From the cybersecurity policy and law enforcement front,

• Nextgov/FCW reports,
  • “A top Cybersecurity and Infrastructure Security Agency official said the agency is prepared to accept any extension Congress authorizes for a fundamental cybersecurity threat intelligence-sharing law, which is set to expire Sept. 30 unless renewed by lawmakers.
  • “We’ll take whatever the Congress decides to authorize us, wherever they see fit within their purview, to authorize and to give us our authorities to be able to use,” Nick Andersen, CISA’s executive assistant director for cybersecurity, told reporters Thursday [September 11] on the sidelines of the Billington Cyber Summit.
  • “The Cybersecurity Information Sharing Act of 2015 lets private sector providers freely transmit cyber threat information to government partners with key liability protections in place, shielding firms from lawsuits and regulatory penalties when sharing threat data with the government.
  • “So at this point, I think my primary concern is if it lapses,” Andersen added. “Give us 30 days for the Congress to do what they need to do. Give us two years. Give us ten years. Give us 50. Whatever you take, we’ll take it. Obviously, we love stability for the organization and stability for our partners to understand how we’re going to protect and exchange information. But really, that’s up to Congress.”

• Cyberscoop tells us,
  • “The Cybersecurity and Infrastructure Agency is delaying finalization of a rule until May of next year that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.
  • “Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.
  • “A CISA official told CyberScoop that the move would give the agency time to consider streamlining and reducing the burden on industry of a previously proposed version of the rule, citing public comments in response to that version, as well as harmonizing the law with other agencies’ cyber regulations.”

• Cybersecurity Dive lets know,
  • “National Cyber Director Sean Cairncross said [on September 9] the Trump administration plans a whole-of-nation approach in order to combat the threat of malicious cyberattacks from the U.S.’s top geopolitical rivals. 
  • “Cairncross delivered the opening keynote at the Billington Cybersecurity Summit, saying the administration will push forward an aggressive new posture to counter the risks presented by authoritarian regimes like China.” * * *
  • “The Billington keynote marks the first major public remarks by Cairncross since he won Senate confirmation to lead the Office of the National Cyber Director in August.” 

• FedScoop informs us,
  • “The U.S. government’s acting chief information security officer outlined his three priorities for federal cyber officials over the next year at a cybersecurity event in Washington on Tuesday [September 9], emphasizing the need for collaboration across the government.  
  • “During a fireside chat at the Billington Cybersecurity Summit, acting cyber chief Michael Duffy said focusing enterprise cyber defense, increasing operational resilience, and securing a modern U.S. government are the areas he’s outlined as priorities for the next year in conversations with the federal cyber leaders on the CISO Council. 
  • “He also previewed an upcoming tabletop exercise the CISO Council will be doing in the next month to address operational resilience.” 

• Cybersecurity Dive points out,
  • “The Cybersecurity and Infrastructure Security Agency said it remains firmly committed to supporting and further enhancing the Common Vulnerabilities and Exposures program, which is a critical program for identifying and mitigating software flaws that can expose computer systems to exploitation. 
  • “Nick Andersen, the new executive assistant director for cybersecurity at CISA, expressed staunch support for the CVE program during a discussion on Thursday at the Billington Cybersecurity Summit in Washington, D.C. 
  • “CISA on Wednesday [September 10] released a road map that outlined its priorities for the CVE program, with the full intention to further develop the program and create a plan for robust funding and wider participation. 
  • Andersen told reporters after the presentation that it’s “exceedingly important” for CISA to be able to grow and expand the program.
  • “The feedback that we’ve gotten consistently is people are looking for somebody to call objective balls and strikes out there,” Andersen said. 

• Per Federal News Network,
  • “The Pentagon will soon issue more details on its much-hyped effort to “blow up” the Risk Management Framework used to accredit software.
  • “Katie Arrington, who is performing the duties of the Defense Department chief information officer, said DoD will unveil the “10 commandments” of the “new RMF” in the next couple of weeks. DoD’s work to revamp how it accredits software has been a top discussion point in federal technology circles in recent months.
  • “It’s the 10 tenants of the new RMF,” Arrington said at the Billington Cyber Summit on Thursday.

• Cyberscoop notes,
  • “The Department of Justice unsealed an indictment against a Ukrainian national alleged to be central to a ransomware campaign affecting hundreds of companies worldwide. 
  • “Volodymyr Viktorovych Tymoshchuk, known online as “deadforz,” “Boba,” “msfv,” and “farnetwork,” is accused of developing and deploying ransomware variants Nefilim, LockerGoga, and MegaCortex, all of which have been used in attacks on prominent organizations in the United States, Europe, and elsewhere since at least 2018.
  • “According to the indictment, filed in the Eastern District of New York, Tymoshchuk and his alleged co-conspirators are believed to have extorted more than 250 companies across the U.S. and hundreds more globally, generating tens of millions of dollars in damages. Victims suffered not just the loss of data and disabling of business operations, but high mitigation and recovery costs. * * *
  • “Additionally, the State Department announced rewards totaling up to $10 million for information leading to the arrest or conviction of Tymoshchuk, with a separate reward of up to $1 million for information on other key leaders of the groups deploying the ransomware variants.”

From the cybersecurity vulnerabilities and breaches front,

• CISA added one known exploited vulnerability to its catalog this week.
  • September 11, 2025
    • CVE-2025-5086 Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
      • Bleeping Computer discusses this KVE here.
        
• Cybersecurity Dive reports,
  • “A sophisticated phishing-as-a-service operation has been targeting Google and Microsoft accounts and can bypass traditional defense mechanisms, including multifactor authentication, researchers at Okta Threat Intelligence warned in a blog post on Thursday, 
  • “The phishing operation, dubbed VoidProxy, uses adversary-in-the-middle techniques to bypass normal authentication flow. 
  • “Researchers first learned of attacks linked to the operation in January, but Dark Web advertisements for VoidProxy appear to have begun as early as August 2024, according to Okta researchers. The attacks are ongoing, and Okta said they have targeted valuable accounts.”  * * *
  • “Google agrees with recommendations in the Okta report that users should adopt passkeys as a strong method to protect against phishing, the spokesperson added.
  • “Microsoft declined to comment, however a spokesperson provided a link with general mitigation guidance.”

• Dark Reading adds,
  • “A recent phishing campaign that used the Salty2FA phishing kit demonstrates how the cybercriminal enterprise continues to evolve to the point where adversarial tools are nearly on par with enterprise-grade software, experts said.
  • “Researchers from Ontinue tracked a campaign using the phishing kit that shows various technical innovations in which cybercriminals are approaching phishing infrastructure “with the same methodical planning that enterprises use for their own systems,” Rhys Downing, an Ontinue threat researcher, wrote in a blog post published Tuesday.”

• CSO tells us,
  • “Attackers are increasingly exploiting generative AI by embedding malicious prompts in macros and exposing hidden data through parsers.
  • “The switch in adversarial tactics — noted in a recent State of File Security study from OPSWAT — calls for enterprises to extend the same type of protection they already apply to software development pipelines into AI environments, according to experts in AI security polled by CSO.
  • “Broadly speaking, this threat vector — ‘malicious prompts embedded in macros’ — is yet another prompt injection method,” Roberto Enea, lead data scientist at cybersecurity services firm Fortra, told CSO. “In this specific case, the injection is done inside document macros or VBA [Visual Basic for Applications] scripts and is aimed at AI systems that analyze files.”
  • “Enea added: “Typically, the end goal is to mislead the AI system into classifying malware as safe.”

• Per InfoSecurity Magazine,
  • “People are often described as one of the biggest security threats to any organization. At first glance, it would be hard to argue with such a sweeping statement.
  • “Whether the result of malice or negligence, the ‘human element’ featured in around 60% of data breaches over the past year, according to Verizon. A recent spate of attacks targeting corporate Salesforce instances highlights the evolving nature of the social engineering threat – and just what’s at stake.
  • “The challenge for CISOs is that insider risk is not just about negligence. Those intent on wrongdoing are usually harder to spot and exact a much heavier toll on their employer. To coincide with International Insider Threat Awareness Month, we take a look at what CISOs can do to push back the tide.”
  • Check it out.

From the ransomware front,

• Here are links to updates on recovery from the ransomware attacks against the State of Nevada and the City of St. Paul, Minnesota.

• Per Security Week,
  • “Ransomware remains the primary digital threat to business. Phishing, often the initial point of failure, further expands into voice triggered transfer fraud.
  • “An analysis of risk based on cyberinsurance claims history provides an accurate overview of the true risk of cybercrime. It doesn’t provide a full global picture of risk since it can only be drawn from known cyberinsurance claims. Resilience is a cyberinsurance provider with a deep knowledge of cybersecurity.
  • “There are three major takeaways from the 2025 Midyear Cyber Risk Report produced by Resilience: vendor-related risk is down but still significant; ransomware remains the main threat; and phishing has leapt to clear prominence as the most common point of failure (aided in scale and sophistication by AI).
  • “The report notes a reduction in vendor-related risk (down from 22% of incurred losses in 2024 to 15% in H1 2025), but stresses that the downstream loss to affected companies remains high. “While incidents dropped in frequency, clients who experienced business interruption from a vendor-related incident had significant losses that rivaled losses from companies directly affected by ransomware.” This is an unseen risk that can only be addressed by continuously monitoring the vendors’ security posture.”

• Per Check Point Research,
  • “First observed on September 5, Yurei is a newly emerged ransomware group that targeted a Sri Lankan food manufacturing company as its first leaked victim. The group follows a double-extortion model: they encrypt the victim’s files and exfiltrate sensitive data and then demand a ransom payment to decrypt and refrain from publishing the stolen information.
  • “Check Point Research (CPR) determined that Yurei’s ransomware is derived with only minor modifications from Prince-Ransomware, an open-source ransomware family written in Go. This highlights how open-source malware significantly lowers the barrier to entry for cybercriminals, enabling even less-skilled threat actors to launch ransomware operations.
  • “Yurei’s ransomware contains a flaw that may allow partial recovery through Shadow Copies, but the group primarily relies on data-theft-based extortion. As they stated on their blog, the fear and implications of data leakage are their main pressure point to get victims to pay the ransom.
  • “Since the first victim was listed on September 5, the number of victims has risen to three so far, pointing to a fast-growing operation.
  • “The investigation revealed hints that the threat actor’s origins may be in Morocco.”

• Per Cyberscoop,
  • “Researchers and authorities are warning that Akira ransomware attacks involving exploits of a year-old vulnerability affecting SonicWall firewalls are on the rise. 
  • “A burst of about 40 attacks linked to CVE-2024-40766 hit SonicWall firewalls between mid-July and early August. Researchers have since observed another wave of ransomware attacks linked to active exploits of the defect, which affects the secure sockets layer (SSL) VPN protocol in multiple versions of SonicWall firewalls, and configuration errors. 
  • “Rapid7 has responded to a “double-digit number of attacks” related to the vulnerability and a series of misconfigurations in victim environments, the company said, expanding on a blog it published earlier this week.
  • “The Australian Cyber Security Centre also issued an advisory Wednesday noting that it, too, is responding to a recent increase in active exploitation of the defect. “We are aware of the Akira ransomware targeting vulnerable Australian organizations through SonicWall SSL VPNs,” the agency said.”

• Per PC World,
  • “It’s a story almost as old as time: malware is wreaking havoc on Android devices again. Usually, Android malware aims to steal sensitive data and passwords in order to gain access to online accounts. Less commonly, it installs ransomware to extort large sums of money from users.
  • “A particularly dangerous malware variant that combines both techniques has now been discovered by security experts at ThreatFabric. Known as RatOn, the Trojan infiltrates an Android phone, accesses data, empties bank accounts, then locks the device to blackmail the owner.” * * *
  • “In the case of RatOn, the Trojan likely lands on Android devices through fake apps. Users are redirected to pages that imitate the Google Play Store, where attackers offer applications disguised as common social media apps like TikTok—except it’s malware.: * * *
  • To protect yourself, you should always check whether an app comes from a trustworthy provider. You should also always activate Google Play Protect in the Google Play Store so that apps are scanned for viruses and malware before they’re installed on your device.

• Bleeping Computer warns,
  • “A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition.
  • “HybridPetya appears inspired by the destructive Petya/NotPetya malware that encrypted computers and prevented Windows from booting in attacks in 2016 and 2017 but did not provide a recovery option.
  • “Researchers at cybersecurity company ESET found a sample of HybridPetya on VirusTotal. They note that this may be a research project, a proof-of-concept, or an early version of a cybercrime tool still under limited testing.

• Cyberscoop adds,
  • “Researchers at New York University have taken credit for creating a piece of malware found by third-party researchers that uses prompt injection to manipulate a large language model into assisting with a ransomware attack.
  • “Last month, researchers at ESET claimed to have discovered the first piece of “AI-powered ransomware” in the wild, flagging code found on VirusTotal. The code, written in Golang and given the moniker “PromptLock,” also included instructions for an open weight version of OpenAI’s ChatGPT to carry out a series of tasks — such as inspecting file systems, exfiltrating data and writing ransom notes.
  • “ESET researchers told CyberScoop at the time that the code appeared to be unfinished or a proof of concept. Other than knowing it was uploaded by a user in the United States, the company had no further information about the malware’s origin. 
  • “Now, researchers at NYU’s Tandon School of Engineering have confirmed that they created the code as part of a project meant to illustrate the potential harms of AI-powered malware.”
  • In a corresponding academic paper, the researchers call the project “Ransomware 3.0” and describe it as a new attack method. This technique “exploits large language models (LLMs) to autonomously plan, adapt, and execute the ransomware attack lifecycle.”

From the cybersecurity business and defenses front,

• Cyberscoop informs us,
  • “Major cyber intrusions by the Chinese hacking groups known as Salt Typhoon and Volt Typhoon have forced the FBI to change its methods of hunting sophisticated threats, a top FBI cyber official said Wednesday.
  • “U.S. officials, allied governments and threat researchers have identified Salt Typhoon as the group behind the massive telecommunications hack revealed last fall but that could have been ongoing for years. Investigators have pointed at Volt Typhoon as a group that has infiltrated critical infrastructure to cause disruptions in the United States if China invades Taiwan and Americans intervene.
  • “Those hacks were stealthier than in the past, and more patient, said Jason Bilnoski, deputy assistant director of the FBI’s cyber division. The Typhoons have focused on persistent access and gotten better at hiding their infiltration by using “living off the land” techniques that involve using legitimate tools within systems to camouflage their efforts, he said. That in turn has complicated FBI efforts to share indicators of compromise (IOCs).
  • “We’re having to now hunt as if they’re already on the network, and we’re hunting in ways we hadn’t before,” he said at the Billington Cybersecurity Summit. “They’re not dropping tools and malware that we used to see, and perhaps there’s not a lot of IOCs that we’d be able to share in certain situations.”

• The Wall Street Journal reports,
  • “Japanese industrial giant Mitsubishi Electric said Tuesday that it intends to acquire U.S. cybersecurity company Nozomi Networks in a deal valued at about $1 billion.
  • “Nozomi will become a wholly owned subsidiary of Mitsubishi Electric under the terms of the deal and operate independently. The transaction value includes $883 million in cash as well as previous equity.
  • “Nozomi raised $100 million in a 2024 Series E funding round that included several heavyweights in operational technology, such as Mitsubishi Electric and Schneider Electric. Previous investors included Honeywell; the U.S. Central Intelligence Agency’s venture arm, In-Q-Tel; and Johnson Controls. 
  • “Nozomi Chief Executive Edgard Capdevielle said the company will continue to provide services to those prior investors and other companies after the acquisition, which is expected to close in the fourth quarter. 
  • “The fact that we’re now a wholly owned subsidiary of Mitsubishi does not change the fact that we will continue to be vendor-agnostic,” he said.”

• Dark Reading adds,
  • “F5, a software company that improves application speed and security, today announced its plans to acquire CalypsoAI, a provider of adaptive artificial intelligence (AI) security capabilities. CalypsoAI’s technology will be integrated into the F5 Application Delivery and Security Platform (ADSP), F5 said.
  • Founded in 2018, CalypsoAI focuses on real-time protection against threats targeting AI applications and models, such as prompt injection and jailbreaking. The platform brings threat defense, red teaming at scale, and data security to businesses preparing to launch or adopt generative and agentic AI. CalypsoAI came in second place at RSAC Conference’s Innovation Sandbox earlier this year as a company that protects models and agents with prompt firewalls.
  • “By integrating CalypsoAI features into ADSP, F5 hopes to build modern firewalls and point solutions that can secure AI models, agents, and data flows. Traditional options “can’t keep up,” said François Locoh-Donou, president and CEO of F5, in a statement.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy front,

• The Wall Street Journal reports,
  • “The clock is ticking on core federal cybersecurity legislation set to expire Sept. 30, as a divided Congress and a looming government shutdown threaten progress on a new bill that seeks to extend provisions encouraging cooperation in fighting hackers. 
  • “The decade-old Cybersecurity Information Sharing Act, or CISA, set the legal framework aimed at protecting companies that voluntarily share cyber threat intelligence with other businesses and the federal government, shielding them from antitrust and liability charges.
  • “Sunsetting the legislation risks weakening cybersecurity defenses, in both business and government, by discouraging information-sharing about hacking tactics and other cyberattacks, cybersecurity experts said.” * * *
  • “On Wednesday [September 3, 2025], the House Homeland Security Committee unanimously approved a revised version of CISA, renaming it the Widespread Information Management for the Welfare of Infrastructure and Government Act, or Wimwag.
  • “The proposed bill, which would extend the legislation until 2035, includes updated language to reflect new hacking tactics, while boosting privacy and liability protections for companies, among other changes.
  • “Democrats had called for an extension of the 2015 law while leaving any changes to be considered after the September deadline. “More improvements will be necessary as the legislative process moves forward,” based on input by cybersecurity experts, Rep. Bennie Thompson (D., Miss.) told the committee.
  • “The bill now moves to the full House for consideration.”

• On Thursday, the federal government’s Spring 2025 semi-annual regulatory and de-regulatory agenda was posted on reginfo.gov. Of note, the Department of Health and Human Services is projecting promulgation of an amended HIPAA Security Rule in May 2026.

• The American Hospital Association News tells us,
  • The Cybersecurity and Infrastructure Security Agency, National Security Agency and international agencies Sept. 3 released joint guidance outlining a “software bill of materials” for organizations to strengthen cybersecurity, reduce risk and decrease costs. An SBOM is a list of all components contained in a software product. 
  • “Whether it’s an application used on a computer or the software that runs a medical device, most software incorporates components to accomplish specific tasks,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “It is critical to understand what components are used in a piece of software because if a flaw is discovered in any, it could make the entire piece of software — and the organization’s network— vulnerable to attack. A good analogy is the ingredients list on food packaging — it tells consumers exactly what additives and preservatives are in their food. Without an SBOM, an organization would have no way to determine that the vulnerable component was present in their systems.” 
  • Gee also highlighted the importance of automated monitoring of SBOMs, as they would alert of any vulnerabilities that would require patching and remediation. 
     
• Federal News Network informs us,
  • “The Cybersecurity and Infrastructure Security Agency has named a new top cyber official. Nick Anderson is now serving as executive assistant director of CISA’s cybersecurity division. Anderson is a Marine Corps veteran who previously led the Energy Department’s top cyber office during the first Trump administration. He most recently was president and chief operating officer of Invictus International Consulting. Anderson also was chief information security officer for Lumen Technologies Public Sector.”

From the cybersecurity vulnerabilities and breaches front,

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • September 2, 2025
    • CVE-2020-24363 TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability
    • CVE-2025-55177 Meta Platforms WhatsApp Incorrect Authorization Vulnerability
      • Security Affairs discusses these KVEs here.
  • September 3, 2025
    • CVE-2023-50224 TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
    • CVE-2025-9377 TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
      • Security Affairs discusses these KVEs here.
  • September 5, 2025
    • CVE-2025-38352 Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability
    • CVE-2025-48543 Android Runtime Unspecified Vulnerability
    • CVE-2025-53690 Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
      • Cybersecurity Dive discusses the Sitecore KVE here.
      • Security Week discusses the other two KVEs here.

• Cybersecurity Dive reports,
  • “In separate disclosures, Cloudflare Inc. and Proofpoint Inc. on Tuesday said they were impacted by the August supply chain attacks linked to Salesloft Drift. 
  • “The disclosures mark the latest in a wave of attacks, where a threat actor used compromised credentials linked to the Salesloft Drift AI chatbot to gain access to the Salesforce instances at hundreds of companies. 
  • ‘Cloudflare said it was notified last week of the incident, in which an outside attacker gained access to the text fields of support cases in its Salesforce instances, according to a blog post released Tuesday.
  • “Despite being part of a much larger supply chain attack, the company took full responsibility for the breach and issued an apology. 
  • “We are responsible for the tools we use in support of our business,” company executives said in the blog post. “For that, we sincerely apologize.”
  • ‘The incidents follow disclosures by Palo Alto Networks and Zscaler of their customer Salesforce environments being impacted by the supply chain attack.” 

• Dark Reading relates,
  • “In a blog post Thursday, SecurityBridge said it discovered an exploit for CVE-2025-42957 and confirmed it has been used in the wild. “While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability,” the blog post said. “That means attackers already know how to use it – leaving unpatched SAP systems exposed.”
  • “SecurityBridge added that SAP’s patch for CVE-2025-42957 is “relatively easy” to reverse engineer, and that successful exploitation gives attackers access to the operating system and all data in the targeted SAP system.” * * *
  • “Even though an attacker would need a valid user account to exploit CVE-2025-42957, SecurityBridge said the vulnerability was “especially dangerous.” * * *
  • “SecurityBridge urged customers to immediately apply the patch for CVE-2025-42957, which was released in SAP’s August 2025 security updates. To defend against potential exploitation, the company recommended implementing SAP’s Unified Connectivity framework (UCON) to restrict RFC usage, and to monitor logs for suspicious RFC calls and newly created admin accounts.
  • “The exploitation of CVE-2025-42957 follows attacks in the spring on a critical SAP NetWeaver zero-day flaw tracked as CVE-2025-31324. The vulnerability came under subsequent waves of attacks in the weeks following its initial disclosure in late April.”
• and
  • “A young malware-as-a-service (MaaS) operation has been outed, shortly after the debut of its newest custom remote access Trojans (RATs).
  • “In recent weeks, researchers have been slowly, independently piecing together an emerging cybercrime threat cluster. First, they found a malware loader that had been spread hundreds of times and named it “CastleLoader.” Then, they uncovered the broader MaaS service around it, and called it “CastleBot.” Now, they’ve mapped out the infrastructure propping it all up, and identified new variants of its own Trojan, called “CastleRAT” (aka “NightShadeC2“), which various MaaS customers have distributed to victims via boobytrapped GitHub repositories, the ClickFix tactic, malicious websites advertising fake software, and other methods.”
  • “Plenty of questions still remain though, about the group that Recorded Future’s Insikt Group has labeled “TAG-150.” For instance, how has it managed to spread itself so far while maintaining essentially no visible presence on the Dark Web?”
    
• Bleeping Computer points out “six browser-based attacks all security teams should be ready for in 2025.

From the ransomware front,

• Industrial Cyber informs us,
  • “New data from Comparitech shows that of the 18 confirmed ransomware attacks in August, three hit manufacturers, two targeted healthcare companies, and another two struck the food and beverage sector. Overall, worldwide ransomware attacks rose from 473 in July to 506 in August, a 7% increase and the second consecutive month of growth after a decline from March through June 2025. While government systems remain a steady target, manufacturing recorded the sharpest rise, with attack claims surging 57% from 72 in July to 113 in August. Four of these incidents have been confirmed.
  • “August saw a first-of-a-kind attack on the state of Nevada. While hundreds of U.S. government organizations have suffered ransomware attacks, this is the first-ever statewide attack. The attack was first detected on August 24, 2025, and has left many citizens and state agencies without access to essential services. No hackers have claimed the attack as of yet, but if a ransom isn’t paid, it’s likely the group will come forward in the coming days/weeks.
  • “Comparitech reported that the healthcare and education sectors each recorded one confirmed attack in August, though both reported more unconfirmed attack claims compared with July. These numbers are expected to rise as additional incidents are confirmed in the coming weeks.”

• Here are links to updates on the ransomware attacks on the State of Nevada and Pennsylvania Attorney General’s office noted in last week’s Cybersecurity Saturday.

• BitDefender alerts us,
  • “Ransomware groups continue to evolve their tactics, but few have made as sharp an impact in 2025 as SafePay. Once a lesser-known player, the group has surged into prominence by quietly amassing hundreds of victims across the globe. In June, SafePay topped Bitdefender’s Threat Debrief rankings after claiming 73 victim organizations in a single month, and the group followed up with 42 more victims in July—its second-highest monthly tally to date. 
  • “With more than 270 claimed victims so far this year, SafePay’s discreet operations, rejection of the ransomware-as-a-service (RaaS) model, and rapid-fire victim disclosures signal a significant threat that security researchers and teams should understand.”

• CIO explains why “the latest research into cybercrime and those behind it illustrates why businesses must quickly adapt to the rising tide of high-stakes cyber extortion.”

• SC Media discusses “how AI has changed ransomware negotiations.”

From the cybersecurity defenses and business front,

• Cybersecurity Dive reports,
  • “The cyber insurance market is continuing to stall with organic growth slowing and rates declining, according to a report Wednesday from global insurance firm Swiss Re. 
  • “Increased competition among insurers has led to a third consecutive year of reduced rates, according to the report, as the available supply of cyber coverage has exceeded current demand. The market imbalances have forced insurers to make concessions on premiums, cybersecurity controls and coverage limits. 
  • “The insurance industry has grown increasingly concerned in recent years about systemic loss events and the risk of liability over data privacy. That has led to worries over whether additional premium cuts are sustainable.” 

• Cybersecurity Dive also explains how Tampa General Hospital’s “CIO and CISO teamed up to translate security decisions into dollars and cents.”

• HIPAA Journal notes,
  • “Healthcare organizations are relatively unlikely to have serious cybersecurity vulnerabilities compared to other industry sectors, as they are generally good at prevention; however, when vulnerabilities are identified, healthcare lags other sectors when it comes to remediation. These are the findings from a recent analysis of penetration testing data and a survey of 500 U.S. security leaders by the Pentest-as-a-service (PTaaS) firm Cobalt. The findings are published in its State of Pentesting in Healthcare 2025 report.”

• The Wall Street Journal adds,
  • “A study at UCSD Health found cybersecurity training had little effect on employees’ susceptibility to simulated phishing attacks.
  • “On average, four groups of employees who received training designed by the researchers had only a 1.7% lower failure rate than employees who had no training.
  • “Employees often didn’t engage with training, spending less than a minute on training pages over 75% of the time.”

• Per Cyberscoop,
  • “Israeli cybersecurity company Cato Networks has acquired AI security startup Aim Security in its first ever acquisition, reflecting the broader industry rush to address security challenges posed by artificial intelligence adoption.
  • “The deal combines Cato’s Secure Access Service Edge (SASE) networking platform with Aim’s AI security capabilities, allowing the company to protect customers from threats associated with generative AI tools and applications. Financial terms were not disclosed. 
  • “The acquisition underscores how cybersecurity companies are scrambling to develop solutions for AI-related risks as enterprises rapidly adopt AI tools without fully understanding potential vulnerabilities. Aim’s technology addresses three key areas: securing employee use of public AI applications, protecting private AI systems, and managing security throughout AI development lifecycles.”
• and
  • “Varonis has acquired SlashNext, an AI-driven email security company, for up to $150 million in a move that reflects the rising role of artificial intelligence in both attack and defense.
  • “The acquisition, announced Tuesday, brings together Varonis’ focus on data-centric security and threat detection with SlashNext’s technology for blocking phishing and social engineering attacks across email and collaboration platforms. The companies cited a rapidly evolving threat environment, as cybercriminals increasingly use AI to target victims on channels reaching beyond traditional email, including Slack, Microsoft Teams, WhatsApp, and Zoom.
  • “Founded by Atif Mushtaq, who worked on FireEye’s malware detection systems, SlashNext deploys predictive AI models to identify, remove and block socially engineered threats. Its technology leverages computer vision, natural language processing, and virtual browsers to pinpoint signs of compromise.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• The House Committee on Homeland Security will mark up the CISA 2025 reauthorization bill on Wednesday, September 3, at 10 am ET.

• Per a Congressional news release,
  • “U.S. Senators Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Maggie Hassan (D-NH) requested information from Aflac following a recent cyberattack on their internal data systems.
  • “This comes amid increasing cyberattacks on the health care sector. In 2024, there were over 700 large data breaches that impacted approximately 276 million Americans. These attacks not only threaten Americans’ sensitive health data, but delay lifesaving care to patients.
  • “The recent cybersecurity incident affecting Aflac’s supplemental insurance systems highlights the continuing risk to patients and other stakeholders,” wrote the senators. “While Aflac has stated that it ‘stopped the intrusion within hours,’ additional transparency is needed about whether the intruders accessed private consumer and patient data, how Aflac safeguarded protected health information (PHI) prior to the incident, and steps that the company intends to take going forward.”

• Per a National Institute of Standards and Technology news release,
  • “A revision to NIST’s catalog of security and privacy safeguards [(NIST SP 800-53)] aims to help organizations better manage risks related to software updates and patches. 
  • “The catalog revision is part of NIST’s response to a recent executive order on strengthening the nation’s cybersecurity.
  • “Completed with the help of a real-time commenting system, the revision is available in several different formats, some of which are machine-readable.”

• Dark Reading tells us,
  • “Updated federal agency guidelines for software bills of materials (SBOM) were recently released by the US Cybersecurity and Infrastructure Security Agency (CISA) with rules intended to push for additional transparency among software and component vendors. Experts agree the new rules are a hopeful step forward but worry they overlook some serious issues facing today’s software supply chain. 
  • “Since 2021, when the federal minimum SBOM guidelines initially were released, the idea has been debated in information security circles as a great concept, but just not feasible in the real world. Vendors pushed back, arguing that the regulations are onerous. And in the ensuing years, with federal agencies leading the way, SBOMs have been embraced to varying degrees. The SBOM challenge has been connecting the gorge between the information they provide, and the ability for cyber teams operationalize it. 
  • “CISA recently released its 2025 update to SBOM guidelines for federal agencies, and while experts say they are hopeful things are headed in the right direction, they also acknowledge skepticism across the cybersecurity industry about some aspects of the new guidance.” 

• Per a CISA news release on August 26,
  • “Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the Software Acquisition Guide: Supplier Response Web Tool, a no-cost, interactive resource designed to empower information technology (IT) and industry decision makers, procurement professionals and software suppliers strengthen cybersecurity practices throughout the software procurement lifecycle.
  • “The Web Tool builds on the “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle”, offering a streamlined, digital experience that simplifies how users assess software assurance and supplier risk.
  • “This tool demonstrates CISA’s commitment to offering practical, free solutions for smarter, more secure software procurement,” said CISA Director of Public Affairs, Marci McCarthy. “Transforming the Software Acquisition Guide into an interactive format simplifies integrating cybersecurity into every step of procurement.”

• Per Cyberscoop,
  • “The Treasury Department on Wednesday [August 27] expanded efforts to disrupt the pervasive North Korean technical worker scheme by imposing sanctions on people and organizations serving as facilitators and fronts for the country’s years-long conspiracy effort to defraud businesses and earn money despite international sanctions. 
  • “Vitaly Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology and Korea Sinjin Trading Corp. were all sanctioned by the Treasury Department’s Office of Foreign Assets Control for their alleged roles in the scheme orchestrated by the North Korean government.”

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “Chinese government-backed hackers are targeting critical infrastructure and government computer systems as part of a yearslong campaign that includes the well-known Salt Typhoon activity, the U.S. and 12 other countries said on Wednesday.
  • “The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” the allied governments said in a joint advisory.
  • “The China-linked campaign has penetrated organizations in more than 80 countries, including more than 200 targets in the U.S., an FBI spokesperson told Cybersecurity Dive.
  • The advisory describes the attackers’ techniques, from initial access to data exfiltration; describes an incident in which the hackers tried to decrypt network traffic to collect administrator credentials; suggests strategies for threat hunting; and recommends mitigation activities.
• and
  • “Hackers stole user credentials from Salesforce customers in a widespread campaign earlier this month, according to researchers at Google Threat Intelligence Group, who warned that the thefts could lead to follow-up attacks.
  • “A threat actor that Google tracks as UNC6395 targeted Salesforce instances using compromised OAuth tokens that were associated with the customer engagement vendor Salesloft’s Drift AI chat agent.
  • “Researchers believe the hackers’ primary goal was to harvest credentials, as they stole large amounts of data from numerous Salesforce instances.
  • “Google’s Threat Intelligence Group “is aware of over 700 potentially impacted organizations,” Austin Larsen, a principal threat analyst at the company, told Cybersecurity Dive in a statement. “The threat actor used a Python tool to automate the data theft process for each organization that was targeted.”
  • “The attacks did not involve any vulnerability in the Salesforce platform, according to researchers. After stealing the data, the hackers looked for sensitive credentials, including access keys and passwords for Amazon Web Services as well as access tokens for the Snowflake cloud platform. 
  • “The attacks largely occurred between Aug. 8 and Aug. 18, researchers said. By Aug. 20, Salesloft had begun working with Salesforce to revoke all active access and refresh Drift tokens, according to Google.”

• Bleeping Computer adds,
  • “Consumer credit reporting giant TransUnion warns it suffered a data breach exposing the personal information of over 4.4 million people in the United States, with BleepingComputer learning the data was stolen from its Salesforce account.
  • “TransUnion is one of the three major credit bureaus in the United States, alongside Equifax and Experian. It operates in 30 countries, employs 13,000 staff, and has an annual revenue of $3 billion.”

• Per Security Week,
  • “Multiple phishing campaigns deploying ConnectWise ScreenConnect for remote control demonstrate the sophistication, extent, and danger of AI-supercharged social engineering.
  • “An ongoing ScreenConnect threat example highlights primary aspects of modern cybercriminality: AI-enhanced, scaled, and sophisticated social engineering; use of trust and stealth to deceive security controls; and maximum use of the professionalized crime-as-a-service (CaaS) ecosphere.
  • “Current ScreenConnect campaigns differ in their attack details, but all conform to the basic process: a phishing attack leading to deployment of ScreenConnect to allow remote access and potential control of the victim organization. Researchers have found more than 900 targeted enterprises around the world.”

• CISA added five known exploited vulnerabilities to its catalog this week.
  • August 25, 2025
    • CVE-2024-8069 Citrix Session Recording Deserialization of Untrusted Data Vulnerability
    • CVE-2024-8068 Citrix Session Recording Improper Privilege Management Vulnerability
    • CVE-2025-48384 Git Link Following Vulnerability
      • Cyber Press discusses these KVEs here.
      • Cybersecurity Dive adds more details on the Citrix KVEs here.
      • Bleeping Computer adds more details on the Git Link KVE here.
  • August 26, 2025
    • CVE-2025-7775 Citrix NetScaler Memory Overflow Vulnerability
      • Bleeping Computer discusses this KVE here.
  • August 29, 2025
    • CVE-2025-57819 Sangoma FreePBX Authentication Bypass Vulnerability
      • Bleeping Computer discusses this KVE here.

From the ransomware front,

• Cybersecurity Dive reports,
  • “Federal and state authorities are investigating a ransomware attack that has disrupted key services across the state of Nevada.
  • “The Sunday [August 24] attack interrupted multiple government services, including phone systems and state agency websites. 
  • “The attackers were able to exfiltrate data during the intrusion, but officials still don’t know what they took, Tim Galluzi, Nevada chief information officer and executive director of the Governor’s Technology Office, said during a press conference Wednesday.
  • “The process of analyzing the information to determine exactly what was taken is complex, methodical and time consuming,” Galluzi said, adding that it would be reckless to speculate on the nature of the stolen information.
  • “The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are helping Nevada officials respond to the intrusion. In a statement Wednesday [August 27], CISA said its threat hunters are helping analyze Nevada’s computer networks and mitigate any potential impact from the hack.
    
• Security Week adds on August 29,
  • “Four days after the hackers hit the state’s network, certain state offices have resumed working with the public, some Nevada state’s departments have reverted to pen and paper operations to serve the public, and the Nevada Health Authority has restored some of its operations, including Medicaid and the benefits program.
  • “However, the Access Nevada application portal remains inaccessible, certain phone lines are down, the Child Care & Development Program cannot access case files or certifications, and DMV offices were closed on Wednesday, although its website has been restored.
  • “Emergency services and essential operations have remained available throughout the outage. Additional information can be found on this recovery status page.”

• SpotlightPA reports,
  • “The Pennsylvania Office of Attorney General was the victim of a ransomware attack earlier this month, Spotlight PA has learned.
  • “The attack, first reported by the office on Aug. 11 as a “cyber incident,” has impaired many functions of the agency, as some staff and prosecutors remain unable to access archived emails, files, and internal systems crucial to pursuing cases on behalf of the commonwealth.
  • “The office confirmed the attack to Spotlight PA on Friday [August 29].

• KERA News relates,
  • A cybersecurity breach in Greenville [,Texas] has affected the city’s ability to access police and other records.
  • The city’s servers were attacked by a ransomware group on Aug. 5.
  • “Upon identification, the City immediately implemented protective measures, isolated affected systems where appropriate, contacted law enforcement and engaged a third-party cybersecurity firm to mitigate the event and restore services,” the city said in a news release.
  • Greenville’s emergency 911 service was not affected and remains in operation, however, some phone lines may experience intermittent outages or busy signals, the city said.

• Per Cyberscoop,
  • “A financially motivated threat group operating since 2021 has refined its technical tradecraft, honing its focus on cloud-based systems that allow it to expand ransomware operations beyond the scope of on-premises infrastructure, Microsoft Threat Intelligence said in a report released Wednesday [August 27].
  • “By leveraging cloud-native capabilities, Storm-0501 has exfiltrated large volumes of data with speed, destroying data and backups within victim environments and encrypted systems. “This is in contrast to threat actors who may have relied solely on malware deployed to endpoints,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in an email.
  • “This evolution is about both a technical shift and a change in impact strategy,” DeGrippo said. “Instead of just encrypting files and demanding ransom for decryption, Storm-0501 now exfiltrates sensitive cloud data, destroys backups, and then extorts victims by threatening permanent data loss or exposure.”
  • “Storm-0501 targets opportunistically by searching for unmanaged devices and security gaps in hybrid cloud environments. By exploiting these vulnerabilities, it can evade detection, escalate its access privileges and sometimes move between user accounts. This approach amplifies the impact of its attacks and raises its chance for a payout, according to Microsoft.”
• and
  • “Researchers at cybersecurity firm ESET claim to have identified the first piece of AI-powered ransomware in the wild.
  • “”The malware, called PromptLock, essentially functions as a hard-coded prompt injection attack on a large language model, causing the model to assist in carrying out a ransomware attack.
  • “Written in Golang programming code, the malware sends its requests through Ollama, an open-source API for interfacing with large language models, and a local version of an open-weights model (gpt-oss:20b) from OpenAI to execute tasks.
  • “Those tasks include inspecting local filesystems, exfiltrating files and encrypting data for Windows, Mac and Linux devices using SPECK 128-bit encryption.
  • “According to senior malware researcher Anton Cherepanov, the code was discovered Aug. 25 by ESET on VirusTotal, an online repository for malware analysis. Beyond knowing that it was uploaded somewhere in the U.S., he had no further details on its origins.
  • “Notably, attackers don’t need to deploy the entire gpt-oss-20b model within the compromised network,” he said. ”Instead, they can simply establish a tunnel or proxy from the affected network to a server running Ollama with the model.”
  • “ESET believes the code is likely a proof of concept, noting that functionality for a feature that destroys data appears unfinished. Notably, Cherepanov told CyberScoop that they have yet to see evidence of the malware being deployed by threat actors in ESET telemetry.”

From the cybersecurity defenses front,

• Cyberscoop lets us know,
  • “Chief information security officers are increasingly concerned about the risk of a cyberattack, and a growing number say they have experienced a material loss of data over the past year, according to a report released Tuesday by Proofpoint. 
  • “Two-thirds of CISOs said their organizations have experienced a material loss of sensitive information over the past year, compared with only 46% in the prior year, according to the report. Meanwhile, three-quarters of CISOs fear they are at risk of a material cyberattack over the next 12 months.
  • “The increase reflects not only heightened risk but also a cultural shift among CISOs, according to Proofpoint.
  • “CISOs are becoming more transparent, especially in light of increased regulatory scrutiny and evolving board expectations,” Patrick Joyce, global resident CISO at Proofpoint, told Cybersecurity Dive.
  • “The annual “Voice of the CISO” report is based on a survey of 1,600 CISOs at organizations in 16 countries. The survey took place during the first quarter of 2025, and all respondents worked at organizations with more than 1,000 employees.”

• Dark Reading offers ransomware defense tips here and cloud security tips here.

• The Wall Street Journal reports,
  • “Cybersecurity concierge services offer tailored protection against online threats for high-profile individuals, including monitoring and data scrubbing.
  • “These services, costing from $1,000 to tens of thousands annually, attract those with substantial assets and a significant digital footprint.
  • “Demand is rising, with wealth managers for cyber protection, especially after experiencing breaches.”

• Here is a link to Dark Reading’s CISO corner.

From the cybersecurity policy and law enforcement front,

• Federal News Network tells us,
  • “The House Homeland Security Committee plans to convene in early September to mark up a reauthorization bill for a soon-to-expire cybersecurity law that’s viewed as critical to cyber collaboration across government and industry.
  • “In a statement, House Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.) confirmed the committee will mark up a reauthorization bill for the Cybersecurity Information Sharing Act of 2015 once Congress returns from August recess.
  • “Reauthorizing the Cybersecurity and Information Sharing Act is essential as the deadline nears and as threats evolve,” Garbarino said. “The House Committee on Homeland Security plans to mark up our legislative text for its reauthorization shortly after Congress returns from recess in September. In a 10-year extension, I will preserve the privacy protections in the law, and I aim to provide enhanced clarity to certain pre-existing provisions to better address the evolving threat landscape.”
  • “CISA 2015, as it’s known, expires at the end of September. The law provides liability protections and privacy guardrails to especially encourage private sector organizations to voluntarily share data with each other and government agencies.”

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) has updated its recommendations for the minimum features of a software bill of materials (SBOM), the latest step in the agency’s campaign to encourage transparency in the software market.
  • “The updates and additions included in this document will better position Federal Government agencies and other SBOM consumers to address a range of use cases, understand the generation process, and improve data quality,” CISA said in the new publication, which it released on Thursday [August 21].” * * *
  • “The publication, which is open for public comment through Oct. 3, is aimed primarily at government agencies but is also designed to help other organizations understand what to expect from their vendors’ SBOMs.”
• and
  • “The National Institute of Standards and Technology [NIST] wants public feedback on a plan to develop guidance for how companies can implement various types of artificial intelligence systems in a secure manner. 
  • “NIST on Thursday [August 14] released a concept paper about creating control overlays for securing AI systems based on the agency’s widely used SP 800-53 framework. The overlays are designed to help ensure that companies implement AI in a way that maintains the integrity and confidentiality of the technology and the data it uses in a series of different test cases. 
  • “The agency also created a Slack channel to collect community feedback on the development of the overlays.”

• Per NIST news releases,
  • “NIST SP 800-171, R3, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems, is a set of recommended security requirements for protecting the confidentiality of CUI.
  • “NIST has released a supplementary small business primer to SP 800-171, R3 to help smaller, under-resourced organizations better protect CUI.” * * * 
  • “This is the first part of an effort to begin breaking down components of 800-171, R3 for the small business community. Future resources will expand upon the primer’s content.”
• and
  • “NIST has released the initial public draft (IPD) of Special Publication (SP) 1331, Quick-Start Guide for Using CSF 2.0 to Improve the Management of Emerging Cybersecurity Risks, for public comment. The document highlights the topic of emerging cybersecurity risks and explains how organizations can improve their ability to address such risks through existing practices within the cyber risk discipline in conjunction with the NIST Cybersecurity Framework (CSF) 2.0. The guide also emphasizes the importance of integrating these practices with organizational enterprise risk management (ERM) to proactively address emerging risks before they occur. 
  • “The comment period is open through September 21, 2025, at 11:59 PM. Please send your feedback about this draft publication to csf@nist.gov.”

• Per an HHS news release,
  • “Today [August 18], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York public accounting, business advisory, and management consulting firm, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. BST is a HIPAA business associate and receives financial information that also contains protected health information (PHI) from a HIPAA covered entity.” * * *
  • “The settlement resolves an investigation of BST that OCR initiated after receiving a breach report that BST filed on February 16, 2020. BST reported that on December 7, 2019, BST discovered that part of its network was infected with ransomware, impacting the PHI of its covered entity client. OCR’s investigation determined that BST had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by BST.
  • “Under the terms of the resolution agreement, BST agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $175,000 to OCR.”

• Cybersecurity Dive informs us,
  • “Federal prosecutors on Tuesday [August 19] charged an Oregon man for allegedly running a global botnet-for-hire operation called Rapper Bot that used hacked IoT devices to conduct large-scale distributed denial-of-service (DDoS) attacks.
  • “Authorities charged Ethan Foltz, 22, with one count of aiding and abetting computer intrusions. Police executed a search warrant at Foltz’s house on Aug. 6, shut down the botnet and took control of its infrastructure, according to the U.S. Department of Justice.
  • “Rapper Bot allegedly used between 65,000 and 95,000 infected devices for DDoS attacks that often measured between two and three terabits per second. The largest attack may have exceeded six terabits per second, prosecutors said.
  • “Rapper Bot was “one of the most powerful DDoS botnets to ever exist,” said Michael Heyman, the U.S. attorney in Alaska, where authorities believe the botnet infected at least five devices.”

• Cyberscoop adds,
  • “A 20-year-old Florida man received a 10-year federal prison sentence Wednesday for his role in the notorious Scattered Spider cybercrime organization, marking the first conviction of a member from the group responsible for breaching more than 130 major companies.
  • “Noah Michael Urban, 20, of Palm Coast, Fla., pleaded guilty to conspiracy, wire fraud and aggravated identity theft charges in two separate federal cases spanning Florida and California. A federal judge sentenced Urban to 120 months in prison with three years of supervised release and ordered him to pay $13 million in restitution to victims.
  • “The sentence exceeded federal prosecutors’ recommendation of eight years, reflecting the scope of Urban’s criminal activities that investigators say caused between $9.5 million and $25 million in total losses.”

From the cybersecurity vulnerabilities and breaches front,

• The American Hospital Association News informs us,
  • “The FBI Aug. 20 released an advisory warning of malicious activity by Russian cyber actors targeting end-of-life devices running an unpatched vulnerability in Cisco Smart Install software. The agency said the actors, attributed to the Russian Federal Security Service’s Center 16, have been detected collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors. On some devices, the files were modified to enable unauthorized access to the devices. The vulnerability was initially publicized in 2018.
  • “If you have vulnerable equipment in your network, please pay particular attention to ensuring that it is patched and running as securely as possible,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “It is recommended that hospitals also make this equipment a priority for replacement since it’s no longer supported for updates by Cisco. It is also a good time to review the process for patch management and equipment upgrades, particularly focusing on patching known exploited vulnerabilities. The Cybersecurity Infrastructure and Security Agency maintains a catalog of KEVs.”

• CISA added two known exploited vulnerabilities to that catalog this week.
  • August 18, 2025
    • CVE-2025-54948 Trend Micro Apex One OS Command Injection Vulnerability
      • Cybersecurity News discusses this KVE here.
  • August 21, 2025
    • CVE-2025-43300 Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
      • Cyberscoop discusses this KVE here.

• Cyberscoop adds,
  • “The Chinese state-backed threat group Silk Typhoon has raised the pace of attacks targeting government, technology, legal and professional services in North America since late spring, according to CrowdStrike.
  • “We were calling this jokingly, ‘the summer of Murky Panda,’ because we’ve seen so much activity from them over the last couple of months,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, using the firm’s nomenclature for the cyberespionage group.
  • “CrowdStrike has worked on more than a dozen cases involving Murky Panda during the past few months, including two active incident response cases, Meyers said. The group, which has been active since at least 2023, is “one of the top-tier Chinese threats that we’ve been seeing a lot this summer,” he said.
  • “Murky Panda exemplifies how Chinese attackers are gaining access to victim networks and infrastructure via vulnerabilities, unmanaged devices, the cloud and pivots between cloud services. 
  • “The group’s advanced techniques in cloud environments are evident, as it enables prolonged access and lateral movement to downstream victims by abusing delegated administrative privileges in cloud solution providers, CrowdStrike said in a research report released Thursday. [August 21].
    
• Bleeping Computer reports,
  • “Hackers have stolen the personal information of 1.1 million individuals in a Salesforce data theft attack, which impacted U.S. insurance giant Allianz Life in July.
  • “Allianz Life has nearly 2,000 employees in the United States and is a subsidiary of Allianz SE, which has over 128 million customers worldwide and ranks as the world’s 82nd largest company based on revenue.
  • “As the company disclosed last month, information belonging to the “majority” of its 1.4 million customers was stolen by attackers who gained access to a third-party cloud CRM system on July 16th.” * * *
  • “On Monday, data breach notification service Have I Been Pwned revealed the extent of the incident, reporting that the email addresses, names, genders, dates of birth, phone numbers, and physical addresses of 1.1 million Allianz Life customers were stolen during the breach.
  • “Bleeping Computer has also confirmed with multiple people affected by this breach that their data (including their tax IDs, phone numbers, email addresses, and other information) in the leaked files is accurate.
  • “Many other high-profile companies worldwide were also breached in this campaign, including Google, Adidas, Qantas, Louis Vuitton, Dior, Tiffany & Co., Chanel, and, most recently, human resources giant Workday.”

• Cybersecurity Dive notes,
  • The attack [on WorkDay] follows a string of social-engineering intrusions linked to ShinyHunters, a hacker group associated with an underground cybercrime collective known as The Com. The Com also has ties to the notorious hacker team Scattered Spider, which has targeted companies in multiple industries over the past several months, including retail, insurance and aviation. 
  • ShinyHunters has launched numerous attacks in recent months targeting Salesforce instances, according to researchers at Google. The group targeted one of Google’s own Salesforce instances earlier this month. 
  • Reliaquest recently published evidence of possible collaboration between ShinyHunters and Scattered Spider, including ticket-themed phishing domains and Salesforce credential-harvesting pages. 

• Per Dark Reading,
  • “In this interview from Black Hat USA 2025, Philippe Laulheret, a senior vulnerability researcher at Cisco Talos, discusses his discovery of the “ReVault” vulnerability affecting millions of Dell business laptops. 
  • “Laulheret found that the Control Vault (also called a unified secure hub) — a control board connecting peripherals like fingerprint readers and smart card readers to Dell Latitude and Precision laptops — contained multiple security flaws that allow any user to communicate with the board through undocumented APIs, potentially leading to memory corruption, code execution, extraction of secret keys, and permanent firmware modification.”

• Per Bleeping Computer,
  • “Six major password managers with tens of millions of users are currently vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details.
  • “Threat actors could exploit the security issues when victims visit a malicious page or websites vulnerable to cross-site scripting (XSS) or cache poisoning, where attackers overlay invisible HTML elements over the password manager interface.
  • “While users believe they are interacting with harmless clickable elements, they trigger autofill actions that leak sensitive information.
  • “The flaws were presented during the recent DEF CON 33 hacker conference by independent researcher Marek Tóth. Researchers at cybersecurity company Socket later verified the findings and helped inform impacted vendors and coordinate public disclosure.
  • “The researcher tested his attack on certain versions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce, and found that all their browser-based variants could leak sensitive info under certain scenarios.”
• and
  • “A new infostealer malware targeting Mac devices, called ‘Shamos,’ is targeting Mac devices in ClickFix attacks that impersonate troubleshooting guides and fixes.
  • “The new malware, which is a variant of the Atomic macOS Stealer (AMOS), was developed by the cybercriminal group “COOKIE SPIDER,” and is used to steal data and credentials stored in web browsers, Keychain items, Apple Notes, and cryptocurrency wallets.
  • “CrowdStrike, which detected Shamos, reports that the malware has attempted infections against over three hundred environments worldwide that they monitor since June 2025.”

From the ransomware front,

• Cybersecurity Dive reports on August 20,
  • “The pharmaceutical and biotechnology company Inotiv Inc. is investigating a cyberattack that led to hackers encrypting the firm’s data, it said in a filing on Monday with the U.S. Securities and Exchange Commission. 
  • “The Aug. 8 attack disrupted access to certain data storage and business applications, according to Innotiv. The company said it is working to bring certain systems back online and has moved some operations to offline alternatives in order to maintain business continuity.  
  • The company has restricted access to its systems, retained third-party experts and notified law enforcement, according to its SEC filing.” * * *
  • “The hackers behind the Qilin ransomware have claimed credit for the attack, according to researchers at Huntress and Kroll.”
    
• Bleeping Computer adds on August 22,
  • “Kidney dialysis firm DaVita has confirmed that a ransomware gang that breached its network stole the personal and health information of nearly 2.7 million individuals.
  • “DaVita serves over 265,400 patients across 3,113 outpatient dialysis centers, 2,660 in the United States, and 453 centers in 13 other countries worldwide. The company reported revenues of over $12 billion in 2024 and of $3.3 billion for the second quarter of 2025.
  • “In April, the healthcare provider revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that its operations were disrupted after attackers partially encrypted its network over the weekend.
  • “According to a dedicated website with more information regarding the resulting data breach, the attackers gained access to DaVita’s network on March 24 and were evicted after the company detected the incident on April 12.” * * *
  • “Although the kidney dialysis firm hasn’t linked the attack to a specific ransomware operation, the Interlock ransomware gang claimed responsibility for the breach in late April.
  • “Interlock also leaked the allegedly stolen data on its dark web portal after negotiations with DaVita had failed, claiming it had stolen roughly 1.5 terabytes of data from the company’s compromised systems, or nearly 700,000 files containing what appeared to be sensitive patient records, insurance details, user account information, and financial data.”

• Dark Reading points out that “Researchers highlight how Warlock, a new ransomware heavyweight, uses its sophisticated capabilities to target on-premises SharePoint instances.”

From the cybersecurity business and defenses front,

• Cybersecurity Dive reports,
  • “Enterprise software spending will sustain double-digit growth through 2029, according to Forrester projections. Vendor revenues grew 11% on average during the first quarter of the year, the analyst firm said in a July report.
  • “Infrastructure software spend will lead the charge, increasing 13.3% over the next four years, as enterprises stock up on cloud services, security tools and AI capabilities. The market for application software, a category that includes IT operations management, enterprise resource planning, and supply chain tools, will see slower growth of 9.5%, the firm said.
  • “Database management services will help shore up software market growth, as enterprises lay the groundwork for generative AI and agentic automation tools. The firm previously estimated off-the-shelf AI governance software spend to more than quadruple from 2024 to 2030, nearing $16 billion and capturing 7% of the software market.”
• and
  • “Many business leaders still aren’t following cybersecurity best practices to protect their organizations from costly intrusions, according to a report that the consulting giant Unisys published on Tuesday [August 21].
  • “Only 62% of organizations have or are setting up a zero-trust network architecture, only 61% are prioritizing post-incident recovery and only 45% deploy or plan to deploy managed detection and response software.
  • “Only 42% of organizations said they use or plan to use digital identity and access management services, which are considered essential for stopping attacks that exploit legitimate credentials.”

• Dark Reading informs us,
  • “Cyber insurers are testing out new ways to hold policyholders accountable for outdated security, limiting payouts when policyholders fall prey to attacks that use older vulnerabilities or take advantage of holes in the organizations’ defenses.
  • “Potential risk-limiting approaches include a sliding scale of accountability — and payouts — based on an unpatched vulnerability’s half-life, or whether a company failed to fix a critical vulnerability within a certain number of days, according to a blog post penned by cyber insurer Coalition, which does not support such approaches. Dubbed CVE exclusions, after the Common Vulnerabilities and Exposures (CVE) system widely used to assign identifiers to software security issues, the tactic is not yet widely adopted, and most examples are from insurers outside the US, the firm stated.
  • The limits could start showing up in companies’ policies, however, if demand for cyber insurance continues to grow, creating a seller’s market, says John Coletti, head of cyber underwriting at Coalition
  • “While we will not name names, there are specific examples of this occurring within the industry,” he says. “A company should be highly skeptical of buying a policy with a CVE exclusion.”
    
• Info-Security Magazine relates,
  • “The US National Institute of Standards and Technology (NIST) has published new guidelines it claims will help organizations optimize their efforts to detect face morphing software.
  • “Face morphing is a type of deepfake technology that enables threat actors to blend the photos of two people into a single image. In doing so, it simplifies identity fraud by tricking face recognition systems into erroneously identifying an image as belonging to both original individuals.
  • “In this way, individual A can assume the identity of individual B and vice versa, NIST said.
  • “The new report, Face Analysis Technology Evaluation (FATE) MORPH 4B: Considerations for Implementing Morph Detection in Operations (NISTIR 8584), offers an introduction to the topic and key detection methods.
  • “It focuses mainly on the pros and cons of various investigatory techniques, and ways to prevent morphs from entering operational systems in locations such as passport application offices and border crossings.”

• Here is a link to Dark Reading’s CISO Corner.