From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive reports,
  • Congress moved one step closer to reauthorizing a key cyber threat information-sharing law on Thursday during a hearing that highlighted both the act’s value and potential shortcomings.
  • The House Homeland Security Committee’s cyber subcommittee held the hearing [on May 15] to evaluate the private sector’s satisfaction with the 2015 Cybersecurity Information Sharing Act, which expires on Sept. 30. Witnesses from the tech industry praised the law for encouraging companies to share cyber threat indicators with each other and with federal agencies, but they also offered lawmakers suggestions for how to improve the program.”

• Defensescoop tells us,
  • “The Department of Defense has expanded its number of cyber teams by 12, with two more slated to come online in the next few years, according to a spokesperson.
  • “The cyber mission force began building in 2012, and the initial 133 teams reached full operational capability in 2018. In DOD’s fiscal 2022 budget request, U.S. Cyber Command proposed and was eventually approved for a phased approach to add 14 additional cyber mission force teams beyond the original 133. That request and authorization in 2021 was the first substantial effort to grow that force since it was designed almost a decade ago, long before modern and advanced threats had surfaced.
  • “In 2021, the Secretary of Defense directed the creation of 14 New cyber teams by September 2028. Of the 14 teams, 12 have been established. These teams are spread across Army, Air Force, and Navy Commands,” a Cybercom spokesperson said.
  • “They declined to offer specifics regarding how many additional teams each service received or what types of teams those additional builds provided to each service — such as offensive, defensive or support teams — citing operational security.”

• Per a May 15 HHS press release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Vision Upright MRI, a small California health care provider that conducts magnetic resonance imaging and related services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification and Security Rules. The settlement resolves an OCR investigation concerning the breach of an unsecured server containing the medical images of 21,778 individuals.” * * *
  • “Under the terms of the resolution agreement, Vision Upright MRI agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $5,000 to OCR.” 
  • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hhs-ocr-hipaa-racap-vum/index.html“
    
• Cyberscoop informs us,
  • “Federal authorities seized two domains and indicted four foreign individuals for alleged involvement in a long-running botnet service that infected older wireless internet routers, the Justice Department said Friday. 
  • “The malware created for the botnet allowed infected routers to be reconfigured, which granted unauthorized access to third parties and made the routers available for sale as proxy servers on Anyproxy.net and 5socks.net, according to law enforcement officials. Both domains, which were managed by a company headquartered in Virginia and hosted on servers worldwide, now render seizure notices under an effort the DOJ and FBI dubbed “Operation Moonlander.”
  • “The 5socks.net website claimed to be in operation for over 20 years and had more than 7,000 proxies for sale worldwide for a monthly subscription of $9.95 to $110 per month, according to prosecutors. The botnet’s overseas operations were also seized and disabled by law enforcement agencies in the Netherlands and Thailand.
  • “Authorities also indicted the botnet’s alleged administrators and charged them with conspiracy and damage to protected computers, for conspiring with others to maintain, operate and profit from the bot.”
• and
  • Liridon Masurica, the alleged lead administrator of cybercrime marketplace BlackDB.cc, was extradited to the United States on Friday and faces charges that carry a maximum penalty of 55 years in federal prison, the Justice Department said Tuesday. 
  • Masurica, 33, who is also known as “@blackdb,” was arrested by authorities in Kosovo on Dec. 12. He made his initial appearance in federal court in Tampa, Fla., on Tuesday and was ordered detained pending a trial. 
  • Federal prosecutors charged Masurica with one count of conspiracy to commit access device fraud and five counts of fraudulent use of 15 or more unauthorized access devices.
  • Masurica, of Gjilan, Kosovo, is accused of running BlackDB.cc since 2018. The cybercriminal marketplace offered to sell compromised account and server credentials, credit card information and other personally identifiable information of individuals mostly located in the United States, the DOJ said.

From the cybersecurity breaches and vulnerabilities front,

• Cyberscoop reports,
  • “Hundreds of victims are surfacing across the world from zero-day cyberattacks on Europe’s biggest software manufacturer and company, in a campaign that one leading cyber expert is comparing to the vast Chinese government-linked Salt Typhoon and Volt Typhoon breaches of critical infrastructure.
  • “The zero-days — vulnerabilities previously unknown to researchers or companies, but that malicious hackers have discovered — got patches this month and last month, but there are signs it could be getting worse before it gets better, according to Dave DeWalt, CEO of NightDragon, a venture capital and advisory firm. Ransomware gangs are now reported to be exploiting it, beyond the original Chinese government-connected attackers.
  • “The net of it is this is like the Typhoon size, so much like we saw [with] Volt Typhoonand then Salt Typhoon,” DeWalt told CyberScoop. “Once these exploits get into the wild, it’s a race to see who can get more access to it. So initially it looks like three Chinese actors all used it, and now we’re going to see more.”
  • “A number of companies have been tracking the vulnerability and its consequences, including one, Onapsis, that DeWalt’s company invests in, along with EclecticIQ, ReliaQuest and Google’s Mandiant.”
• and
  • “Over the past few years, cybersecurity experts have increasingly said that nation-state operatives and cybercriminals often blur the boundaries between geopolitical and financial motivations. A new report released Wednesday shows how North Korea has flipped that idea on its head. 
  • “North Korea has silently forged a global cyber operation that experts now liken to a mafia syndicate, with tactics and organization far removed from other nation-state actors, according to a comprehensive new report released by DTEX Systems.
  • “The study — based on years of investigations, technical analysis, and work with other open-source intelligence analysts — pulls back the curtain on a highly adaptive regime that has built its cyber capabilities on a survivalist, profit-driven approach. It reveals a hierarchy blending criminality, espionage, and front-line IT work, coordinated by an authoritarian government that rewards loyalty and secrecy while punishing failure.” * * *
  • “You can read the full report on DTEX’s website.”

• Cybersecurity Dive relates.
  • “The FBI is warning about a threat campaign in which malicious actors are impersonating senior U.S. officials using malicious text messages and AI-generated voice messages.
  • “The messages have been sent to current and former federal and state officials and others who may be contacts of those individuals, the bureau said in an alert released Thursday.
  • “The messages are designed to establish a rapport with individuals who might then turn over access to a personal account, according to the alert. These social engineering techniques could be used to reach additional contacts and gain access to additional information or funds.”

• Bleeping Computer lets us know,
  • “A new tool called ‘Defendnot’ can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed.
  • “The trick utilizes an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device.
  • “When an antivirus program is registered, Windows automatically disables Microsoft Defender to avoid conflicts from running multiple security applications on the same device.
  • “The Defendnot tool, created by researcher es3n1n, abuses this API by registering a fake antivirus product that meets all of Windows’ validation checks. * * *
  • “While Defendnot is considered a research project, the tool demonstrates how trusted system features can be manipulated to turn off security features.
  • “Microsoft Defender is currently detecting and quarantining Defendnot as a ‘Win32/Sabsik.FL.!ml; detection.”
    
• The Cybersecurity and Infrastructure Security Agency (CISA) added nine known exploited vulnerabilities to its catalog this week.
• May 13, 2025
  • “CVE-2025-30400 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
  • “CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
  • “CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability
  • “CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability
  • “CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability”
    • Crowdstrike discusses these KVEs here.
    • Cyberscoop discusses Microsoft’s May 13 Patch Tuesday here.
    • See also Bleeping Computer article titled “Microsoft confirms May Windows 10 updates trigger BitLocker recovery”
• May 14, 2025
  • “CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability”
    • Rapid 7 discusses this KVE here.
• May 15, 2025
  • “CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability
    • This KVE is discussed here.
  • “CVE-2025-4664 Google Chromium Loader Insufficient Policy Enforcement Vulnerability
    • This KVE is discussed here.
  • “CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability”
    • The KVE is discussed here.

• Cyberscoop adds,
  • “Apple rolled out a series of substantial security updates Monday for its major software platforms, with advisories covering iOS, iPadOS, and two versions of macOS lines, addressing more than 30 vulnerabilities in total. 
  • “Among the numerous fixes, iOS 18.5 and iPadOS 18.5 introduce the first security update for Apple’s in-house C1 modem, featured in the newly released iPhone 16e. The patch addresses a baseband vulnerability (CVE-2025-31214) that, according to the company, could have allowed an attacker “in a privileged network position” to intercept network traffic. While the specific details remain undisclosed, the risk highlights concerns about how devices communicate on the hardware level, since baseband processors control things like data transmission, call processing, and other network functions.”

• PC World reports
  • “Malware is a thing you just have to be aware of. But it’s pretty rare that it can actually damage your computer in a permanent sense — wipe the drive if you’re okay with losing local data, and you can generally get up and running in a day or two. But what if the microcode running on your CPU’s tiny integrated memory becomes infected? One security researcher says he’s done it.
  • “Christiaan Beek of Rapid7 says he has created a proof-of-concept ransomware that can hide inside a CPU’s microcode, building on previous work that emerged when Google required AMD processors to always return “4” when asked for a random number. He claims that modifying UEFI firmware can install an unsigned update to the processor, slipping past any kind of conventional antivirus or OS-based security.” * * *
  • “CPU-level ransomware has not been seen “in the wild,” and it seems likely that when and if it emerges, it’ll be a state-level actor that exploits it first. That means your typical user probably won’t be targeted, at least immediately. Still, maybe keep a remote backup of your important files, just in case.”

From the ransomware front,

• Per a news release,
  • “Black Kite, the leader in third-party cyber risk intelligence, today announced its newest report, 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems, which provides a deep analysis into evolving ransomware trends and threats. The report found that threats have escalated with more actors, less predictability, and deeper entanglement in supply chains, underscoring an urgent need for organizations to implement intelligence-driven defenses and proactive vendor monitoring.”

• Beckers Hospital Review tells us,
  • “From October 2009 to October 2024, ransomware and hacking have increasingly driven healthcare data breaches, a May 14 study published in JAMA Network Open found. 
  • “The study examined ransomware attacks and other hacking incidents across all healthcare organizations covered by HIPAA from October 2009 through October 2024. It analyzed breaches affecting 500 or more patient records that were reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.”

• Cybersecurity Dive reports,
  • “A cybercrime gang believed to be responsible for three attacks in the U.K. in recent weeks has turned its attention toward the U.S. and has been able to compromise multiple targets in the sector, according to researchers from Google Threat Intelligence Group and Google subsidiary Mandiant. 
  • “Researchers said the same threat actors linked to attacks against U.K. companies are now using well-crafted social engineering techniques against U.S. retail companies.  
  • “The threat group, tracked as UNC3944 or Scattered Spider, is widely considered the prime suspect in the attacks on British firms Harrods, Co-op and M&S, but Mandiant and Google have not formally attributed the intrusions to any specific actor. Researchers said, however, that the hackers behind the U.S. attacks share the same techniques and procedures as the intruders in the British incidents.”

• Dark Reading adds,
  • “While dynamic DNS services have been around for many years, they’ve recently emerged as an integral tool in the arsenals of cybercriminal groups like Scattered Spider.
  • “Dynamic DNS (DDNS) services automatically update a domain name’s DNS records in real-time when the Internet service provider changes the IP address. Real-time updating for DNS records wasn’t needed in the early days of the Internet when static IP addresses were the norm.” * * *
  • “In a blog post last month, threat intelligence vendor Silent Push reported that despite some notable arrests of alleged members in 2024, Scattered Spider was actively engaged in new phishing campaigns targeting well-known enterprises. One of the key findings of the report was a shift in tactics from Scattered Spider members that featured the use of rentable subdomains from dynamic DNS providers like it.com Domains LLC.
  • “In an example of an observed attack, Scattered Spider actors established a new subdomain, klv1.it[.]com, designed to impersonate a similar domain, klv1.io, for Klaviyo, a Boston-based marketing automation company.
  • “Silent Push’s report noted that the malicious domain had just five detections on VirusTotal at the time of publication. The company also said the use of publicly rentable subdomains presents challenges for security researchers.”

• Bleeping Computer points out,
  • “Ransomware gang members increasingly use a new malware called Skitnet (“Bossnet”) to perform stealthy post-exploitation activities on breached networks.
  • “The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025.
  • ‘Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta in Microsoft Teams phishing attacks against the enterprise, and Cactus.”

From the cybersecurity business and defenses front,

• Cyberscoop reports,
  • “Proofpoint has entered into an agreement to acquire Hornetsecurity Group, a Germany-based provider of Microsoft 365 security services, in a deal reportedly valued at more than $1 billion.
  • “The acquisition, described as the largest in Proofpoint’s history, comes amid accelerating consolidation in the cybersecurity industry as companies seek to broaden their offerings to enterprise customers of all sizes. While Proofpoint did not disclose terms, CNBC reports the deal is “well over” $1 billion. 
  • “Hornetsecurity, headquartered in Hannover, Germany, serves more than 12,000 managed service providers (MSPs) and 125,000 small and mid-sized businesses (SMBs) primarily across Europe. According to a press release announcing the deal, Hornetsecurity brings in $160 million in annual recurring revenue, with growth exceeding 20% year over year. 
  • “For Proofpoint, the acquisition provides an entry point into the SMB market through Hornetsecurity’s established MSP network.'” * * *
  • “The transaction comes as Proofpoint, which was taken private by Thoma Bravo in 2021for $12.3 billion, is exploring an IPO, according to the CNBC report.” 
• and
  • “Coinbase responded to a security incident with combative measures Thursday after the company said cybercriminals bribed some of the cryptocurrency exchange’s international support staff to steal data on customers. The unnamed threat group stole personally identifiable information and other sensitive data on less than 1% of Coinbase’s monthly users, the company said in a blog post.
  • “The cybercriminals contacted customers under the guise of an employee at Coinbase in an attempt to dupe people into relinquishing their cryptocurrency. “They then tried to extort Coinbase for $20 million to cover this up. We said no,” the company said.
  • Coinbase flipped the script as part of its response. “Instead of paying this $20 million ransom, we’re turning it around and we’re putting out a $20 million award for any information leading to the arrest and conviction of these attackers,” Coinbase CEO Brian Armstrong said in a video posted on X.
  • “For these would-be extortionists, or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice,” he added.” 

• Dark Reading shares insights on the recent RSAC conference and of course also offers its CISO Corner.

From the cybersecurity and law enforcement front,

• Cyberscoop reports,
  • “Homeland Security Secretary Kristi Noem outlined her plans Tuesday to refocus the Cybersecurity and Infrastructure Security Agency (CISA) on protecting critical infrastructure from increasingly sophisticated threats — particularly from China — while distancing the agency from what she characterized as mission drift under previous leadership.
  • “Speaking at the 2025 RSAC Conference, Noem provided the most detailed vision yet of how the current administration is pushing CISA to a “back-to-basics” approach aimed at hardening defenses against adversaries who have demonstrated capabilities to infiltrate critical systems.”
• and
  • “Threat intelligence sharing is flowing between the private sector and federal government and remains unimpeded thus far by job losses and budget cuts across federal agencies that support the cyber mission, according to executives at major security firms.
  • “Top brass at Amazon, CrowdStrike, Google and Palo Alto Networks said there’s been no change to interactions with the federal government since President Donald Trump was inaugurated earlier this year.
  • “Across multiple interviews and media briefings during the RSAC 2025 Conference this week, none of the leaders at these top cybersecurity companies conveyed any concern about or experience with communication breakdowns. Each of them dismissed the idea that collaboration has slowed down amid significant workforce reductions and strategic changes across the federal government.”

• Earlier this week, the National Institute of Standards and Technology released its FY 2024 Cybersecurity & Privacy Program Annual Report.

• Federal News Network tells us,
  • “While much of the cybersecurity community’s attention was out west at the annual RSA Conference, the Justice Department announced yet another settlement in its pursuit of contractors who falsely attest to meeting cybersecurity requirements.
  • “DoJ announced today that Raytheon Company, RTX Corporation and Nightwing Group have agreed to pay $8.3 million to settle allegations that Raytheon violated the False Claims Act by falling short of contractually mandated cybersecurity standards.
  • “RTX sold its cybersecurity, intelligence and services business to Nightwing in 2024. DoJ’s case centered on conduct between 2015 and 2021, prior to the acquisition.
  • “The case is another feather in the cap for DoJ’s Civil-Cyber Fraud Initiative. Started under the Biden administration, the goal of the initiative is to enforce cybersecurity requirements that many contractors had been ignoring through the False Claims Act.”

• Per the Hacker News,
  • “The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States.
  • “Rami Khaled Ahmed of Sana’a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer. Ahmed is assessed to be currently living in Yemen.
  • “From March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin,” the DoJ said in a statement.”

• Cyberscoop adds,
  • “Federal authorities extradited a Ukrainian citizen to the United States on Wednesday to face charges for participating in a series of ransomware cyberattacks on organizations based in the U.S. and multiple European countries. 
  • “Artem Stryzhak, 35, was arrested in Spain in June 2024 and was scheduled to appear for arraignment Thursday in the U.S. District Court for the Eastern District of New York. Stryzhak is accused of conspiracy to commit fraud and related activity, including extortion.
  • “Prosecutors accuse Stryzhak and his co-conspirators of using Nefilim ransomware to encrypt computer networks in the U.S., Canada, France, Germany, Australia, the Netherlands, Norway and Switzerland between late 2018 to late 2021.
  • “As alleged, the defendant was part of an international ransomware scheme in which he conspired to target high-revenue companies in the United States, steal data, and hold data hostage in exchange for payment. If victims did not pay, the criminals then leaked the data online,” John Durham, U.S. attorney for the Eastern District of New York, said in a statement.”

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “Hackers are increasingly using AI in their attacks and defenders should follow suit, Check Point Software Technologies said in a report published Wednesday.
  • “The company’s AI security report, announced at the 2025 RSAC Conference in San Francisco, also found that one in 13 generative AI prompts contained potentially sensitive information, and one in every 80 prompts posed “a high risk of sensitive data leakage.”
  • “Unauthorized AI tools, data loss, and AI platform vulnerabilities topped the list of AI risks for enterprises, according to Check Point.”
• and
  • “In a report published Tuesday, Google said it saw hackers exploit fewer zero-day vulnerabilities in the wild in 2024 than in 2023.
  • “The company attributed the decrease to improvements in secure software development practices.
  • “Still, Google said it is seeing a “slow but steady” increase in the rate of zero-day exploitation over time.”

• CISA added eight known exploited vulnerabilities to its catalog this week.
• “April 28, 2025
  • “CVE-2025-1976 Broadcom Brocade Fabric OS Code Injection Vulnerability
  • “CVE-2025-42599 Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability
  • “CVE-2025-3928 Commvault Web Server Unspecified Vulnerability”
  • Bleeping Computer discusses these KVEs here.
• “April 29, 2025
  • “CVE-2025-31324 SAP NetWeaver Unrestricted File Upload Vulnerability”
  • Cybersecurity Dive discusses this KVE here.
• “May 1, 2025
  • “CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability
  • “CVE-2023-44221 SonicWall SMA100 Appliances OS Command Injection Vulnerability
  • Cybersecurity News discusses the Apache KVE here.
  • Bleeping Computer discusses the SonicWall KVE here.
• “May 2, 2025
  • “CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability
  • “CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability”
  • Security Affairs discusses these KVEs here.

From the ransomware front,

• Techradar points out,
  • New research has revealed the scale of recent ransomware revolution, warning it remains a dominant threat to organizations worldwide.
  • A Veeam study, which gathered insights from 1,300 CISOs, IT leaders, and security professionals across the Americas, Europe, and Australia, found nearly three-quarters of businesses were impacted by ransomware over the past year.
  • Cybersecurity measures seem to be having some effect, with businesses facing ransomware incidents dropping slightly from 75% to 69% – and ransomware payments are also decreasing, as in 2024, 36% of affected businesses chose not to pay, and 60% of those who did paid less than half of the demanded ransom.

• Dark Reading adds,
  • “Several high-profile retailers based in the UK have suffered cyberattacks in recent weeks, and all signs point to two possible threat actors being behind the campaign.
  • “The National Cyber Security Centre (NCSC), the UK’s primary cyber agency, said on May 1 that it was tracking a series of attacks impacting retailers. NCSC CEO Dr. Richard Horne said in an included statement that the agency was working with affected organizations and that “these incidents should act as a wake-up call to all organizations.”
  • “Co-Op, Marks & Spencer, and Harrods are among the retailers that have confirmed attacks in recent weeks. In an article published May 2, Bloomberg News reported a spokesperson for the DragonForce ransomware gang — a group that emerged as a ransomware-as-a-service (RaaS) player in 2023 — took credit for the attacks against all three retailers.
  • “Last month, researchers from Sophos’ Secureworks reported that DragonForce had an RaaS model where affiliates could create their own “brand,” using DragonForce’s ransomware or using their own tools for extortion attacks.”
• and
  • “The notorious Scattered Spider threat group continues to attack high-value targets despite landing on the receiving end of multiple global law enforcement operations.
  • “Scattered Spider gained notoriety in recent years with high-profile breaches and ransomware attacks against large enterprises, including Las Vegas casino and hotel giants Caesars Entertainment and MGM Resorts in 2023. First emerging in 2022, the group’s members displayed a knack for social engineering schemes that allowed them to steal credentials from targeted organizations and gain privileged access into their networks. * * *
  • Bleeping Computer this week reported that the cyberattack against British retail giant Marks & Spencer was perpetrated by members of the group using DragonForce ransomware. Earlier this month, threat intelligence vendor Silent Push said it had observed significant threat activity, specifically phishing campaigns targeting well-known brands this year, from Chick-fil-A to Louis Vuitton.
• and
  • “RansomHub, an aggressive ransomware-as-a-service (RaaS) operation that gained prominence over the past year in the wake of law enforcement actions against LockBit and ALPHV, appears to have abruptly gone dark earlier this month.
  • “In a new report this week that offers an in-depth look at RansomHub’s affiliate recruitment methods, negotiation tactics, and aggressive extortion strategies, researchers at Group-IB described the operation as inactive since April 1.
  • “Cybercriminals associated with the operation may have migrated to the Russian-language speaking Qilin RaaS operation and are continuing their attacks under that banner, Group-IB said. The security vendor did not offer any explanation for the rapidly growing RansomHub operation’s seemingly sudden and unexpected demise — if that is indeed what it is.”

• TechTarget offers a “look at the [seven] distinct stages of the ransomware lifecycle to better understand how attackers strike — and how defenders might be better able to resist.

From the cybersecurity defense front,

• Cyberscoop reports
  • “Leaders of various federal research agencies and departments outlined a vision Tuesday for the future of critical infrastructure security, emphasizing the promise of combining formal software development methods with large language models (LLMs). 
  • “Acting DARPA Director Rob McHenry told an audience at the RSAC 2025 Conference that such a combination could “virtually eliminate software vulnerabilities” across foundational system infrastructures, a departure from the traditionally accepted risks of software flaws.
  • “We’ve all been trained in a world where we have to accept that there are vulnerabilities in our software, and bad guys exploit those vulnerabilities,” he said. “We try to mitigate the damage and patch them, and we go round on this merry-go-round. That technologically does not need to be true anymore.”
  • “DARPA’s statements came in the context of the AI Cyber Challenge, a public-private collaboration involving industry leaders such as Google, Microsoft, Anthropic and OpenAI. The initiative tests whether advanced AI systems can identify and patch vulnerabilities in open-source software components vital to the electric grid, health care, and transportation.”
• and
  • “Cryptography experts say the race to fend off future quantum-computer attacks has entered a decisive but measured phase, with companies quietly replacing the internet plumbing that the majority of the industry once considered unbreakable.
  • “Speaking at Cloudflare’s Trust Forward Summit on Wednesday, encryption leaders at IBM Research, Amazon Web Services and Cloudflare outlined how organizations are refitting cryptographic tools that safeguard online banking, medical data and government communications. The aim is to stay ahead of quantum machines that, once powerful enough, could decode the math protecting today’s digital traffic.
  • “Over the next five to 10 years you’re going to see a Cambrian explosion of different cryptographic systems,” said Wesley Evans, a product manager for Cloudflare’s research team, referring to an evolutionary period with a rapid diversification of animal life that occurred roughly 540 million years ago.” 

• Dark Reading adds,
  • “Each year, top SANS faculty joins the RSAC conference to present what their community of practitioners and researchers see as the most pressing challenges facing the cybersecurity community for the year to come. This year’s list of top-five threats aren’t merely technical, and tackling them will demand coordinated leadership from the very top of the organization and beyond.
  • “The attack techniques outlined in the SANS RSAC 2025 keynote underscore a common theme: Cybersecurity is no longer confined to the security operations center — it’s a leadership issue that impacts every layer of the enterprise,” according to a SANS media statement. “The threats of tomorrow demand a strategic, integrated response rooted in visibility, agility, and cross-functional alignment.”

• Bleeping Computer notes,
  • “Microsoft has announced that all new Microsoft accounts will be “passwordless by default” to secure them against password attacks such as phishing, brute force, and credential stuffing.
  • “The announcement comes after the company started rolling out updated sign-in and sign-up user experience (UX) flows for web and mobile apps in March, optimized for passwordless and passkey-first authentication.
  • “As part of this simplified UX, we’re changing the default behavior for new accounts. Brand new Microsoft accounts will now be ‘passwordless by default’,” said Joy Chik, Microsoft’s President for Identity & Network Access, and Vasu Jakkal, Corporate Vice President for Microsoft Security.”

• Here is a link to Dark Reading’s CISO Corner.