From the cybersecurity policy and law enforcement front,

• Cyberscoop tells us,
  • “A bipartisan Senate duo is reintroducing legislation Thursday that would establish an executive branch panel to align conflicting cybersecurity regulations on the private sector.
  • “Michigan Sen. Gary Peters, the top Democrat on the Homeland Security and Governmental Affairs Committee, is bringing back the Streamlining Federal Cybersecurity Regulations Act with co-sponsor James Lankford, R-Okla.
  • “By reducing the number of duplicative or burdensome reporting requirements, we can give businesses the tools to better secure our critical infrastructure against the serious threat of cyberattacks,” Peters said about the reintroduction of the bill, which CyberScoop is first reporting. “This legislation ensures federal agencies can work collaboratively to create effective cybersecurity standards, enabling businesses to focus on safeguarding their systems rather than navigating a maze of conflicting requirements.”
• and
  • “A bipartisan pair of senators is taking another shot at legislation that would require federal government contractors to follow National Institute of Standards and Technology guidelines on vulnerability disclosure policies.
  • “The Federal Contractor Cybersecurity Vulnerability Reduction Act from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., advanced out of the chamber’s Homeland Security and Governmental Affairs Committee last November but never got a full floor vote.
  • “The companion bill from Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio, meanwhile, was reintroduced in January and passed the House in March.
  • “The re-do from Warner and Lankford would make sure government contractors have the same legal obligations that federal agencies do in abiding by NIST’s recommendations on vulnerability disclosure policies. With VDPs, organizations can receive unsolicited reports on software vulnerabilities and patch them before an attack occurs.” 

• Per a Cybersecurity and Infrastructure Security Agency news release,
  • The Cybersecurity and Infrastructure Security Agency (CISA) is proud to announce the appointment of Madhu Gottumukkala as its new Deputy Director. In this role, he will help lead CISA’s mission to understand, manage, and reduce risk to the cyber and physical infrastructure that the American people rely on every day. 
  • Prior to his appointment as the CISA Deputy Director, Dr. Gottumukkala served as Commissioner and Chief Information Officer for South Dakota’s Bureau of Information and Technology, overseeing statewide technology and cybersecurity initiatives. He assumed this role after serving as South Dakota’s second-ever chief technology officer, focused on innovation through the adoption of emerging technologies, while increasing efficiency by replacing outdated legacy systems.
  • “I am honored to be appointed by Secretary Noem to serve as Deputy Director of CISA. As a former state and local leader, I have seen firsthand the exceptional work CISA does in advancing our nation’s cybersecurity and infrastructure resilience,” said Gottumukkala. “I look forward to building on that foundation by fostering collaboration and strengthening resilience across all levels of government and the private sector. Together, through trusted partnerships, transparency, and shared responsibility, we can better manage systemic risks and safeguard the critical functions that ensure our nation’s safety and prosperity.”

• Cybersecurity Dive reports,
  • “Microsoft’s Digital Crimes Unit (DCU) on Wednesday [May 21] announced an international operation to disrupt Lumma Stealer, a variant of infostealing malware that is popular with criminal gangs and other threat actors worldwide. 
  • “Hackers have used Lumma to steal passwords, credit cards, bank account information and cryptocurrency wallets in major attack campaigns in recent years, Steven Masada, assistant general counsel at Microsoft’s DCU, said in a blog post.
  • “Between March 16 and May 16, Microsoft identified more than 394,000 Windows computers infected with Lumma. After obtaining a court order from the U.S. District Court for the Northern District of Georgia, Microsoft seized 2,300 domains that formed the backbone of Lumma’s infrastructure. The U.S. Department of Justice also seized Lumma’s central command structure and disrupted online marketplaces that sold Lumma.”
• Here is a link to a related CISA advisory.

From the cybersecurity vulnerabilities and breaches front,

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • May 19, 2025
    • CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
    • CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
    • CVE-2024-11182 MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
    • CVE-2025-27920 Srimax Output Messenger Directory Traversal Vulnerability
    • CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
    • CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability
      • Ivanti discusses its KVEs here.
      • Cyber Press discusses the MDaemon KVE here.
      • TechTarget discusses the Srimax KVE here.
      • Syscan discusses the Synacor KVE here.
  • May 22, 2025
    • CVE-2025-4632 Samsung MagicINFO 9 Server Path Traversal Vulnerability
      • The Hacker News discusses this KVE here.

• On May 21, released a joint cybersecurity advisory which
  • highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

• On May 22, CISA released an “Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic).
  
• Security Week relates “The developers of OpenPGP.js have released updates to patch a critical vulnerability that can be exploited to spoof message signature verification.”
  • “OpenPGP.js is an open-source JavaScript implementation of the OpenPGP email encryption library, enabling its use on any device. According to its developers, “The idea is to implement all the needed OpenPGP functionality in a JavaScript library that can be reused in other projects that provide browser extensions or server applications.”
  • “Its website shows that OpenPGP.js is used by projects such as FlowCrypt, Mymail-Crypt, UDC, Encrypt.to, PGP Anywhere, and Passbolt.”

• Dark Reading points out “3 Severe Bugs Patched in Versa’s Concerto Orchestrator. Three zero-days could have allowed an attacker to completely compromise the Concerto application and the host system running it.”

• Per SC Media,
  • “Stolen credentials were the root cause of more than 30% of data breaches last year, according to Verizon’s 2025 Data Breach Investigations Report. Attackers compromised more than 23 million unmanaged and user-controlled devices—including personal laptops and home systems used in remote work settings—to extract login information, often using session cookies to bypass multi-factor authentication and other access controls.
  • “Credentials don’t just manifest—you’re either phishing them, brute forcing them, or stealing them via malware,” said Philippe Langlois, lead data scientist at Verizon and co-author of the 2025 DBIR, speaking at last month’s RSAC 2025.
  • “Those numbers aren’t outliers—they’re symptoms of a deeper failure in enterprise cybersecurity. Identity systems, Langlois noted at RSAC 2025, are now routinely exploited as entry points with attackers relying less on technical exploits—like finding and exploiting software vulnerabilities—and more on credential-based access, where they simply log in using stolen usernames, passwords, or hijacked sessions.”

From the ransomware front,

• Cybersecurity Dive lets us know,
  • “Kettering Health is facing a cyberattack that’s impacting patient care, the Ohio-based health system said on Tuesday [May 20].
  • “The provider was hit by a system-wide technology outage Tuesday morning due to unauthorized access to its network, Kettering said in a press release. 
  • “Elective inpatient and outpatient procedures at the health system’s facilities were canceled Tuesday. Kettering’s call center was also knocked offline and might have been occasionally inaccessible, the provider added.”

• Security Week informs us,
  • “In a data breach notice published on its website, Marlboro-Chesterfield Pathology said it discovered unauthorized activity on some internal IT systems on January 16, 2025. An investigation revealed that the hackers had stolen some files.
  • “The compromised data includes personal information such as name, address, date of birth, medical treatment information, and health insurance information. The stolen information varies by individual. 
  • “MCP informed the US Department of Health and Human Services (HHS) this week that the incident impacted 235,911 individuals.”

• Per Bleeping Computer,
  • “The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks.
  • “Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks.
  • “In March 2022, following Conti’s shutdown, the threat actors separated from the cybercrime syndicate and formed their own operation called Silent Ransom Group (SRG).
  • “In recent attacks, SRG impersonates the targets’ IT support in email, fake sites, and phone calls using social engineering tactics to gain access to the targets’ networks.
  • “This extortion group doesn’t encrypt the victims’ systems and is known for demanding ransoms not to leak sensitive information stolen from compromised devices online.”

• Per Dark Reading,
  • “Yet another threat group has embraced the trend of combining email bombing with vishing to gain initial access to systems and deploy ransomware.
  • “This time the adversary employing the technique, first documented as a tactic of Black Basta ransomware group, is the recently emerged 3AM ransomware group, researchers at Sophos revealed in a recent blog post. Sophos spotted an attack in the first quarter this year by 3AM affiliates, which followed the familiar playbook and successfully stole data from the targeted system but did not complete the ransomware attack.”

• Per Fortra’s Tripline,
  • “Health-ISAC recently released their 2025 Health Sector Cyber Threat Landscape Report, a comprehensive outline of the malicious activity aimed at healthcare in the previous year. Not surprisingly, ransomware was cited by security professionals in the industry as the number one threat of 2024 and the top area of concern coming into 2025 (followed by third-party breaches, supply chain attacks, and zero-day exploits). Some things never change.
  • “However, when it comes to ransomware, they do evolve. Take a look at [the Tripline article] some of the reasons ransomware maintains its top spot as the primary plague of healthcare organizations as we move into another threat-filled year.”

From the cybersecurity business and defenses front,

• Cybersecurity Dive reports,
  • “Shares of Palo Alto Networks fell Wednesday after the company reported better-than-expected earnings in the third fiscal quarter but disappointed some investors over its margins. 
  • “The company reported non-GAAP (generally accepted accounting principles) net income of 80 cents a share during the quarter that ended on April 30, up from 66 cents in the same quarter last year. Those earnings beat consensus estimates of 77 cents. 
  • “Revenue grew 15%, to $2.3 billion, in the quarter, compared with $2 billion in the same period last year.”
• and
  • Companies designing AI systems should protect training data from tampering and strictly limit access to its underlying infrastructure, the U.S. and three allies said in a joint guidance document published on Thursday [May 22].
  • The AI security guidance addresses multiple topics, including protecting data throughout the AI systems’ life cycle, supply chain considerations and ways to mitigate possible attacks on large data sets.
  • The multilateral warning reflects concerns in the U.S. and allied nations about powerful AI models containing vulnerabilities that can ripple across critical infrastructure.

• NIST discusses “Cybersecurity and AI: Integrating and Building on Existing NIST Guidelines.”

• The Wall Street Journal explains “How to lock down your finances and online accounts after a data breach spreads your information to the secret corners of the internet.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive reports,
  • Congress moved one step closer to reauthorizing a key cyber threat information-sharing law on Thursday during a hearing that highlighted both the act’s value and potential shortcomings.
  • The House Homeland Security Committee’s cyber subcommittee held the hearing [on May 15] to evaluate the private sector’s satisfaction with the 2015 Cybersecurity Information Sharing Act, which expires on Sept. 30. Witnesses from the tech industry praised the law for encouraging companies to share cyber threat indicators with each other and with federal agencies, but they also offered lawmakers suggestions for how to improve the program.”

• Defensescoop tells us,
  • “The Department of Defense has expanded its number of cyber teams by 12, with two more slated to come online in the next few years, according to a spokesperson.
  • “The cyber mission force began building in 2012, and the initial 133 teams reached full operational capability in 2018. In DOD’s fiscal 2022 budget request, U.S. Cyber Command proposed and was eventually approved for a phased approach to add 14 additional cyber mission force teams beyond the original 133. That request and authorization in 2021 was the first substantial effort to grow that force since it was designed almost a decade ago, long before modern and advanced threats had surfaced.
  • “In 2021, the Secretary of Defense directed the creation of 14 New cyber teams by September 2028. Of the 14 teams, 12 have been established. These teams are spread across Army, Air Force, and Navy Commands,” a Cybercom spokesperson said.
  • “They declined to offer specifics regarding how many additional teams each service received or what types of teams those additional builds provided to each service — such as offensive, defensive or support teams — citing operational security.”

• Per a May 15 HHS press release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Vision Upright MRI, a small California health care provider that conducts magnetic resonance imaging and related services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification and Security Rules. The settlement resolves an OCR investigation concerning the breach of an unsecured server containing the medical images of 21,778 individuals.” * * *
  • “Under the terms of the resolution agreement, Vision Upright MRI agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $5,000 to OCR.” 
  • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hhs-ocr-hipaa-racap-vum/index.html“
    
• Cyberscoop informs us,
  • “Federal authorities seized two domains and indicted four foreign individuals for alleged involvement in a long-running botnet service that infected older wireless internet routers, the Justice Department said Friday. 
  • “The malware created for the botnet allowed infected routers to be reconfigured, which granted unauthorized access to third parties and made the routers available for sale as proxy servers on Anyproxy.net and 5socks.net, according to law enforcement officials. Both domains, which were managed by a company headquartered in Virginia and hosted on servers worldwide, now render seizure notices under an effort the DOJ and FBI dubbed “Operation Moonlander.”
  • “The 5socks.net website claimed to be in operation for over 20 years and had more than 7,000 proxies for sale worldwide for a monthly subscription of $9.95 to $110 per month, according to prosecutors. The botnet’s overseas operations were also seized and disabled by law enforcement agencies in the Netherlands and Thailand.
  • “Authorities also indicted the botnet’s alleged administrators and charged them with conspiracy and damage to protected computers, for conspiring with others to maintain, operate and profit from the bot.”
• and
  • Liridon Masurica, the alleged lead administrator of cybercrime marketplace BlackDB.cc, was extradited to the United States on Friday and faces charges that carry a maximum penalty of 55 years in federal prison, the Justice Department said Tuesday. 
  • Masurica, 33, who is also known as “@blackdb,” was arrested by authorities in Kosovo on Dec. 12. He made his initial appearance in federal court in Tampa, Fla., on Tuesday and was ordered detained pending a trial. 
  • Federal prosecutors charged Masurica with one count of conspiracy to commit access device fraud and five counts of fraudulent use of 15 or more unauthorized access devices.
  • Masurica, of Gjilan, Kosovo, is accused of running BlackDB.cc since 2018. The cybercriminal marketplace offered to sell compromised account and server credentials, credit card information and other personally identifiable information of individuals mostly located in the United States, the DOJ said.

From the cybersecurity breaches and vulnerabilities front,

• Cyberscoop reports,
  • “Hundreds of victims are surfacing across the world from zero-day cyberattacks on Europe’s biggest software manufacturer and company, in a campaign that one leading cyber expert is comparing to the vast Chinese government-linked Salt Typhoon and Volt Typhoon breaches of critical infrastructure.
  • “The zero-days — vulnerabilities previously unknown to researchers or companies, but that malicious hackers have discovered — got patches this month and last month, but there are signs it could be getting worse before it gets better, according to Dave DeWalt, CEO of NightDragon, a venture capital and advisory firm. Ransomware gangs are now reported to be exploiting it, beyond the original Chinese government-connected attackers.
  • “The net of it is this is like the Typhoon size, so much like we saw [with] Volt Typhoonand then Salt Typhoon,” DeWalt told CyberScoop. “Once these exploits get into the wild, it’s a race to see who can get more access to it. So initially it looks like three Chinese actors all used it, and now we’re going to see more.”
  • “A number of companies have been tracking the vulnerability and its consequences, including one, Onapsis, that DeWalt’s company invests in, along with EclecticIQ, ReliaQuest and Google’s Mandiant.”
• and
  • “Over the past few years, cybersecurity experts have increasingly said that nation-state operatives and cybercriminals often blur the boundaries between geopolitical and financial motivations. A new report released Wednesday shows how North Korea has flipped that idea on its head. 
  • “North Korea has silently forged a global cyber operation that experts now liken to a mafia syndicate, with tactics and organization far removed from other nation-state actors, according to a comprehensive new report released by DTEX Systems.
  • “The study — based on years of investigations, technical analysis, and work with other open-source intelligence analysts — pulls back the curtain on a highly adaptive regime that has built its cyber capabilities on a survivalist, profit-driven approach. It reveals a hierarchy blending criminality, espionage, and front-line IT work, coordinated by an authoritarian government that rewards loyalty and secrecy while punishing failure.” * * *
  • “You can read the full report on DTEX’s website.”

• Cybersecurity Dive relates.
  • “The FBI is warning about a threat campaign in which malicious actors are impersonating senior U.S. officials using malicious text messages and AI-generated voice messages.
  • “The messages have been sent to current and former federal and state officials and others who may be contacts of those individuals, the bureau said in an alert released Thursday.
  • “The messages are designed to establish a rapport with individuals who might then turn over access to a personal account, according to the alert. These social engineering techniques could be used to reach additional contacts and gain access to additional information or funds.”

• Bleeping Computer lets us know,
  • “A new tool called ‘Defendnot’ can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed.
  • “The trick utilizes an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device.
  • “When an antivirus program is registered, Windows automatically disables Microsoft Defender to avoid conflicts from running multiple security applications on the same device.
  • “The Defendnot tool, created by researcher es3n1n, abuses this API by registering a fake antivirus product that meets all of Windows’ validation checks. * * *
  • “While Defendnot is considered a research project, the tool demonstrates how trusted system features can be manipulated to turn off security features.
  • “Microsoft Defender is currently detecting and quarantining Defendnot as a ‘Win32/Sabsik.FL.!ml; detection.”
    
• The Cybersecurity and Infrastructure Security Agency (CISA) added nine known exploited vulnerabilities to its catalog this week.
• May 13, 2025
  • “CVE-2025-30400 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
  • “CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
  • “CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability
  • “CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability
  • “CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability”
    • Crowdstrike discusses these KVEs here.
    • Cyberscoop discusses Microsoft’s May 13 Patch Tuesday here.
    • See also Bleeping Computer article titled “Microsoft confirms May Windows 10 updates trigger BitLocker recovery”
• May 14, 2025
  • “CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability”
    • Rapid 7 discusses this KVE here.
• May 15, 2025
  • “CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability
    • This KVE is discussed here.
  • “CVE-2025-4664 Google Chromium Loader Insufficient Policy Enforcement Vulnerability
    • This KVE is discussed here.
  • “CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability”
    • The KVE is discussed here.

• Cyberscoop adds,
  • “Apple rolled out a series of substantial security updates Monday for its major software platforms, with advisories covering iOS, iPadOS, and two versions of macOS lines, addressing more than 30 vulnerabilities in total. 
  • “Among the numerous fixes, iOS 18.5 and iPadOS 18.5 introduce the first security update for Apple’s in-house C1 modem, featured in the newly released iPhone 16e. The patch addresses a baseband vulnerability (CVE-2025-31214) that, according to the company, could have allowed an attacker “in a privileged network position” to intercept network traffic. While the specific details remain undisclosed, the risk highlights concerns about how devices communicate on the hardware level, since baseband processors control things like data transmission, call processing, and other network functions.”

• PC World reports
  • “Malware is a thing you just have to be aware of. But it’s pretty rare that it can actually damage your computer in a permanent sense — wipe the drive if you’re okay with losing local data, and you can generally get up and running in a day or two. But what if the microcode running on your CPU’s tiny integrated memory becomes infected? One security researcher says he’s done it.
  • “Christiaan Beek of Rapid7 says he has created a proof-of-concept ransomware that can hide inside a CPU’s microcode, building on previous work that emerged when Google required AMD processors to always return “4” when asked for a random number. He claims that modifying UEFI firmware can install an unsigned update to the processor, slipping past any kind of conventional antivirus or OS-based security.” * * *
  • “CPU-level ransomware has not been seen “in the wild,” and it seems likely that when and if it emerges, it’ll be a state-level actor that exploits it first. That means your typical user probably won’t be targeted, at least immediately. Still, maybe keep a remote backup of your important files, just in case.”

From the ransomware front,

• Per a news release,
  • “Black Kite, the leader in third-party cyber risk intelligence, today announced its newest report, 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems, which provides a deep analysis into evolving ransomware trends and threats. The report found that threats have escalated with more actors, less predictability, and deeper entanglement in supply chains, underscoring an urgent need for organizations to implement intelligence-driven defenses and proactive vendor monitoring.”

• Beckers Hospital Review tells us,
  • “From October 2009 to October 2024, ransomware and hacking have increasingly driven healthcare data breaches, a May 14 study published in JAMA Network Open found. 
  • “The study examined ransomware attacks and other hacking incidents across all healthcare organizations covered by HIPAA from October 2009 through October 2024. It analyzed breaches affecting 500 or more patient records that were reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.”

• Cybersecurity Dive reports,
  • “A cybercrime gang believed to be responsible for three attacks in the U.K. in recent weeks has turned its attention toward the U.S. and has been able to compromise multiple targets in the sector, according to researchers from Google Threat Intelligence Group and Google subsidiary Mandiant. 
  • “Researchers said the same threat actors linked to attacks against U.K. companies are now using well-crafted social engineering techniques against U.S. retail companies.  
  • “The threat group, tracked as UNC3944 or Scattered Spider, is widely considered the prime suspect in the attacks on British firms Harrods, Co-op and M&S, but Mandiant and Google have not formally attributed the intrusions to any specific actor. Researchers said, however, that the hackers behind the U.S. attacks share the same techniques and procedures as the intruders in the British incidents.”

• Dark Reading adds,
  • “While dynamic DNS services have been around for many years, they’ve recently emerged as an integral tool in the arsenals of cybercriminal groups like Scattered Spider.
  • “Dynamic DNS (DDNS) services automatically update a domain name’s DNS records in real-time when the Internet service provider changes the IP address. Real-time updating for DNS records wasn’t needed in the early days of the Internet when static IP addresses were the norm.” * * *
  • “In a blog post last month, threat intelligence vendor Silent Push reported that despite some notable arrests of alleged members in 2024, Scattered Spider was actively engaged in new phishing campaigns targeting well-known enterprises. One of the key findings of the report was a shift in tactics from Scattered Spider members that featured the use of rentable subdomains from dynamic DNS providers like it.com Domains LLC.
  • “In an example of an observed attack, Scattered Spider actors established a new subdomain, klv1.it[.]com, designed to impersonate a similar domain, klv1.io, for Klaviyo, a Boston-based marketing automation company.
  • “Silent Push’s report noted that the malicious domain had just five detections on VirusTotal at the time of publication. The company also said the use of publicly rentable subdomains presents challenges for security researchers.”

• Bleeping Computer points out,
  • “Ransomware gang members increasingly use a new malware called Skitnet (“Bossnet”) to perform stealthy post-exploitation activities on breached networks.
  • “The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025.
  • ‘Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta in Microsoft Teams phishing attacks against the enterprise, and Cactus.”

From the cybersecurity business and defenses front,

• Cyberscoop reports,
  • “Proofpoint has entered into an agreement to acquire Hornetsecurity Group, a Germany-based provider of Microsoft 365 security services, in a deal reportedly valued at more than $1 billion.
  • “The acquisition, described as the largest in Proofpoint’s history, comes amid accelerating consolidation in the cybersecurity industry as companies seek to broaden their offerings to enterprise customers of all sizes. While Proofpoint did not disclose terms, CNBC reports the deal is “well over” $1 billion. 
  • “Hornetsecurity, headquartered in Hannover, Germany, serves more than 12,000 managed service providers (MSPs) and 125,000 small and mid-sized businesses (SMBs) primarily across Europe. According to a press release announcing the deal, Hornetsecurity brings in $160 million in annual recurring revenue, with growth exceeding 20% year over year. 
  • “For Proofpoint, the acquisition provides an entry point into the SMB market through Hornetsecurity’s established MSP network.'” * * *
  • “The transaction comes as Proofpoint, which was taken private by Thoma Bravo in 2021for $12.3 billion, is exploring an IPO, according to the CNBC report.” 
• and
  • “Coinbase responded to a security incident with combative measures Thursday after the company said cybercriminals bribed some of the cryptocurrency exchange’s international support staff to steal data on customers. The unnamed threat group stole personally identifiable information and other sensitive data on less than 1% of Coinbase’s monthly users, the company said in a blog post.
  • “The cybercriminals contacted customers under the guise of an employee at Coinbase in an attempt to dupe people into relinquishing their cryptocurrency. “They then tried to extort Coinbase for $20 million to cover this up. We said no,” the company said.
  • Coinbase flipped the script as part of its response. “Instead of paying this $20 million ransom, we’re turning it around and we’re putting out a $20 million award for any information leading to the arrest and conviction of these attackers,” Coinbase CEO Brian Armstrong said in a video posted on X.
  • “For these would-be extortionists, or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice,” he added.” 

• Dark Reading shares insights on the recent RSAC conference and of course also offers its CISO Corner.

From the cybersecurity and law enforcement front,

• Cyberscoop reports,
  • “Homeland Security Secretary Kristi Noem outlined her plans Tuesday to refocus the Cybersecurity and Infrastructure Security Agency (CISA) on protecting critical infrastructure from increasingly sophisticated threats — particularly from China — while distancing the agency from what she characterized as mission drift under previous leadership.
  • “Speaking at the 2025 RSAC Conference, Noem provided the most detailed vision yet of how the current administration is pushing CISA to a “back-to-basics” approach aimed at hardening defenses against adversaries who have demonstrated capabilities to infiltrate critical systems.”
• and
  • “Threat intelligence sharing is flowing between the private sector and federal government and remains unimpeded thus far by job losses and budget cuts across federal agencies that support the cyber mission, according to executives at major security firms.
  • “Top brass at Amazon, CrowdStrike, Google and Palo Alto Networks said there’s been no change to interactions with the federal government since President Donald Trump was inaugurated earlier this year.
  • “Across multiple interviews and media briefings during the RSAC 2025 Conference this week, none of the leaders at these top cybersecurity companies conveyed any concern about or experience with communication breakdowns. Each of them dismissed the idea that collaboration has slowed down amid significant workforce reductions and strategic changes across the federal government.”

• Earlier this week, the National Institute of Standards and Technology released its FY 2024 Cybersecurity & Privacy Program Annual Report.

• Federal News Network tells us,
  • “While much of the cybersecurity community’s attention was out west at the annual RSA Conference, the Justice Department announced yet another settlement in its pursuit of contractors who falsely attest to meeting cybersecurity requirements.
  • “DoJ announced today that Raytheon Company, RTX Corporation and Nightwing Group have agreed to pay $8.3 million to settle allegations that Raytheon violated the False Claims Act by falling short of contractually mandated cybersecurity standards.
  • “RTX sold its cybersecurity, intelligence and services business to Nightwing in 2024. DoJ’s case centered on conduct between 2015 and 2021, prior to the acquisition.
  • “The case is another feather in the cap for DoJ’s Civil-Cyber Fraud Initiative. Started under the Biden administration, the goal of the initiative is to enforce cybersecurity requirements that many contractors had been ignoring through the False Claims Act.”

• Per the Hacker News,
  • “The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States.
  • “Rami Khaled Ahmed of Sana’a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer. Ahmed is assessed to be currently living in Yemen.
  • “From March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin,” the DoJ said in a statement.”

• Cyberscoop adds,
  • “Federal authorities extradited a Ukrainian citizen to the United States on Wednesday to face charges for participating in a series of ransomware cyberattacks on organizations based in the U.S. and multiple European countries. 
  • “Artem Stryzhak, 35, was arrested in Spain in June 2024 and was scheduled to appear for arraignment Thursday in the U.S. District Court for the Eastern District of New York. Stryzhak is accused of conspiracy to commit fraud and related activity, including extortion.
  • “Prosecutors accuse Stryzhak and his co-conspirators of using Nefilim ransomware to encrypt computer networks in the U.S., Canada, France, Germany, Australia, the Netherlands, Norway and Switzerland between late 2018 to late 2021.
  • “As alleged, the defendant was part of an international ransomware scheme in which he conspired to target high-revenue companies in the United States, steal data, and hold data hostage in exchange for payment. If victims did not pay, the criminals then leaked the data online,” John Durham, U.S. attorney for the Eastern District of New York, said in a statement.”

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “Hackers are increasingly using AI in their attacks and defenders should follow suit, Check Point Software Technologies said in a report published Wednesday.
  • “The company’s AI security report, announced at the 2025 RSAC Conference in San Francisco, also found that one in 13 generative AI prompts contained potentially sensitive information, and one in every 80 prompts posed “a high risk of sensitive data leakage.”
  • “Unauthorized AI tools, data loss, and AI platform vulnerabilities topped the list of AI risks for enterprises, according to Check Point.”
• and
  • “In a report published Tuesday, Google said it saw hackers exploit fewer zero-day vulnerabilities in the wild in 2024 than in 2023.
  • “The company attributed the decrease to improvements in secure software development practices.
  • “Still, Google said it is seeing a “slow but steady” increase in the rate of zero-day exploitation over time.”

• CISA added eight known exploited vulnerabilities to its catalog this week.
• “April 28, 2025
  • “CVE-2025-1976 Broadcom Brocade Fabric OS Code Injection Vulnerability
  • “CVE-2025-42599 Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability
  • “CVE-2025-3928 Commvault Web Server Unspecified Vulnerability”
  • Bleeping Computer discusses these KVEs here.
• “April 29, 2025
  • “CVE-2025-31324 SAP NetWeaver Unrestricted File Upload Vulnerability”
  • Cybersecurity Dive discusses this KVE here.
• “May 1, 2025
  • “CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability
  • “CVE-2023-44221 SonicWall SMA100 Appliances OS Command Injection Vulnerability
  • Cybersecurity News discusses the Apache KVE here.
  • Bleeping Computer discusses the SonicWall KVE here.
• “May 2, 2025
  • “CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability
  • “CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability”
  • Security Affairs discusses these KVEs here.

From the ransomware front,

• Techradar points out,
  • New research has revealed the scale of recent ransomware revolution, warning it remains a dominant threat to organizations worldwide.
  • A Veeam study, which gathered insights from 1,300 CISOs, IT leaders, and security professionals across the Americas, Europe, and Australia, found nearly three-quarters of businesses were impacted by ransomware over the past year.
  • Cybersecurity measures seem to be having some effect, with businesses facing ransomware incidents dropping slightly from 75% to 69% – and ransomware payments are also decreasing, as in 2024, 36% of affected businesses chose not to pay, and 60% of those who did paid less than half of the demanded ransom.

• Dark Reading adds,
  • “Several high-profile retailers based in the UK have suffered cyberattacks in recent weeks, and all signs point to two possible threat actors being behind the campaign.
  • “The National Cyber Security Centre (NCSC), the UK’s primary cyber agency, said on May 1 that it was tracking a series of attacks impacting retailers. NCSC CEO Dr. Richard Horne said in an included statement that the agency was working with affected organizations and that “these incidents should act as a wake-up call to all organizations.”
  • “Co-Op, Marks & Spencer, and Harrods are among the retailers that have confirmed attacks in recent weeks. In an article published May 2, Bloomberg News reported a spokesperson for the DragonForce ransomware gang — a group that emerged as a ransomware-as-a-service (RaaS) player in 2023 — took credit for the attacks against all three retailers.
  • “Last month, researchers from Sophos’ Secureworks reported that DragonForce had an RaaS model where affiliates could create their own “brand,” using DragonForce’s ransomware or using their own tools for extortion attacks.”
• and
  • “The notorious Scattered Spider threat group continues to attack high-value targets despite landing on the receiving end of multiple global law enforcement operations.
  • “Scattered Spider gained notoriety in recent years with high-profile breaches and ransomware attacks against large enterprises, including Las Vegas casino and hotel giants Caesars Entertainment and MGM Resorts in 2023. First emerging in 2022, the group’s members displayed a knack for social engineering schemes that allowed them to steal credentials from targeted organizations and gain privileged access into their networks. * * *
  • Bleeping Computer this week reported that the cyberattack against British retail giant Marks & Spencer was perpetrated by members of the group using DragonForce ransomware. Earlier this month, threat intelligence vendor Silent Push said it had observed significant threat activity, specifically phishing campaigns targeting well-known brands this year, from Chick-fil-A to Louis Vuitton.
• and
  • “RansomHub, an aggressive ransomware-as-a-service (RaaS) operation that gained prominence over the past year in the wake of law enforcement actions against LockBit and ALPHV, appears to have abruptly gone dark earlier this month.
  • “In a new report this week that offers an in-depth look at RansomHub’s affiliate recruitment methods, negotiation tactics, and aggressive extortion strategies, researchers at Group-IB described the operation as inactive since April 1.
  • “Cybercriminals associated with the operation may have migrated to the Russian-language speaking Qilin RaaS operation and are continuing their attacks under that banner, Group-IB said. The security vendor did not offer any explanation for the rapidly growing RansomHub operation’s seemingly sudden and unexpected demise — if that is indeed what it is.”

• TechTarget offers a “look at the [seven] distinct stages of the ransomware lifecycle to better understand how attackers strike — and how defenders might be better able to resist.

From the cybersecurity defense front,

• Cyberscoop reports
  • “Leaders of various federal research agencies and departments outlined a vision Tuesday for the future of critical infrastructure security, emphasizing the promise of combining formal software development methods with large language models (LLMs). 
  • “Acting DARPA Director Rob McHenry told an audience at the RSAC 2025 Conference that such a combination could “virtually eliminate software vulnerabilities” across foundational system infrastructures, a departure from the traditionally accepted risks of software flaws.
  • “We’ve all been trained in a world where we have to accept that there are vulnerabilities in our software, and bad guys exploit those vulnerabilities,” he said. “We try to mitigate the damage and patch them, and we go round on this merry-go-round. That technologically does not need to be true anymore.”
  • “DARPA’s statements came in the context of the AI Cyber Challenge, a public-private collaboration involving industry leaders such as Google, Microsoft, Anthropic and OpenAI. The initiative tests whether advanced AI systems can identify and patch vulnerabilities in open-source software components vital to the electric grid, health care, and transportation.”
• and
  • “Cryptography experts say the race to fend off future quantum-computer attacks has entered a decisive but measured phase, with companies quietly replacing the internet plumbing that the majority of the industry once considered unbreakable.
  • “Speaking at Cloudflare’s Trust Forward Summit on Wednesday, encryption leaders at IBM Research, Amazon Web Services and Cloudflare outlined how organizations are refitting cryptographic tools that safeguard online banking, medical data and government communications. The aim is to stay ahead of quantum machines that, once powerful enough, could decode the math protecting today’s digital traffic.
  • “Over the next five to 10 years you’re going to see a Cambrian explosion of different cryptographic systems,” said Wesley Evans, a product manager for Cloudflare’s research team, referring to an evolutionary period with a rapid diversification of animal life that occurred roughly 540 million years ago.” 

• Dark Reading adds,
  • “Each year, top SANS faculty joins the RSAC conference to present what their community of practitioners and researchers see as the most pressing challenges facing the cybersecurity community for the year to come. This year’s list of top-five threats aren’t merely technical, and tackling them will demand coordinated leadership from the very top of the organization and beyond.
  • “The attack techniques outlined in the SANS RSAC 2025 keynote underscore a common theme: Cybersecurity is no longer confined to the security operations center — it’s a leadership issue that impacts every layer of the enterprise,” according to a SANS media statement. “The threats of tomorrow demand a strategic, integrated response rooted in visibility, agility, and cross-functional alignment.”

• Bleeping Computer notes,
  • “Microsoft has announced that all new Microsoft accounts will be “passwordless by default” to secure them against password attacks such as phishing, brute force, and credential stuffing.
  • “The announcement comes after the company started rolling out updated sign-in and sign-up user experience (UX) flows for web and mobile apps in March, optimized for passwordless and passkey-first authentication.
  • “As part of this simplified UX, we’re changing the default behavior for new accounts. Brand new Microsoft accounts will now be ‘passwordless by default’,” said Joy Chik, Microsoft’s President for Identity & Network Access, and Vasu Jakkal, Corporate Vice President for Microsoft Security.”

• Here is a link to Dark Reading’s CISO Corner.