
From the cybersecurity policy front,
- Cyberscoop lets us know,
  - “Bipartisan legislation to close a loophole in federal cybersecurity standards by requiring vulnerability disclosure policies for government contractors is getting another shot at passage in this Congress.
  - “The Federal Contractor Cybersecurity Vulnerability Reduction Act, a bicameral, bipartisan bill that stalled out last year in the Senate, was reintroduced Friday [January 31] in the House by Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio.
  - “The bill, whose 2024 companion in the upper chamber came from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., calls on the Office of Management and Budget and the Defense Department to update federal acquisition policies to require all federal contractors to institute vulnerability disclosure policies (VDPs).
  - “This is a matter of national security,” Mace said in a press release. “Federal contractors handle some of the most sensitive information and critical infrastructure in the country. Without basic vulnerability disclosure policies, we are leaving a gaping hole in our cybersecurity defenses. This bipartisan bill ensures contractors uphold the same cybersecurity standards as federal agencies, reducing risks before they turn into catastrophic breaches.”
- The Wall Street Journal reports,
  - “Lawmakers announced Thursday they planned to introduce a bill to ban DeepSeek’s chatbot application from government-owned devices, over new security concerns that the app could provide user information to the Chinese government.
  - “The legislation written by Reps. Darin LaHood, an Illinois Republican, and Josh Gottheimer, a New Jersey Democrat, is echoing a strategy that Congress used to ban Chinese-controlled TikTok from government devices, which marked the beginning of the effort to block the company from operating in the U.S.
  - “This should be a no-brainer in terms of actions we should take immediately to prevent our enemy from getting information from our government,” Gottheimer said.
- SC Media tells us,
  - “A U.S. cybersecurity agency issued a fresh set of guidance for organizations regarding best practices in securing their networks and data storage.
  - “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) posted a set of guidelines aimed at helping companies better secure the commonly used devices that sit at the edges of most networks.
  - “This set of guidance, led by international cybersecurity authorities, is intended to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems,” CISA explained.
  - “It’s thought that American organizations will be motivated in the new year to brush up on security and install updates for commonly exploited security vulnerabilities in their edge devices.”
From the cybersecurity vulnerabilities and breaches front,
- CISA added eleven known exploited vulnerabilities to its catalog this week.
  - February 4, 2025
    - CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability
    - CVE-2024-29059 Microsoft .NET Framework Information Disclosure Vulnerability
    - CVE-2018-9276 Paessler PRTG Network Monitor OS Command Injection Vulnerability
    - CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
  - February 5, 2025
    - CVE-2024-53104 Linux Kernel Out-of-Bounds Write Vulnerability
  - February 6, 2025
    - CVE-2025-0411 7-Zip Mark of the Web Bypass Vulnerability
    - CVE-2022-23748 Dante Discovery Process Control Vulnerability
    - CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability
    - CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
    - CVE-2020-15069 Sophos XG Firewall Buffer Overflow Vulnerability
  - February 7, 2025
    - CVE-2025-0994 Trimble Cityworks Deserialization Vulnerability
  - February 4, 2025
    - Supplemental Information on the additional KEVs.
- Bleeping Computer provides background on the February 4 additions.
- This Linux Security article explains the February 5 addition.
- ACA Global explains the 7-Zip (a file compression tool) addition on February 6.
- WNE Security explains the Dante Discovery addition also on February 6.
- Bleeping Computer discusses the Microsoft Outlook addition also on February 6.
- Hacker News delves into the Trimble Cityworks addition on February 7.
- Cybersecurity Dive points out,
  - “Microsoft has identified more than 3,000 publicly exposed ASP.NET machine keys that could be used by threat actors in code injection attacks against enterprise servers.
  - “In a blog post Thursday, Microsoft Threat Intelligence said it observed “limited activity” in December, in which a threat actor used a publicly available ASP.NET machine key to inject malicious code and deploy the Godzilla post-exploitation framework. While Microsoft said the threat actor is “unattributed,” the U.S. government previously has tied the Godzilla framework, which creates malicious web shells that can be used as backdoors, to a Chinese state-sponsored threat actor.
  - “In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to perform malicious actions on target servers,” Microsoft said in the blog post.”
- and
  - “Security researchers warned about a surge in web login brute force attacks against edge devices from a suspected botnet since mid-to-late January, according to a post on X from the Shadowserver Foundation.
  - “The threat activity targeted devices from several major vendors, including Palo Alto Networks, SonicWall and Ivanti, with more than 2.8 million source IPs per day, according to Shadowserver. The observed threat activity goes well beyond scanning and involves actual login attempts, researchers said.
  - “We do not know who is being targeted in particular, we can only observe attacks against our own honeypots,” Piotr Kijewski, CEO of Shadowserver, said via email.
- Dark Reading reports,
  - More than two weeks after China’s DeepSeek garnered worldwide attention with its low-cost AI model, threat actors have been busy capitalizing on the news by setting up phishing sites impersonating the company.
  - The fraudulent sites aim to deceive users into downloading malicious software or providing credentials and other sensitive information. Researchers at Israel-based Memcyco spotted at least 16 such sites actively impersonating DeepSeek earlier this week and believe the activity represents a coordinated attack campaign among threat actors.
- Per SC Media,
  - “Infostealers were identified as the largest group of new macOS malware, having increased by 101% in the last two quarters of 2024, according to the Palo Alto Networks Unit42 research group.
  - “The Unit42 research team pointed to three prevalent macOS infostealers in the wild: Poseidon, Atomic and Cthulhu.
  - “While infostealers are often seen as limited in capability compared with trojans, the researchers said in a Feb. 4 blog post that by exfiltrating sensitive credentials, financial records and intellectual property, infostealers often lead to data breaches, financial losses and reputational damage.
  - “Most infostealers are indiscriminate, aiming to maximize data collection for impact and monetization,” wrote the researchers. “This broad range of information stealing capabilities exposes organizations to significant risks, including data leaks and providing initial access for further attacks, such as ransomware deployment.”
From the ransomware front,
- Cyberscoop informs us,
  - “Ransomware payments saw a dramatic 35% drop last year compared to 2023, even as the overall frequency of ransomware attacks increased, according to a new report released by blockchain analysis firm Chainalysis.
  - “The considerable decline in extortion payments is somewhat surprising, given that other cybersecurity firms have claimed that 2024 saw the most ransomware activity to date. Chainalysis itself warned in its mid-year report that 2024’s activity was on pace to reach new heights, but attacks in the second half of the year tailed off.
  - “The total amount in payments that Chainalysis tracked in 2024 was $812.55 million, down from 2023’s mark of $1.25 billion.
  - “Despite its small half-over-half (HoH) increase, we expected 2024 to surpass 2023’s totals by the end of the year,” the company wrote on its website. “Fortunately, however, payment activity slowed after July 2024 by approximately 34.9%. This slowdown is similar to the HoH decline in ransom payments since 2021 and the overall decline during H2 2024 in some types of crypto-related crime, such as stolen funds. Notably, the decline this year is more pronounced than in the last three years.”
  - “The disruption of major ransomware groups, such as LockBit and ALPHV/BlackCat, was key to the reduction in ransomware payments. Operations spearheaded by agencies like the United Kingdom’s National Crime Agency (NCA) and the Federal Bureau of Investigation (FBI) caused significant declines in LockBit activity, while ALPHV/BlackCat essentially rug-pulled its affiliates and disappeared after its attack on Change Healthcare.
  - “As the industry has seen in past years, ransomware groups often fill the market after the heads of the pack have been dismantled by law enforcement. However, when LockBit and BlackCat disappeared, a well-known ransomware group did not immediately take the mantle. Instead, smaller groups took advantage of the situation, focusing on small to medium-sized targets and asking for small ransoms, according to Chainalysis’ report.
  - “Additionally, the company says more organizations have become stronger against attacks, with many choosing not to pay a ransom and instead using better cybersecurity practices and backups to recover from these incidents.”
- Hacker News identifies the Top 3 Ransomware Threats Active in 2025.
- Per Bleeping Computer,
  - “The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
  - “This is a sign of shifting tactics for Kimsuky, according to AhnLab SEcurity Intelligence Center (ASEC), who discovered the campaign.
  - “ASEC says the North Korean hackers now use a diverse set of customized remote access tools instead of relying solely on noisy backdoors like PebbleDash, which is still used.”
From the cybersecurity defenses and business / history front,
- ISACA has released its 2025 State of Privacy Report.
- Here’s a link to Dark Reading’s CISO Corner.
- Cybersecurity Dive relates,
  - “Thoma Bravo-backed cybersecurity firm Sophos completed its acquisition of Secureworks Monday in an all-cash transaction valued at $859 million.
  - “Sophos said the purchase of Secureworks positions Sophos as the largest pure-play provider of managed detection and response services, with a customer base of 28,000 organizations worldwide.
  - “The agreement also expands Sophos’s threat intelligence capabilities operating under the Sophos X-Ops name, with the addition of the Secureworks Counter Threat Unit and other security operations and advisory services.”
- and
  - “SolarWinds Corp. has agreed to a $4.4 billion deal with Turn/River Capital whereby the private equity firm buys the software firm in an all-cash transaction at $18.50 per share.
  - “The observability and IT management software provider will become a privately held company and no longer trade on the New York Stock Exchange.
  - “We have built a great track record of helping customers accelerate business transformations through simple, powerful, secure solutions designed for hybrid and multicloud environments,” Sudhakar Ramakrishna, president and CEO of SolarWinds said in a statement.
  - “The Austin, Texas-based firm took center stage in one of the most consequential cyberattack campaigns in history when state-linked hackers infected its Orion platform. The attack, disclosed in late 2020, led to massive reforms in how the industry developed software and attempted to secure IT systems against increasingly sophisticated state actors.”