From the cybersecurity policy and law enforcement front,

• Health ISAC reminds us,
  • “Despite widespread public and private interest in reauthorizing the U.S. Cybersecurity Information Sharing Act of 2015 (“CISA 2015”)[i], we are rapidly approaching September 30th, the date when the Act is set to expire barring congressional action to extend it. With time running short, let’s assess the options still being considered and breakdown how and why reauthorization is going down to the wire.” * * *
  • “The current most likely path for a CISA 2015 reauthorization is not a simple standalone bill that is quickly passed by both chambers. Instead, the most likely path runs through a short term extension as part of a continuing resolution (“CR”) and then through the National Defense Authorization Act (“NDAA”).
  • “For those who are unfamiliar, a CR is a “temporary spending [bill] that [allows] federal government operations to continue when final appropriations have not been approved by Congress and the President. Without final appropriations or a CR, there could be a lapse in funding that results in a government shutdown.”[ii] The NDAA is an annual end of year bill that provides appropriations for the Department of Defense (“DOD”). It is generally considered to be a “must pass” piece of legislation that lawmakers attempt to add otherwise unrelated policy matters.”

• Nextgov/FCW tells us,
  • “Greg Barbaccia, the federal chief information officer, says that the Office of Management and Budget is backing the General Services Administration’s overhaul of FedRAMP, the government’s cloud security assessment and authorization program. 
  • “GSA launched FedRAMP 20x — meant to use more automation in place of annual assessments, cut red tape and speed up authorizations — in March. It announced its phase two pilot on Wednesday.
  • “Barbaccia acknowledged the past problems with FedRAMP at a Wednesday event held by the Alliance for Digital Innovation. 
  • “I have done FedRAMP in my past life,” said Barbaccia, who previously worked at Palantir and more recently at a machine-learning enabled asset manager. “What a pain in the butt.”
  • “The FedRAMP program is planning on pursuing 10 pilot authorizations at the Moderate security level as part of the new phase of FedRAMP 20x, said FedRAMP Director Pete Waterman.”

• Per a Cybersecurity and Infrastructure Security Agency (“CISA”) news release,
  • Today [September 23, 2025], the Cybersecurity and Infrastructure Security Agency (CISA) announced the appointment of Stephen L. Casapulla as the Executive Assistant Director for Infrastructure Security.
  • “I am pleased to have Steve expand his role on CISA’s leadership team,” said Acting Director Madhu Gottumukkala. “With his extensive experience in critical infrastructure security and working with stakeholders, he is perfectly poised to lead our efforts in securing the nation’s critical infrastructure. I look forward to working with him on this important mission.”
  • Prior to joining CISA, Casapulla served as the Director for Critical Infrastructure Cybersecurity in the Office of the National Cyber Director. He previously spent over thirteen years at CISA and its predecessor, holding a variety of senior roles. His prior federal service includes work at the Small Business Administration and at the Department of State in Iraq. He also serves as an officer in the U.S. Navy Reserve, with over twenty years of service and multiple overseas deployments.

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency on Thursday [September 25, 2025,] ordered U.S. government agencies to patch multiple vulnerabilities in Cisco networking products, saying an “advanced threat actor” was using them in a “widespread” campaign.
  • “This activity presents a significant risk to victim networks,” CISA said in an emergency directive that laid out a mandatory timeline for agencies to identify, analyze and patch vulnerable devices.
  • “The hacking campaign — an extension of the sophisticated “ArcaneDoor” operation that Cisco first revealed in April 2024 — has compromised multiple federal agencies, two U.S. officials told Cybersecurity Dive. Both officials requested anonymity to discuss a sensitive and evolving investigation.”

• Cyberscoop adds,
  • “Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.” 
  • “Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.” 
  • “The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action.”

• Dark Reading points out,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) this week disclosed that threat actors breached a federal agency last year by exploiting a critical vulnerability in the open source GeoServer mapping server.
  • “In the advisory, CISA said it conducted incident response at a large, unnamed federal civilian executive branch (FCEB) agency after malicious activity was flagged by the agency’s endpoint detection and response (EDR) platform, but found the agency’s response playbook to be lacking; so lacking in fact that it hampered CISA’s investigation and allowed the attackers to burrow deeper into the network unchecked.

• Cybersecurity Dive adds,
  • “[On September 23, 2025,] the Cybersecurity and Infrastructure Security Agency urged security teams to monitor their systems following a massive supply chain attack that struck the Node Package Manager ecosystem. 
  • “The attack, tracked under the name Shai-Hulud, involved a self-replicating worm that compromised more than 500 software packages, according to StepSecurity. 
  • “After gaining access, a malicious attacker injected malware and scanned the environment for sensitive credentials. The credentials included GitHub Personal Access Tokens and application programming interface keys for various cloud services, including Amazon Web Services, Google Cloud Platform and Microsoft Azure. 
  • “The stolen credentials were uploaded to an endpoint controlled by the attacker and then uploaded to a public repository called Shai-Hulud. 
  • “Researchers at Palo Alto Networks said the attacker used an LLM to write the malicious script, according to an updated blog post released Tuesday.” 

• CISA added one known exploited vulnerability to its catalog this week.
  • September 23, 2025
    • CVE-2025-10585 Google Chromium V8 Type Confusion Vulnerability
      • Cybersecurity News discusses this KVE here.

• Cybersecurity Dive relates,
  • “Hackers are conducting brute force attacks against the MySonicWall.com portal in order to access the company’s cloud backup service for firewalls, SonicWall and federal authorities warned in advisories released Monday [September 22, 2025].
  • “SonicWall said its investigation found that hackers gained access to 5% of backup firewall preference files. The company warned that while credentials inside the files were encrypted, the files contained other information that could help attackers exploit the firewall, according to the advisory.  
  • “SonicWall also released a video explaining the scope of the incident. 
  • “In an advisory on Monday, the Cybersecurity and Infrastructure Security Agency urged customers to log into their accounts to determine whether their devices are at risk.” 

• Cyberscoop reports,
  • “The Secret Service said Tuesday [September 23, 2025] that it disrupted a network of electronic devices in the New York City area that posed imminent telecommunications-based threats to U.S. government officials and potentially the United Nations General Assembly meeting currently underway.
  • “The range of threats included enabling encrypted communications between threat groups and criminals or disabling cell towers and conducting denial-of-service attacks to shut down cell communications in the region. Matt McCool, special agent in charge of the Secret Service’s New York field office, said the agency’s early analysis of the network indicated “cellular communications between foreign actors and individuals that are known to federal law enforcement.”
  • “In all, the agency said it discovered more than 300 servers and 100,000 SIM cards spread across multiple sites within 35 miles of the U.N. meeting. The Secret Service announcement came the same day President Donald Trump was scheduled to deliver a speech to the General Assembly.
  • “The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated,” U.S. Secret Service Director Sean Curran said in a news release.”

• Cyberscoop warns,
  • “Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.
  • “Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who the hackers are behind the malware they’ve dubbed Brickstorm, or how far it stretches. A blog post the company posted Wednesday sheds light on the group.
  • “The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.
  • “By stealing intellectual property from security-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, a kind of vulnerability that is previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.”

• Per Dark Reading,
  • “Salesforce Web forms can be manipulated by the company’s “Agentforce” autonomous agent into exfiltrating customer relationship management (CRM) data — a concerning development as legacy software-as-a-service (SaaS) providers race to integrate agentic AI into their platforms to zhuzh up the user experience and generate buzz among investors.
  • “Agentforce is an agentic AI platform built into the Salesforce ecosystem, which allows users to spin up autonomous agents for most conceivable tasks. As the story often goes though, the autonomous technology appears to be the victim of the complexity of AI prompt training, according to researchers at Noma Security. 
  • “To wit: The researchers have identified a critical vulnerability chain in Agentforce, carrying a 9.4 out of 10 score on the CVSS vulnerability-severity scale. In essence it’s a cross-site scripting (XSS) play for the AI era — an attacker plants a malicious prompt into an online form, and when an agent later processes it, it leaks internal data. In keeping with all of the other prompt injection proofs-of-concept (PoCs) coming out these days, Noma has named its trick “ForcedLeak.”

From the ransomware front,

• Cybersecurity Dive reports,
  • “RTX Corp., the parent firm of Collins Aerospace, confirmed that ransomware was used in the hack of its airline passenger processing software, in a filing with federal regulators. 
  • “The attack, discovered on Sept. 19, has disrupted flights across Europe since last week, including at London’s Heathrow Airport, Brussels Airport, and airports in Berlin and Dublin. 
  • “The Multi-User System Environment software, known as MUSE, is used by multiple airlines to check-in and board passengers and is also used to track baggage, according to the filing with the U.S. Securities and Exchange Commission. 
  • “Virginia-based RTX said the MUSE system operates on a customer-specific network outside of the company’s enterprise network.
  • “U.K. authorities said Wednesday that a man in his 40s had been arrested on suspicion of violating the Computer Misuse Act. The police investigation is ongoing.” 

• Dark Reading points out,
  • “Volvo Group North America (Volvo NA) has been breached via a third-party human resources (HR) software provider.
  • “At the root of the story is Miljödata, a Swedish company specializing in occupational software-as-a-service (SaaS), whose cloud infrastructure was breached in August. Thanks to its centralized, multi-tenant arrangement, hundreds of customers and millions of individuals have been affected. In a recent letter to its staff, Volvo NA, whose parent company is based in Sweden, revealed itself to be one such victim.
  • “Like other Miljödata customers, Volvo NA’s systems were untouched by the attack. Still, its employees’ names and Social Security numbers (SSNs) were stolen, and potentially published to the Dark Web. According to its website, Volvo NA employs just shy of 20,000 people.
  • “For municipalities, universities, and even big corporations like Volvo, this isn’t just a security issue, it’s an integrity issue,” says Anders Askasen, vice president of product marketing at Radiant Logic. “People suddenly wonder whether the systems handling their most sensitive data are fit for the purpose, and with good reason. That loss of confidence is as damaging as the leak itself.”

• Industrial Cyber tells us,
  • “The Rhysida ransomware gang claimed responsibility for a late-August data breach at the Maryland Transit Administration. Exposed data includes names, surnames, dates of birth, driver’s licenses, SSNs, passports, and confidential information.
  • “The group is said to have demanded a ransom of 30 bitcoin, around US $3.4 million at the time of writing, to be paid within seven days. To support its claim, Rhysida posted images of documents allegedly stolen from the MTA, including scans of a Social Security card, driver’s license, passport, and several other records.
  • “Comparitech identified that to prove its claim, Rhysida posted images of what it says are documents stolen from the MTA. They include scans of a Social Security card, driver’s license, passport, and several other documents. 
  • “The Maryland Transit Administration is a division of the state’s Department of Transportation. It operates buses, light rail, subways, commuter trains, taxis, and a paratransit system. The MTA specifically mentioned the paratransit system, MobilityLink, being disrupted by the cyber attack.”

• Per the Record,
  • “Ransomware hackers stole Social Security numbers, financial information and more during a recent cyberattack on Union County in Ohio. 
  • “The county government began sending out breach notifications to 45,487 local residents and county employees this week. The letters say ransomware was detected on the county’s network on May 18, prompting officials to hire cybersecurity experts and notify federal law enforcement agencies.  
  • “The hackers stole documents that had names, Social Security numbers, driver’s license numbers, financial account information, fingerprint data, medical information, passport numbers and more.  
  • “No ransomware gang has taken credit for the attack publicly, and the letters said the county has been monitoring internet sources but have not found any indication the stolen information was released or offered for sale.  
  • “The county has about 71,000 residents and is 45 minutes outside of Columbus — which dealt with its own ransomware attack one year ago.” 

• HIPAA Journal lets us know,
  • “There’s good and bad news on the ransomware front. Attacks are down year-over-year; however, successful attacks are proving even costlier to mitigate, according to the Mid-Year Risk Report from the cyber risk management company Resilience. The company saw a 53% reduction in cyber insurance claims in the first half of the year, which indicates organizations are getting better at preventing attacks; however, when ransomware attacks succeed, they have been causing increased financial harm, with losses 17% year-over-year. While ransomware accounted for just 9.6% of claims in H1, 2025, ransomware attacks accounted for 91% of incurred losses.
  • “On average, a successful ransomware attack causes $1.18 million in damages, up from $1.01 million in 2024, and the cost is even higher in healthcare. Resilience’s healthcare clients suffered average losses of $1.3 million in 2024, and in the first half of 2025, some healthcare providers faced extortion demands as high as $4 million. While it is too early to tell what the severity of claims will be in 2025 until claims are settled, Resilience said there are indications that the average severity of incurred losses for healthcare ransomware attacks this year could be $2 million, up from an average of $705,000 in 2024 and $1.6 million in 2023.”

From the cybersecurity defenses front,

• Cyberscoop advises,
  • “Artificial intelligence is no longer a future concept; it is being integrated into critical infrastructure, enterprise operations and security missions around the world. As we embrace AI’s potential and accelerate its innovation, we must also confront a new reality: the speed of cybersecurity conflict now exceeds human capacity. The timescale for effective threat response has compressed from months or days to mere seconds. 
  • “This acceleration requires removing humans from the tactical security loop. To manage this profound shift responsibly, we must evolve our thinking from abstract debates on “AI safety” to the practical, architectural challenge of “AI security.” The only way to harness the power of probabilistic AI is to ground it with deterministic controls.”

• A Dark Reading commentator recommends that “With the emergence of AI-driven attacks and quantum computing, and the explosion of hyperconnected devices, zero trust remains a core strategy for security operations.”

• Per a CISA news releases,
  • “In today’s increasingly interconnected industrial landscape, operational technology (OT) systems are no longer isolated islands of automation—they’re deeply entwined with information technology and business networks, making them prime targets for cyber threats. Recognizing this growing risk, the Cybersecurity and Infrastructure Security Agency (CISA) collaborated with three U.S. federal agencies and five international partners and received contributions from twelve private sector stakeholders to develop and publish, “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators”.
  • “This key resource helps owners and operators of OT systems create stronger, more secure infrastructures by building a clear inventory and classification of their assets. By identifying, organizing, and managing OT assets effectively, organizations can not only improve cybersecurity but also enhance operational reliability, safety, and resilience.”

• Per National Institute of Standards news releases,
  • “NIST has released Special Publication (SP) 800-88r2 (Revision 2), Guidelines for Media Sanitization.
  • “Media sanitization is a process that renders access to the target data on media infeasible for a given level of effort. This guide will assist organizations and system owners in setting up a media sanitization program with proper and applicable methods and controls for sanitization and disposal based on the sensitivity of their information.”
• and
  • “NIST has released Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. It is the final document in the SP 800-90 series, which supports the generation of high-quality random bits for cryptographic and non-cryptographic use.
  • “SP 800-90C specifies constructions for implementing random bit generators (RBGs) that include deterministic random bit generator (DRBG) mechanisms as specified in SP 800-90A and use entropy sources as specified in SP 800-90B.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• The Wall Street Journal reports,
  • “The collapse on Friday [September 19] of an emergency federal funding bill leaves the fate of cybersecurity legislation that provides legal protection for companies sharing cyber-threat intelligence up in the air.
  • Without a reprieve of the expiring cyber legislation that had been included in the funding bill, companies face uncertainty on how to communicate about cyber threats as competing reauthorization bills work through a divided House and Senate.
  • “Both the private sector and the government need certainty, including the ability to allocate resources for long-term cybersecurity planning and implementation,” said Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce. 
  • The 2015 Cybersecurity Information Sharing Act, or CISA, is set to expire at the end of September. Friday’s scuttled emergency funding measure, which applied to a number of federal programs and sought to avert a government shutdown, would have given lawmakers more time [until November 21] to iron out critical differences between House and Senate versions of CISA renewal bills. * * *
  • “A notable difference in the House bill is the forward-thinking inclusion of artificial intelligence in the renewal,” said Justine Phillips, a partner and co-chair of the data and cyber practice group at law firm Baker McKenzie. Despite these updates, she said, “the House bill is the functional equivalent of extending the act as is, because it leaves the legal liability protections intact.”
  • “The cyber bill’s renewal by the Senate may prove more problematic, cybersecurity experts say.”

• Cyberscoop informs us,
  • “Federal agencies are increasingly incorporating artificial intelligence into the cyber defenses of government networks, and there’s more still to come, acting Federal Chief Information Security Officer Michael Duffy said Thursday.
  • “We’re at an exciting time in the federal government to see that we’re not only putting AI in production, but we’re finding ways to accelerate emerging technology across the government, across all missions and all angles,” Duffy said at FedTalks, produced by Scoop News Group. In his “role overseeing federal cybersecurity policy,” he said, he is “able to see these at the ground level, as agencies bring excitement and enthusiasm and hope for what they can optimize through artificial intelligence.”
  • “Cyber attackers are moving faster than ever, and on a much larger scale than before, he said. They’re also using technology in new ways. But it’s not all “doom and gloom” when it comes to the cybersecurity of federal networks, especially because of feds’ move toward AI, Duffy said.
  • “I’m pleased to say that the advancements that we’ve made over the past decade in the federal government have brought us to this point: Agencies are poised now, postured, positioned, to take advantage of new capabilities, bring them into federal agencies and make them work for the mission,” he said.”

• In related news, Cybersecurity Dive tells us,
  • “The National Institute of Standards and Technology on Thursday [September 18] published guidance describing how implementation of post-quantum cryptography (PQC) both supports and relies on the safeguards in the agency’s major cybersecurity publications.
  • “The draft NIST document, derived from the output of the agency’s PQC migration project, is designed to illustrate the connections between the tools required for adopting quantum-resistant encryption and the security practices that NIST recommends in its Cybersecurity Framework and other guidance.
  • “The capabilities demonstrated in the project support several security objectives and controls identified” in other NIST guidance documents, the agency said in its new publication. “At the same time, responsible implementation of the demonstrated capabilities is dependent on adherence to several security objectives and controls identified in these risk framework documents.”
  • “Collecting information about which technologies use cryptography supports the Cybersecurity Framework practices of creating hardware and software inventories, the document notes. Similarly, analyzing cryptographic weaknesses supports the CSF practice of identifying vulnerabilities in technology assets.”

• A September 19, 2025, NIST news release adds,
  • “To help organizations protect their data against possible future attacks from quantum computers, the National Institute of Standards and Technology (NIST) has released a publication offering guidelines for implementing a class of post-quantum cryptography (PQC) algorithms known as key-encapsulation mechanisms, or KEMs.
  • “A KEM is a set of algorithms that can be used by two parties to securely establish a shared secret key over a public channel — a sort of first handshake between parties that want to exchange confidential information. Recent examples of KEMs include ML-KEM and HQC.
  • The new publication, Recommendations for Key-Encapsulation Mechanisms (NIST Special Publication 800-227), describes the basic definitions, properties and applications of KEMs and provides recommendations for implementing and using KEMs securely.

• Cyberscoop reports,
  • “Two teenagers were arrested in the United Kingdom this week, accused of associating with the sprawling criminal collective known as The Com, and participating in many high-profile and damaging cyberattacks on critical infrastructure globally.
  • “Thalha Jubair, 19 of London, and Owen Flowers, 18 of Walsall, England, were arrested at their residences Tuesday and charged with crimes related to the cyberattack on the Transport for London in September 2024, the U.K.’s National Crime Agency said.
  • “Jubair and Flowers were allegedly highly involved in many other cyberattacks attributed to Scattered Spider, a nebulous offshoot of The Com that commits ransomware and data extortion. The Com is composed of thousands of members, splintered into three primary subsets of interconnected networks that commit swatting, extortion and sextortion of minors, violent crime and various other cybercrimes, according to the FBI.
  • “The Justice Department on Thursday unsealed charges against Jubair, a U.K. national, accusing him of participating in at least 120 cyberattacks as part of Scattered Spider’s sweeping extortion scheme from May 2022 to September 2025, including 47 U.S.-based organizations. Victims of those attacks paid at least $115 million in ransom payments, authorities said.”

From the cybersecurity vulnerabilities and breaches front,

• While CISA did not add any known exploited vulnerabilities to its catalog this week, SC Media lets us know,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 18 issued a malware analysis report on two sets of malicious code from an organization compromised by threat actors exploiting two bugs in the Ivanti Endpoint Manager Mobile (EPMM) tool.
  • “CISA said the malware exploited two CVEs – CVE-2025-4427 and CVE-2025-4428. After exploitation, the malware let the threat actors inject and run arbitrary code on the compromised server.
  • “Lawrence Pingree, technical evangelist at Dispersive Holdings, said malware that’s instrumented to target specific vulnerabilities in centralized endpoint management solutions like these Ivanti tools is incredibly important to defend against.
  • “Isolating and microsegmenting sensitive systems like this is essential. Patching rapidly, ideally with an automated process, is essential in defending against vulnerabilities,” said Pingree.”

• Per Dark Reading,
  • “Security vendor SonicWall suffered a data breach that exposed customer firewall configuration file backups.
  • “On Sept. 17, SonicWall, a vendor best known for its network security appliances, published a knowledge base article disclosing what it described as a “cloud backup file incident.” The company said its security teams recently detected “suspicious activity targeting the cloud backup service for firewalls” and confirmed it to be a security event in the past few days.
  • “Unidentified threat actors accessed backup firewall preference files stored in the cloud representing “fewer than 5% of our firewall install base,” according to SonicWall. Attackers were able to access encrypted credentials as well as firewall configuration files “that could make it easier for attackers to potentially exploit the related firewall.”
  • “We are not presently aware of these files being leaked online by threat actors,” SonicWall said in its disclosure. “This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.”
    
• Per Cyberscoop,
  • “Researchers warned that a maximum-severity vulnerability affecting GoAnywhere MFT bears striking similarities with a widely exploited defect in the same file-transfer service two years ago.
  • “Fortra, the cybersecurity vendor behind the product, disclosed and released a patch for the vulnerability — CVE-2025-10035 — Thursday. The deserialization vulnerability “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” the company said in a security advisory.
  • “File transfer services are a valuable target for attackers because they store a lot of sensitive data. If cybercriminals exploit these services, they can quickly access information from many users at once, making these services especially attractive for large-scale attacks. 
  • “Fortra didn’t provide any evidence of active exploitation and researchers from multiple security firms said they haven’t observed exploitation but expect that to change soon. “We believe that it’s just a matter of time and are monitoring the situation closely,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.
  • “The vulnerability, which has a CVSS rating of 10, is “virtually identical to the description for CVE-2023-0669,” a zero-day vulnerability exploited by Clop, resulting in attacks on more than 100 organizations, and at least five other ransomware groups, Caitlin Condon, vice president of security research at VulnCheck, said in a blog post.”
• and
  • “Apple’s latest operating systems for its most popular devices — iPhones, iPads and Macs — include patches for multiple vulnerabilities, but the company didn’t issue any warnings about active exploitation. 
  • “Apple patched 27 defects with the release of iOS 26 and iPadOS 26 and 77 vulnerabilities with the release of macOS 26, including some bugs that affected software across all three devices. Apple’s new operating systems, which are now numbered for the year of their release, were published Monday as the company prepares to ship new iPhones later this week.
  • “Users that don’t want to upgrade to the latest versions, which adopt a translucent design style Apple dubs “liquid glass,” can patch the most serious vulnerabilities by updating to iOS 18.7 and iPad 18.7 or macOS 15.7. Most Apple devices released in 2019 or earlier are not supported by the latest operating systems.
  • “None of the vulnerabilities Apple disclosed this week appear to be under active attack, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop.”

• Cybersecurity Dive points out,
  • “Most companies worry their networks aren’t safe against cyberattacks powered by artificial intelligence.
  • “Only 31% of IT leaders are at least somewhat confident that they can defend their organizations against AI-powered attacks, according to a Lenovo report published on Thursday.
  • “The report delves into why IT and security leaders are worried about hackers’ use of AI — and why they see their companies’ own use of AI systems as vulnerable.”
• and
  • “The number of healthcare organizations that have lost more than $200,000 to cyberattacks has quadrupled this year compared with the same period in 2024, data security firm Netwrix said in a report published Thursday [September 19].
  • “Nearly half of all healthcare organizations (48%) experienced at least one intrusion between March 2024 and March 2025, the report found.
  • “Healthcare organizations experienced more cyberattack-related losses of at least $500,000 than critical infrastructure firms did, on average: 12% of healthcare organizations, compared with 6% of all organizations.”

From the ransomware front,

• Infosecurity Magazine reports,
  • “Fifteen well-known ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, have announced that they are shutting down their operations.
  • “The collective announcement was posted on Breachforums, where the groups claimed they had achieved their goals of exposing weaknesses in digital infrastructure rather than profiting through extortion.
  • “In their statement, the gangs said they would now shift to “silence,” with some members planning to retire on the money they had accumulated, while others would continue studying and improving the systems people rely on daily.” * * *
  • “Organizations should take these announcements with a pinch of salt,” Nivedita Murthy, senior staff consultant at Black Duck, said.
  • “It could be possible that some of these groups may have decided to step back and enjoy their payday, [but] it does not stop copycat groups from rising up and taking their place.”

• IT Pro discusses the “top ransomware trends for businesses in 2025. A splintering of top groups and changing attitudes toward payments are changing attacker tactics at speed.”

• Morphisec calls attention to “The Top Exploited Vulnerabilities Leading to Ransomware in 2025 — and How to Stay Ahead.” 

From the cybersecurity defenses front,

• The American Hospital Association News reports,
  • “Microsoft Sept. 16 announced it had disrupted a growing phishing service that had targeted at least 20 U.S. health care organizations. The company said it used a court order granted by the U.S. District Court for the Southern District of New York to seize 338 websites associated with RaccoonO365, a cyber threat group known for stealing Microsoft 365 credentials through phishing tactics. RaccoonO365 offers subscription-based phishing kits that allow individuals to steal Microsoft credentials by mimicking official Microsoft communications. The company said the phishing kits use Microsoft branding to create fraudulent emails, attachments and websites. Since July 2024, the kits have stolen at least 5,000 Microsoft credentials from individuals in 94 countries. The group was recently observed offering a new artificial intelligence-powered service in an attempt to scale their operations.
  • “Credentials stolen through RaccoonO365 enabled ransomware attacks against hospitals, posing a direct threat to patient and community safety,” said John Riggi, AHA national advisor for cybersecurity and risk. “This operation also highlights a disturbing trend — cybercriminals’ increased use of ‘initial access brokers’ to steal credentials and AI to accelerate the effectiveness, sophistication and impact of cyberattacks. The need for continued and evolving social engineering training for staff is essential to defend against the latest deception tactics used by hackers.”

• Cybersecurity Dive tells us,
  • “Preemptive cybersecurity solutions will account for about half of all IT security spending by the year 2030, a significant increase from its 5% share in 2024, Gartner said in a report published Thursday.
  • “Preemptive cybersecurity will effectively replace standard detection and response technologies as the preferred defense against malicious hacking, Gartner predicted.
  • “The technology uses artificial intelligence and machine learning to anticipate threats and then neutralize them before they can compromise their targets, according to researchers.”

• Security Week reflects on the fifteen anniversary of the Zero Trust strategy.
  • “The implementation of zero trust is essential for cybersecurity: but after 15 years, we’re still not there. Implementation is like the curate’s egg: good in parts.
  • “Zero Trust turned fifteen years old on September 14, 2025. Its invention was announced with Forrester’s publication of John Kindervag’s paper, No More Chewy Centers: Introducing The Zero Trust Model of Information Security, on that date in 2010 (archived here).
  • “Zero trust recognizes that treating cybersecurity like an M&M (a hard crunchy shell impenetrable to hackers protecting a soft chewy center where staff can work freely and safely) simply doesn’t work. “Information security professionals must eliminate the soft chewy center by making security ubiquitous throughout the network, not just at the perimeter,” wrote Kindervag.
  • “This is the basis of zero trust (or ZT): abandon the old concept of a barrier between two separate networks (one untrusted: the internet; and one trusted: the enterprise). Instead, trust nothing and verify everything, regardless of source or destination. The concept is sound and rapidly gained approval, culminating in EO14028 mandating that federal agencies must move toward a zero trust architecture while private companies should do similar – but never defining how it could be achieved.
  • “There’s the rub. Zero trust is fundamentally a concept where implementation will depend on individual different corporate ecospheres.”

• Dark Reading recommends “Transforming Cyber Frameworks to Take Control of Cyber-Risk.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Nextgov/FCW reports,
  • “A top Cybersecurity and Infrastructure Security Agency official said the agency is prepared to accept any extension Congress authorizes for a fundamental cybersecurity threat intelligence-sharing law, which is set to expire Sept. 30 unless renewed by lawmakers.
  • “We’ll take whatever the Congress decides to authorize us, wherever they see fit within their purview, to authorize and to give us our authorities to be able to use,” Nick Andersen, CISA’s executive assistant director for cybersecurity, told reporters Thursday [September 11] on the sidelines of the Billington Cyber Summit.
  • “The Cybersecurity Information Sharing Act of 2015 lets private sector providers freely transmit cyber threat information to government partners with key liability protections in place, shielding firms from lawsuits and regulatory penalties when sharing threat data with the government.
  • “So at this point, I think my primary concern is if it lapses,” Andersen added. “Give us 30 days for the Congress to do what they need to do. Give us two years. Give us ten years. Give us 50. Whatever you take, we’ll take it. Obviously, we love stability for the organization and stability for our partners to understand how we’re going to protect and exchange information. But really, that’s up to Congress.”

• Cyberscoop tells us,
  • “The Cybersecurity and Infrastructure Agency is delaying finalization of a rule until May of next year that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.
  • “Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.
  • “A CISA official told CyberScoop that the move would give the agency time to consider streamlining and reducing the burden on industry of a previously proposed version of the rule, citing public comments in response to that version, as well as harmonizing the law with other agencies’ cyber regulations.”

• Cybersecurity Dive lets know,
  • “National Cyber Director Sean Cairncross said [on September 9] the Trump administration plans a whole-of-nation approach in order to combat the threat of malicious cyberattacks from the U.S.’s top geopolitical rivals. 
  • “Cairncross delivered the opening keynote at the Billington Cybersecurity Summit, saying the administration will push forward an aggressive new posture to counter the risks presented by authoritarian regimes like China.” * * *
  • “The Billington keynote marks the first major public remarks by Cairncross since he won Senate confirmation to lead the Office of the National Cyber Director in August.” 

• FedScoop informs us,
  • “The U.S. government’s acting chief information security officer outlined his three priorities for federal cyber officials over the next year at a cybersecurity event in Washington on Tuesday [September 9], emphasizing the need for collaboration across the government.  
  • “During a fireside chat at the Billington Cybersecurity Summit, acting cyber chief Michael Duffy said focusing enterprise cyber defense, increasing operational resilience, and securing a modern U.S. government are the areas he’s outlined as priorities for the next year in conversations with the federal cyber leaders on the CISO Council. 
  • “He also previewed an upcoming tabletop exercise the CISO Council will be doing in the next month to address operational resilience.” 

• Cybersecurity Dive points out,
  • “The Cybersecurity and Infrastructure Security Agency said it remains firmly committed to supporting and further enhancing the Common Vulnerabilities and Exposures program, which is a critical program for identifying and mitigating software flaws that can expose computer systems to exploitation. 
  • “Nick Andersen, the new executive assistant director for cybersecurity at CISA, expressed staunch support for the CVE program during a discussion on Thursday at the Billington Cybersecurity Summit in Washington, D.C. 
  • “CISA on Wednesday [September 10] released a road map that outlined its priorities for the CVE program, with the full intention to further develop the program and create a plan for robust funding and wider participation. 
  • Andersen told reporters after the presentation that it’s “exceedingly important” for CISA to be able to grow and expand the program.
  • “The feedback that we’ve gotten consistently is people are looking for somebody to call objective balls and strikes out there,” Andersen said. 

• Per Federal News Network,
  • “The Pentagon will soon issue more details on its much-hyped effort to “blow up” the Risk Management Framework used to accredit software.
  • “Katie Arrington, who is performing the duties of the Defense Department chief information officer, said DoD will unveil the “10 commandments” of the “new RMF” in the next couple of weeks. DoD’s work to revamp how it accredits software has been a top discussion point in federal technology circles in recent months.
  • “It’s the 10 tenants of the new RMF,” Arrington said at the Billington Cyber Summit on Thursday.

• Cyberscoop notes,
  • “The Department of Justice unsealed an indictment against a Ukrainian national alleged to be central to a ransomware campaign affecting hundreds of companies worldwide. 
  • “Volodymyr Viktorovych Tymoshchuk, known online as “deadforz,” “Boba,” “msfv,” and “farnetwork,” is accused of developing and deploying ransomware variants Nefilim, LockerGoga, and MegaCortex, all of which have been used in attacks on prominent organizations in the United States, Europe, and elsewhere since at least 2018.
  • “According to the indictment, filed in the Eastern District of New York, Tymoshchuk and his alleged co-conspirators are believed to have extorted more than 250 companies across the U.S. and hundreds more globally, generating tens of millions of dollars in damages. Victims suffered not just the loss of data and disabling of business operations, but high mitigation and recovery costs. * * *
  • “Additionally, the State Department announced rewards totaling up to $10 million for information leading to the arrest or conviction of Tymoshchuk, with a separate reward of up to $1 million for information on other key leaders of the groups deploying the ransomware variants.”

From the cybersecurity vulnerabilities and breaches front,

• CISA added one known exploited vulnerability to its catalog this week.
  • September 11, 2025
    • CVE-2025-5086 Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
      • Bleeping Computer discusses this KVE here.
        
• Cybersecurity Dive reports,
  • “A sophisticated phishing-as-a-service operation has been targeting Google and Microsoft accounts and can bypass traditional defense mechanisms, including multifactor authentication, researchers at Okta Threat Intelligence warned in a blog post on Thursday, 
  • “The phishing operation, dubbed VoidProxy, uses adversary-in-the-middle techniques to bypass normal authentication flow. 
  • “Researchers first learned of attacks linked to the operation in January, but Dark Web advertisements for VoidProxy appear to have begun as early as August 2024, according to Okta researchers. The attacks are ongoing, and Okta said they have targeted valuable accounts.”  * * *
  • “Google agrees with recommendations in the Okta report that users should adopt passkeys as a strong method to protect against phishing, the spokesperson added.
  • “Microsoft declined to comment, however a spokesperson provided a link with general mitigation guidance.”

• Dark Reading adds,
  • “A recent phishing campaign that used the Salty2FA phishing kit demonstrates how the cybercriminal enterprise continues to evolve to the point where adversarial tools are nearly on par with enterprise-grade software, experts said.
  • “Researchers from Ontinue tracked a campaign using the phishing kit that shows various technical innovations in which cybercriminals are approaching phishing infrastructure “with the same methodical planning that enterprises use for their own systems,” Rhys Downing, an Ontinue threat researcher, wrote in a blog post published Tuesday.”

• CSO tells us,
  • “Attackers are increasingly exploiting generative AI by embedding malicious prompts in macros and exposing hidden data through parsers.
  • “The switch in adversarial tactics — noted in a recent State of File Security study from OPSWAT — calls for enterprises to extend the same type of protection they already apply to software development pipelines into AI environments, according to experts in AI security polled by CSO.
  • “Broadly speaking, this threat vector — ‘malicious prompts embedded in macros’ — is yet another prompt injection method,” Roberto Enea, lead data scientist at cybersecurity services firm Fortra, told CSO. “In this specific case, the injection is done inside document macros or VBA [Visual Basic for Applications] scripts and is aimed at AI systems that analyze files.”
  • “Enea added: “Typically, the end goal is to mislead the AI system into classifying malware as safe.”

• Per InfoSecurity Magazine,
  • “People are often described as one of the biggest security threats to any organization. At first glance, it would be hard to argue with such a sweeping statement.
  • “Whether the result of malice or negligence, the ‘human element’ featured in around 60% of data breaches over the past year, according to Verizon. A recent spate of attacks targeting corporate Salesforce instances highlights the evolving nature of the social engineering threat – and just what’s at stake.
  • “The challenge for CISOs is that insider risk is not just about negligence. Those intent on wrongdoing are usually harder to spot and exact a much heavier toll on their employer. To coincide with International Insider Threat Awareness Month, we take a look at what CISOs can do to push back the tide.”
  • Check it out.

From the ransomware front,

• Here are links to updates on recovery from the ransomware attacks against the State of Nevada and the City of St. Paul, Minnesota.

• Per Security Week,
  • “Ransomware remains the primary digital threat to business. Phishing, often the initial point of failure, further expands into voice triggered transfer fraud.
  • “An analysis of risk based on cyberinsurance claims history provides an accurate overview of the true risk of cybercrime. It doesn’t provide a full global picture of risk since it can only be drawn from known cyberinsurance claims. Resilience is a cyberinsurance provider with a deep knowledge of cybersecurity.
  • “There are three major takeaways from the 2025 Midyear Cyber Risk Report produced by Resilience: vendor-related risk is down but still significant; ransomware remains the main threat; and phishing has leapt to clear prominence as the most common point of failure (aided in scale and sophistication by AI).
  • “The report notes a reduction in vendor-related risk (down from 22% of incurred losses in 2024 to 15% in H1 2025), but stresses that the downstream loss to affected companies remains high. “While incidents dropped in frequency, clients who experienced business interruption from a vendor-related incident had significant losses that rivaled losses from companies directly affected by ransomware.” This is an unseen risk that can only be addressed by continuously monitoring the vendors’ security posture.”

• Per Check Point Research,
  • “First observed on September 5, Yurei is a newly emerged ransomware group that targeted a Sri Lankan food manufacturing company as its first leaked victim. The group follows a double-extortion model: they encrypt the victim’s files and exfiltrate sensitive data and then demand a ransom payment to decrypt and refrain from publishing the stolen information.
  • “Check Point Research (CPR) determined that Yurei’s ransomware is derived with only minor modifications from Prince-Ransomware, an open-source ransomware family written in Go. This highlights how open-source malware significantly lowers the barrier to entry for cybercriminals, enabling even less-skilled threat actors to launch ransomware operations.
  • “Yurei’s ransomware contains a flaw that may allow partial recovery through Shadow Copies, but the group primarily relies on data-theft-based extortion. As they stated on their blog, the fear and implications of data leakage are their main pressure point to get victims to pay the ransom.
  • “Since the first victim was listed on September 5, the number of victims has risen to three so far, pointing to a fast-growing operation.
  • “The investigation revealed hints that the threat actor’s origins may be in Morocco.”

• Per Cyberscoop,
  • “Researchers and authorities are warning that Akira ransomware attacks involving exploits of a year-old vulnerability affecting SonicWall firewalls are on the rise. 
  • “A burst of about 40 attacks linked to CVE-2024-40766 hit SonicWall firewalls between mid-July and early August. Researchers have since observed another wave of ransomware attacks linked to active exploits of the defect, which affects the secure sockets layer (SSL) VPN protocol in multiple versions of SonicWall firewalls, and configuration errors. 
  • “Rapid7 has responded to a “double-digit number of attacks” related to the vulnerability and a series of misconfigurations in victim environments, the company said, expanding on a blog it published earlier this week.
  • “The Australian Cyber Security Centre also issued an advisory Wednesday noting that it, too, is responding to a recent increase in active exploitation of the defect. “We are aware of the Akira ransomware targeting vulnerable Australian organizations through SonicWall SSL VPNs,” the agency said.”

• Per PC World,
  • “It’s a story almost as old as time: malware is wreaking havoc on Android devices again. Usually, Android malware aims to steal sensitive data and passwords in order to gain access to online accounts. Less commonly, it installs ransomware to extort large sums of money from users.
  • “A particularly dangerous malware variant that combines both techniques has now been discovered by security experts at ThreatFabric. Known as RatOn, the Trojan infiltrates an Android phone, accesses data, empties bank accounts, then locks the device to blackmail the owner.” * * *
  • “In the case of RatOn, the Trojan likely lands on Android devices through fake apps. Users are redirected to pages that imitate the Google Play Store, where attackers offer applications disguised as common social media apps like TikTok—except it’s malware.: * * *
  • To protect yourself, you should always check whether an app comes from a trustworthy provider. You should also always activate Google Play Protect in the Google Play Store so that apps are scanned for viruses and malware before they’re installed on your device.

• Bleeping Computer warns,
  • “A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition.
  • “HybridPetya appears inspired by the destructive Petya/NotPetya malware that encrypted computers and prevented Windows from booting in attacks in 2016 and 2017 but did not provide a recovery option.
  • “Researchers at cybersecurity company ESET found a sample of HybridPetya on VirusTotal. They note that this may be a research project, a proof-of-concept, or an early version of a cybercrime tool still under limited testing.

• Cyberscoop adds,
  • “Researchers at New York University have taken credit for creating a piece of malware found by third-party researchers that uses prompt injection to manipulate a large language model into assisting with a ransomware attack.
  • “Last month, researchers at ESET claimed to have discovered the first piece of “AI-powered ransomware” in the wild, flagging code found on VirusTotal. The code, written in Golang and given the moniker “PromptLock,” also included instructions for an open weight version of OpenAI’s ChatGPT to carry out a series of tasks — such as inspecting file systems, exfiltrating data and writing ransom notes.
  • “ESET researchers told CyberScoop at the time that the code appeared to be unfinished or a proof of concept. Other than knowing it was uploaded by a user in the United States, the company had no further information about the malware’s origin. 
  • “Now, researchers at NYU’s Tandon School of Engineering have confirmed that they created the code as part of a project meant to illustrate the potential harms of AI-powered malware.”
  • In a corresponding academic paper, the researchers call the project “Ransomware 3.0” and describe it as a new attack method. This technique “exploits large language models (LLMs) to autonomously plan, adapt, and execute the ransomware attack lifecycle.”

From the cybersecurity business and defenses front,

• Cyberscoop informs us,
  • “Major cyber intrusions by the Chinese hacking groups known as Salt Typhoon and Volt Typhoon have forced the FBI to change its methods of hunting sophisticated threats, a top FBI cyber official said Wednesday.
  • “U.S. officials, allied governments and threat researchers have identified Salt Typhoon as the group behind the massive telecommunications hack revealed last fall but that could have been ongoing for years. Investigators have pointed at Volt Typhoon as a group that has infiltrated critical infrastructure to cause disruptions in the United States if China invades Taiwan and Americans intervene.
  • “Those hacks were stealthier than in the past, and more patient, said Jason Bilnoski, deputy assistant director of the FBI’s cyber division. The Typhoons have focused on persistent access and gotten better at hiding their infiltration by using “living off the land” techniques that involve using legitimate tools within systems to camouflage their efforts, he said. That in turn has complicated FBI efforts to share indicators of compromise (IOCs).
  • “We’re having to now hunt as if they’re already on the network, and we’re hunting in ways we hadn’t before,” he said at the Billington Cybersecurity Summit. “They’re not dropping tools and malware that we used to see, and perhaps there’s not a lot of IOCs that we’d be able to share in certain situations.”

• The Wall Street Journal reports,
  • “Japanese industrial giant Mitsubishi Electric said Tuesday that it intends to acquire U.S. cybersecurity company Nozomi Networks in a deal valued at about $1 billion.
  • “Nozomi will become a wholly owned subsidiary of Mitsubishi Electric under the terms of the deal and operate independently. The transaction value includes $883 million in cash as well as previous equity.
  • “Nozomi raised $100 million in a 2024 Series E funding round that included several heavyweights in operational technology, such as Mitsubishi Electric and Schneider Electric. Previous investors included Honeywell; the U.S. Central Intelligence Agency’s venture arm, In-Q-Tel; and Johnson Controls. 
  • “Nozomi Chief Executive Edgard Capdevielle said the company will continue to provide services to those prior investors and other companies after the acquisition, which is expected to close in the fourth quarter. 
  • “The fact that we’re now a wholly owned subsidiary of Mitsubishi does not change the fact that we will continue to be vendor-agnostic,” he said.”

• Dark Reading adds,
  • “F5, a software company that improves application speed and security, today announced its plans to acquire CalypsoAI, a provider of adaptive artificial intelligence (AI) security capabilities. CalypsoAI’s technology will be integrated into the F5 Application Delivery and Security Platform (ADSP), F5 said.
  • Founded in 2018, CalypsoAI focuses on real-time protection against threats targeting AI applications and models, such as prompt injection and jailbreaking. The platform brings threat defense, red teaming at scale, and data security to businesses preparing to launch or adopt generative and agentic AI. CalypsoAI came in second place at RSAC Conference’s Innovation Sandbox earlier this year as a company that protects models and agents with prompt firewalls.
  • “By integrating CalypsoAI features into ADSP, F5 hopes to build modern firewalls and point solutions that can secure AI models, agents, and data flows. Traditional options “can’t keep up,” said François Locoh-Donou, president and CEO of F5, in a statement.”

• Here’s a link to Dark Reading’s CISO Corner.