From the cybersecurity policy and law enforcement front,

• The White House issued a proclamation yesterday about October being Cybersecurity Awareness Month so let’s go.

• Per Cyberscoop,
  • “European law enforcement dismantled and seized an expansive cybercrime operation used to facilitate phishing attacks via mobile networks for fraud, including account intrusions, credential and financial data theft, Europol said Friday [October 17].
  • “Investigators from Austria, Estonia and Latvia linked the cybercrime networks to more than 3,200 fraud cases, which also involved investment scams and fake emergencies for financial gain. Financial losses amounted to about $5.3 million in Austria and $490,000 in Latvia, authorities said.
  • “The operation dubbed “SIMCARTEL” netted seven arrests and the seizure of 1,200 SIM box devices, which contained 40,000 active SIM cards that were used to conduct various cybercrimes over telecom networks. Officials described the infrastructure as highly sophisticated, adding that the online service it supported provided telephone numbers for criminal activities to people in more than 80 countries.”
• and
  • “A Massachusetts man who previously pleaded guilty to a cyberattack on PowerSchool, exposing data on tens of millions of students and teachers, was sentenced to four years in prison Tuesday — half the amount federal prosecutors sought in sentencing recommendations submitted to the court.
  • “Matthew Lane, 20, stole data from PowerSchool belonging to nearly 70 million students and teachers, extorted the California-based company for a ransom, which it paid, causing the education software vendor more than $14 million in financial losses, according to prosecutors.
  • “U.S. District Judge Margaret Guzman sentenced Lane to four years in prison, followed by three years of supervised release. Lane was also ordered to pay almost $14.1 million in restitution and a $25,000 fine for crimes involving the attack on PowerSchool and an undisclosed U.S. telecommunications company.”

From the cybersecurity vulnerabilities and breaches front,

• Cyberscoop reports,
  • “Federal cyber authorities issued an emergency directive Wednesday [October 15] requiring federal agencies to identify and apply security updates to F5 devices after the cybersecurity vendor said a nation-state attacker had long-term, persistent access to its systems.
  • The order, which mandates federal civilian executive branch agencies take action by Oct. 22, marked the second emergency directive issued by the Cybersecurity and Infrastructure Security Agency in three weeks. CISA issued both of the emergency directives months after impacted vendors were first made aware of attacks on their internal systems or products.
  • F5 said it first learned of unauthorized access to its systems Aug. 9, resulting in data theft including segments of BIG-IP source code and details on vulnerabilities the company was addressing internally at the time. CISA declined to say when F5 first alerted the agency to the intrusion.
  • CISA officials said they’re not currently aware of any federal agencies that have been compromised, but similar to the emergency directive issued following an attack spree involving zero-day vulnerabilities affecting Cisco firewalls, they expect the response and mitigation efforts to provide a better understanding of the scope of any potential compromise in federal networks.
• and
  • “F5, a company that specializes in application security and delivery technology, disclosed Wednesday that it had been the target of what it’s calling a “highly sophisticated” cyberattack, which it attributes to a nation-state actor. The announcement follows authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.
  • “According to an 8-K form filed with the Securities and Exchange Commission, the company first became aware of unauthorized access Aug. 9 and initiated standard incident response measures, including enlisting external cybersecurity consultants. In September, the Department of Justice permitted F5 to withhold public disclosure of the breach, which the government allows if a breach is determined to be a “a substantial risk to national security or public safety.”  
  • “Investigators discovered that the threat actor maintained prolonged access to parts of F5’s infrastructure. Systems affected included the BIG-IP product development environment and the company’s engineering knowledge management platform. The unauthorized access resulted in the exfiltration of files, some of which contained segments of BIG-IP source code and details regarding vulnerabilities that the company was actively addressing at the time. It also said the files taken were “configuration or implementation information for a small percentage of customers.”

• Cybersecurity Dive adds,
  • “More than 600,000 F5 network security devices running the company’s flagship BIG-IP software are sitting unpatched on the internet one day after the company revealed that nation-state hackers had accessed its networks and source code.
  • “The figure, which Palo Alto Networks provided on Thursday [October 16], highlights how many organizations could be vulnerable to cyberattacks exploiting vulnerabilities that the unidentified hackers discovered while roaming through F5’s production environment and developer resources.” * * *
  • “F5, which said on Thursday that it believed it had kicked the hackers out of its networks, is working with government and private-sector cyber experts to further investigate the compromise. CISA ordered federal agencies to promptly patch their affected F5 products and disconnect the devices’ management interfaces from the internet.
  • “The potential impact of this compromise is unique due to the theft of confidential information regarding previously undisclosed vulnerabilities that F5 was actively in the process of patching,” Palo Alto Networks researchers wrote in their blog post. “This data potentially grants threat actors the capacity to exploit vulnerabilities for which no public patch currently exists, which could accelerate the creation of exploits.”
  • “F5 said there was no evidence that the hackers had compromised its source code or software production processes, despite having access to those systems and data.”

• CISA added six known exploited vulnerabilities to its catalog this week.
  • October 14, 2025
    • CVE-2016-7836 SKYSEA Client View Improper Authentication Vulnerability
    • CVE-2025-6264 Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
    • CVE-2025-24990 Microsoft Windows Untrusted Pointer Dereference Vulnerability
    • CVE-2025-47827 IGEL OS Use of a Key Past its Expiration Date Vulnerability
    • CVE-2025-59230 Microsoft Windows Improper Access Control Vulnerability
      • Security Affairs Discusses these KVEs here.
  • October 15, 2025
    • CVE-2025-54253 Adobe Experience Manager Forms Code Execution Vulnerability
      • Security Week discusses this KVE here.

• Per Cyberscoop,
  • “North Korean operatives that dupe job seekers into installing malicious code on their devices have been spotted using new malware strains and techniques, resulting in the theft of credentials or cryptocurrency and ransomware deployment, according to researchers from Cisco Talos and Google Threat Intelligence Group.
  • “Cisco Talos said it observed an attack linked to Famous Chollima that involved the use of BeaverTail and OtterCookie — separate but complementary malware strains frequently used by the North Korea-aligned threat group. Researchers said their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns. 
  • “GTIG said it observed UNC5342 using EtherHiding, malicious code in the form of JavaScript payloads that turn a public blockchain into a decentralized command and control server. Researchers said UNC5342 incorporated EtherHiding into a North Korea-aligned social engineering campaign previously dubbed Contagious Interview by Palo Alto Networks. 
  • “Cisco and Google both said North Korean threat groups’ use of more specialized and evasive malware underscores the efforts the nation-state attackers are taking to achieve multiple goals while avoiding more common forms of detection.”

• Per Dark Reading,
  • “Major password managers are being impersonated in a spate of recent phishing attacks, including LastPass, Bitwarden, and 1Password, and enterprise users should be on notice. In a three-week span, all of them have been dealing with impersonation attacks by threat actors trying to con users into handing over their master password — and with it, troves of sensitive credentials.
  • “Password management vendors have long been among hackers’ favorite brands to impersonate, for good reason. Users need to have complete trust in their password managers — after all, nobody would store all of their credentials for all of their accounts in an app they didn’t have total confidence in. Phishers try to exploit that trust.
  • “Because password managers are protected by a single master password, a password reset scam — “Your password has been compromised, click here to reset it” — might engender more fear and urgency in this context than in others with lower stakes (that is, unless the user understands the basic mechanics of how their manager works — namely, that their master password would never be stored online to begin with). And of course, if attackers can get their hands on just that one master password, they can access all of a user’s online accounts, plus all of the huge corporate systems they might afford access to.
  • “Either by coincidence or reflecting a growing trend, password manager phishing attacks have been popping up even more than usual this October, cyber researchers are warning.”
    
• Per Bleeping Computer,
  • “Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit and target unprotected Linux systems.
  • “The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges.
  • “According to cybersecurity company Trend Micro, the attacks exploited the flaw in Cisco 9400, 9300, and legacy 3750G series devices and deployed rootkits on “older Linux systems that do not have endpoint detection response solutions.”
• and
  • “Earlier this week, Microsoft patched a vulnerability that was flagged with the “highest ever” severity rating received by an ASP.NET Core security flaw.
  • “This HTTP request smuggling bug (CVE-2025-55315) was found in the Kestrel ASP.NET Core web server, and it enables authenticated attackers to smuggle another HTTP request to hijack other users’ credentials or bypass front-end security controls.
  • “An attacker who successfully exploited this vulnerability could view sensitive information such as other user’s credentials (Confidentiality) and make changes to file contents on the target server (Integrity), and they might be able to force a crash within the server (Availability),” Microsoft said in a Tuesday advisory.”

• Per InfoSecurity Magazine,
  • “The phishing platform “Whisper 2FA” has rapidly become one of the most active tools used in large-scale credential theft campaigns, according to new research from Barracuda.
  • “Since July 2025, the platform has been responsible for nearly one million phishing attacks targeting accounts across multiple industries, placing it just behind Tycoon and EvilProxy in the global phishing-as-a-service (PhaaS) landscape.
  • “What makes Whisper 2FA stand out is its use of AJAX, a web technology that allows real-time communication between browser and server without page reloads. This enables the phishing kit to repeatedly capture credentials and multi-factor authentication (MFA) codes until it obtains a valid token. 
  • “Unlike typical phishing kits that stop after stealing a password, Whisper 2FA continuously loops through attempts, effectively bypassing MFA protections.
  • “Attackers have been using a range of lures to deliver Whisper 2FA, mimicking brands such as DocuSign, Adobe and Microsoft 365. These phishing emails often use urgent pretexts, such as invoices or voicemail notifications, to prompt users to log in and unknowingly submit their details to attackers.”

From the ransomware front,

• Microsoft tells us,
  • “In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering. According to the latest Microsoft Digital Defense Report, written with our Chief Information Security Officer Igor Tsyganskiy, over half of cyberattacks with known motives were driven by extortion or ransomware. That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%. Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit.
  • “Every day, Microsoft processes more than 100 trillion signals, blocks approximately 4.5 million new malware attempts, analyzes 38 million identity risk detections, and screens 5 billion emails for malware and phishing. Advances in automation and readily available off-the-shelf tools have enabled cybercriminals—even those with limited technical expertise—to expand their operations significantly. The use of AI has further added to this trend with cybercriminals accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of activities such as phishing and ransomware attacks. As a result, opportunistic malicious actors now target everyone—big or small—making cybercrime a universal, ever-present threat that spills into our daily lives.
  • “In this environment, organizational leaders must treat cybersecurity as a core strategic priority—not just an IT issue—and build resilience into their technology and operations from the ground up. In our sixth annual Microsoft Digital Defense Report, which covers trends from July 2024 through June 2025, we highlight that legacy security measures are no longer enough; we need modern defenses leveraging AI and strong collaboration across industries and governments to keep pace with the threat. For individuals, simple steps like using strong security tools—especially phishing-resistant multifactor authentication (MFA)—makes a big difference, as MFA can block over 99% of identity-based attacks.”

• HIPAA Journal reports,
  • “Kettering Health has provided an update on its May 20, 2025, ransomware attack. The investigation confirmed that the Interlock ransomware group first gained access to its network on April 9, 2025, and retained access until May 20, 2025, when the attack was detected and the unauthorized access was blocked. During that time, the ransomware group accessed or copied files containing patient information.
  • “Kettering Health has been providing regular updates on its progress recovering from the attack and has now completed its file review. The review confirmed that current and former patients had the following information compromised in the attack: first and last name, contact information, date of birth, Social Security number, patient identification number, medical record number, medical information, treatment information, diagnosis information, health insurance information, driver’s license/state identification number, financial account information, and/or education records.
  • “Kettering Health said it has reviewed its policies, procedures, and processes related to data security and has taken steps to prevent similar incidents in the future. Kettering Health said it is unaware of any misuse of the exposed information and has provided patients with information on how they can protect themselves against identity theft and fraud. Complimentary credit monitoring and identity theft protection services do not appear to have been offered.”

• The Record adds,
  • “Michigan City, Indiana, has confirmed that a damaging cyber incident three weeks ago that impacted government systems was a ransomware attack.  
  • “The Indiana city located on the south shore of Lake Michigan was forced to take many systems offline on September 23 and initially called it a “network disruption.” 
  • “On Saturday [October 11], the city acknowledged it was hit with a ransomware attack “that affected a portion of the City’s data and impacted municipal employees’ online and telephone access.” * * *
  • “On Monday, the Obscura ransomware gang took credit for the attack and said they stole 450 gigabytes of data. The group claimed that the time on their ransom had expired and  that they posted all of the data that was taken during the cyberattack. Obscura emerged last month and has since named more than 15 victims.”  

• Dark Reading points out,
  • “Harvard University confirmed that it fell victim to an attack exploiting the recently disclosed zero-day vulnerability in Oracle’s E-Business Suite (EBS) system.
  • “The critical vulnerability, tracked as CVE-2025-61882, allows an attacker without authentication to remotely access EBS instances. The flaw has been exploited by the notorious Clop ransomware gang in attacks on Oracle customers.   
  • “Harvard is aware of reports that data associated with the University has been obtained as a result of a zero-day vulnerability in the Oracle E-Business Suite system,” the University told Dark Reading. “This issue has impacted many Oracle E-Business Suite customers and is not specific to Harvard. While the investigation is ongoing, we believe that this incident impacts a limited number of parties associated with a small administrative unit.”
• and
  • “Microsoft disrupted a Rhysida ransomware campaign that used fake Teams binaries signed with digital certificates, including many from Microsoft’s own service. 
  • “In a social media post on X, Microsoft Threat Intelligence on Wednesday said it revoked more than 200 code-signing certificates issued by Azure’s Trusted Signing service. These certificates are sometimes abused by threat actors to make malware appear as if it is legitimate, trusted software.
  • “According to the post, a cybercriminal group tracked by Microsoft as Vanilla Tempest crafted the fake Teams files to drop a backdoor known as “Oyster,” which allowed attackers to eventually deliver Rhysida ransomware in victims’ networks.
  • “Vanilla Tempest, also known as Vice Society, has a track record of targeting healthcare organizations and public schools, though it’s unclear what organizations the group was targeting with its latest campaign.”
     
• Wiz notes,
  • “Cloud ransomware targets data and systems in cloud environments by exploiting cloud-native features and APIs rather than just encrypting local files
  • “Attackers have evolved beyond simple encryption to use sophisticated tactics like data exfiltration, deletion, and manipulation of cloud services
  • “Common attack vectors include compromised credentials, misconfigured storage, overly permissive identities, and supply chain compromises
  • “Defending against cloud ransomware requires cloud-native detection and prevention strategies with deep visibility across your entire environment.”

From the cybersecurity defenses front,

• Cybersecurity Dive reports,
  • “Fortune 500 companies have seen the structure of their security operations teams evolve in recent years, with four of every 10 companies assigning a dedicated, deputy chief information security officer or an equivalent leadership role, according to a report released Thursday from IANS Research and Artico Search. 
  • “A deputy CISO steps in when the CISO is unavailable and is seen as the eventual successor to the CISO in the company’s risk management hierarchy, according to researchers. 
  • “In practical terms, the deputy CISO often either holds a dual role as a functional department head who takes on additional executive leadership responsibility or operates as a chief of staff who also takes on CISO-like responsibilities that the CISO needs to delegate,” Nick Kakolowski, senior research director at IANS Research told Cybersecurity Dive via email.”

• Beckers Hospital Review calls attention to six notes about health system efforts to sharpen their cybersecurity and margins narrow.

• Dark Reading relates,
  • “Agentic AI deployments are becoming an imperative for organizations of all sizes looking to boost productivity and streamline processes, especially as major platforms like Microsoft and Salesforce build agents into their offerings. In the rush to deploy and use these helpers, it’s important that businesses understand that there’s a shared security responsibility between vendor and customer that will be critical to the success of any agentic AI project.
  • “The stakes in ignoring security are potentially high: last month for instance, AI security vendor Noma detailed how it discovered “ForcedLeak,” a critical severity vulnerability chain in Salesforce’s agentic AI offering Agentforce, which could have allowed a threat actor to exfiltrate sensitive CRM data from a customer with improper security controls through an indirect prompt injection attack. Although Salesforce addressed the issue through updates and access control recommendations, ForcedLeak is but one example of the potential for agents to leak sensitive data, either through improper access controls, ingested secrets, or a prompt injection attack.
  • “It’s not an easy task to add agentic AI security to the mix; it’s already challenging enough to determine where responsibility and culpability lie with traditional software and cloud deployments. With something like AI, where the technology can be hastily rolled out (by both vendor and customer alike) and is constantly evolving, establishing those barriers can prove even more complex.” 
     
• TechRadar explains “how to plan a smooth Windows 10 to Windows 11 migration – even if you missed the October 14th [support] deadline.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front.

• Cyberscoop tells us,
  • “A top Senate Democrat introduced legislation Thursday to extend and rename an expired information-sharing law, and make it retroactive to cover the lapse that began Oct. 1.
  • “Michigan Sen. Gary Peters, the ranking member of the Homeland Security and Governmental Affairs Committee, introduced the Protecting America from Cyber Threats (PACT) Act, to replace the expired Cybersecurity and Information Sharing Act of 2015 (CISA 2015) that has provided liability protections for organizations that share cyber threat data with each other and the federal government. Industry groups and cyber professionals have called those protections vital, sometimes describing the 2015 law as the most successful cyber legislation ever passed.
  • “The 2015 law shares an acronym with the Cybersecurity and Infrastructure Security Agency, which some Republicans — including the chairman of Peters’ panel, Rand Paul of Kentucky — have accused of engaging in social media censorship. As CISA 2015 has lapsed and Peters has tried to renew it, “some people think that’s a reauthorization of the agency,” Peters told reporters Thursday in explaining the new bill name.” * * *
  • “Michael Daniel, leader of the Cyber Threat Alliance made up of cybersecurity companies, told CyberScoop that his organization hasn’t been affected by the lapse yet, but that’s partially because it’s an organization that was set up with the long term in mind, with a formalized structure that included information-sharing requirements for members.
  • “The lapse might also not immediately affect other organizations, he said, comparing it to the risks of the government shutdown underway.
  • “An hour-long lapse doesn’t really do very much, but the longer it goes on, the more you have time for organizations to say, ‘Well, maybe we need to reconsider what we’re doing, maybe we need to think about it differently,’” Daniel said. “The longer it goes on, you start having questions about, ‘Maybe this thing won’t get reauthorized down the road.’ And once you start questioning the long-term prospects, that’s when people start making changes in their behavior.”

• The American Hospital Association News (“AHA”) informs us,
  • “The Health Sector Coordinating Council Oct. 7 released its Sector Mapping and Risk Toolkit, created to help health care providers and other organizations visualize key services that support essential health care workflows and determine which of them present critical risk of cyberattack disruption capable of impacting care delivery, operations and liquidity. The toolkit consists of 17 health care workflow maps and usage guidelines and encourages organizations to prioritize their risks, mitigate them where possible and develop recovery and continuity plans that cannot be controlled or mitigated.
  • “The SMART initiative was created in April 2024 as a response to the cyberattack on Change Healthcare two months earlier. The AHA contributed the development of this project, which has helped identify these systemically important, mission-critical services for health care.”

• AHA President and CEO Rick Pollack writes in the AHA News about his thoughts on this Cybersecurity Awareness Month.
  • “This week, the FBI issued an urgent warning to all users — including hospitals — of a critical security soft spot within Oracle’s E-Business Suite, stating “This is ‘stop-what-you’re-doing and patch immediately vulnerability.’”
  • “The vulnerability has allowed cyber bad actors to carry out data theft ransomware attacks. Oracle is offering a patch to address the security problem.
  • “This latest threat reminds us that cybercrime is ever-present, and health care has been the No. 1 target for years. Hospitals and health systems are committed to taking every possible precaution to protect system operability and patients’ personal data, and the good news is their defenses block most attacks.
  • “But no individual hospital can defend against all of these very sophisticated criminal and nation-state sponsored attacks. That’s why we need a whole-of-government approach to preventing and mitigating cyberattacks, including the federal government going after the bad guys as it has effectively done in counterterrorism.
  • “As we observe Cybersecurity Awareness Month this October, we must remain aware that the scope, frequency and sophistication of cyber incursions into health care have increased steadily. The evolving tactics used by bad actors to steal information, encrypt systems, delay and disrupt patient care, and shut down vital systems continue to put patient care and safety at risk.”

• Dark Reading adds,
  • “Last night [October 9, 2025], the FBI, in coordination with law enforcement in France, seized the latest version of the BreachForums’ underground forum domain, which was converted earlier this month into an extortion site used by Scattered Lapsus$ Hunters, the gang behind the recent high-profile spate of Salesforce data heists.
  • “Scattered Lapsus$ Hunters is an apparent combination of the Scattered Spider, Lapsus$, and ShinyHunters cybercriminal groups that first emerged this past summer. It has been busy compromising Salesforce data and claims that Salesforce victims have up until midnight Eastern Time today, Oct. 10, to meet its ransom demands before it will start publishing the stolen records. 
  • “Despite the BreachForums site being taken down, the group’s Tor Dark Web site is still accessible, and will be used to leak the data, the threat actors claimed.
  • “Aside from Salesforce data, Scattered Lapsus$ Hunters claims to have 1 billion records and 39 victim organizations listed on the site with sample data, such as Chanel, Disney and Hulu, Marriot, Google, Toyota, FedEx, and many more.
  • “For its part, Salesforce has issued its own statement, acknowledging the extortion attempts and reiterating that there is no indication that the Salesforce platform itself had been compromised.”

From the cybersecurity vulnerabilities and breaches front,

• Cyberscoop reports,
  • “A brute-force attack exposed firewall configuration files of every SonicWall customer who used the company’s cloud backup service, the besieged vendor said Wednesday.
  • “An investigation aided by Mandiant confirmed the totality of compromise that occurred when unidentified attackers hit a customer-facing system of SonicWall controls. The company previously said less than 5% of its firewall install base stored backup firewall configuration files in the cloud-based service.
  • “SonicWall did not answer questions about the extent to which the investigation revealed a more widespread impact for its customers, or if its assessment of that 5% figure remained accurate. The company initially revised its disclosure to clarify the scope of exposure was less than 5% of firewalls as of Sept. 17 but has since removed that detail from the blog post. 
  • “The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” the company said in a statement.” * * *
  • “Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.
  • “While those attacks were linked to exploited vulnerabilities in SonicWall devices, the latest attack marked a direct hit on SonicWall’s internal infrastructure and practices.”

• Security Week tells us,
  • Law firm Williams & Connolly said state-sponsored hackers breached some of its systems and gained access to attorney email accounts.
  • “The prominent Washington, DC-based law firm is known for representing political figures and government officials, including Barack Obama and the Clintons, as well as major companies such as Intel, Samsung, Google, Disney, and Bank of America. 
  • “According to a statement issued by the company, an investigation conducted with the assistance of CrowdStrike showed that the hackers exploited an unspecified zero-day vulnerability to gain access to a “small number” of attorneys’ email accounts. 
  • “The probe showed that the attack was likely the work of a state-sponsored hacker group known to have recently targeted law firms and other companies. 
  • “Williams & Connolly said there was no evidence that confidential client data was stolen or that other parts of its IT system had been compromised. 
  • “While the company’s statement does not mention China, The New York Times learned that Chinese hackers targeted Williams & Connolly, along with other law firms.”

• The Cybersecurity and Infrastructure Security Agency (CISA) added nine known exploited vulnerabilities to its catalog this week.
  • October 6, 2025
    • CVE-2010-3765 Mozilla Multiple Products Remote Code Execution Vulnerability
    • CVE-2010-3962 Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
    • CVE-2011-3402 Microsoft Windows Remote Code Execution Vulnerability
    • CVE-2013-3918 Microsoft Windows Out-of-Bounds Write Vulnerability
    • CVE-2021-22555 Linux Kernel Heap Out-of-Bounds Write Vulnerability
    • CVE-2021-43226 Microsoft Windows Privilege Escalation Vulnerability
    • CVE-2025-61882 Oracle E-Business Suite Unspecified Vulnerability 
      • Cyberscoop and Cybersecurity Dive discuss the Oracle KVE.
      • DVE discusses the Microsoft Internet Explorer KVE
      • Cyber Press discusses the Microsoft Windows Privilege Escalation KVE
      • Security Affairs discusses the other KVEs.
  • October 7, 2025
    • CVE-2025-27915. Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
      • Cyber Press discusses this KVE.
  • October 9, 2025
    • CVE-2021-43798 Grafana Path Traversal Vulnerability
      • Cybersecurity News discusses this KVE.
        
• Per Bleeping Computer,
  • “Threat actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox products, which allows a local attacker to access system files without authentication.
  • “At least three companies have been targeted so far. Although a patch is not yet available, customers can apply mitigations.
  • “CentreStack and Triofox are Gladinet’s business solutions for file sharing and remote access that allow using a company’s own storage as a cloud. According to the vendor, CentreStack “is used by thousands of businesses from over 49 countries.”

• Cardiovascular Business relates,
  • “The U.S. Food and Drug Administration (FDA) has announced another new recall for Johnson & Johnson MedTech’s Automated Impella Controller (AIC) due to a significant cybersecurity risk. 
  • “If the identified cybersecurity vulnerabilities are exploited, it may affect the essential performance of the AIC,” according to the FDA’s advisory.
  • “At this time, no cyberattacks have been tied to this specific issue. This is the fourth time in three months the FDA has shared serious safety concerns related to these devices, which serve as the primary user control interface for Impella catheters.” 

• Per Cybersecurity Dive,
  • “AI isn’t yet transforming how hackers launch phishing attacks, although it is helping them clean up their lures, the security firm Intel 471 said in a report published on Wednesday.
  • “Several factors have combined to keep AI in an evolutionary rather than revolutionary role, the report found.
  • “Still, business and government leaders need to pay attention to several increasingly common AI-assisted attack strategies.”

From the ransomware front,

• Sophos shares its 2025 report on the state of ransomware in healthcare.
  • “Sophos’ latest annual study explores the real-world ransomware experiences of 292 healthcare providers hit by ransomware in the past year. The report examines how the causes and consequences of these attacks have evolved over time. This year’s edition also sheds new light on previously unexplored areas, including the organizational factors that left providers exposed and the human toll ransomware takes on retail IT and cybersecurity teams.”

• TRM Labs point out “Nine Emerging Groups Shaping the Ransomware Landscape.”
  • “Artificial intelligence (AI) has lowered the barrier to entry for cybercriminals, allowing ransomware threat actors to automate coding, generate polymorphic malware — which alters its code with each infection to evade detection — and create more convincing social engineering lures. As a result, new groups are emerging rapidly, and established groups are scaling their operations. 
  • “In this post, we take a closer look at nine emerging ransomware groups and examine how their off-chain and on-chain tactics are reshaping the ecosystem.”

• The Hacker News relates,
  • “Three prominent ransomware groups DragonForce, LockBit, and Qilin have announced a new strategic ransomware alliance, once underscoring continued shifts in the cyber threat landscape.
  • “The coalition is seen as an attempt on the part of the financially motivated threat actors to conduct more effective ransomware attacks, ReliaQuest said in a report shared with The Hacker News.
  • “Announced shortly after LockBit’s return, the collaboration is expected to facilitate the sharing of techniques, resources, and infrastructure, strengthening each group’s operational capabilities,” the company noted in its ransomware report for Q3 2025.
  • “This alliance could help restore LockBit’s reputation among affiliates following last year’s takedown, potentially triggering a surge in attacks on critical infrastructure and expanding the threat to sectors previously considered low risk.”

• Per Cyberscoop,
  • “Microsoft Threat Intelligence said a cybercriminal group it tracks as Storm-1175 has exploited a maximum-severity vulnerability in GoAnywhere MFT to initiate multi-stage attacks including ransomware. Researchers observed the malicious activity Sept. 11, Microsoft said in a blog post Monday.
  • “Microsoft’s research adds another substantive chunk of evidence to a growing collection of intelligence confirming the defect in Fortra’s file-transfer service was exploited as a zero-day before the company disclosed and patched CVE-2025-10035 on Sept. 18.
  • ‘Despite this mounting pile of evidence, Fortra has yet to confirm the vulnerability is under active exploitation. The company has not answered questions or provided additional information since it updated its security advisory Sept. 18 to include indicators of compromise. 
  • “Storm-1175, a financially motivated cybercrime group known for exploiting public vulnerabilities to gain access and deploy Medusa ransomware, exploited CVE-2025-10035 to achieve remote code execution, according to Microsoft.”

• Per Dark Reading,
  • “A China-based threat group known as Storm-2603 has added a new weapon to its hacking arsenal.
  • “Cisco Talos researchers observed Storm-2603 abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in a recent ransomware attack. The open-source project, which was acquired by Rapid7 in 2021, was designed by security researcher Michael Cohen to assist incident response teams with endpoint monitoring and investigations. However, it seems attackers have turned the tables on defenders and are now leveraging Velociraptor to conceal their malicious activity.”
  • “Storm-2603 initially burst on to the threat landscape in July as one of several threat groups exploiting a set of SharePoint vulnerabilities in an attack chain known as “ToolShell.” There, the threat actors gained access to SharePoint servers, moved laterally in the victims’ networks, and deployed Warlock ransomware. In a blog post published Thursday, Cisco Talos researchers said they responded to a different incident in August, in which threat actors dropped three different types of ransomware on the victim’s VMware ESXi servers — Warlock, LockBit, and Babuk — and caused severe disruption to the organization.
  • “In addition to the ransomware trio, Cisco Talos found Storm-2603 actors had also deployed Velociraptor to aid their attack. It was a shift in strategy; the researchers noted that the tool had not been definitively tied to ransomware attacks prior to August.”
• and
  • “Chaos ransomware has gotten a significant facelift with an “aggressive” new variant that adds destructive tactics and clipboard hijacking for cryptocurrency theft, as well as other capabilities to bolster its operations for speed and effectiveness.
  • “Researchers from FortiGuard Labs have identified a new version of Chaos ransomware written in C++, the first not written in .NET, they revealed in a report published Wednesday. This evolution also introduces a host of new features that make the ransomware harder to disrupt once it’s in execution, as well as more destructive than previous versions.
  • “This evolution underscores Chaos’s shift toward more aggressive methods, amplifying both its operational impact and the financial risk it poses to victims,” FortiGuard researcher Yen-Ting Lee wrote in the report.”

From the cybersecurity defenses front,

• Cybersecurity Dive reports,
  • “Managing cyber risk has become a point of emphasis in the insurance and asset management sector, with companies boosting annual expenditures and increasing oversight at the board level, according to a report released Wednesday by Moody’s.
  • “Almost seven of every 10 companies have a chief information security officer overseeing corporate cyber risk, while another 10% of companies have a chief information officer overseeing cybersecurity. 
  • “More than 95% of organizations have their CISOs provide briefings directly to the chief executive officer at least on a semiannual basis. This compared with 88% using that practice in 2023.
  • “In addition, seven of 10 companies have their CISO brief the corporate board of directors, at least on a semiannual basis. This compares with 54% in 2023. Four of every 10 companies link CEO compensation to the company’s cybersecurity performance, a sharp increase from just 24% in 2023.” 

• The Wall Street Journal adds,
  • “Security chiefs are emerging as sought-after advisers as companies plunge headlong into artificial intelligence.
  • “Although the rising threat of cyberattacks has elevated the role of chief information security officers in recent years, some say they are appearing more frequently before their boards and senior executives to help unpack the risks associated with AI.
  • “Often jokingly referred to as the “Department of No” inside companies, security staff are now being actively consulted on AI implementations. This includes explaining risks to management and collaborating with other parts of the business that haven’t typically worked closely with cybersecurity.
  • “Security was always thought of as the boat anchor; what I want is to be the boat motor,” said Pablo De La Rosa, vice president of information security at electric vehicle infrastructure specialist Vontier.”

• Dark Reading discusses the cyber-risks associated with AI note takers. “Transcription applications are joining your online meetings. Here’s how to create policies for ensuring compliance and security of your information.”

• Security Week notes,
  • “Google has several projects focusing on the use of AI for the discovery of vulnerabilities in software. The tech giant recently reported that its Big Sleep agent discovered a critical SQLite vulnerability and thwarted efforts to exploit it in the wild.
  • “Its latest product is CodeMender, an AI agent that not only finds security holes but also patches them. The company argues that such tools are needed because as AI gets better at discovering flaws, it will be difficult for humans to keep up with patching.” 

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Health ISAC reminds us,
  • “Despite widespread public and private interest in reauthorizing the U.S. Cybersecurity Information Sharing Act of 2015 (“CISA 2015”)[i], we are rapidly approaching September 30th, the date when the Act is set to expire barring congressional action to extend it. With time running short, let’s assess the options still being considered and breakdown how and why reauthorization is going down to the wire.” * * *
  • “The current most likely path for a CISA 2015 reauthorization is not a simple standalone bill that is quickly passed by both chambers. Instead, the most likely path runs through a short term extension as part of a continuing resolution (“CR”) and then through the National Defense Authorization Act (“NDAA”).
  • “For those who are unfamiliar, a CR is a “temporary spending [bill] that [allows] federal government operations to continue when final appropriations have not been approved by Congress and the President. Without final appropriations or a CR, there could be a lapse in funding that results in a government shutdown.”[ii] The NDAA is an annual end of year bill that provides appropriations for the Department of Defense (“DOD”). It is generally considered to be a “must pass” piece of legislation that lawmakers attempt to add otherwise unrelated policy matters.”

• Nextgov/FCW tells us,
  • “Greg Barbaccia, the federal chief information officer, says that the Office of Management and Budget is backing the General Services Administration’s overhaul of FedRAMP, the government’s cloud security assessment and authorization program. 
  • “GSA launched FedRAMP 20x — meant to use more automation in place of annual assessments, cut red tape and speed up authorizations — in March. It announced its phase two pilot on Wednesday.
  • “Barbaccia acknowledged the past problems with FedRAMP at a Wednesday event held by the Alliance for Digital Innovation. 
  • “I have done FedRAMP in my past life,” said Barbaccia, who previously worked at Palantir and more recently at a machine-learning enabled asset manager. “What a pain in the butt.”
  • “The FedRAMP program is planning on pursuing 10 pilot authorizations at the Moderate security level as part of the new phase of FedRAMP 20x, said FedRAMP Director Pete Waterman.”

• Per a Cybersecurity and Infrastructure Security Agency (“CISA”) news release,
  • Today [September 23, 2025], the Cybersecurity and Infrastructure Security Agency (CISA) announced the appointment of Stephen L. Casapulla as the Executive Assistant Director for Infrastructure Security.
  • “I am pleased to have Steve expand his role on CISA’s leadership team,” said Acting Director Madhu Gottumukkala. “With his extensive experience in critical infrastructure security and working with stakeholders, he is perfectly poised to lead our efforts in securing the nation’s critical infrastructure. I look forward to working with him on this important mission.”
  • Prior to joining CISA, Casapulla served as the Director for Critical Infrastructure Cybersecurity in the Office of the National Cyber Director. He previously spent over thirteen years at CISA and its predecessor, holding a variety of senior roles. His prior federal service includes work at the Small Business Administration and at the Department of State in Iraq. He also serves as an officer in the U.S. Navy Reserve, with over twenty years of service and multiple overseas deployments.

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency on Thursday [September 25, 2025,] ordered U.S. government agencies to patch multiple vulnerabilities in Cisco networking products, saying an “advanced threat actor” was using them in a “widespread” campaign.
  • “This activity presents a significant risk to victim networks,” CISA said in an emergency directive that laid out a mandatory timeline for agencies to identify, analyze and patch vulnerable devices.
  • “The hacking campaign — an extension of the sophisticated “ArcaneDoor” operation that Cisco first revealed in April 2024 — has compromised multiple federal agencies, two U.S. officials told Cybersecurity Dive. Both officials requested anonymity to discuss a sensitive and evolving investigation.”

• Cyberscoop adds,
  • “Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.” 
  • “Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.” 
  • “The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action.”

• Dark Reading points out,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) this week disclosed that threat actors breached a federal agency last year by exploiting a critical vulnerability in the open source GeoServer mapping server.
  • “In the advisory, CISA said it conducted incident response at a large, unnamed federal civilian executive branch (FCEB) agency after malicious activity was flagged by the agency’s endpoint detection and response (EDR) platform, but found the agency’s response playbook to be lacking; so lacking in fact that it hampered CISA’s investigation and allowed the attackers to burrow deeper into the network unchecked.

• Cybersecurity Dive adds,
  • “[On September 23, 2025,] the Cybersecurity and Infrastructure Security Agency urged security teams to monitor their systems following a massive supply chain attack that struck the Node Package Manager ecosystem. 
  • “The attack, tracked under the name Shai-Hulud, involved a self-replicating worm that compromised more than 500 software packages, according to StepSecurity. 
  • “After gaining access, a malicious attacker injected malware and scanned the environment for sensitive credentials. The credentials included GitHub Personal Access Tokens and application programming interface keys for various cloud services, including Amazon Web Services, Google Cloud Platform and Microsoft Azure. 
  • “The stolen credentials were uploaded to an endpoint controlled by the attacker and then uploaded to a public repository called Shai-Hulud. 
  • “Researchers at Palo Alto Networks said the attacker used an LLM to write the malicious script, according to an updated blog post released Tuesday.” 

• CISA added one known exploited vulnerability to its catalog this week.
  • September 23, 2025
    • CVE-2025-10585 Google Chromium V8 Type Confusion Vulnerability
      • Cybersecurity News discusses this KVE here.

• Cybersecurity Dive relates,
  • “Hackers are conducting brute force attacks against the MySonicWall.com portal in order to access the company’s cloud backup service for firewalls, SonicWall and federal authorities warned in advisories released Monday [September 22, 2025].
  • “SonicWall said its investigation found that hackers gained access to 5% of backup firewall preference files. The company warned that while credentials inside the files were encrypted, the files contained other information that could help attackers exploit the firewall, according to the advisory.  
  • “SonicWall also released a video explaining the scope of the incident. 
  • “In an advisory on Monday, the Cybersecurity and Infrastructure Security Agency urged customers to log into their accounts to determine whether their devices are at risk.” 

• Cyberscoop reports,
  • “The Secret Service said Tuesday [September 23, 2025] that it disrupted a network of electronic devices in the New York City area that posed imminent telecommunications-based threats to U.S. government officials and potentially the United Nations General Assembly meeting currently underway.
  • “The range of threats included enabling encrypted communications between threat groups and criminals or disabling cell towers and conducting denial-of-service attacks to shut down cell communications in the region. Matt McCool, special agent in charge of the Secret Service’s New York field office, said the agency’s early analysis of the network indicated “cellular communications between foreign actors and individuals that are known to federal law enforcement.”
  • “In all, the agency said it discovered more than 300 servers and 100,000 SIM cards spread across multiple sites within 35 miles of the U.N. meeting. The Secret Service announcement came the same day President Donald Trump was scheduled to deliver a speech to the General Assembly.
  • “The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated,” U.S. Secret Service Director Sean Curran said in a news release.”

• Cyberscoop warns,
  • “Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.
  • “Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who the hackers are behind the malware they’ve dubbed Brickstorm, or how far it stretches. A blog post the company posted Wednesday sheds light on the group.
  • “The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.
  • “By stealing intellectual property from security-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, a kind of vulnerability that is previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.”

• Per Dark Reading,
  • “Salesforce Web forms can be manipulated by the company’s “Agentforce” autonomous agent into exfiltrating customer relationship management (CRM) data — a concerning development as legacy software-as-a-service (SaaS) providers race to integrate agentic AI into their platforms to zhuzh up the user experience and generate buzz among investors.
  • “Agentforce is an agentic AI platform built into the Salesforce ecosystem, which allows users to spin up autonomous agents for most conceivable tasks. As the story often goes though, the autonomous technology appears to be the victim of the complexity of AI prompt training, according to researchers at Noma Security. 
  • “To wit: The researchers have identified a critical vulnerability chain in Agentforce, carrying a 9.4 out of 10 score on the CVSS vulnerability-severity scale. In essence it’s a cross-site scripting (XSS) play for the AI era — an attacker plants a malicious prompt into an online form, and when an agent later processes it, it leaks internal data. In keeping with all of the other prompt injection proofs-of-concept (PoCs) coming out these days, Noma has named its trick “ForcedLeak.”

From the ransomware front,

• Cybersecurity Dive reports,
  • “RTX Corp., the parent firm of Collins Aerospace, confirmed that ransomware was used in the hack of its airline passenger processing software, in a filing with federal regulators. 
  • “The attack, discovered on Sept. 19, has disrupted flights across Europe since last week, including at London’s Heathrow Airport, Brussels Airport, and airports in Berlin and Dublin. 
  • “The Multi-User System Environment software, known as MUSE, is used by multiple airlines to check-in and board passengers and is also used to track baggage, according to the filing with the U.S. Securities and Exchange Commission. 
  • “Virginia-based RTX said the MUSE system operates on a customer-specific network outside of the company’s enterprise network.
  • “U.K. authorities said Wednesday that a man in his 40s had been arrested on suspicion of violating the Computer Misuse Act. The police investigation is ongoing.” 

• Dark Reading points out,
  • “Volvo Group North America (Volvo NA) has been breached via a third-party human resources (HR) software provider.
  • “At the root of the story is Miljödata, a Swedish company specializing in occupational software-as-a-service (SaaS), whose cloud infrastructure was breached in August. Thanks to its centralized, multi-tenant arrangement, hundreds of customers and millions of individuals have been affected. In a recent letter to its staff, Volvo NA, whose parent company is based in Sweden, revealed itself to be one such victim.
  • “Like other Miljödata customers, Volvo NA’s systems were untouched by the attack. Still, its employees’ names and Social Security numbers (SSNs) were stolen, and potentially published to the Dark Web. According to its website, Volvo NA employs just shy of 20,000 people.
  • “For municipalities, universities, and even big corporations like Volvo, this isn’t just a security issue, it’s an integrity issue,” says Anders Askasen, vice president of product marketing at Radiant Logic. “People suddenly wonder whether the systems handling their most sensitive data are fit for the purpose, and with good reason. That loss of confidence is as damaging as the leak itself.”

• Industrial Cyber tells us,
  • “The Rhysida ransomware gang claimed responsibility for a late-August data breach at the Maryland Transit Administration. Exposed data includes names, surnames, dates of birth, driver’s licenses, SSNs, passports, and confidential information.
  • “The group is said to have demanded a ransom of 30 bitcoin, around US $3.4 million at the time of writing, to be paid within seven days. To support its claim, Rhysida posted images of documents allegedly stolen from the MTA, including scans of a Social Security card, driver’s license, passport, and several other records.
  • “Comparitech identified that to prove its claim, Rhysida posted images of what it says are documents stolen from the MTA. They include scans of a Social Security card, driver’s license, passport, and several other documents. 
  • “The Maryland Transit Administration is a division of the state’s Department of Transportation. It operates buses, light rail, subways, commuter trains, taxis, and a paratransit system. The MTA specifically mentioned the paratransit system, MobilityLink, being disrupted by the cyber attack.”

• Per the Record,
  • “Ransomware hackers stole Social Security numbers, financial information and more during a recent cyberattack on Union County in Ohio. 
  • “The county government began sending out breach notifications to 45,487 local residents and county employees this week. The letters say ransomware was detected on the county’s network on May 18, prompting officials to hire cybersecurity experts and notify federal law enforcement agencies.  
  • “The hackers stole documents that had names, Social Security numbers, driver’s license numbers, financial account information, fingerprint data, medical information, passport numbers and more.  
  • “No ransomware gang has taken credit for the attack publicly, and the letters said the county has been monitoring internet sources but have not found any indication the stolen information was released or offered for sale.  
  • “The county has about 71,000 residents and is 45 minutes outside of Columbus — which dealt with its own ransomware attack one year ago.” 

• HIPAA Journal lets us know,
  • “There’s good and bad news on the ransomware front. Attacks are down year-over-year; however, successful attacks are proving even costlier to mitigate, according to the Mid-Year Risk Report from the cyber risk management company Resilience. The company saw a 53% reduction in cyber insurance claims in the first half of the year, which indicates organizations are getting better at preventing attacks; however, when ransomware attacks succeed, they have been causing increased financial harm, with losses 17% year-over-year. While ransomware accounted for just 9.6% of claims in H1, 2025, ransomware attacks accounted for 91% of incurred losses.
  • “On average, a successful ransomware attack causes $1.18 million in damages, up from $1.01 million in 2024, and the cost is even higher in healthcare. Resilience’s healthcare clients suffered average losses of $1.3 million in 2024, and in the first half of 2025, some healthcare providers faced extortion demands as high as $4 million. While it is too early to tell what the severity of claims will be in 2025 until claims are settled, Resilience said there are indications that the average severity of incurred losses for healthcare ransomware attacks this year could be $2 million, up from an average of $705,000 in 2024 and $1.6 million in 2023.”

From the cybersecurity defenses front,

• Cyberscoop advises,
  • “Artificial intelligence is no longer a future concept; it is being integrated into critical infrastructure, enterprise operations and security missions around the world. As we embrace AI’s potential and accelerate its innovation, we must also confront a new reality: the speed of cybersecurity conflict now exceeds human capacity. The timescale for effective threat response has compressed from months or days to mere seconds. 
  • “This acceleration requires removing humans from the tactical security loop. To manage this profound shift responsibly, we must evolve our thinking from abstract debates on “AI safety” to the practical, architectural challenge of “AI security.” The only way to harness the power of probabilistic AI is to ground it with deterministic controls.”

• A Dark Reading commentator recommends that “With the emergence of AI-driven attacks and quantum computing, and the explosion of hyperconnected devices, zero trust remains a core strategy for security operations.”

• Per a CISA news releases,
  • “In today’s increasingly interconnected industrial landscape, operational technology (OT) systems are no longer isolated islands of automation—they’re deeply entwined with information technology and business networks, making them prime targets for cyber threats. Recognizing this growing risk, the Cybersecurity and Infrastructure Security Agency (CISA) collaborated with three U.S. federal agencies and five international partners and received contributions from twelve private sector stakeholders to develop and publish, “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators”.
  • “This key resource helps owners and operators of OT systems create stronger, more secure infrastructures by building a clear inventory and classification of their assets. By identifying, organizing, and managing OT assets effectively, organizations can not only improve cybersecurity but also enhance operational reliability, safety, and resilience.”

• Per National Institute of Standards news releases,
  • “NIST has released Special Publication (SP) 800-88r2 (Revision 2), Guidelines for Media Sanitization.
  • “Media sanitization is a process that renders access to the target data on media infeasible for a given level of effort. This guide will assist organizations and system owners in setting up a media sanitization program with proper and applicable methods and controls for sanitization and disposal based on the sensitivity of their information.”
• and
  • “NIST has released Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. It is the final document in the SP 800-90 series, which supports the generation of high-quality random bits for cryptographic and non-cryptographic use.
  • “SP 800-90C specifies constructions for implementing random bit generators (RBGs) that include deterministic random bit generator (DRBG) mechanisms as specified in SP 800-90A and use entropy sources as specified in SP 800-90B.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• The Wall Street Journal reports,
  • “The collapse on Friday [September 19] of an emergency federal funding bill leaves the fate of cybersecurity legislation that provides legal protection for companies sharing cyber-threat intelligence up in the air.
  • Without a reprieve of the expiring cyber legislation that had been included in the funding bill, companies face uncertainty on how to communicate about cyber threats as competing reauthorization bills work through a divided House and Senate.
  • “Both the private sector and the government need certainty, including the ability to allocate resources for long-term cybersecurity planning and implementation,” said Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce. 
  • The 2015 Cybersecurity Information Sharing Act, or CISA, is set to expire at the end of September. Friday’s scuttled emergency funding measure, which applied to a number of federal programs and sought to avert a government shutdown, would have given lawmakers more time [until November 21] to iron out critical differences between House and Senate versions of CISA renewal bills. * * *
  • “A notable difference in the House bill is the forward-thinking inclusion of artificial intelligence in the renewal,” said Justine Phillips, a partner and co-chair of the data and cyber practice group at law firm Baker McKenzie. Despite these updates, she said, “the House bill is the functional equivalent of extending the act as is, because it leaves the legal liability protections intact.”
  • “The cyber bill’s renewal by the Senate may prove more problematic, cybersecurity experts say.”

• Cyberscoop informs us,
  • “Federal agencies are increasingly incorporating artificial intelligence into the cyber defenses of government networks, and there’s more still to come, acting Federal Chief Information Security Officer Michael Duffy said Thursday.
  • “We’re at an exciting time in the federal government to see that we’re not only putting AI in production, but we’re finding ways to accelerate emerging technology across the government, across all missions and all angles,” Duffy said at FedTalks, produced by Scoop News Group. In his “role overseeing federal cybersecurity policy,” he said, he is “able to see these at the ground level, as agencies bring excitement and enthusiasm and hope for what they can optimize through artificial intelligence.”
  • “Cyber attackers are moving faster than ever, and on a much larger scale than before, he said. They’re also using technology in new ways. But it’s not all “doom and gloom” when it comes to the cybersecurity of federal networks, especially because of feds’ move toward AI, Duffy said.
  • “I’m pleased to say that the advancements that we’ve made over the past decade in the federal government have brought us to this point: Agencies are poised now, postured, positioned, to take advantage of new capabilities, bring them into federal agencies and make them work for the mission,” he said.”

• In related news, Cybersecurity Dive tells us,
  • “The National Institute of Standards and Technology on Thursday [September 18] published guidance describing how implementation of post-quantum cryptography (PQC) both supports and relies on the safeguards in the agency’s major cybersecurity publications.
  • “The draft NIST document, derived from the output of the agency’s PQC migration project, is designed to illustrate the connections between the tools required for adopting quantum-resistant encryption and the security practices that NIST recommends in its Cybersecurity Framework and other guidance.
  • “The capabilities demonstrated in the project support several security objectives and controls identified” in other NIST guidance documents, the agency said in its new publication. “At the same time, responsible implementation of the demonstrated capabilities is dependent on adherence to several security objectives and controls identified in these risk framework documents.”
  • “Collecting information about which technologies use cryptography supports the Cybersecurity Framework practices of creating hardware and software inventories, the document notes. Similarly, analyzing cryptographic weaknesses supports the CSF practice of identifying vulnerabilities in technology assets.”

• A September 19, 2025, NIST news release adds,
  • “To help organizations protect their data against possible future attacks from quantum computers, the National Institute of Standards and Technology (NIST) has released a publication offering guidelines for implementing a class of post-quantum cryptography (PQC) algorithms known as key-encapsulation mechanisms, or KEMs.
  • “A KEM is a set of algorithms that can be used by two parties to securely establish a shared secret key over a public channel — a sort of first handshake between parties that want to exchange confidential information. Recent examples of KEMs include ML-KEM and HQC.
  • The new publication, Recommendations for Key-Encapsulation Mechanisms (NIST Special Publication 800-227), describes the basic definitions, properties and applications of KEMs and provides recommendations for implementing and using KEMs securely.

• Cyberscoop reports,
  • “Two teenagers were arrested in the United Kingdom this week, accused of associating with the sprawling criminal collective known as The Com, and participating in many high-profile and damaging cyberattacks on critical infrastructure globally.
  • “Thalha Jubair, 19 of London, and Owen Flowers, 18 of Walsall, England, were arrested at their residences Tuesday and charged with crimes related to the cyberattack on the Transport for London in September 2024, the U.K.’s National Crime Agency said.
  • “Jubair and Flowers were allegedly highly involved in many other cyberattacks attributed to Scattered Spider, a nebulous offshoot of The Com that commits ransomware and data extortion. The Com is composed of thousands of members, splintered into three primary subsets of interconnected networks that commit swatting, extortion and sextortion of minors, violent crime and various other cybercrimes, according to the FBI.
  • “The Justice Department on Thursday unsealed charges against Jubair, a U.K. national, accusing him of participating in at least 120 cyberattacks as part of Scattered Spider’s sweeping extortion scheme from May 2022 to September 2025, including 47 U.S.-based organizations. Victims of those attacks paid at least $115 million in ransom payments, authorities said.”

From the cybersecurity vulnerabilities and breaches front,

• While CISA did not add any known exploited vulnerabilities to its catalog this week, SC Media lets us know,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 18 issued a malware analysis report on two sets of malicious code from an organization compromised by threat actors exploiting two bugs in the Ivanti Endpoint Manager Mobile (EPMM) tool.
  • “CISA said the malware exploited two CVEs – CVE-2025-4427 and CVE-2025-4428. After exploitation, the malware let the threat actors inject and run arbitrary code on the compromised server.
  • “Lawrence Pingree, technical evangelist at Dispersive Holdings, said malware that’s instrumented to target specific vulnerabilities in centralized endpoint management solutions like these Ivanti tools is incredibly important to defend against.
  • “Isolating and microsegmenting sensitive systems like this is essential. Patching rapidly, ideally with an automated process, is essential in defending against vulnerabilities,” said Pingree.”

• Per Dark Reading,
  • “Security vendor SonicWall suffered a data breach that exposed customer firewall configuration file backups.
  • “On Sept. 17, SonicWall, a vendor best known for its network security appliances, published a knowledge base article disclosing what it described as a “cloud backup file incident.” The company said its security teams recently detected “suspicious activity targeting the cloud backup service for firewalls” and confirmed it to be a security event in the past few days.
  • “Unidentified threat actors accessed backup firewall preference files stored in the cloud representing “fewer than 5% of our firewall install base,” according to SonicWall. Attackers were able to access encrypted credentials as well as firewall configuration files “that could make it easier for attackers to potentially exploit the related firewall.”
  • “We are not presently aware of these files being leaked online by threat actors,” SonicWall said in its disclosure. “This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.”
    
• Per Cyberscoop,
  • “Researchers warned that a maximum-severity vulnerability affecting GoAnywhere MFT bears striking similarities with a widely exploited defect in the same file-transfer service two years ago.
  • “Fortra, the cybersecurity vendor behind the product, disclosed and released a patch for the vulnerability — CVE-2025-10035 — Thursday. The deserialization vulnerability “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” the company said in a security advisory.
  • “File transfer services are a valuable target for attackers because they store a lot of sensitive data. If cybercriminals exploit these services, they can quickly access information from many users at once, making these services especially attractive for large-scale attacks. 
  • “Fortra didn’t provide any evidence of active exploitation and researchers from multiple security firms said they haven’t observed exploitation but expect that to change soon. “We believe that it’s just a matter of time and are monitoring the situation closely,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.
  • “The vulnerability, which has a CVSS rating of 10, is “virtually identical to the description for CVE-2023-0669,” a zero-day vulnerability exploited by Clop, resulting in attacks on more than 100 organizations, and at least five other ransomware groups, Caitlin Condon, vice president of security research at VulnCheck, said in a blog post.”
• and
  • “Apple’s latest operating systems for its most popular devices — iPhones, iPads and Macs — include patches for multiple vulnerabilities, but the company didn’t issue any warnings about active exploitation. 
  • “Apple patched 27 defects with the release of iOS 26 and iPadOS 26 and 77 vulnerabilities with the release of macOS 26, including some bugs that affected software across all three devices. Apple’s new operating systems, which are now numbered for the year of their release, were published Monday as the company prepares to ship new iPhones later this week.
  • “Users that don’t want to upgrade to the latest versions, which adopt a translucent design style Apple dubs “liquid glass,” can patch the most serious vulnerabilities by updating to iOS 18.7 and iPad 18.7 or macOS 15.7. Most Apple devices released in 2019 or earlier are not supported by the latest operating systems.
  • “None of the vulnerabilities Apple disclosed this week appear to be under active attack, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop.”

• Cybersecurity Dive points out,
  • “Most companies worry their networks aren’t safe against cyberattacks powered by artificial intelligence.
  • “Only 31% of IT leaders are at least somewhat confident that they can defend their organizations against AI-powered attacks, according to a Lenovo report published on Thursday.
  • “The report delves into why IT and security leaders are worried about hackers’ use of AI — and why they see their companies’ own use of AI systems as vulnerable.”
• and
  • “The number of healthcare organizations that have lost more than $200,000 to cyberattacks has quadrupled this year compared with the same period in 2024, data security firm Netwrix said in a report published Thursday [September 19].
  • “Nearly half of all healthcare organizations (48%) experienced at least one intrusion between March 2024 and March 2025, the report found.
  • “Healthcare organizations experienced more cyberattack-related losses of at least $500,000 than critical infrastructure firms did, on average: 12% of healthcare organizations, compared with 6% of all organizations.”

From the ransomware front,

• Infosecurity Magazine reports,
  • “Fifteen well-known ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, have announced that they are shutting down their operations.
  • “The collective announcement was posted on Breachforums, where the groups claimed they had achieved their goals of exposing weaknesses in digital infrastructure rather than profiting through extortion.
  • “In their statement, the gangs said they would now shift to “silence,” with some members planning to retire on the money they had accumulated, while others would continue studying and improving the systems people rely on daily.” * * *
  • “Organizations should take these announcements with a pinch of salt,” Nivedita Murthy, senior staff consultant at Black Duck, said.
  • “It could be possible that some of these groups may have decided to step back and enjoy their payday, [but] it does not stop copycat groups from rising up and taking their place.”

• IT Pro discusses the “top ransomware trends for businesses in 2025. A splintering of top groups and changing attitudes toward payments are changing attacker tactics at speed.”

• Morphisec calls attention to “The Top Exploited Vulnerabilities Leading to Ransomware in 2025 — and How to Stay Ahead.” 

From the cybersecurity defenses front,

• The American Hospital Association News reports,
  • “Microsoft Sept. 16 announced it had disrupted a growing phishing service that had targeted at least 20 U.S. health care organizations. The company said it used a court order granted by the U.S. District Court for the Southern District of New York to seize 338 websites associated with RaccoonO365, a cyber threat group known for stealing Microsoft 365 credentials through phishing tactics. RaccoonO365 offers subscription-based phishing kits that allow individuals to steal Microsoft credentials by mimicking official Microsoft communications. The company said the phishing kits use Microsoft branding to create fraudulent emails, attachments and websites. Since July 2024, the kits have stolen at least 5,000 Microsoft credentials from individuals in 94 countries. The group was recently observed offering a new artificial intelligence-powered service in an attempt to scale their operations.
  • “Credentials stolen through RaccoonO365 enabled ransomware attacks against hospitals, posing a direct threat to patient and community safety,” said John Riggi, AHA national advisor for cybersecurity and risk. “This operation also highlights a disturbing trend — cybercriminals’ increased use of ‘initial access brokers’ to steal credentials and AI to accelerate the effectiveness, sophistication and impact of cyberattacks. The need for continued and evolving social engineering training for staff is essential to defend against the latest deception tactics used by hackers.”

• Cybersecurity Dive tells us,
  • “Preemptive cybersecurity solutions will account for about half of all IT security spending by the year 2030, a significant increase from its 5% share in 2024, Gartner said in a report published Thursday.
  • “Preemptive cybersecurity will effectively replace standard detection and response technologies as the preferred defense against malicious hacking, Gartner predicted.
  • “The technology uses artificial intelligence and machine learning to anticipate threats and then neutralize them before they can compromise their targets, according to researchers.”

• Security Week reflects on the fifteen anniversary of the Zero Trust strategy.
  • “The implementation of zero trust is essential for cybersecurity: but after 15 years, we’re still not there. Implementation is like the curate’s egg: good in parts.
  • “Zero Trust turned fifteen years old on September 14, 2025. Its invention was announced with Forrester’s publication of John Kindervag’s paper, No More Chewy Centers: Introducing The Zero Trust Model of Information Security, on that date in 2010 (archived here).
  • “Zero trust recognizes that treating cybersecurity like an M&M (a hard crunchy shell impenetrable to hackers protecting a soft chewy center where staff can work freely and safely) simply doesn’t work. “Information security professionals must eliminate the soft chewy center by making security ubiquitous throughout the network, not just at the perimeter,” wrote Kindervag.
  • “This is the basis of zero trust (or ZT): abandon the old concept of a barrier between two separate networks (one untrusted: the internet; and one trusted: the enterprise). Instead, trust nothing and verify everything, regardless of source or destination. The concept is sound and rapidly gained approval, culminating in EO14028 mandating that federal agencies must move toward a zero trust architecture while private companies should do similar – but never defining how it could be achieved.
  • “There’s the rub. Zero trust is fundamentally a concept where implementation will depend on individual different corporate ecospheres.”

• Dark Reading recommends “Transforming Cyber Frameworks to Take Control of Cyber-Risk.”

• Here’s a link to Dark Reading’s CISO Corner.