
From the cybersecurity policy and law enforcement front.
- Security Week informs us,
- “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 [(HR 872)] instructs the Office of Management and Budget (OMB) to consult with CISA, the Office of the National Cyber Director, NIST, and other relevant departments, and require federal contractors to have a [vulnerability disclosure program] VDP that is consistent with NIST guidelines.
- “The bill also instructs the Defense Department to require defense contractors to adopt similar policies.
- “The goal is to make it easier for individuals and companies who find vulnerabilities in contractors’ systems to responsibly disclose them.
- “Just days before the bill passed the House, several major cybersecurity and tech companies signed a letter urging the House and Senate to approve the legislation.” * * *
- “The legislation is now in the Senate, where it has been referred to the Committee on Homeland Security and Governmental Affairs.”
- Speaking of NIST, earlier this week, NIST finalized “Guidelines for Evaluating ‘Differential Privacy’ Guarantees to De-Identify Data.”
- “Using differential privacy can help organizations glean useful insights from databases while protecting individuals’ data.
- “NIST has put the finishing touches on guidelines intended to help organizations evaluate differential privacy claims.
- “The finalized publication expands upon draft guidelines that NIST released last year.”
- Bleeping Computer lets us know,
- “U.S. authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.
- “Despite the threat actors’ efforts, law enforcement agents traced $23,604,815.09 of the stolen digital assets between June 2024 and February 2025 to the following cryptocurrency exchanges: OKX, Payward Interactive, Inc. (dba Kraken), WhiteBIT, AscendEX Technology SRL, Ftrader Ltd (dba FixedFloat), SwapSpace LLC, and Rabbit Finance LLC (dba CoinRabbit).
- “A forfeiture complaint unsealed by the U.S. Justice Department yesterday [March 6] and first spotted by crypto fraud investigator ZachXBT reveals that U.S. Secret Service agents who interviewed the victim believe the attackers could have only stolen the cryptocurrency using private keys extracted by cracking the victim’s password vault stolen in a 2022 breach of an online password manager.”
- Cyberscoop tells us,
- The Justice Department on Wednesday [March 5] indicted 12 Chinese nationals for their alleged involvement in an extensive nation-state-backed espionage campaign that included a spree of attacks on U.S. federal and state agencies, including the late 2024 attack targeting the Treasury Department.
- Officials accused the Chinese individuals, including two officers of China’s Ministry of Public Security, eight i-Soon employees and two members of the Chinese state-backed threat group APT27 or Silk Typhoon, of breaching numerous networks globally to steal and sell data to China’s intelligence and security services. Some of the alleged attacks date back to 2011, officials said.
- The indictments reveal China’s alleged well-coordinated effort to use a hacker-for-hire ecosystem to conduct espionage while obscuring the government’s direct involvement. The pool of victims impacted by the alleged co-conspirators is immense, including U.S.-based critics and dissidents of China, a large U.S.-based religious organization and foreign ministries of multiple governments in Asia.
- Per a U.S. Justice Department news release,
- “A federal jury in Cleveland convicted a Texas man today for writing and deploying malicious code on his former employer’s network.
- “According to court documents and evidence presented at trial, Davis Lu, 55, of Houston, was employed as a software developer for the victim company headquartered in Beachwood, Ohio, from November 2007 to October 2019. Following a 2018 corporate realignment that reduced his responsibilities and system access, Lu began sabotaging his employer’s systems. By Aug. 4, 2019, he introduced malicious code that caused system crashes and prevented user logins. Specifically, he created “infinite loops” (in this case, code designed to exhaust Java threads by repeatedly creating new threads without proper termination and resulting in server crashes or hangs), deleted coworker profile files, and implemented a “kill switch” that would lock out all users if his credentials in the company’s active directory were disabled. The “kill switch” code — which Lu named “IsDLEnabledinAD”, abbreviating “Is Davis Lu enabled in Active Directory” — was automatically activated upon his termination on Sept. 9, 2019, and impacted thousands of company users globally.”
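The DoJ release above describes two code-level tells: behaviour gated on whether one named account is still enabled in Active Directory, and a loop that spawns threads it never bounds or joins. The scanner below is an added example (not from the release, the court record, or any product) of the kind of lightweight source-review heuristic a team can run over an internal Java code base to surface both patterns for human review. The `SAMPLE_JAVA` fragment is constructed to resemble the described behaviour and is not the defendant's code; the method name `isDLEnabledinAD` is modelled on the name in the release, and the `OWNER` constant, `lockOutAllUsers()` and `spin()` are invented. The LDAP filter clause `userAccountControl:1.2.840.113556.1.4.803:=2` is the real bitwise-AND match for the ACCOUNTDISABLE flag.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (rule id, 1-based line number, detail)

# Constructed sample shaped like the two behaviours the DoJ release describes: a lockout
# keyed to whether one hard-coded account is still enabled in AD, and an unbounded loop
# that keeps starting threads. Illustrative only; not the defendant's actual code.
SAMPLE_JAVA = """\
public class Housekeeping {
    private static final String OWNER = "dlu";
    boolean isDLEnabledinAD() {
        String filter = "(&(sAMAccountName=" + OWNER + ")(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
        return ldap.search("DC=corp,DC=example", filter).hasMore();
    }
    void run() {
        if (!isDLEnabledinAD()) { lockOutAllUsers(); }
        while (true) { new Thread(() -> spin()).start(); }
    }
}
"""

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; "...:=2" tests ACCOUNTDISABLE (0x2).
# Any AD enabled/disabled check pinned to a single fixed principal deserves a second look.
AD_CHECK = re.compile(r"sAMAccountName=|userPrincipalName=|userAccountControl", re.I)
INLINE_PRINCIPAL = re.compile(r"(?:sAMAccountName|userPrincipalName)=([\w.@-]+)", re.I)
STRING_CONST = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
UPPER_IDENT = re.compile(r"\b[A-Z][A-Z0-9_]{2,}\b")
UNBOUNDED_LOOP = re.compile(r"while\s*\(\s*true\s*\)|for\s*\(\s*;\s*;\s*\)")
THREAD_SPAWN = re.compile(r"new\s+Thread\s*\(.*\.start\s*\(")


def scan(src: str) -> List[Finding]:
    """Flag AD queries pinned to a hard-coded principal and thread spawns inside unbounded loops."""
    lines = src.splitlines()
    # String constants declared anywhere in the file, so "(sAMAccountName=" + OWNER resolves.
    consts = {m.group(1): m.group(2) for m in (STRING_CONST.search(l) for l in lines) if m}
    findings: List[Finding] = []
    depth = 0                       # brace depth (heuristic: braces in string literals count)
    in_loop, loop_depth, body_opened = False, 0, False
    for no, line in enumerate(lines, 1):
        if AD_CHECK.search(line):
            m = INLINE_PRINCIPAL.search(line)
            if m:
                findings.append(("hardcoded-principal", no, m.group(1)))
            for ident in UPPER_IDENT.findall(line):
                if ident in consts:
                    findings.append(("hardcoded-principal", no, f"{ident}={consts[ident]!r}"))
        if UNBOUNDED_LOOP.search(line):
            in_loop, loop_depth, body_opened = True, depth, False
        if in_loop and THREAD_SPAWN.search(line):
            findings.append(("unbounded-thread-spawn", no, line.strip()))
        opens, closes = line.count("{"), line.count("}")
        if in_loop and opens:
            body_opened = True      # loop body may open on this line or a later one
        depth += opens - closes
        if in_loop and body_opened and depth <= loop_depth:
            in_loop = False         # back at the depth the loop started on: body closed
    return findings


if __name__ == "__main__":
    for rule, lineno, detail in scan(SAMPLE_JAVA):
        print(f"{rule:<24} line {lineno}: {detail}")
```

Both rules are deliberately noisy by design: a legitimate service-account health check will also trip `hardcoded-principal`, and the brace counter does not parse string literals. The point is to produce a short list for a reviewer, not a verdict; the follow-up question for each hit is whether anything user-facing changes behaviour when that one account's state changes.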
From the cybersecurity vulnerabilities and breaches front,
- Cyberscoop relates,
- “The Chinese state-backed threat group Silk Typhoon shifted tactics in late 2024 to broaden access and enable follow-on attacks against downstream customers of its initial targets, Microsoft Threat Intelligence said in a blog released Wednesday.
- “The Chinese espionage group, which is also known as APT27, has abused stolen API keys and credentials for privileged access management, cloud-based application providers and data management companies to intrude networks operated by state and local governments and organizations in the IT sector.
- “After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives,” Ann Johnson, corporate vice president at Microsoft Security, said in a LinkedIn post.”
- Cybersecurity Dive reports,
- “Cyberattacks targeting third-party vendors are causing more financial damage than ever before, cyber risk management firm Resilience said in a recent report.
- “Nearly a quarter (23%) of cyber insurance claims filed with Resilience last year involved material losses resulting from a third-party breach, according to the analysis. It’s a first for the company, which hasn’t previously observed customer claims with material losses in the third-party risk category.
- “Many of the vendor-related incidents from 2024 resulted in some sort of pause on our customers’ ability to conduct business and, as a result, had a much larger financial impact,” Ann Irvine, chief data and analytics officer at Resilience, said via email.”
- and
- Broadcom on Tuesday disclosed three zero-day vulnerabilities that affect multiple VMware products, including ESXi, Workstation and Fusion. The vulnerabilities have been exploited in the wild.
- More than 37,000 VMware ESXi instances remain vulnerable to CVE-2025-22224, a critical zero-day vulnerability, according to scanning data from the Shadowserver Foundation.
- Some customers with downgraded VMware licenses have been unable to download the patches because of an issue with the Broadcom Support Portal. The company said in an FAQ that the issue is “a high priority and will be fixed shortly.”
- The American Hospital Association News notes,
- “A Microsoft report published March 5 identified recent tactics by Silk Typhoon, a Chinese state-sponsored cyberthreat group known for extensive espionage activities. The group has been recently targeting IT solutions such as remote management tools and cloud applications to gain access and potentially cause supply chain disruptions. Silk Typhoon is viewed as a significant threat to critical infrastructure, the Health Information Sharing and Analysis Center said.
- “Silk Typhoon is a highly skilled group, and it has shown the ability to move rapidly and exploit unpatched vulnerabilities in systems,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The best way for hospitals to defend themselves is focusing on the basics of cybersecurity like patch management.”
- The Cybersecurity and Infrastructure Security Agency (“CISA”) added nine known exploited vulnerabilities to its catalog this week.
- March 3, 2025
- CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection Vulnerability (discussed here)
- CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability (discussed here)
- CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability (discussed here)
- CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability (discussed here)
- CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability (discussed here)
- March 4, 2025
- CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability (discussed here)
- CVE-2025-22225 VMware ESXi Arbitrary Write Vulnerability
- CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
- CVE-2025-22226 VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability (all three VMware discussed here)
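CISA also publishes the catalog as a JSON feed, which is how most teams actually consume additions like the nine above. The script below is an added example (not part of the roundup and not CISA tooling) that filters a date window of additions against a product inventory and ranks the hits by remediation due date. The feed URL and field names (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) are those of the public feed; the embedded records are constructed from the nine entries listed, with illustrative `dueDate` and `knownRansomwareCampaignUse` values rather than CISA's, and the inventory is hypothetical.

```python
"""Triage a window of CISA KEV additions against a local product inventory (added example)."""
import json
import urllib.request
from datetime import date
from typing import Iterable, List, Tuple

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def _rec(cve, vendor, product, name, added, due):
    # Field names match the public feed; knownRansomwareCampaignUse is a placeholder here.
    return {"cveID": cve, "vendorProject": vendor, "product": product, "vulnerabilityName": name,
            "dateAdded": added, "dueDate": due, "knownRansomwareCampaignUse": "Unknown"}


# Constructed sample: the nine entries from the roundup, in the feed's layout.
# dueDate values are illustrative (21 days after dateAdded), not CISA's actual deadlines.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    _rec("CVE-2023-20118", "Cisco", "Small Business RV Series Routers",
         "Cisco Small Business RV Series Routers Command Injection Vulnerability", "2025-03-03", "2025-03-24"),
    _rec("CVE-2022-43939", "Hitachi Vantara", "Pentaho BA Server",
         "Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability", "2025-03-03", "2025-03-24"),
    _rec("CVE-2022-43769", "Hitachi Vantara", "Pentaho BA Server",
         "Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability", "2025-03-03", "2025-03-24"),
    _rec("CVE-2018-8639", "Microsoft", "Windows",
         "Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability", "2025-03-03", "2025-03-24"),
    _rec("CVE-2024-4885", "Progress", "WhatsUp Gold",
         "Progress WhatsUp Gold Path Traversal Vulnerability", "2025-03-03", "2025-03-24"),
    _rec("CVE-2024-50302", "Linux", "Kernel",
         "Linux Kernel Use of Uninitialized Resource Vulnerability", "2025-03-04", "2025-03-25"),
    _rec("CVE-2025-22225", "VMware", "ESXi",
         "VMware ESXi Arbitrary Write Vulnerability", "2025-03-04", "2025-03-25"),
    _rec("CVE-2025-22224", "VMware", "ESXi and Workstation",
         "VMware ESXi and Workstation TOCTOU Race Condition Vulnerability", "2025-03-04", "2025-03-25"),
    _rec("CVE-2025-22226", "VMware", "ESXi, Workstation, and Fusion",
         "VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability", "2025-03-04", "2025-03-25"),
]})


def _as_date(d) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def fetch_kev(url: str = KEV_URL, timeout: float = 20) -> str:
    """Download the live feed (needs network); everything below works on feed text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(text: str) -> List[dict]:
    return json.loads(text)["vulnerabilities"]


def added_between(entries: Iterable[dict], start, end) -> List[dict]:
    """Entries whose dateAdded falls in the inclusive [start, end] window."""
    lo, hi = _as_date(start), _as_date(end)
    return [e for e in entries if lo <= date.fromisoformat(e["dateAdded"]) <= hi]


def match_inventory(entries: Iterable[dict], inventory: Iterable[Tuple[str, str]]) -> List[dict]:
    """inventory = (vendor keyword, product keyword) pairs; case-insensitive substring match."""
    pairs = [(v.lower(), p.lower()) for v, p in inventory]
    hits = []
    for e in entries:
        vendor, product = e["vendorProject"].lower(), e["product"].lower()
        if any(v in vendor and p in product for v, p in pairs):
            hits.append(e)
    return hits


def triage(feed_text: str, inventory, start, end, today) -> List[dict]:
    """Inventory-relevant entries added in [start, end], soonest due first; days_left < 0 means overdue."""
    today = _as_date(today)
    rows = [{**e, "days_left": (date.fromisoformat(e["dueDate"]) - today).days}
            for e in match_inventory(added_between(load_kev(feed_text), start, end), inventory)]
    return sorted(rows, key=lambda r: (r["days_left"], r["cveID"]))


if __name__ == "__main__":
    inventory = [("VMware", "ESXi"), ("Microsoft", "Windows"), ("Hitachi", "Pentaho")]  # hypothetical
    for r in triage(SAMPLE_FEED, inventory, "2025-03-03", "2025-03-04", "2025-03-07"):
        print(f'{r["cveID"]:<15} {r["vendorProject"]:<16} due {r["dueDate"]} ({r["days_left"]:+d}d)  {r["vulnerabilityName"]}')
```

Substring matching is intentional: the feed's `product` strings vary ("ESXi", "ESXi and Workstation", "ESXi, Workstation, and Fusion" for one advisory), so an exact-match inventory would silently miss two of the three VMware entries. Against the live feed, replace `SAMPLE_FEED` with `fetch_kev()` and use CISA's real `dueDate` values.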
From the ransomware front,
- Per Cyberscoop,
- “The FBI and threat researchers are warning executives to be on the lookout for physical letters in the mail threatening to leak sensitive corporate data.
- “The letters, which are stamped “time sensitive read immediately” and shipped directly to executives through the Postal Service, are part of a nationwide scam designed to extort victims into paying $250,000 to $500,000, the FBI said Thursday.
- “The unidentified criminal or threat group behind the mail scam is masquerading as BianLian, a prolific ransomware and data extortion group that has attacked multiple U.S. critical infrastructure sectors since June 2022.
- “Cyber authorities and researchers have not confirmed BianLian’s involvement and believe the letters are an attempt to scam organizations into paying a ransom.”
- Cybersecurity Dive lets us know,
- “A zero-day vulnerability in a Microsoft-signed driver from Paragon Software is being exploited in ransomware attacks.
- “CERT Coordination Center on Friday warned in a security advisory that five vulnerabilities were discovered in Paragon Partition Manager’s BioNTdrv.sys driver. Threat actors have already exploited one of the flaws in what are known as “bring your own vulnerable driver” (BYOVD) attacks, in which attackers use signed drivers to compromise systems and evade detection.
- “According to the advisory, CVE-2025-0289 is an insecure kernel resource access vulnerability that can be used to either escalate privileges or execute DoS attacks on targeted devices. CERT warned the vulnerability can be executed on Windows devices even if Paragon Partition Manager, which partitions hard drives to optimize disk space and performance, is not installed.
- “Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code,” CERT said in the advisory. “These vulnerabilities have been patched by both Paragon Software, and vulnerable BioNTdrv.sys versions blocked by Microsoft’s Vulnerable Driver Blocklist.”
- Per Bleeping Computer,
- “The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim’s network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows.
- “Cybersecurity firm S-RM team discovered the unusual attack method during a recent incident response at one of their clients.
- “Notably, Akira only pivoted to the webcam after attempting to deploy encryptors on Windows, which were blocked by the victim’s EDR solution.”
- Per Hacker News,
- “The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024.
- “In the first two months of 2025 alone, the group has claimed over 40 attacks, according to data from the Symantec Threat Hunter Team shared with The Hacker News. The cybersecurity company is tracking the cluster under the name Spearwing.
- “Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom,” Symantec noted.
- “If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site.”
- “While other ransomware-as-a-service (RaaS) players like RansomHub (aka Greenbottle and Cyclops), Play (aka Balloonfly), and Qilin (aka Agenda, Stinkbug, and Water Galura) have benefited from the disruptions of LockBit and BlackCat, the spike in Medusa infections raises the possibility that the threat actor could also be rushing in to fill the gap left by the two prolific extortionists.
- “The development comes as the ransomware landscape continues to be in a state of flux, with a steady stream of new RaaS operations, such as Anubis, CipherLocker, Core, Dange, LCRYX, Loches, Vgod, and Xelera, emerging in the wild in recent months.”
From the cybersecurity defenses front,