunday claiming they had encrypted files using the 4L4MD4R ransomware. The note warned that any attempt to decrypt the files would result in their deletion.
    • The hackers used PowerShell commands to disable real-time monitoring in Windows Defender, according to Palo Alto Networks researchers. The intruders also bypassed certificate validation.
  • and
    • “Several major ransomware-as-a-service groups have stopped posting victims to popular leak sites, suggesting that the ecosystem is more dispersed than it used to be, according to a new report from Check Point Software Technologies.
    • “At the same time, many smaller groups that used to affiliate with larger players “are operating independently or seeking new partnerships,” Check Point said in its Thursday report.
    • “Established players are actively competing to recruit these ‘orphaned’ affiliates,” according to the report, which cited competition between prominent groups Qilin and DragonForce for affiliates of the now-defunct RansomHub.”
  • Per Bleeping Computer,
    • “A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances.
    • “In June, Google’s Threat Intelligence Group (GTIG) warned that threat actors tracked as UNC6040 were targeting Salesforce customers in social engineering attacks.
    • “In these attacks, the threat actors impersonated IT support staff in phone calls to targeted employees, attempting to persuade them into visiting Salesforce’s connected app setup page. On this page, they were told to enter a “connection code”, which linked a malicious version of Salesforce’s Data Loader OAuth app to the target’s Salesforce environment.”
  • SC Media tells us,
    • “Epsilon Red ransomware is being spread via a unique ClickFix lure that convinces victims to download and execute HTML Application files.
    • “The campaign impersonates widely used online services such as Twitch, Kick, Rumble, OnlyFans and the popular Discord Captcha Bot, CloudSEK reported recently.
    • “Like other sites using the ClickFix social-engineering method, these impersonation sites display a fake CAPTCHA prompt, but rather than having the victim copy and paste malicious commands, this version directs them to go to a different page to complete “extra verification steps.”
    • “These extra steps include pressing CTRL + S to save a file, renaming the file to verify.hta, opening the file with Microsoft HTML Application Host (mshta.exe), clicking “YES” if a popup appears and then entering a decoy “verification code” on the original CAPTCHA page. This last step is designed to trick the user into believing they have completed a legitimate verification process.”
  • Per InfoSecurity Magazine,
    • “A new ransomware operator called Chaos has launched a wave of intrusions impacting a wide range of sectors, Cisco Talos has reported.
    • “Victims have been predominantly based in the US, with some in the UK, New Zealand India, according to the actor’s data leak site.
    • “Targeting appears to be opportunistic and does not focus on any specific verticals. However, Chaos is focused on “big-game hunting” and uses double-extortion tactics.
    • “In one incident observed by Cisco, the group adopted a novel negotiation strategy, offering an extra ‘reward’ for making payment to the attackers, or additional ‘punishment’ for resisting demands, including the threat of a distributed denial-of-service (DDoS) attack.
    • “The Chaos ransomware actor is a recent and concerning addition to the evolving threat landscape, having shown minimal historical activity before the current wave of intrusions,” the researchers wrote in a blog dated July 24.”
  • Per Trend,
    • “Gunra ransomware’s Linux variant broadens the group’s attack surface, showing the new group’s intent to expand beyond its original scope. 
    • “The Linux variant shows notable features including running up to 100 encryption threads in parallel and supporting partial encryption. It also allows attackers to control how much of each file gets encrypted and allows for the option to keep RSA-encrypted keys in separate keystore files.
    • “Since its first observed activity in April 2025, Gunra ransomware has victimized enterprises from Brazil, Japan, Canada, Turkiye, South Korea, Taiwan, and the United States. Its victims include organizations from the manufacturing, healthcare, IT and agriculture sectors, as well as companies in law and consulting.” 

From the cybersecurity business and defenses front,

  • Cyberscoop reports,
    • “Palo Alto Networks has agreed to acquire identity security firm CyberArk for approximately $25 billion, marking the cybersecurity giant’s largest acquisition and its formal entry into the identity security market as the industry continues consolidating amid rising cyber threats.
    • “The transaction ranks among the largest technology acquisitions this year and underscores the market’s focus on identity security in an era of increasing artificial intelligence adoption.
    • “CyberArk, founded over two decades ago, specializes in privileged access management technology that helps organizations control and monitor access to critical systems and accounts. The company’s customers include major corporations such as Carnival Corp., Panasonic, and Aflac. Its technology addresses what security experts consider one of the most vulnerable aspects of enterprise security: managing privileged credentials for both human users and machine identities.
    • “The acquisition comes as cybersecurity companies face pressure to offer comprehensive solutions rather than point products, with customers seeking to streamline their vendor relationships following high-profile breaches. Recent cyberattacks, including Microsoft’s SharePoint vulnerabilities that affected over 100 organizations including U.S. government agencies, have heightened focus on identity protection and privileged access management.”
  • ISACA discusses “Defending Against Human-Operated Ransomware Attacks.”
  • Per a CISA news release,
    • “Today, the Cybersecurity and Infrastructure Security Agency (CISA) released an Eviction Strategies Tool, a no-cost resource designed to support cyber defenders in their efforts to respond to cyber incidents. CISA contracted with MITRE to develop this tool that enables cyber defenders to create tailored response plans and adversary eviction strategies within minutes. They will also be able to develop customized playbooks aimed at containing and evicting adversaries from compromised systems and networks.
    • “The tool includes COUN7ER, a database of atomic post-compromise countermeasures mapped to adversary tactics, techniques, and procedures (TTPs), and Cyber Eviction Strategies Playbook NextGen, a web-based application that matches incident findings with countermeasures obtained from COUN7ER. Together, these resources help defenders build systematic eviction plans with distinct countermeasures to thwart and evict unique intrusions.”
  • Dark Reading adds,
    • “The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Department of Energy’s Sandia National Laboratories, has released Thorium, an automated malware and forensic analysis platform, to help enterprise defenders quickly assess malware threats.” * * *
    • “Thorium is available from CISA’s official GitHub repository. Organizations interested in using it will need a deployed Kubernetes cluster, block store, and object store. A successful deployment requires familiarity with Docker containers and compute cluster management.
    • “By making this platform publicly available, we empower the broader cybersecurity community to use advanced tools for malware and forensic analysis,” said Jermaine Roebuck, CISA’s associate director for threat hunting, in a statement. “Scalable analysis of binaries and digital artifacts strengthens our ability to identify and fix vulnerabilities in software.”
  • Dark Reading offers Black Hat News. The Black Hat conference starts today in Las Vegas.

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

Exploitation of Microsoft SharePoint Vulnerabilities

  • Last Sunday, July 20, the Cybersecurity and Infrastructure Security Agency (CISA) added a known exploited vulnerability to its catalog
    • CVE-2025-53770 Microsoft SharePoint Server Remote Code Execution Vulnerability
  • CISA also created an alert on the new KVE, which the agency updated on Tuesday and Thursday.
  • The Wall Street Journal reported on July 21,
    • Microsoft issued an alert about “active attacks” targeting its server software and urged customers to install new security updates that have been released.
    • Microsoft’s Security Response Center said in a blog post over the weekend that the attacks target on-premises SharePoint server customers and exploit vulnerabilities that were partially addressed by a July security update.
    • “Organizations typically use Microsoft SharePoint to create intranet websites, store and organize information, and facilitate file-sharing among workers. Cloud-based SharePoint Online in Microsoft 365 isn’t affected, the company said.
    • “By Monday, cybersecurity investigators said that the SharePoint attacks were widespread. At least one of the “multiple” hacking groups involved in the attacks was linked to China, according to Google’s Mandiant cybersecurity group.
    • “Microsoft declined to comment beyond its blog post.
    • “Hackers exploiting the SharePoint flaws then stole cryptographic keys that could be used to run commands on the affected server in the future, even if it had been patched, cybersecurity investigators said on Monday.”
  • and added on July 24,
    • Last year, Satya Nadella pledged to make security priority number one at Microsoft. A new hack involving China is showing just how difficult that can be.
    • The attack involves several versions of Microsoft’s SharePoint software that serve as a document storage platform for customers who don’t want to use the cloud. Microsoft released patches for a pair of SharePoint bugs earlier this month, but the fixes were quickly bypassed, allowing China-linked hackers to break into hundreds of organizations, according to security researchers.
    • Instead of protecting customers, the faulty patches may have served as a road map for hackers to hone their attacks, the researchers said.
    • It’s the latest in a string of lapses by the technology giant that have benefited China’s vast and global cyber-espionage operations, a top U.S. national security threat. * * *
    • “In the SharePoint attack * * * the issue began in May 2025, at a hacking contest in Berlin where the Vietnamese researcher [and pentester] Dinh Khoa (LinkedIn page) won $100,000 and a laptop.
    • “This is a very hard target so we spent a lot of time digging into it,” Khoa said in an interview posted online after the contest.
    • “To the applause of audience members, he showed how to break into a SharePoint system and was soon escorted into a private room where he explained the bugs to a representative from Microsoft and Dustin Childs, head of threat awareness with cybersecurity company Trend Micro’s Zero Day Initiative. Two months later, on July 8, Microsoft fixed the bugs. They were two of the 130 bugs that Microsoft fixed that month.” * * *
    • “On Saturday [July 19], Microsoft took the unusual step of issuing two emergency patches, which contain “more robust protections” to the bugs that Khoa had found, the company said. SharePoint customers should also change the cryptographic keys used by their servers, a move that—when combined with the new patches—effectively closes the back door created by the attack, Microsoft said.”
  • Cyberscoop noted on July 24,
    • The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread nearly a week after zero-day exploits were discovered, setting off alarms across the globe. More than 400 organizations have been actively compromised across four waves of attacks, according to Eye Security.
    • Multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services, have been hit. The California Independent System Operator, which operates some of the state’s wholesale electric grid, was also impacted.
    • As more victims confirm varying levels of compromise from the attack spree, researchers are learning and sharing more details about post-exploit activities. One of the China-based attackers behind the initial wave of attacks, Storm-2603, deployed Warlock ransomware starting July 18, Microsoft Threat Intelligence said Wednesday in an updated blog post.
    • The Chinese government-affiliated threat groups Linen Typhoon and Violet Typhoon — which have been active for at least a decade — are also actively exploiting the zero-day vulnerabilities, Microsoft said. Linen Typhoon has focused on stealing intellectual property and Violet Typhoon is an espionage threat group. Storm is a moniker Microsoft uses for threat groups in development.
  • NextGov/FCW discusses the impact of the Sharepoint vulnerabilities on federal government agencie here (Homeland Security, among other agencies affected) and there (Defense Department not affected).

From the cybersecurity breaches and vulnerabilities front,

  • Security Week informs us,
    • “The Alcohol & Drug Testing Service (TADTS) is notifying roughly 750,000 people that their personal information was compromised in a July 2024 data breach.
    • “TADTS is based in Texas and was until recently known as the Texas Alcohol and Drug Testing Service. It provides workplace and individual alcohol and drug testing services in Texas and other states.
    • “The incident, TADTS says, was identified on July 9, 2024, and involved unauthorized access to and the theft of data maintained in its systems.
    • “The investigation into the potentially compromised information, conducted with the assistance of a professional data mining team, was concluded only recently, and determined that personal information was included in the stolen data.” * * *
    • “While TADTS did not share details on the type of cyberattack it fell victim to, the infamous BianLian ransomware group took credit for the intrusion on July 14, 2024, claiming the theft of roughly 218 gigabytes of data.
    • “It is unclear whether the hackers released the stolen information publicly, as their Tor-based leak site is currently offline and the group has been quiet for months, with their last known victim announced on March 31.”
  • and
    • “Marketing software and services company Cierant Corporation and law firm Zumpano Patricios have independently disclosed data breaches, each impacting more than 200,000 individuals.
    • “What the Cierant and Zumpano Patricios incidents have in common is that the number of impacted people was brought to light in recent days by the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS).
    • “The Zumpano Patricios breach impacts nearly 280,000 individuals. The law firm, which has offices in several major US cities, is representing healthcare providers in disputes with health insurance companies over medical service payments to patients. 
    • “Zumpano Patricios is informing impacted individuals that it had detected an intrusion in its IT network on May 6, 2025, but could not determine the date and time of initial access. 
    • “An investigation revealed that the hackers accessed and possibly exfiltrated files containing information such as patient name, date of birth, Social Security number, provider name, health insurer information, dates of service, and amounts charged by the provider and payments they received.”
  • Cybersecurity Dive tells us,
    • “Hackers breached the Philadelphia Indemnity Insurance Company in June and stole customer data, the company said in a filing with the California Attorney General’s office
    • “An unauthorized party accessed customer data during an intrusion discovered between June 9 and June 10, according to the disclosure.
    • “The company previously called the incident a network outage, however it said there was no ransomware and no encryption. The company did report the incident to law enforcement and retained outside forensic experts to investigate.”
  • In addition to the June 20 addition discussed above, CISA added six known exploited vulnerabilities to its catalog this week.
    • July 22, 2025
      • CVE-2025-49704 Microsoft SharePoint Code Injection Vulnerability
      • CVE-2025-49706 Microsoft SharePoint Improper Authentication Vulnerability”
        • Cybersecurity Dive explains,
          • “The [Sharefile] intrusions are exploiting ToolShell, an attack sequence that combines remote code injection and network spoofing vulnerabilities tracked as CVE-2025-49704 and CVE-2025-49706.” 
    • Also July 22, 2025,
      • CVE-2025-54309 CrushFTP Unprotected Alternate Channel Vulnerability
        • Tenable discusses the CrushFTP vulnerability
      • CVE-2025-6558 Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
      • CVE-2025-2776 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
      • CVE-2025-2775 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
  • Security Week notes,
    • “SonicWall on Wednesday announced patches for a critical vulnerability in Secure Mobile Access (SMA) 100 series secure access gateways, urging organizations to take immediate action in the wake of the recently disclosed Overstep malware attacks.
    • “The newly addressed flaw, tracked as CVE-2025-40599 (CVSS score of 9.1), is described as an arbitrary file upload issue in the SMA 100’s web management interface.
    • “The bug can be exploited by remote attackers to upload arbitrary files to the system, which could lead to remote code execution (RCE). The attackers need administrative privileges to exploit the security defect, SonicWall’s advisory reads.”
  • and
    • “The Lumma Stealer has returned after Microsoft and law enforcement caused significant disruption to its infrastructure, Trend Micro reported on Tuesday.” * * *
    • “The ability of Lumma Stealer’s operators to regroup and innovate poses a continued risk to organizations and individuals worldwide,” Trend Micro said. “This emphasizes the need for ongoing vigilance, proactive threat intelligence, and sustained collaboration between law enforcement and the cybersecurity community. Without this, even the most significant takedowns might only offer temporary relief from evolving cyber threats.”
  • Per Dark Reading,
    • “A suspected Chinese nation-state threat group is conducting an extensive cyberespionage campaign that takes advantage of vulnerable VMware ESXi and vCenter environments.
    • “Since early 2025, researchers at Sygnia have responded to multiple incidents tied to a cyberespionage campaign they track as “Fire Ant.” According to research published Thursday, Fire Ant actors are establishing initial access in organizations’ VMware systems, which have become popular targets for attackers in recent years.
    • “More importantly, Fire Ant actors used deep knowledge of the target environments and strong capabilities to consistently bypass segmentations and reach isolated portions of the network.”

From the ransomware front,

  • In line with this week’s theme, Bleeping Computer points out,
    • “A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
    • “Non-profit security organization Shadowserver is currently tracking over 420 SharePoint servers that are exposed online and remain vulnerable to these ongoing attacks.
    • “Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” the company said in a Wednesday report.”
  • July 22, 2025, CISA issued an alert and advisory on Interlock ransomware.
  • Per Bleeping Computer,
    • “Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
    • “The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains.
    • “Earlier today, the websites on the BlackSuit.onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.”

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The Trump administration’s new AI Action Plan calls for companies and governments to lean into the technology when protecting critical infrastructure from cyberattacks.
    • “But it also recognizes that these systems are themselves vulnerable to hacking and manipulation, and calls for industry adoption of “secure by design” technology design standards to limit their attack surfaces.
    • “The White House plan, released Wednesday, calls for critical infrastructure owners — particularly those with “limited financial resources” — to deploy AI tools to protect their information and operational technologies.
    • “Fortunately, AI systems themselves can be excellent defensive tools,” the plan said. “With continued adoption of AI-enabled cyberdefensive tools, providers of critical infrastructure can stay ahead of emerging threats.” * * *
    • “The Trump plan states that “all use of AI in safety-critical or homeland security applications should entail the use of secure-by-design, robust, and resilient AI systems that are instrumented to detect performance shifts, and alert to potential malicious activities like data poisoning or adversarial example attacks.”
    • “The plan also recommends the creation of a new AI-Information Sharing and Analysis Center (AI-ISAC) led by the Department of Homeland Security to share threat intelligence on AI-related threats.”
  • Cybersecurity Dive lets us know,
    • “Sean Plankey, President Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency, faced sharp questions during a Senate confirmation hearing Thursday about the looming expiration of an information-sharing law and CISA’s work on election security.
    • Plankey — currently a senior adviser to Secretary of Homeland Security Kristi Noem — explained his vision for leading an agency that has experienced major workforce cuts and faces significant budget reductions in Trump’s Fiscal Year 2026 spending proposal.”
    • The Senate Homeland Security and Governmental Affairs Committee will vote on whether to send Mr. Plankey’s nomination to the Senate floor at a business meeting next Thursday.
  • Cyberscoop adds,
    • “President Donald Trump’s pick to lead the Cybersecurity and Information Security Agency told senators Thursday that he would prioritize evicting China from the U.S. supply chain, and wouldn’t hesitate to ask for more money for the shrunken agency if he thought it needed it.
    • “If confirmed it will be a priority of mine to remove all Chinese intrusions, exploitations or infestation into the American supply chain,” Sean Plankey told Rick Scott, R-Fla., at his confirmation hearing before the Homeland Security and Governmental Affairs Committee. Scott had asked Plankey about reports of Chinese infiltration of U.S. energy infrastructure.”
  • Per a National Institute of Standards and Technology news release,
    • “NIST has issued draft updates to Special Publication (SP) 800-53 to provide additional guidance on how to securely and reliably deploy patches and updates in response to the Executive Order 14306Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. A two-week expedited public comment period on the draft updates is open through August 5, 2025.” 
  • Per a July 23, 2025, HHS news release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Syracuse ASC, LLC doing business as Specialty Surgery Center of Central New York, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules. Syracuse ASC is a single-facility, ambulatory surgery center located in Liverpool, New York that provides ophthalmic and ENT surgical services and pain management procedures to patients.” * * *
    • “The settlement resolves an OCR investigation concerning a ransomware breach of ePHI that affected 24,891 individuals. OCR initiated the investigation in October 2021 after Syracuse ASC reported to HHS that an unauthorized individual had accessed its network in March 2021. Further investigation revealed that Syracuse ASC was affected by a ransomware attack involving the PYSA ransomware variant, which is a cross-platform cyber weapon known to target the healthcare industry. OCR’s investigation found that Syracuse ASC never conducted an accurate and thorough risk analysis to determine the risks and vulnerabilities to the ePHI it held. OCR also found that Syracuse ASC failed to timely notify affected individuals and the Secretary of the breach.
    • “Under the terms of the resolution agreement, Syracuse ASC agreed to implement a corrective action plan that OCR will monitor for 2 years and paid $250,000 to OCR.”
  • Cyberscoop reports,
    • “Ukrainian authorities Tuesday [July 22, 2025] arrested the alleged administrator of XSS.is, a Russian-language cybercrime forum, following a four-year investigation by the Paris public prosecutor’s office. 
    • “Law enforcement officials from France and Europol seized the domain of the influential forum following the arrest. Authorities have not named the suspected administrator of XSS.is.
    • “The forum, which was active since 2013, had more than 50,000 registered users and was a key marketplace for stolen data, malware, access to compromised systems and ransomware services, officials said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit,” Europol said in a news release.”
  • Dark Reading alerts us,
    • “A “laptop farmer” [Christina Marie Chapman] in Arizona responsible for enabling North Korean IT worker infiltration into US companies is going to jail for eight and a half years, after raising $17 million in illicit funds for Kim Jong-Un’s regime. That news, however, is merely a drop in the justice bucket, and DPRK’s efforts to siphon salaries off of American companies is unlikely to wane anytime soon. So, US organizations need to wrap their heads around the magnitude of the threat.
    • “North Korea’s multiyear HR-compromise effort has the twin goals of earning money for the hermit kingdom’s nuclear program and other efforts via salaries, as well as gaining a foothold inside corporate networks for the purpose of planting cryptominers or malware for stealing secrets.”
  • Cybersecurity Dive adds,
    • “The U.S. Department of the Treasury on Thursday [July 24, 2025] sanctioned three North Koreans and their company for participating in remote IT worker scams and other operations designed to generate revenue for Pyongyang.
    • The sanctions target the North Korean firm Korea Sobaeksu Trading Co., Sobaeksu employee Kim Se Un, Sobaeksu “IT team leader” Jo Kyong Hun and Kim’s associate Myong Chol Min. 
    • “The Treasury Department calls Sobaeksu a front for North Korea’s Munitions Industry Department, which oversees the country’s nuclear weapons program. North Korea “has previously utilized Sobaeksu to send teams of IT workers overseas, including to Vietnam, in order to generate revenue,” the department said.”

From the cybersecurity defenses front,

  • HelpNet Security explains “Why we must go beyond tooling and CVEs to illuminate security blind spots.”
  • SC Media discusses “exposure management [, which is] a new blueprint for modern cyber defense.
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “Congress is set to revisit Stuxnet — the malware that wreaked havoc on Iran’s nuclear program 15 years ago — next week in the hopes that the pioneering attack can guide today’s critical infrastructure policy debate, CyberScoop has learned.
    • “The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing July 22 to examine the operation that, according to independent reports, was carried out by the U.S. and Israeli governments and targeted Iran’s nuclear enrichment facilities in Natanz.
    • “Witnesses listed for the hearing are Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition; Kim Zetter, cybersecurity journalist and author of “Countdown to Zero Day”; Dragos CEO Robert Lee; and Nate Gleason, Lawrence Livermore National Laboratory program leader, according to a copy of the notice.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) released a blog post titled “Securing Core Cloud Identity Infrastructure: Addressing Advanced Threats through Public-Private Collaboration.”
    • “In recent years, the cloud landscape has faced increasingly sophisticated threat activity targeting identity and authentication systems. As cloud infrastructure has become more ubiquitous—underpinning key government and critical infrastructure data—sophisticated nation-state affiliated actors have exposed limitations in token authentication, key management, logging mechanisms, third-party dependencies, and governance practices. These threats reaffirm the critical role that public-private collaboration plays to safeguard cloud infrastructure and address the evolving technical and security challenges confronting our nation.”  
  • Cyberscoop informs us,
    • “An international law enforcement operation conducted this week targeted the members of and infrastructure used by NoName057(16), a pro-Russian hacktivist group that has conducted distributed denial-of-service (DDoS) attacks across Europe since early 2022.
    • “Operation Eastwood disrupted over 100 servers worldwide and resulted in two arrests, seven international arrest warrants, and 24 house searches across multiple jurisdictions. The operation, coordinated by Europol and Eurojust with participation from 12 countries, broke up a cybercrime network that had mobilized an estimated 4,000 members who conducted attacks against entities in countries across Europe and in Israel.”
  • and
    • “An Armenian national is in federal custody and faces charges stemming from their alleged involvement in a spree of attacks in 2019 and 2020 involving Ryuk ransomware, the Justice Department said Wednesday.
    • “Karen Serobovich Vardanyan, 33, was extradited from Ukraine to the United States on June 18 and pleaded not guilty to the charges in his first appearance in federal court June 20. Vardanyan is awaiting a seven-day jury trial scheduled to begin Aug. 26.”
  • Security Week informs us,
    • “A former US soldier accused of hacking into AT&T and Verizon systems and leaking presidential call logs pleaded guilty to fraud and identity theft charges, the US Department of Justice announced.
    • “According to court documents, the individual, Cameron John Wagenius, 21, engaged in hacking and extortion activities between April 2023 and December 2024, while on active duty with the US Army.
    • “Using the nickname ‘kiberphant0m’, Wagenius and his co-conspirators aimed to defraud at least 10 organizations after obtaining login credentials for their networks.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive reports,
  • and
    • “One in four CISOs has experienced an AI-generated attack on their company’s network in the past year, and AI risks now top their priority lists, according to a report released Thursday from cybersecurity firm Team8.
    • “The true number of companies targeted by AI-powered attacks “may be even higher,” Team8 said in its report, “as most AI-driven threats mimic human activity and are difficult to detect without advanced metrics like time to exploitation and velocity indicators.”
    • “AI outranked vulnerability management, data loss prevention and third-party risk on CISOs’ priority lists, according to the report, which is based on interviews with more than 110 security leaders from major enterprises.”
  • Per Dark Reading,
    • “Automated firmware-analysis tools and the falling cost of the technical hardware needed to inspect computer processors and memory are leading to a surge in reports of firmware vulnerabilities and motherboard security weaknesses.
    • “In the latest example, motherboard manufacturer Gigabyte disclosed on July 10 that a set of four firmware vulnerabilities had persisted in its platform, even though the original issues — in the firmware provided by independent BIOS vendor AMI — were patched years ago. The issues affect the System Management Mode (SMM) modules on older Intel-based systems, Gigabyte stated in its disclosure.”
  • and
    • “When it comes to managing cybersecurity profiles for office printers, just 36% of IT teams are patching their firmware promptly — leaving a glaring gap in defenses that attackers could exploit to devastating effect.
    • “That’s according to HP Wolf Security, which found evidence of widespread failures across every stage of the printer life cycle in a global survey of 800+ IT and security decision-makers.
    • “Failure to promptly apply firmware updates to printers unnecessarily exposes organizations to threats that could lead to damaging impacts, such as cybercriminals exfiltrating critical data or hijacking devices,” according to the report, released today.”
  • Infosecurity Magazine tells us,
    • “Cybercriminals have been observed adopting AI-powered cloaking tools to bypass traditional security measures and keep phishing and malware sites hidden from detection.
    • “According to new research from SlashNext, Platforms like Hoax Tech and JS Click Cloaker are offering “cloaking-as-a-service” (CaaS), allowing threat actors to disguise malicious content behind seemingly benign websites.
    • “Using advanced fingerprinting, machine learning and behavioral targeting, these tools selectively show scam pages only to real users while feeding safe content to automated scanners.
    • “I think that this is a clear example of a technology and set of tools being used in a bad way,” said Andy Bennett, CISO at Apollo Information Systems.”
  • Per HelpNet Security,
    • “A new report from Living Security and the Cyentia Institute sheds light on the real human element behind cybersecurity threats, and it’s not what most organizations expect.
    • “The Risky Business: Who Protects & Who Puts You at Risk report analyzes data from over 100 organizations and challenges conventional thinking by revealing that a small portion of users, just 10 percent, are responsible for nearly 73 percent of all risky behavior in the enterprise.
    • “The riskiest users aren’t who and where you think,” the report notes. Surprisingly, remote and part-time workers are often less risky than full-time, in-office employees. Meanwhile, 78 percent of users help reduce cyber risk more than they contribute to it.”
  • Dark Reading explains “How Criminal Networks Exploit Insider Vulnerabilities. Criminal networks are adapting quickly, and they’re betting that companies won’t keep pace. Let’s prove them wrong.”
  • CISA added two known exploited vulnerabilities to its catalog this week.
    • July 14, 2025
      • CVE-2025-47812 Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability
        • Cybersecurity News discusses this KVE here.
    • July 18, 2025
      • CVE-2025-25257 Fortinet FortiWeb SQL Injection Vulnerability
        • The Hacker News discusses this KVE here.

From the ransomware front,

  • IT Pro lets us know,
    • Ransomware attacks come with an average recovery cost of $4.5 million, according to a recent survey, which also found a high proportion of businesses have fallen prey to the malware in the past year.
    • “Data from Absolute Security, which surveyed 500 CISOs based in the US through Censuswide, found 72% of respondents’ firms had dealt with ransomware attacks in the 12 months prior to the survey.
    • “Respondents registered extreme concern over the potential cost of ransomware attacks, with nearly three quarters (73%) indicating a successful ransomware attack could critically incapacitate their business.”
  • Chief Healthcare Executive reports,
    • “While hospitals have endured the threat of attacks from ransomware groups for years, other providers are targets for attacks.
    • “Ransomware groups are going after ambulatory surgical centers, physician practices and specialty care groups, says Steve Cagle, the CEO of Clearwater, a cybersecurity firm.
    • “We’ve seen this trend for some time now,” Cagle tells Chief Healthcare Executive®. “It’s more attacks on specialty or ambulatory …. physician practice management, specialty care groups.”
    • “Radiology centers, imaging centers, health clinics and dental clinics are also being targeted for attacks, Cagle says. More than 300 breaches of health data have already been reported to the Department of Health & Human Services in the first half of the year.”
  • Cybersecurity Dive points out,
    • “DragonForce, a cyber criminal group connected to a series of attacks against retail firms in recent months, is claiming credit for an attack on the North Carolina-based department store chain Belk.
    • “The group claimed on its leak site that it has approximately 156 gigabytes of data stolen from the company. 
    • “Researchers have linked DragonForce to an April attack on Marks & Spencer, one of the first breaches in a months-long attack spree linked to Scattered Spider. DragonForce claimed credit for the intrusion, but M&S officials believe the group was working with Scattered Spider during the attack.” 
  • Morphisec discusses “Matanbuchus [which} is a malware loader that has been available as a Malware-as-a-Service (MaaS) since 2021. It is primarily used to download and execute secondary payloads on compromised Windows systems, making it a critical first step in various cyberattacks.”
  • Infosecurity Magazine informs us,
    • “The Interlock ransomware gang has been detected targeting organizations with a new remote access trojan (RAT) in a widespread campaign, according to researchers from The DFIR Report in partnership with Proofpoint.
    • “The new malware, observed since June 2025, uses the general-purpose PHP programming language. This differs from the previously identified JavaScript-based ‘NodeSnake’ RAT deployed by Interlock.
    • “In certain cases, the deployment of the PHP variant of the Interlock RAT has led to the deployment of the Node.js version.
    • “PHP is a common web scripting language, which can be leveraged across various platforms and databases.”
  • Bleeping Computer reports,
    • “The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files.
    • “Phobos is a ransomware-as-a-service operation that launched in December 2018, enabling other threat actors to join as affiliates and utilize their encryption tool in attacks. In exchange, any ransom payments were split between the affiliate and the operators.
    • “While the ransomware operation did not receive as much media attention as other ransomware operations, Phobos is considered one of the most widely distributed ransomware operations, responsible for many attacks on businesses worldwide.”

From the cybersecurity research front,

  • Cyberscoop tells us,
    • “A financially motivated threat group is attacking organizations using fully patched, end-of-life SonicWall Secure Mobile Access 100 series appliances, Google Threat Intelligence Group said in a report released Wednesday [July 16].
    • “The group, which Google identifies as UNC6148, is using previously stolen admin credentials to gain access to SonicWall SMA 100 series appliances, remote access VPN devices the vendor stopped selling and supporting earlier this year. UNC6148 is likely intruding networks to steal data for extortion and possibly deploy ransomware, according to researchers.
    • “The attacks stress the consistent risk SonicWall customers have confronted via exploited vulnerabilities, especially a series of defects affecting the outdated SonicWall SMA 100 series devices.”
  • Per Bleeping Computer,
    • “Hackers have adopted the new technique called ‘FileFix’ in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems.
    • “Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka ‘LandUpdate808’) to deliver payloads through compromised websites.
    • “This shift in modus operandi was observed by researchers at The DFIR Report and Proofpoint since May. Back then, visitors of compromised sites were prompted to pass a fake CAPTCHA + verification, and then paste into a Run dialog content automatically saved to the clipboard, a tactic consistent with ClickFix attacks.”
  • Per Cybersecurity Dive,
    • “Microsoft on Wednesday said it has seen the cybercrime group Scattered Spider using new techniques in attacks on the airline, insurance and retail industries since April. 
    • “The hacker group, which Microsoft tracks as Octo Tempest, is still using its trademark social-engineering tactics to gain access to companies by impersonating users and contacting help desks for password resets, according to the Microsoft Defender Security ResearchTeam blog post. 
    • “But the hackers are also abusing short messaging services and using adversary-in-the-middle tactics. And in recent attacks, the threat group has deployed the DragonForce ransomware and concentrated on breaching VMWare ESX hypervisor environments.” 
  • Per Dark Reading,
    • “A threat actor known as “PoisonSeed” was credited with a novel attack technique that is able to bypass FIDO-based protections in an organization.
    • “That’s according to a report this week from MDR vendor Expel, titled “PoisonSeed bypassing FIDO keys to ‘fetch’ user accounts.” FIDO, or Fast Identity Online, refers to a technology-agnostic set of specifications for authentication. The technology, which was originally developed by the FIDO Alliance, is considered a gold standard in security, commonly seen in non-password authentication technologies like physical security keys.
    • Expel’s research concerns a strategy for gaining access to a victim through the cross-device sign-in features available in FIDO security keys in a way that can bypass certain safeguards. Though the report does not concern a vulnerability in FIDO technology itself, it acts as a reminder to the defender that security does not end with a phishing-resistant security key.”

From the cybersecurity defenses front,

  • Cybersecurity Dive interviews Mark Ryland who is Amazon’s security director.
  • CSO calls attention to “eight tough trade-offs every CISO must navigate.”
  • Blocks and Files explains how a “simulated ransomware attack reveals gaps in recovery planning.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

David ErmerCybersecurity

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The tax and spending bill Congress sent to President Donald Trump and that he signed into law over the holiday weekend [the One Big Beautiful Act] contains hundreds of millions of dollars for cybersecurity, with a heavy emphasis on military-related spending.
    • “The biggest single pot of money under the “One Big Beautiful Bill” would be for Cyber Command, a $250 million allocation for “artificial intelligence lines of effort.” Another $20 million would go to cybersecurity programs at the Defense Advanced Research Projects Agency.
    • “The U.S. Indo-Pacific Command — which counts among its geographical areas of responsibility territorial waters for cyber adversaries in Russia, China and North Korea — would get $1 million for cyber offensive operations. Cyber offense was something the second Trump administration emphasized when coming into office.”
  • Cybersecurity Dive adds,
    • Congress must reauthorize a cybersecurity threat information sharing law before it expires in October, a group of leading technology companies told lawmakers on Monday.
    • The 2015 Cybersecurity Information Sharing Act “has enabled rapid dissemination of actionable threat intelligence to protect networks before an incident occurs, more coordinated responses to cyber incidents; and improved situational awareness across multiple sectors,” the Hacking Policy Council said in a letter to House and Senate homeland-security committee leaders.
    • “The council’s members include tech giants Google, Microsoft and Intel; security firm Trend Micro; and bug bounty platforms Bugcrowd, HackerOne and Intigriti. The group advocates for policies that improve vulnerability management, security research and penetration testing.
    • “The CISA law, which offers legal protections for companies that share threat information, is set to expire on Sept. 30. There is bipartisan support on Capitol Hill for renewing the law, but lingering questions could complicate its prospects, including whether any lawmakers will press for changes to the program and whether the reauthorization will be attached to a larger must-pass bill or proceed on its own.”
  • The Government Accountability Office released a positive report about the 2015 Cybersecurity Information Sharing Act earlier this week.
  • Per Cybersecurity Dive,
    • “The Securities and Exchange Commission has reached a settlement with SolarWinds and the company’s chief information security officer, Timothy Brown, to resolve charges stemming from the Russian-backed cyberattack on the company’s systems.
    • “The parties “have reached a settlement in principle that would completely resolve this litigation,” the SEC said in a filing last week with the federal judge in New York who is overseeing the commission’s lawsuit against the company.
    • ‘The judge quickly approved the SEC’s request to stay deadlines in the case, including oral arguments previously scheduled for July 22. “The Court congratulates counsel and the parties on this productive development,” the judge said. He gave SolarWinds, Brown and the SEC until Sept. 12 to either file settlement paperwork or provide a status update on the settlement process.” * * *
    • “Adam Hickey, a partner at Mayer Brown and a former federal prosecutor handling cyber and national security cases, said an examination of the eventual settlement terms would reveal “whether and to what extent the SEC is abandoning certain theories or allegations.”
    • “So far, the SEC has not moved to rescind the rule requiring cybersecurity disclosures in annual and periodic reports,” he said. “The settlement may or may not point in that direction.”
  • Per an HHS news release,
    • “Today [July 7, 2025], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Deer Oaks – The Behavioral Health Solution (Deer Oaks), a behavioral health provider, resolving potential violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Deer Oaks provides psychological and psychiatric services to residents of long-term care and assisted living facilities.” * * *
    • The settlement principally related to an August 2023 ransomware attack that affected 171,000 patients.
    • “Under the terms of the resolution agreement, Deer Oaks agreed to implement a corrective action plan that OCR will monitor for two years and paid $225,000 to OCR.” * * *
    • The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-racap-deer-oaks.pdf [PDF, 183 KB]
  • Cybersecurity Dive informs us,
    • “Italian authorities and FBI agents have arrested a Chinese man who allegedly helped Beijing’s Hafnium group conduct a series of high-profile cyberattacks in 2020 and 2021.
    • “Xu Zewei, 33, faces charges of hacking into the computers of U.S. researchers studying the COVID-19 virus and exploiting vulnerabilities in Microsoft Exchange servers that kicked off a global attack spree. The Justice Department announced his indictment and arrest on Tuesday, [July 8,] along with charges against another Chinese man, 44-year-old Zhang Yu, who remains at large.
    • “Both men carried out the attacks on behalf of China’s Ministry of State Security, prosecutors alleged.”
  • Per Cyberscoop,
    • “At the request of the United States, French police arrested a professional Russian basketball player who had a brief tenure at Penn State over accusations that he was part of a ransomware ring, according to overseas reports.
    • “News of the arrest of Daniil Kasatkin came in a court in Paris on Wednesday [July 9]. His lawyer denied to foreign press that he was part of any ransomware ring. * * *
    • “Kasatkin is allegedly part of a hacking outfit that the news outlets did not name, but that American investigators believe has attacked 900 institutions, including two U.S. federal entities, between 2020 and 2022. Authorities said he negotiated ransomware payments on behalf of the ring.”
  • and
    • “Three teenagers and a 20-year-old woman were arrested Thursday by the U.K.’s National Crime Agency for their alleged role in cyberattacks on major retailers Marks & Spencer (M&S), Co-op, and Harrods.
    • “The arrests, comprising British and Latvian nationals, followed sustained investigations into attacks that crippled the retailers’ operations. The NCA’s National Cyber Crime Unit detained all four at their homes and seized their electronic devices.” * * *
    • “The particular incidents that led to these arrests occurred in April, with attackers crippling the online services of Marks & Spencer, a popular retailer in the U.K. The company’s online sales channels were halted, contactless payments and click-and-collect options were disrupted, and in-store product availability suffered. The attack also resulted in the theft of customer information, including names, email addresses, and postal data. Recovery efforts began in June, with the retailer eventually restoring sections of its online business across the U.K.”

From the cybersecurity breaches and vulnerabilities front,

  • Radiology Business reports,
    • “A PET imaging provider was recently impacted by a phishing attack, forcing the company to notify patients about the breach. 
    • “Nashville, Tennessee-based Integrated Oncology Network alerted Health and Human Services in late June about the hacking incident, which occurred in December. Affected locations include PET Imaging of Tulsa, Oklahoma, and similarly branded centers in cities such as Houston, Dallas and Sugar Land, Texas. 
    • “Information accessed by third parties may have included dates of birth, diagnoses, financial account info and (“for a small number of individuals”) Social Security numbers.” * * *
    • “The network notified physicians about the phishing attack on June 13 and started alerting customers on June 27. This after a May investigation determined there was unauthorized access to patient information in a “small number” of email and SharePoint accounts. ION is urging patients to review their statements from providers and insurance plans to see if they find any inconsistencies. It’s also providing additional cybersecurity training to staffers, according to the notice. 
    • Schubert Jonckheer & Kolbe sent a news alert on July 9, with the law firm launching an investigation into the cyber incident. It estimated that nearly 114,000 individuals may have been affected, with the firm now considering filing a suit against Integrated Oncology Network.”
  • Cybersecurity Dive adds,
    • “Mobile phishing scams are becoming an increasingly serious threat, but companies aren’t taking that threat seriously enough, the mobile security firm Lookout said in a report released Thursday.
    • “Nearly six in 10 companies “have experienced incidents due to executive impersonation scams via text or voice” and 77% have experienced at least one such attack in the past six months, Lookout said in the report. Yet despite the pervasiveness of these attacks, “only half of respondents are very concerned” about the threat, the report found.
    • “The findings — based on a survey of more than 700 security leaders — reflect “a dangerous situation that leaves businesses overconfident and more vulnerable to modern threats than they realize,” Lookout said.
    • “Hackers are increasingly relying on mobile voice and text phishing messages to trick workers into handing over their passwords, granting attackers access to computer networks through legitimate accounts that raise fewer red flags on security monitoring platforms.”
  • and
    • “Hackers linked to the Iranian government have escalated attacks against certain U.S. critical infrastructure since the beginning of the Israel-Iran conflict, according to new research.
    • “The Iran-linked threat groups, tracked as MuddyWater, APT33, OilRig, CyberAv3ngers, FoxKitten and Homeland Justice, tried to breach at least 10 U.S. companies, mostly in the transportation and manufacturing sectors, researchers at Nozomi Networks said on Wednesday.
    • “MuddyWater targeted five firms, APT33 targeted three and the others targeted two, according to the research.”
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
    • July 7, 2025
      • CVE-2014-3931 Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability
      • CVE-2016-10033 PHPMailer Command Injection Vulnerability
      • CVE-2019-5418 Rails Ruby on Rails Path Traversal Vulnerability
      • CVE-2019-9621 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
        • SC Media discusses these KVEs here.
          • “What made these four bugs of special note were that two date back to 2019, one to 2016, and the fourth was first identified in 2014, underscoring that security teams have to keep tabs on all bugs and continually monitor and stay up-to-date with patching. Two of the four were rated critical.
    • July 10, 2025
      • CVE-2025-5777 Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability.
        • Cybersecurity Dive and Bleeping Computer discuss this KVE.
          • “[CISA] has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes.
          • “Such a short deadline for installing the patches is unprecedented since CISA released the Known Exploited Vulnerabilities (KEV) catalog, showing the severity of the attacks exploiting the security issue.
          • “The agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog yesterday, ordering federal agencies to implement mitigations by the end of today, June 11.”
  • Per SC Media,
    • “A newly disclosed infostealer dubbed “NordDragonScan” executes stealthily on Windows machines using living-off-the-land (LOTL) techniques, Fortinet reports.  
    • “The attack kicks off when users visit a site called secfileshare[.]com, which downloads a RAR archive designed to look like a Ukrainian government document, Fortinet’s FortiGuard Labs Threat Research unit described in a blog post Monday.
    • “A LNK shortcut within the archive invokes the Windows utility mshta.exe to retrieve and execute an HTML Application (HTA) script from the secfileshare[.]com domain, called 1.hta.
    • “This HTA copies the legitimate PowerShell.exe binary to the Documents folder and renames to install.exe to hide its activity. It then downloads a benign decoy document, tricking the victim into believing this is the file they installed while the malicious payload runs in the background.”

From the ransomware front,

  • Dark Reading warns,
    • “Changes are afoot at Pay2Key, a ransomware-as-a-service (RaaS) gang with ties to a notorious Iranian nation-state threat group, and it could spell trouble for the US.
    • “Pay2Key was first observed in 2020, and while it has been one of the lesser-known RaaS gangs, it achieved some notoriety for hack-and-leak attacks on Israeli organizations. Over the years, cybersecurity vendors and US authorities alike have tied the gang to Fox Kitten, an Iranian state-sponsored threat group also known as UNC757.
    • “Now, researchers at Morphisec say Pay2Key has re-emerged with a new approach: targeting Western organizations and offering higher payouts for attacks that meet the gang’s geopolitical goals in the wake of Israel-Iran-US conflict. According to a new report from Morphisec Labs researchers, the gang has raised its affiliate profit-sharing from 70% to 80% for attacks against “the enemies of Iran.”
  • CSO offers us an “anatomy of a Scattered Spider attack: A growing ransomware threat that evolves.”

From the cybersecurity threat research front,

  • Cyberscoop reports,
    • “Cybersecurity researchers have identified four significant security vulnerabilities in a widely used automotive Bluetooth system that could potentially allow remote attackers to execute code on millions of vehicles worldwide.
    • “The vulnerabilities, collectively named PerfektBlue by PCA Cyber Security, affect OpenSynergy’s BlueSDK Bluetooth stack, which is used to implement Bluetooth functionality in embedded systems, with a strong emphasis on automotive applications. The vulnerabilities impact technology used in Mercedes-Benz, Volkswagen, and Skoda automobiles. A fourth manufacturer, which researchers have not publicly identified, is also confirmed to use the affected technology.
    • “The discovery highlights the expanding attack surface in modern connected vehicles, where Bluetooth-enabled infotainment systems have become standard equipment. The researchers found that the four vulnerabilities can be linked together in an exploit chain, potentially allowing attackers to gain unauthorized access to vehicle systems through Bluetooth connections.”
  • Dark Reading adds,
    • “Systemic vulnerabilities in embedded Subscriber Identity Module (eSIM) cards have exposed billions of devices to spying, SIM swaps, and other threats.
    • “For some time now, traditional SIM cards have been slowly ceding to eSIMs. eSIMs allow multiple phone carrier subscriptions to exist on a single device. Unlike traditional SIM cards, you can’t physically remove and replace them, and they tout superior security.
    • “New research suggests, though, that they actually introduce significant security risks. Using a Kigen embedded Universal Integrated Circuit Card (eUICC) card, Adam Gowdiak, founder and CEO of Security Explorations, found that attackers could theoretically breach eSIMs to spy on their users, manipulate their services, and steal valuable information from mobile network operators(MNOs).”
  • Bleeping Computer notes,
    • “A novel tapjacking technique can exploit user interface animations to bypass Android’s permission system and allow access to sensitive data or trick users into performing destructive actions, such as wiping the device.
    • “Unlike traditional, overlay-based tapjacking, TapTrap attacks work even with zero-permission apps to launch a harmless transparent activity on top of a malicious one, a behavior that remains unmitigated in Android 15 and 16.
    • “TapTrap was developed by a team of security researchers at TU Wien and the University of Bayreuth (Philipp Beer, Marco Squarcina, Sebastian Roth, Martina Lindorfer), and will be presented next month at the USENIX Security Symposium.”
  • and
    • “NVIDIA is warning users to activate System Level Error-Correcting Code  mitigation to protect against Rowhammer attacks on graphical processors with GDDR6 memory.
    • “The company is reinforcing the recommendation as new research published by the University of Toronto demonstrates the practicallity of Rowhammer attacks against an NVIDIA A6000 GPU (graphical processing unit).
    • “We ran GPUHammer on an NVIDIA RTX A6000 (48 GB GDDR6) across four DRAM banks and observed 8 distinct single-bit flips, and bit-flips across all tested banks,” describe the researchers.’

From the cybersecurity defenses front,

  • Dark Reading reports,
    • The cyber-insurance market continues to generate profits for underwriters, but competition in the market and softening demand has led to a decline in the total revenue from premiums for the third straight year in a row — a situation that could work in businesses’ favor.
    • Overall, cyber-insurance experts expect premiums to continue to decline in 2025 and likely level off next year, as market economics balance supply and demand. Renewal rates for cyber-insurance policies have declined each quarter for the last three quarters, which is expected to continue, according to credit and economic firm Fitch Ratings.
    • “As businesses shop around for better rates on cyber coverage — or take a pause to reassess — insurers continue to lower rates by mid- to low-single-digit percentages, says Gerry Glombicki, senior director at Fitch Ratings.
    • “Historically, cyber insurance has been pretty profitable — even with 2017” and the damage from WannaCry and NotPetya, he says. “Now, the number of policies they’re selling is down year-over-year, and their pricing is down … because the returns that the insurers have [historically] gotten have been good, so they have to give up some of that.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “U.S. government officials said critical infrastructure operators should be on alert for Iranian cyberattacks.
    • “In a threat advisory published Monday [June 30], multiple agencies said Iran might target U.S. firms “for near-term cyber operations” due to “the current geopolitical environment” — a reference to the Trump administration joining Israel’s aerial campaign against Iran’s nuclear program and related assets.
    • “Defense contractors, especially firms that have relationships with Israeli companies, are likely at heightened risk of targeting, according to the advisory.”
  • and
    • “The Department of Justice on Monday [June 30] announced a series of actions as part of an investigation into the North Korean government’s deployment of its citizens abroad to pose as IT workers and illicitly earn money for the regime.
    • “Newly unsealed charging documents describe two separate schemes to trick U.S. companies into hiring people who funneled their paychecks to the North Korean government and exploited their access to the companies’ networks to steal sensitive information and cryptocurrency.
    • “Law enforcement officials, who have repeatedly issued alerts about Pyongyang’s IT worker schemes, warned U.S. businesses on Monday to carefully screen their remote employees to avoid falling victim to similar ruses.
  • Cyberscoop tells us,
    • “The Chinese hackers behind the massive telecommunications sector breach are “largely contained” and “dormant” in the networks, “locked into the location they’re in” and “not actively infiltrating information,” the top FBI cyber official told CyberScoop.
    • “But Brett Leatherman, new leader of the FBI Cyber division, said in a recent interview that doesn’t mean the hackers, known as Salt Typhoon, no longer pose a threat.
    • “While there’s been some debate about whether Salt Typhoon should be getting more attention than fellow Chinese hackers Volt Typhoon — whom federal officials have said are prepositioned in U.S. critical infrastructure, poised for destructive action in the event of a conflict with the United States — Leatherman said the groups aren’t as different as some think.
    • “Salt Typhoon, even though it was [an] espionage campaign, had access to telecommunications infrastructure,” he said. “You can pivot from access in support of espionage to access in support of destructive action.”
  • and
    • “Federal authorities levied sanctions Tuesday on Aeza Group, a bulletproof hosting service provider based in Russia, for allegedly supporting a broad swath of ransomware, malware and infostealer operators.
    • “Aeza Group has provided servers and specialized infrastructure to the Meduza, RedLine and Lumma infostealer operators, BianLian ransomware and BlackSprut, a Russian marketplace for illicit drugs, according to the Treasury Department’s Office of Foreign Assets Control. Lumma infected about 10 million systems before it was dismantled through a coordinated global takedown in May.
    • “The Treasury Department’s action against Aeza Group follows a wave of cybercrime crackdowns across the globe. Prolific cybercriminals have been arrested, and infostealers, malware loaders, counter antivirus and crypting services, cybercrime marketplaces, ransomware infrastructure and DDoS-for-hire operations have all been seized, taken offline or severely disrupted by global coordinated campaigns since May.
    • “Officials accused Aeza Group of helping cybercriminals target U.S. defense companies and technology vendors.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive informs us,
    • “Australian carrier Qantas said hackers who breached one of its call centers stole a significant quantity of customer data.
    • “The airline said on its website that it detected unusual activity on Monday [June 30] on a third-party platform that one of its call centers used. The airline took immediate action and was able to contain the attack, which it blamed on a criminal hacker.
    • “Qantas said it is investigating the extent of the intrusion but warned that the hackers accessed a “significant” amount of customer data, including names, addresses, phone numbers, dates of birth and frequent-flyer numbers. 
    • “The breach did not compromise any credit card details, personal financial information or passport information, Qantas said, because those are stored in a separate system. The intrusion also did not expect login information for customers’ frequent-flyer accounts.
    • “Qantas said it was working with government authorities, including the Australian Cyber Security Centre and the National Cyber Security Coordinator, as well as independent forensic experts to investigate the breach.
    • “All of Qantas’ systems are now secure and the airline is operating normally, according to the company. It said it was in the process of contacting customers to alert them to the incident.” 
  • Per Security Week,
    • “Missouri healthcare provider Esse Health is notifying over 263,000 people that their personal information was stolen in a disruptive April 2025 cyberattack.
    • “The incident was discovered on April 21 and impacted the organization’s access to the electronic medical record system, while also taking down its phone system.
    • “By May 13, the healthcare provider had restored certain systems and was able to fulfill scheduled appointments or procedures. The phone systems were restored in early June, along with other primary patient-facing network systems, the organization said in an incident notice.
    • “On June 20, Esse Health said its investigation into the attack determined that a threat actor breached its network on April 21 and stole files containing personal information.
    • “The exfiltrated data included names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, health information, and health insurance details.”
  • and
    • “Benefits and payroll solutions firm Kelly & Associates Insurance Group (dba Kelly Benefits) has informed authorities that a recent data breach impacts more than 550,000 people.
    • “The company revealed in April that hackers had gained access to its systems in December 2024, and an investigation had shown that the threat actor managed to steal files storing personal information.
    • “The incident resulted in the theft of information such as name, date of birth, Social Security number, tax ID number, medical information, health insurance information, and financial account information. 
    • “Kelly Benefits is notifying impacted individuals on behalf of more than 40 affected customers, including Aetna Life Insurance Company, Amergis, Beam Benefits, Beltway Companies, CareFirst, The Guardian Life Insurance Company of America, Fidelity Building Services Group, Intercon Truck of Baltimore, Humana Insurance ACE, Merritt Group, Publishers Circulation Fulfilment, Quantum Real Estate Management, United Healthcare, and Transforming Lives.
    • Data breach reports submitted by Kelly Benefits to the Maine Attorney General’s Office since early April show that the number of impacted individuals has steadily increased as the company’s investigation progressed.” 
  • The Center for Medicare and Medicaid Services announced on June 30,
    • The Centers for Medicare & Medicaid Services (CMS) is notifying Medicare beneficiaries whose personal information may have been involved in a data incident affecting Medicare.gov accounts. CMS identified suspicious activity related to unauthorized creation of certain beneficiary online accounts using personal information obtained from unknown external sources. CMS takes this situation very seriously. The safeguarding and security of personally identifiable information is of the utmost importance to CMS. 
    • Following detection of the incident, CMS worked quickly to deactivate affected accounts, assess the scope and impact of the compromise, and mitigate the effects on impacted individuals. CMS is working closely with appropriate parties to investigate this situation.
    • Approximately 103,000 beneficiaries may have been impacted. Notifications to affected individuals are being mailed, informing them of the incident, outlining steps being taken to protect their information, and providing guidance on actions they may wish to take. 
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • Dark Reading warns
    • “While browser extensions add useful functionality to Web browsers, such as blocking ads, managing passwords, and taking notes, they also increase the organization’s security and privacy risks.
    • “Browser extensions require certain levels of permissions that are attractive to attackers. Some extensions need access to the user’s location, browsing history, or the user’s clipboard to see what data the user has copied. Some extensions go further, requesting access to nearly all of the data stored on the user’s computer as well as the data accessed while visiting different websites. Attackers can exploit extensions with these heightened permissions to access potentially sensitive information, such as Web traffic, saved credentials, and session cookies.
    • “Even extensions with relatively modest permissions can manipulate those permissions to obtain access to the inner workings of every Web page displayed on a user’s screen, warns LayerX CEO and co-founder Or Eshed. LayerX research shows that 53% of enterprise users have installed extensions labeled with “high” or “critical” permissions scope. This is why browser extensions are a prime avenue for exploitation by threat actors, he adds.  
    • “[Attackers] can use it to copy or rewrite data or exploit Web page permissions for even more access,” Eshed says.”
  • Security Week adds,
    • A vulnerability in the Forminator WordPress plugin could allow attackers to take over more than 400,000 impacted websites.
    • A popular form builder plugin with more than 600,000 active installations, Forminator supports the creation of various types of forms, including contact and payment forms, polls, and more.
    • The WordPress plugin was found vulnerable to CVE-2025-6463 (CVSS score of 8.8), an arbitrary file deletion flaw that exists because file paths are not sufficiently validated in a function used to delete a form submission’s uploaded files.

From the ransomware front,

  • Bleeping Computer reports,
    • “The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom.
    • “After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with,” the cybercrime gang says in a statement published on its dark web leak earlier today.
    • “As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.” * * *
    • “Threat intelligence firm Group-IB also revealed in April that Hunters International was rebranding with plans to focus on data theft and extortion-only attacks and had launched a new extortion-only operation known as “World Leaks.”
  • Security Week advises,
    • The key tool for surviving ransomware, or any attack scenario, is an IR plan. But an IR plan is only worthwhile if it’s comprehensive, current, and tested. IR plans are not “best practices”, nor singular documents stored in a safe place. They are living resources that require attention and maintenance. In this way, the proof of an IR plan’s efficacy is in that organizational muscle memory – most effectively trained through Tabletop exercises.  So, what are the primary “muscles,” and the repetitive “exercises” in which you can train an organization to respond decisively, immediately, confidently, and automatically.”
      • Plan your workout
      • Warm up
      • Train, recover, repeat
      • Measure your gains 

From the cybersecurity defenses and business front,

  • Withum offers guidance on how to align your firm’s cybersecurity practices with Labor Department best practices for ERISA plan fiduciaries.
  • Per Security Week,
    • Cloudflare has reversed its block on AI-crawling from optional to default, allowing finer grained crawling but only with agreement from all parties concerned.
    • LLMs are what they learn. From their inception the biggest source of learning has been the internet, so there has been a natural tendency for AI developers to scrape the internet as widely as possible.
    • Cloudflare has now introduced an option for their customers to accept or reject website scraping by AI vendors. Hitherto, internet scraping has been a major part of gathering training data for large LLM (gen-AI) developers; but the process has raised questions and objections over legality, copyright infringement, and accuracy.
  • Dark Reading lets us know,
    • “How businesses can align cyber defenses with real threats. Companies that understand the motivations of their attackers and position themselves ahead of the competition will be in the best place to protect their business operations, brand reputation, and their bottom line.”
  • and
    • “One year after a buggy CrowdStrike update knocked IT systems offline, organizations seeking to strike the right balance between security and productivity have viewed the incident as a learning opportunity.
    • “The cost of the CrowdStrike outage was estimated at $5.4 billion, affecting payment systems, airline reservations, and a variety of other industries. The impact of the outage highlights why many operational technology (OT) teams are as sensitive to patches and other updates in their critical infrastructure, as they are highly averse to outages that can happen if such updates are defective.
    • “But when balancing security and productivity, it is imperative not to view the CrowdStrike outage as a reason to forgo patching completely. The ever-growing volume of vulnerabilities and threats requires organizations to remain resilient and anti-fragile — that is, to have the ability to proactively respond to issues and continuously improve.”
  • Per Security Week,
    • “LevelBlue announced on Tuesday [July 1] that it’s acquiring managed detection and response (MDR) services company Trustwave from The Chertoff Group’s MC² Security Fund.
    • LevelBlue, formerly known as AT&T Cybersecurity, was launched in May 2024 as a joint venture between WillJam Ventures and AT&T. 
    • “The company’s acquisition of Trustwave comes shortly after it announced plans to buy Aon’s cybersecurity consulting business. The deals are part of a plan to become the largest pure-play managed security services provider (MSSP). 
    • “Once the acquisition has been completed, LevelBlue’s expertise in strategic risk management and cybersecurity infrastructure will be integrated with Trustwave’s platform and MDR service.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • Federal News Network reports,
    • “House appropriators have advanced a homeland security spending bill that endorses many of the Trump administration’s budget proposals, while rejecting steep cuts to cybersecurity and artificial intelligence personnel.
    • “The fiscal 2026 homeland security appropriations measure includes $66.36 billion in discretionary spending. The GOP-led committee passed the bill Tuesday [June 24, 2025] on a 36-27 vote.
    • “The bill follows the broad contours of Trump administration policies by prioritizing funding for Customs and Border Protection and Immigration and Customs Enforcement. Appropriators are also expecting significant funding for the Department of Homeland Security to be included in the budget reconciliation bill.”
  • Cyberscoop tells us,
    • “With time running short before expiration of a cyber information-sharing law highly valued by the private sector, Congress is taking a look at the possibility of a short-term extension.
    • “The 2015 Cybersecurity Information Sharing Act, which provided legal safeguards for companies to share threat data, is due to sunset at the end of September, and Congress doesn’t tend to work much in August.
    • “A bipartisan pair of senators have introduced a bill to simply extend it for another 10 years. But a House bill is still in the works and might take a different approach that involves making changes to the law going forward, industry officials told CyberScoop on Wednesday. Getting competing proposals through both chambers, then settling differences and finalizing a bill to get to the president’s desk, could take significant time.
    • “There are other things that are being considered in the mix,” said John Miller, senior vice president of policy for trust, data and technology and general counsel at the Information Technology Industry Council. One would be attaching language to a continuing resolution funding measure that would extend the 2015 law for a short period of time.”
  • Cybersecurity Dive informs us,
    • “Federal officials and private-sector security leaders said Tuesday [June 24, 2025] that they are closely monitoring for cyberattacks related to the Iran conflict but thus far have not observed any significant activity. 
    • The Department of Homeland Security warned Sunday that Iran-linked actors or hacktivist groups may launch attacks against U.S. critical infrastructure operators, citing a recent history of attacks against poorly configured water utilities and other systems. 
    • “An apparent truce announced late Monday by President Donald Trump appeared to lower international tensions, but officials remain on guard for any potential threat activity.
    • “The Cybersecurity and Infrastructure Security Agency (CISA) “is actively coordinating with government, industry, and international partners to share actionable intelligence and strengthen collective defense,” CISA spokesperson Marci McCarthy said in a statement. “There are currently no specific credible threats against the homeland.”
  • NextGov/FCW notes,
    • “Morgan Adamski is leaving her role as executive director of U.S. Cyber Command, handing the reins to Patrick Ware.
    • “After 17 years of service at the National Security Agency, I’ve decided to turn the page to an exciting new chapter in my career. It has been an extraordinary journey contributing to the defense of our Nation and advancing the cybersecurity mission across the U.S. Government,” Adamski wrote in a LinkedIn post Friday [June 27, 2025].
    • “The number three spot in the combatant command is typically held by a civilian on detail from the National Security Agency.
    • “Though Adamski did not clarify where she would be headed next, she noted her commitment to ensuring there were cyber solutions on “both sides of the fence.”
  • CISA and the National Security Agency have released a report titled “Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development.’
  • Per Cyberscoop,
    • Kai West, a prolific cybercriminal better known for operating under the moniker “IntelBroker,” was arrested in France earlier this year and faces federal charges for allegedly stealing data from more than 40 organizations during a two-year period, the Justice Department said Wednesday [June 25, 2025]. 
    • Federal prosecutors unsealed a four-count indictment charging West, a British national, with conspiracy to commit computer intrusions, accessing a protected computer to obtain information and wire fraud. The United States is seeking his extradition for the charges, which each carry maximum sentences of five to 20 years in prison. 

From the cybersecurity breaches and vulnerabilities front,

  • Beckers Health IT identifies the top ten states for healthcare data breaches between February 2023 and April 2025.
  • CISA added three known exploited vulnerabilities to its catalog this week.
    • June 25, 2025
      • CVE-2024-54085 AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
        • Network World discusses this KVE here.
      • CVE-2024-0769 D-Link DIR-859 Router Path Traversal Vulnerability
        • Cybersecurity News discusses this KVE here.
      • CVE-2019-6693 Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability
        • Cybersecurity News discusses this KVE here.
  • Cyberscoop reports,
    • Citrix on Wednesday [June 25, 2025] disclosed an actively exploited zero-day vulnerability affecting multiple versions of NetScaler products, an alarming development from a vendor that’s been widely targeted in previous attack sprees.
    • The zero-day (CVE-2025-6543) was disclosed by Citrix nine days after it issued a security bulletin for a pair of defects (CVE-2025-5777 and CVE-2025-5349) in the same products. All three vulnerabilities affect the company’s networking security appliance NetScaler ADC and its virtual private network NetScaler Gateway. 
    • “Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” Citrix said in a security bulletin for the zero-day. Citrix did not respond to a request for comment. 
    • Citrix described the critical zero-day CVE-2025-6543, which has a base score of 9.2 on the CVSS scale, as a memory overflow defect that attackers can exploit for unintended control flow and denial of service. Exploitation can only occur if targeted NetScaler instances are configured as a gateway or an authentication, authorization and accounting (AAA) virtual server, according to Citrix.”
  • and
    • “The aviation industry has seemingly become the latest target of Scattered Spider, a sophisticated cybercriminal group that has shifted its focus from retail and insurance companies to airlines in what cybersecurity experts describe as a coordinated campaign against the sector.
    • “Hawaiian Airlines disclosed a cybersecurity incident Friday [June 27, 2025] affecting some of its IT systems while maintaining that flights continued operating safely and on schedule. The attack, first detected June 23, according to SEC filings, prompted the airline to engage federal authorities and cybersecurity experts for investigation and remediation efforts.
    • “Multiple incident responders have attributed the Hawaiian Airlines attack to Scattered Spider, also known as Muddled Libra or UNC3944. The assessment comes as cybersecurity firms Unit 42 and Mandiant issued warnings about the group’s apparent pivot to targeting aviation companies.
    • “Charles Carmakal, chief technology officer at Mandiant Consulting – Google Cloud, confirmed his company is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.” The group has demonstrated a pattern of focusing intensively on single industries before moving to new sectors.”
  • Per Hacker News,
    • “Unknown threat actors have been distributing a trojanized version of SonicWall’s SSL VPN NetExtender application to steal credentials from unsuspecting users who may have installed it.
    • “NetExtender enables remote users to securely connect and run applications on the company network,” SonicWall researcher Sravan Ganachari said. “Users can upload and download files, access network drives, and use other resources as if they were on the local network.”
    • “The malicious payload delivered via the rogue VPN software has been code named SilentRoute by Microsoft, which detected the campaign along with the network security company.” * * *
    • “The development comes as G DATA detailed a threat activity cluster dubbed EvilConwi that involves bad actors abusing ConnectWise to embed malicious code using a technique called authenticode stuffing without invalidating the digital signature.
    • “The German cybersecurity company said it has observed a spike in attacks using this technique since March 2025. The infection chains primarily leverage phishing emails as an initial access vector or through bogus sites advertised as artificial intelligence (AI) tools on Facebook.”

From the ransomware front,

  • Bleeping Computer notes,
    • “Ahold Delhaize, one of the world’s largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems.
    • “The multinational retailer and wholesale company operates over 9,400 local stores across Europe, the United States, and Indonesia, employing more than 393,000 people and serving approximately 60 million customers each week in-store and online.” * * *
    • “In a Thursday filing with Maine’s Attorney General, the retail giant revealed that the attackers behind the November breach stole the data of 2,242,521 individuals after gaining access to the company’s internal U.S. business systems on November 6, 2024.”Mich
  • Michigan Health Watch adds,
  • Dark Reading reports,
    • “A newly discovered ransomware group dubbed “Dire Wolf” has already taken a bite out of 16 organizations globally since its emergence only last month, mainly across the technology and manufacturing sectors, researchers have found.
    • “The group uses a double extortion tactic with a monthlong turnaround time for paying ransom, and deploys custom encryptors tailored to specific victims, security firm Trustwave revealed in a blog post published June 24. Researchers from Trustwave SpiderLabs recently uncovered and observed a ransomware sample from the emerging threat group and gained insights on how it operates, they said.
    • “So far, the group’s victims have spanned 11 countries, with the US and Thailand reporting the highest numbers of attacks, followed by Taiwan. So far, five of the 16 victims listed on the group’s data leak site have data scheduled to be uploaded by the end of June, presumably because they didn’t pay the ransom, according to the post.”
  • Per Cybersecurity Dive,
    • “Only half of ransomware attacks on organizations this year have involved data encryption, once the attack’s defining feature, according to a Sophos report published on Tuesday [June 24, 2025].
    • “Both the average ransom demand and average ransom payment have dropped significantly over the past year (by 34% and 50%, respectively).
    • “Less than a third of respondents in the survey who paid a ransom said the amount matched the attackers’ initial demand, with 53% of victims paying less and 18% paying more.”

From the cybersecurity defenses front,

  • Cyberscoop reports,
    • “When a faulty software update from cybersecurity firm CrowdStrike last year caused possibly the largest IT outage in history, Microsoft ended up taking much of the blame.
    • “CrowdStrike’s Falcon endpoint detection and response was on millions of Windows devices worldwide, and like most antivirus products that need broad access to different systems to do their job, the software had direct access to the Windows kernel.
    • “When CrowdStrike’s update crashed, so did millions of Windows-powered systems and devices around the world. A series of security announcements by Microsoft on Thursday [June 26, 2025] are designed to reduce the possibility of future third-party outages and other security threats that can take an organization’s IT out of commission for extended durations.
    • “Among those changes: antivirus software like the kind installed by CrowdStrike and other third-party cybersecurity will no longer have direct access to the Windows kernel. The company will be previewing a new endpoint security platform to vendors next month that requires security updates to go through layers of testing and review before they ship to Windows devices and systems worldwide.”
  • Per Cybersecurity Dive,
    • “Cybersecurity insurance premiums declined 2.3% year over year to roughly $7.1 billion in 2024, according to a new report released on Monday [June 23, 2025] by credit rating agency AM Best.
    • “Meanwhile, cyber insurance providers’ loss ratio — the proportion of premiums they use to pay out claims — remained below 50%, indicating that the market remains profitable.
    • “AM Best offered several possible explanations for the slight premium decline.”
  • and
    • “Two reports — one that KPMG released on Thursday and one that Thales released last month — illustrate how generative AI is raising security concerns for business leaders.
    • “Business leaders surveyed by KPMG reported prioritizing security oversight in their generative AI budgeting decisions, with 67% saying they plan to spend money on cyber and data security protections for their AI models. Fifty-two percent cited risk and compliance as a budgetary priority.
    • “Those spending decisions reflect corporate executives’ growing worries about AI security. ***
  • WEDI is offering a free healthcare cybersecurity webinar on June 15, 2025, at 1:00 pm ET.
  • The ISACA Blog considers Proactive Approaches to Identify Cyberthreats.
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity defenses and law enforcement front

  • Cyberscoop reports,
    • Congress should use renewal of an expiring [in 2027] terrorism insurance program to create a federal backstop for cybersecurity insurance, according to a report out Tuesday that tries to thread many difficult needles to bolster an industry that its author says isn’t developing fast enough.
    • In an ideal world, cybersecurity insurance can be a valuable tool to protect policyholders and push everyone into adopting better cyber practices, but it will need government intervention to reach its full potential amid an array of challenges, Nick Leiserson writes in a study for the Foundation for Defense of Democracies, a D.C.-based think tank. 
  • and
    • “As spring gives way to summer, a wave of cybercrime crackdowns has taken root, with law enforcement and private security companies directing a surge of takedowns, seizures, indictments and arrests.
    • “Prolific infostealers, malware loaders, counter antivirus and encrypting services, cybercrime marketplaces, ransomware infrastructure and DDoS-for-hire operations have all been seized, taken offline or severely disrupted by global coordinated campaigns over the past six weeks.
    • “It’s been really energizing to see the volume and velocity of these takedowns in such a short period of time,” Flashpoint CEO Josh Lefkowitz told CyberScoop. 
    • “I can’t think of such a flurry and rapid succession — and then magnified by complementary takedowns by Europol and international partners,” he added. “It’s been a great couple of weeks for the good guys, and I wouldn’t be surprised if there’s more around the horizon.”

From the cybersecurity vulnerabilities and breaches front,

  • Bleeping Computer informs us,
    • “News broke [on June 18] about “one of the largest data breaches in history,” sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.
    • “To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.
    • “Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.
    • “Cybernews, which discovered the briefly exposed datasets of compiled credentials, stated it was stored in a format commonly associated with infostealer malware, though they did not share samples
    • “An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide.”
  • Cybersecurity Dive reports,
    • “Major insurance provider Aflac Inc. said Friday [June 20] that it was the target of a cyberattack on June 12 that is linked to a major cybercrime spree focusing on the industry. 
    • “The company said it was able to contain the attack within hours and confirmed its systems remain operational. 
    • “We continue to serve our customers as we respond to this incident and can underwrite policies, review claims and otherwise service our customers as usual,” the company said in a Securities and Exchange Commission filing
    • “The incident is part of a larger crime wave targeting the insurance industry that researchers have linked to a collective known as Scattered Spider. The group recently conducted a weeks-long attack campaign against retailers in the U.S. and the U.K.
    • “Erie Insurance Group last week disclosed that it was the target of a cyberattack that began on June 7. The company said Tuesday that it has regained control over its systems and sees no further evidence of malicious activity.”
  • Cyberscoop adds,
    • Scattered Spider is an amorphous band of young English-speaking cybercriminals affiliated with the larger sprawling network known as The Com. Scattered Spider associates recently ran roughshod over U.K.- and U.S.-based retailers before pivoting, once again, to insurance companies.
    • The ring of cybercriminals historically focus on one sector at a time, resulting in a wave of extortion attacks on companies in the same industry, which often use similar systems and processes. 
    • Google previously warned that Scattered Spider shifted its attention to U.S. retailers after the group hit multiple retailers and grocery stores in the U.K. in April. The pattern of recent activities attributed to Scattered Spider has been consistent.
    • “We are now seeing incidents in the insurance industry,” John Hultquist, chief analyst at Google Threat Intelligence Group, told CyberScoop on Monday. “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”
  • The Wall Street Journal points out,
    • “Hackers in recent months have disrupted retail sales in the U.K. and U.S. and stolen hundreds of millions of dollars from crypto holders by targeting the outsourced call centers that many American corporations use to save costs.
    • “The hacks are often meticulously researched and use a variety of techniques, but they have one thing in common: low-level workers who staff call centers and have access to the kind of sensitive information that criminals need to commit crimes.
    • “The focus on outside call centers has allowed attackers to trick workers to get around so-called two-factor account authentication techniques that send codes by text to mobile phones. Those methods are commonly used to protect millions of bank and credit-card accounts, as well as a host of other online portals.”
  • Security Week lets us know,
    • “Healthcare services firm Episource has been targeted in a cyberattack that resulted in a data breach impacting more than 5.4 million individuals.
    • “Episource provides medical coding and risk adjustment services to doctors, health plans, and other types of healthcare organizations. 
    • “The firm revealed in a data breach notice that it detected unauthorized access to its systems in early February. An investigation showed that “a cybercriminal” was able to view and copy data belonging to some Episource customers between January 27 and February 6, 2025. 
    • “We quickly took steps to stop the activity. We began investigating right away and hired a special team to help us. We also called law enforcement. We turned off our computer systems to help protect the customers we work with and their patients and members,” the company said, noting that it’s not aware of any misuse of the compromised data.”
  • Per Dark Reading,
    • Cybercriminals are using fake search engine listings to hijack the results for people looking for tech support from brands like Apple, Bank of AmericaFacebook, HP, Microsoft, Netflix, and PayPal.
    • This type of deceptive scam is common, taking advantage of users’ trust in big name brands, beginning with a sponsored search result on Google — but this time, there’s a twist.
    • According to Pieter Arntz and Jérôme Segura, researchers at Malwarebytes Labs, cybercriminals start by paying for a sponsored ad on Google pretending to be a major brand. This advertisement will then lead people to the fake website.
    • “However, in the cases we recently found, the visitor is taken to the legitimate site with a small difference,” the researchers wrote in a post this week. “Visitors are taken to the help/support section of the brand’s website, but instead of the genuine phone number, the hijackers display their scammy number instead.”
    • “So, while the browser address is legitimate and shows no cause for concern, the fraudsters overlay the actual website with misinformation, directing the user to seek help from a fraudulent source.”
  • Cybersecurity Dive tells us,
    • “Researchers are urging Veeam Backup & Replication users to make sure their systems are fully upgraded to the latest version after the company released a patch Tuesday to address a critical remote code execution flaw. 
    • “The vulnerability, tracked as CVE-2025-23121, allows an authenticated domain user to run code on a backup server. 
    • Researchers at watchTowr and Code White GmbH previously disclosed that a patch to address a prior vulnerability, tracked as CVE-2025-23120, could be bypassed. That disclosure led to the development of the new patch.”
  • and
    • “Hackers are exploiting a critical vulnerability in Zyxel’s Internet Key Exchange packet decoder, GreyNoise researchers warned on Monday.
    • “The vulnerability, tracked as CVE-2023-28771, powered a sudden wave of exploitation attempts Monday, with researchers observing 244 unique IP addresses involved in the activity. 
    • “All of the addresses were located in the U.S. and registered to Verizon Business, but researchers caution that because the vulnerability was located over UDP (Port 500), the attackers may have been spoofing those addresses.
    • “Additional analysis suggests that the activity may be related to a variant of the Mirai botnet, researchers said. 
    • “Mirai-linked payloads suggest the activity may be aimed at enrolling devices into botnets for automated attacks like DDoS or scanning,” GreyNoise researchers told Cybersecurity Dive via email.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added three known exploited vulnerabilities to its catalog this week.
    • June 16, 2025
      • CVE-2025-43200 Apple Multiple Products Unspecified Vulnerability
      • CVE-2023-33538 TP-Link Multiple Routers Command Injection Vulnerability
        • NIST discusses the Apple vulnerability here.
        • Security Week discusses the TP-Link KVE here.
    • June 17, 2025
      •  CVE-2023-0386 Linux Kernel Improper Ownership Management Vulnerability 
        • Security Week discusses this KVE here.

From the ransomware front,

  • The Hacker News reports,
    • “An emerging ransomware strain has been discovered incorporating capabilities to encrypt files as well as permanently erase them, a development that has been described as a “rare dual-threat.”
    • “The ransomware features a ‘wipe mode,’ which permanently erases files, rendering recovery impossible even if the ransom is paid,” Trend Micro researchers Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles said in a report published last week.
    • “The ransomware-as-a-service (RaaS) operation in question is named Anubis, which became active in December 2024, claiming victims across healthcare, hospitality, and construction sectors in Australia, Canada, Peru, and the U.S. Analysis of early, trial samples of the ransomware suggests that the developers initially named it Sphinx, before tweaking the brand name in the final version.”
  • and
    • “The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals.
    • “The new feature takes the form of a “Call Lawyer” feature on the affiliate panel, per Israeli cybersecurity company Cybereason.
    • “The development represents a newfound resurgence of the e-crime group as once-popular ransomware groups like LockBit, Black Cat, RansomHub, Everest, and BlackLock have suffered abrupt cessations, operational failures, and defacements. The group, also tracked as Gold Feather and Water Galura, has been active since October 2022.
    • “Data compiled from the dark web leak sites run by ransomware groups shows that Qilin led with 72 victims in April 2025. In May, it is estimated to be behind 55 attacks, putting it behind Safepay (72) and Luna Moth (67). It’s also the third most active group after Cl0p and Akira since the start of the year, claiming a total of 304 victims.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “For organizations aiming to deploy generative AI at scale, focusing on the cybersecurity guardrails surrounding the technology can help ease adoption rather than hinder it, according to AWS CISO Amy Herzog. 
    • “Herzog, who took on the CISO role earlier this month, made the case for a closer enterprise focus on security during the company’s annual re:Inforce conference Tuesday. The strategy can pay off by speeding up adoption. 
    • “Security, when done right, can be a true enabler in adopting new technologies,” said Herzog. “What we’re noticing is customers with mature security practices and the ability to innovate while maintaining a high security bar, they’re adopting Gen AI faster.
    • “Companies in highly regulated environments, from finance to healthcare, have been able to rely on their existing security, privacy and data management guardrails to speed up AI adoption, Herzog said. 
    • “This enables them to reduce risks and pragmatically focus on scaling their use cases,” Herzog said.”
  • and
    • “Nearly one in 10 publicly accessible cloud-storage buckets contained sensitive data, with virtually all of that data considered confidential or restricted, according to a new report from Tenable based on scans conducted between October 2024 and March 2025.
    • “On the other hand, more than eight in 10 organizations using Amazon Web Services have enabled an important identity-checking service, according to the report, published on Wednesday.
    • ‘The number of organizations with triple-threat cloud instances — “publicly exposed, critically vulnerable and highly privileged” — declined from 38% between January and June 2024 to 29% between October 2024 and March 2025.”
  • Per Bleeping Computer,
    • “Microsoft has announced plans to periodically remove legacy drivers from the Windows Update catalog to mitigate security and compatibility risks.
    • “The rationale behind this initiative is to ensure that we have the optimal set of drivers on Windows Update that cater to a variety of hardware devices across the windows ecosystem, while making sure that Microsoft Windows security posture is not compromised,” Microsoft said.
    • “This initiative involves periodic cleanup of drivers from Windows Update, thereby resulting in some drivers not being offered to any systems in the ecosystem.
    • “As the company explained on Thursday, the first phase of this “cleaning up” procedure will involve drivers with newer replacements already published on Windows Update.”
  • CSO lets us know,
    • “Ransomware tabletop exercises confront participants with an attack scenario, offering them a way to test and improve their organization’s readiness and response capabilities.
    • “During this month’s Infosecurity Europe conference, CSO took part as a media advisor to a blue team, pitched against a red team of attackers in a ransomware tabletop simulation focused on the water industry. The “Operation 999” exercise was devised and run by cybersecurity vendor Semperis, a specialist in protecting Active Directory (AD) and hybrid identity environments.” * * *
    • “The “Operation 999” exercise offered a cybersecurity tabletop simulation designed to allow participants to exercise incident response strategies. The tabletop exercise offered an immersive experience without featuring any hands-on keyboard or analysis of technical data (such as exercise specific log files, or similar).”
  • Security Week discusses “Choosing a clear direction in the face of growing cybersecurity demands. In a rapidly changing AI environment, CISOs are worried about investing in the wrong solution or simply not investing because they can’t decide what the best option is.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity and law enforcement front,

  • Cyberscoop reports,
    • “A House panel approved a fiscal 2026 funding bill Monday [June 9, 2025] that would cut the Cybersecurity and Infrastructure Security Agency by $135 million from fiscal 2025, significantly less than the Trump administration’s proposed $495 million.
    • “The chairman of the House Appropriations Subcommittee on Homeland Security, Rep. Mark Amodei, said the annual Department of Homeland Security funding measure “responsibly trimmed” the CISA budget. But Illinois Rep. Lauren Underwood, the top Democrat on his panel, said the legislation “fails to address the catastrophic cybersecurity threats facing our critical infrastructure.”
    • “The subcommittee approved the bill by a vote of 8-4.
    • “CISA would get $2.7 billion under the measure, according to a committee fact sheet, or $134.8 million less than the prior year.
    • “While the full committee chairman Tom Cole, R-Okla., said “the bill provides critical support for cybersecurity technology,” Republicans also criticized the agency’s past work.”
  • and
    • “A familiar face is being promoted from within to lead the FBI’s Cyber division.
    • “In a LinkedIn post Sunday [June 8, 2025], Brett Leatherman said that FBI Director Kash Patel had selected him as assistant director and lead official for the FBI’s primary division for investigating cybercrimes.  The role is prominent in national security, espionage and counterintelligence investigations.” * * *
    • “Leatherman takes over the reins from Bryan Vorndran, who led the bureau’s Cyber Division from 2021 until this past spring when he left the federal government to take a job as Microsoft’s deputy chief information security officer.”  
  • The National Institute of Standards and Technology (NIST) illustrates “19 Ways to Build Zero Trust Architectures.”
    • “The traditional approach to cybersecurity, built around the idea of solely securing a perimeter, has given way to the zero-trust approach of continuously evaluating and verifying requests for access.
    • “Zero trust architectures can help organizations protect far-flung digital resources from cyberattacks, but building and implementing the right architectures can be a complex undertaking.
    • “New NIST guidance offers 19 example zero trust architectures using off-the-shelf commercial technologies, giving organizations valuable starting points for building their own architectures.”
  • Cyberscoop points out,
    • “Federal authorities on Wednesday [June 11, 2025] announced the seizure of about 145 domains and cryptocurrency funds linked to BidenCash, a cybercrime marketplace for stolen credit cards, compromised credentials and other personal information. 
    • “BidenCash was used by more than 117,000 customers, resulting in the trafficking of more than 15 million credit card numbers and personally identifiable information, the Justice Department said. Administrators of the cybercrime platform, which charged a per-transaction fee, generated more than $17 million in illicit revenue since its formation in March 2022, authorities said.
    • “Domains associated with BidenCash now redirect to a server controlled by U.S. law enforcement and display seizure notices. The U.S. Attorney’s Office for the Eastern District of Virginia, which is leading the case, said it seized cryptocurrency funds the BidenCash marketplace used to receive illicit proceeds from its operations.
    • “Authorities did not disclose the value of those seized cryptocurrency funds or identify the physical location of the administrators and infrastructure used by BidenCash. The U.S. Attorney’s Office for the Eastern District of Virginia did not immediately respond to questions.” 
  • Cybersecurity Dive adds,
    • “An international law enforcement operation has dismantled the computer infrastructure powering multiple strains of information-stealer malware.
    • “As part of “Operation Secure,” authorities in 26 Asian countries “worked to locate servers, map physical networks and execute targeted takedowns,” Interpol said in a statement. Law enforcement agencies worked with cybersecurity firms Group-IB, Kaspersky and Trend Micro to prepare assessments of their targets and shared that information with “cyber teams across Asia,” according to Interpol, resulting in “in the takedown of 79 percent of identified suspicious IP addresses.”

From the cybersecurity vulnerabilities and breaches front,

  • The Wall Street Journal reports,
    • “Supermarket shelves are emptying out at some stores around the country, after a cyberattack hit a major distributor to Whole Foods Market and other chains.
    • United Natural Foods said it detected unauthorized activity on its systems last week and took certain ones offline proactively.
    • “Disruptions to its operations have followed, United Natural said. Stores around the country have reported being unable to place orders. The company has told suppliers that it hopes to restore normal operations by Sunday, according to a notice viewed by The Wall Street Journal.” 
  • CISA added four known exploited vulnerabilities to its catalog this week.
    • June 9, 2025
      • CVE-2025-32433 Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability 
      • CVE-2024-42009 RoundCube Webmail Cross-Site Scripting Vulnerability” 
        • The Hacker News discusses these KVEs here.
    • June 10, 2025
      • CVE-2025-24016 Wazuh Server Deserialization of Untrusted Data Vulnerability
      • CVE-2025-33053 Web Distributed Authoring and Versioning (WebDAV) External Control of File Name or Path Vulnerability”
        • Akamai discusses the “Wasuh Server” KVE here.
        • Security Week discusses the WebDAV KVE here.
  • Cybersecurity Dive adds,
    • “Government agencies are operating with massive amounts of “security debt” — meaning unresolved vulnerabilities — putting them and the public at increased risk of falling victim to hackers, according to a Veracode report released Wednesday [June 11, 2025]. 
    • “Roughly 80% of government agencies have software vulnerabilities that have gone unaddressed for at least a year, and roughly 55% of them have long-standing software flaws that place them at even greater risk, the report found.
    • “Veracode’s research shows that it takes government agencies an average of 315 days to resolve half of their software vulnerabilities, compared to the combined public- and private-sector average of 252 days.
    • “But companies and agencies alike are falling short of the necessary investments and procedures to address insecure software, according to Veracode.”
  • Dark Reading warns
    • “Secure Shell (SSH) keys are the backbone of secure remote access. They are everywhere, powering DevOps pipelines, enabling server management, and automating everything from deployments to patching. But despite their ubiquity, SSH keys often remain a blind spot in enterprise security. Why? Because unlike passwords, they don’t expire. They are easy to create, hard to track, and alarmingly simple to forget.
    • “In large enterprises, it is not uncommon to find hundreds of thousands or even millions of unmanaged SSH keys. Many of these grant access to sensitive systems but lack clear ownership or life-cycle oversight, turning what should be a secure authentication method into a major risk factor.
    • “If your organization cannot answer “Who can log in to what, using which key?” you are flying blind.”
  • Security Week notes,
    • “More than 40,000 security cameras worldwide are exposed to the internet, cybersecurity firm Bitsight warns.
    • “Operating over HTTP or RTSP (Real-Time Streaming Protocol), the cameras expose their live feed to anyone knowing their IP addresses, directly from the web browser, which makes them unintended tools for cyberattacks, espionage, extortion, and stalking, the company says.
    • “The HTTP-based cameras rely on standard web technologies for video transmission and control and are typically found in homes and small offices.
    • “Of the more than 40,000 cameras exposing their live feed, more than 14,000 are in the US, with Japan ranking second, at roughly 7,000 devices. Austria, Czechia, and South Korea have roughly 2,000 exposed cameras each, while Germany, Italy, and Russia have roughly 1,000 each.
    • “In the US, most of the exposed cameras are in California and Texas, followed by Georgia, New York, and Missouri. Massachusetts and Florida have high concentrations of exposed cameras as well.” * * *
    • “To keep these security cameras protected, users should secure their internet connections, replace default credentials, disable remote access if not needed, keep the devices always updated, and monitor them for unusual login attempts.”
  • and
    • “Trend Micro has released patches for ten vulnerabilities in Apex Central and Endpoint Encryption (TMEE) PolicyServer, including critical-severity flaws leading to remote code execution (RCE).
    • “The update for Apex Central resolves two critical bugs leading to RCE, tracked as CVE-2025-49219 and CVE-2025-49220 (CVSS score of 9.8). The security defects are similar, but were discovered in different methods, the company says.
    • “Both vulnerabilities are described as an insecure deserialization operation that could allow remote attackers to execute arbitrary code on affected installations, without authentication.
    • “Endpoint Encryption PolicyServer received fixes for eight flaws, including four critical and four high-severity defects.”
  • Per Bleeping Computer,
    • “Cloudflare has confirmed that the massive service outage yesterday was not caused by a security incident, and no data has been lost.
    • “The issue has been largely mitigated. It started 17:52 UTC yesterday [June 12, 2025] when the Workers KV (Key-Value) system went completely offline, causing widespread service losses across multiple edge computing and AI services.
    • “Workers KV is a globally distributed, consistent key-value store used by Cloudflare Workers, the company’s serverless computing platform. It is a fundamental piece in many Cloudflare services, and a failure can cause cascading issues across many components.”
    • “The disruption also impacted other services used by millions, most notably the Google Cloud Platform.”

From the ransomware front,

  • The HIPAA Journal informs us,
    • “It has taken three weeks, but Kettering Health has confirmed that it has resumed normal operations for key services following its May 20, 2025, Interlock ransomware attack. Kettering Health has been releasing regular updates on the progress being made restoring its systems, confirming that the core components of its Epic EHR system were restored on the morning on June 2, 2025, which allowed patient data to be entered, and the backlog of data recorded on paper to start to be entered into patient records.
    • “Interlock’s access to its network and system was immediately terminated when the attack was discovered, and Kettering Health confirmed on June 5, 2025, that all of the ransomware group’s tools and persistence mechanisms had been eradicated from its systems. Kettering Health also confirmed that all systems were fully up to date with the latest versions of software installed and patches applied, and security enhancements had been implemented, including network segmentation, enhanced monitoring, and updated access controls. Kettering Health said it is confident that its cybersecurity framework and employee security training are sufficient to mitigate future risks.”
  • Cybersecurity Dive reports,
    • “Ransomware gangs have exploited a vulnerability in the SimpleHelp remote support program to breach customers of a utility billing software vendor, the Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday [June 12, 2025].
    • “The government advisory follows an earlier warning from CISA and the FBI that hackers associated with the Play ransomware gang had been targeting critical infrastructure organizations using the flaw in SimpleHelp’s remote management software.
    • “The new CISA alert highlights the risks of vendors not verifying the security of their software before providing it to customers.” * * *
    • “In its Thursday alert, CISA said the breach of the utility payment vendor reflected a “broader pattern” of such attacks.
    • “The agency urged “software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.” 
    • “Vendors should isolate vulnerable SimpleHelp instances, update the software and warn customers, according to CISA, while customers should determine whether they are running the SimpleHelp endpoint service, isolate and update those systems and follow SimpleHelp’s additional guidance.’
  • Per Bleeping Computer,
    • “Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.
    • “The Fog ransomware operation was first observed last year in May leveraging compromised VPN credentials to access victims’ networks.
    • ‘Post-compromise, they used “pass-the-hash” attacks to gain admin privileges, disabled Windows Defender, and encrypted all files, including virtual machine storage.
    • “Later, the threat group was observed exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, as well as SonicWall SSL VPN endpoints.”

From the cybersecurity defenses front,

  • Cybersecurity Dive lets us know,
    • “The threat of cyberattacks represents the most serious challenge for businesses in the coming year, the advisory firm Kroll said in a report published Thursday [June 12, 2025].
    • “Roughly three-quarters of respondents said their cybersecurity and privacy concerns had increased over the past year, with nearly half citing malware and more than a third citing data extortion as specific fears.
    • “Kroll’s survey of 1,200 respondents from more than 20 countries, conducted in February, provides some measure of how businesses are thinking about and dealing with cyber worries as global tensions escalate.”
  • and
    • “Artificial intelligence is poised to transform the work of security operations centers, but experts say humans will always need to be involved in managing companies’ responses to cybersecurity incidents — as well as policing the autonomous systems that increasingly assist them.
    • “AI agents can automate many repetitive and complex SOC tasks, but for the foreseeable future, they will have significant limitations, including an inability to replicate unique human knowledge or understand bespoke network configurations, according to experts who presented here at the Gartner Security and Risk Management Summit.
    • “The promise of AI dominated this year’s Gartner conference, where experts shared how the technology could make cyber defenders’ jobs much easier, even if it has a long way to go before it can replace experienced humans in a SOC.
    • “As the speed, the sophistication, [and] the scale of the attacks [go] up, we can use agentic AI to help us tackle those challenges,” Hammad Rajjoub, director of technical product marketing at Microsoft, said during his presentation. “What’s better to defend at machine speed than AI itself?”
  • Dark Reading explains “Why CISOs Must Align Business Objectives & Cybersecurity. This alignment makes a successful CISO, but creating the same sentiment across business leadership creates a culture of commitment and greatly contributes to achieving goals.”
  • Here is a link to Dark Reading’s CISO Corner.