From the cybersecurity policy and law enforcement front,

  • NextGov/FCW lets us know,
    • “A cornerstone federal program that certifies the security architecture of private sector cloud services for government use is expected to announce a fundamental overhaul to its processes on Monday [March 24], according to multiple people familiar with the matter.
    • “The moves, in the long term, are expected to automate many of the certification process steps for the Federal Risk and Authorization Management Program, or FedRAMP, which is used to ensure cloud providers meet strict cybersecurity requirements before government agencies can use their services, according to the people, who were granted anonymity to be candid about the forthcoming changes.
    • “FedRAMP has been a mainstay in government procurement for the last decade but has faced repeated complaints about the slow pace of cloud service approvals. FedRAMP has different approval levels that vary based on the sensitivity of the data a cloud service can handle, with higher levels requiring stricter security controls and generally longer review processes.”
  • and
    • “Despite goals set last year by the National Institute of Standards and Technology to process a backlog of unanalyzed cybersecurity vulnerabilities, the agency said it’s not expecting a slowdown anytime soon.
    • “The National Vulnerability Database — NIST’s cornerstone repository for researchers who use its contents and measuring tools to assess the dangers of cyber exploits — has been backed up with unanalyzed vulnerabilities since February last year. The scientific standards agency was projected to clear the logjam this month based on rates observed this past summer, Nextgov/FCW previously reported.
    • “But NIST said Wednesday that vulnerability submissions increased 32% in 2024 and prior processing rates from spring and early summer last year are no longer sufficient to keep up with incoming submissions. The backlog is still growing as a result.
    • “We anticipate that the rate of submissions will continue to increase in 2025. The fact that vulnerabilities are increasing means that the NVD is more important than ever in protecting our nation’s infrastructure. However, it also points to increasing challenges ahead,” an agency spokesperson said. “To address these challenges, we are working to increase efficiency by improving our internal processes, and we are exploring the use of machine learning to automate certain processing tasks.”
  • Per a March 21, 2025, HHS news release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Health Fitness Corporation (Health Fitness), located in Illinois, that provides wellness plans to clients across the country, resolving a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.” * * *
    • “The settlement resolves OCR’s investigation of Health Fitness, which OCR initiated after receiving four reports from Health Fitness, over a three-month period (October 15, 2018, to January 25, 2019), of breaches of unsecured protected health information. Health Fitness filed the breach reports on behalf of multiple covered entities as their business associate. Health Fitness reported that beginning approximately in August 2015, ePHI became discoverable on the internet and was exposed to automated search devices (web crawlers) resulting from a software misconfiguration on the server housing the ePHI. Health Fitness discovered the breach on June 27, 2018. Health Fitness initially reported that approximately 4,304 individuals were affected and later estimated that the number of individuals affected may be lower. OCR’s investigation determined that Health Fitness had failed to conduct an accurate and thorough risk analysis, until January 19, 2024, to determine the potential risks and vulnerabilities to the ePHI held by Health Fitness.
    • “Under the terms of the resolution agreement, Health Fitness agreed to implement a corrective action plan that OCR will monitor for two years and paid $227,816 to OCR.” * * *
    • The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/health-fitness-ra-cap.pdf [PDF, 202 KB].

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop tells us,
    • “Cybercriminals used information-stealing malware to a devastating effect last year, capturing sensitive data that fueled ransomware, breaches and attacks targeting supply chains and critical infrastructure, according to a new report.
    • “Infostealers were used to steal 2.1 billion credentials last year, accounting for nearly two-thirds of 3.2 billion credentials stolen from all organizations, Flashpoint said in a report released Tuesday. By targeting identity and access, cybercriminals stole 33% more credentials in 2024 compared to the previous year. More than 200 million credentials were already stolen in the first two months of this year.
    • “Infostealers are proving to be incredibly versatile, contributing to account takeover, increasing data breach totals, acting as initial access vectors to ransomware, as well as assisting in exploitation via vulnerabilities,” Ian Gray, vice president of intelligence at Flashpoint, said in an email.”
  • Security Week informs us,
    • “Browser security cannot be ignored. It’s where people spend most of their working day, and it’s where attackers focus most of their attacks.
    • “Statistics come from Menlo Security’s analysis of 750,000 browser-based phishing attacks targeting more than 800 entities detected over the last 12 months. This analysis reveals a 140% increase in browser phishing, including a 130% increase in zero-hour phishing attacks (effectively, a zero-day attack applied to phishing).
    • “The reasons for the growth are multiple: our growing reliance on the browser for much of our daily work, the prevalence of zero-day vulnerabilities, the increasing sophistication of the cybercriminal underworld, and, worryingly, the growing influence of gen-AI. Gen-AI is particularly concerning, both for its use today and its potential use in the future.
    • “Threat actors have advanced in speed and skills. They are using the same tools and infrastructure as professional engineers,” comments Andrew Harding, VP of security strategy at Menlo Security. “We’re seeing a dangerous combination of zero-day attacks, advanced social engineering techniques, sophisticated phishing techniques, and readily available phishing-as-a-service kits, all designed to infiltrate systems and steal valuable data.”
    • “He adds, “This trend is only poised to escalate dramatically in 2025 as attackers adopt AI to increase both scale and effectiveness.”
  • Dark Reading adds,
    • “A nearly decade-long malware campaign known as “DollyWay World Domination” has compromised more than 20,000 WordPress websites over the past eight years.
    • “GoDaddy published a report this week claiming multiple threat campaigns tracked by various security researchers since 2016 are actually one larger operation perpetrated by VexTrio, a massive cybercrime network that leverages traffic distribution systems (TDSs) and lookalike domains to deliver malware and scams.
    • “GoDaddy’s Denis Sinegubko wrote in the company’s research blog that the operation is tracked as DollyWay World Domination due to a string of code found in variations of the DollyWay malware: `define('DOLLY_WAY', 'World Domination');`.
  • and
    • “Mobile phone jailbreaks are thriving, exposing users to anywhere between three- and 3,000-times greater risk of cyber compromise.
    • “Organizations already face a significant risk in bring your own device (BYOD) attacks. More than 70% of infected devices are personal, and a good chunk of organizations have watched as malware entered their walls through unmanaged devices belonging to employees.
    • “The risk is supercharged, though, when those devices are cracked. New data from Zimperium shows that rooted and jailbroken Android phones and iPhones are 3.5 times more likely to be infected with malware and 250 times more likely to be totally compromised.
    • “What we’ve seen is that the amount of jailbreaks and roots has decreased slightly in recent years,” says Kern Smith, vice president of global solutions engineering at Zimperium. However, he warns, “The risk of those has increased significantly. These jailbreaks and roots expose these devices to a much, much higher risk profile. And mobile devices in general are being exposed to a much higher risk profile today. So it becomes a multiplier effect.”
  • Per Fedscoop,
    • “The Federal Bureau of Investigation has warned federal employees that cybercriminals are attempting to steal their login credentials in connection to a widely used government financial services platform, according to a notice viewed by FedScoop.
    • “Hackers are targeting the Employee Personal Page, or MyEPP page, which is operated by the National Finance Center (NFC), a financial and human resources shared service within the Agriculture Department used by 661,000 employees across the federal government for payroll. The site, which is used to manage salary and benefits information, is typically accessed through an online account or with Login.gov credentials.
    • “According to the FBI, cybercriminals hope to trick federal employees by running advertisements on search engines that impersonate the NFC website. If they click on the ad, employees are brought to a “sophisticated phishing website” that looks similar to the actual MyEPP page that aims to capture their login credentials when users enter them.”
  • Per Bleeping Computer,
    • “Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.
    • “The flaw was disclosed yesterday and affects Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. The company fixed it in version 12.3.1 (build 12.3.1.1139), which was released yesterday.
    • “According to a technical writeup by watchTowr Labs, who discovered the bug, CVE-2025-23120 is a deserialization vulnerability in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes.”
  • Cybersecurity Dive tells us,
    • At least 11 state-sponsored threat groups since 2017 have been actively exploiting a Microsoft zero-day flaw allowing for abuse of Windows shortcut files to steal data and commit cyber espionage against organizations in various industries.
    • Researchers from Trend Micro’s Trend Zero Day Initiative (ZDI) have identified nearly 1,000 malicious .lnk files abusing the flaw, tracked as ZDI-CAN-25373, which allows attackers to execute hidden malicious commands on a victim’s machine by leveraging crafted shortcut files.
    • “By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim,” according to a Trend Micro blog post on Tuesday. “Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content.”
    • “The malicious files delivered by attackers include various payloads, including the Lumma infostealer and Remcos remote access Trojan (RAT), that expose organizations to risks of data theft and cyber espionage.”
  • CISA added five known exploited vulnerabilities to its catalog this week.
    • March 18, 2025
      • CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
      • CVE-2025-30066 tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
        • Dark Reading discusses the Fortinet KEV here, and Cybersecurity Dive discusses the GitHub KEV here.
    • March 19, 2025
      • CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
      • CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
      • CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
        • Hacker News discusses the Edimax KEV here and the NAKIVO KEV here. Cybersecurity News discusses the SAP KEV here.
  • Cybersecurity Dive adds,
    • Johannes Ullrich of the SANS Internet Storm Center reported exploitation attempts this week against two critical Cisco vulnerabilities that were initially disclosed in September. CVE-2024-20439 is a static credential vulnerability in the Cisco Smart Licensing Utility, and CVE-2024-20440 is an information disclosure flaw in the utility.
    • It’s unclear if the exploitation was successful, but Ullrich noted the static credential for CVE-2024-20439 was previously published by a security researcher and could be used to remotely access affected devices.
    • Ullrich told Cybersecurity Dive the exploitation attempts likely originate from a smaller botnet, with activity spiking over the last week.
  • Fierce Healthcare lets us know,
    • “A new report by Clearwater Security found that incident response and resilience was a major issue for private equity-owned healthcare companies, which need to improve consistency in cybersecurity governance in light of their high-growth business model.
    • “The assessment found systemic gaps in security preparedness, as healthcare organizations need more documented policies for cybersecurity practices from provider practices to digital health companies. Private equity firms need to consider the cybersecurity risk profiles of companies when deciding whether to acquire them or merge them with other businesses, Clearwater writes.
    • “Because private equity firms prioritize rapid growth of their portfolio companies, Clearwater found that health IT infrastructures and cybersecurity practices often fall behind. A cybersecurity incident can devalue a company overnight or rack up regulatory fines, a dangerous prospect for PE firms.
    • “The report looked at consumer health companies, healthcare data and analytics companies and physician practices owned by private equity firms. It also evaluated pharma, biosciences and dental services companies.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “A Medusa ransomware campaign is using a malicious driver to disrupt and even delete endpoint detection and response (EDR) products on targeted organization networks.
    • “According to new research from Elastic Security Labs, the malicious driver, dubbed ABYSSWORKER, is deployed along with a packer-as-a-service called HeartCrypt to deliver Medusa ransomware. Elastic noted the driver was first documented in a ConnectWise post in January involving a different campaign of IT support scams using Microsoft Teams.
    • “In the Medusa ransomware attacks, Elastic discovered the malicious driver imitates a legitimate CrowdStrike Falcon driver and is using digital certificates from other companies to masquerade as a legitimate program.
    • “All samples are signed using likely stolen, revoked certificates from Chinese companies,” Cyril François, senior research engineer at Elastic Security Labs, wrote in the blog post. “These certificates are widely known and shared across different malware samples and campaigns but are not specific to this driver.”
  • Per Bleeping Computer,
    • “Two malicious VSCode Marketplace extensions were found deploying in-development ransomware, exposing critical gaps in Microsoft’s review process.
    • “The extensions, named “ahban.shiba” and “ahban.cychelloworld,” were downloaded seven and eight times, respectively, before they were eventually removed from the store.
    • “It is notable that the extensions were uploaded onto the VSCode Marketplace on October 27, 2024 (ahban.cychelloworld) and February 17, 2025 (ahban.shiba), bypassing safety review processes and remaining on Microsoft’s store for an extensive period of time.”
  • Per Trend Research,
    • “Trend Research uncovered new versions of the Albabat ransomware. The development of these versions signifies the ransomware operators’ potential expansion of their targets from Windows to Linux and macOS. Research also reveals the group’s use of GitHub to streamline operations.
    • “Enterprises should remain vigilant against ransomware threats like Albabat as a successful attack can incur reputational damage, operational disruption, and financial losses once threat actors get a hold of and ransom critical data.
    • “To mitigate Albabat ransomware, organizations should have strong access controls for sensitive data, update and patch systems regularly and have proper backups.”
  • Per TechSpot,
    • “Akira, one of the most dangerous ransomware strains floating around the internet, just met its match — an Indonesian programmer armed with cloud computing and sheer determination.
    • As first reported by TechSpot, Yohanes Nugroho successfully cracked Akira, a multiplatform ransomware that has been wreaking havoc since 2023. Used by cyber criminals to target hundreds of businesses, government agencies, and industries, Akira has helped its developers earn millions.
    • “While this isn’t the first time someone has found a way to break Akira’s encryption, what makes this case remarkable is that Nugroho did it alone — and in just over 10 hours.”

From the cybersecurity business and defense front,

  • NextGov/FCW reports,
    • “Google has moved to expand the security aspects of its cloud offering by agreeing to acquire Wiz in a $32 billion all-cash transaction, the global tech giant’s largest-ever.
    • “Wiz generates roughly $1 billion in annual revenue with FedRAMP-authorized cloud security products in areas such as prevention, active detection and response.
    • “Google sees the addition of Wiz as helping it support more agencies as they look to move their systems into multi-cloud and hybrid cloud environments.
    • “At the same time, software and (artificial intelligence) platforms are becoming deeply embedded across products and operations, bringing new and evolving risks for private enterprises, governments, and other public sector organizations,” Google Cloud CEO Thomas Kurian said in a release.”
  • Dark Reading explains why “Cyber Quality Is the Key to Security. The time to secure foundations, empower teams, and make cyber resilience the standard is now — because the cost of waiting is far greater than the investment in proactive security.”
  • TechTarget offers “13 API security best practices to protect your business. APIs are the backbone of most modern applications, and companies must build in API security from the start. Follow these guidelines to design, deploy and protect your APIs.”
  • Here are links to
    • Dark Reading’s CISO Corner
    • A HelpNetSecurity video about “Pay, fight, or stall? The dilemma of ransomware negotiations”
    • A Cyberscoop podcast in which its editor in chief “Greg Otto talks with FTI Consulting’s Allie Bohan exploring the challenges organizations face in maintaining effective communication during cyberattacks.”
    • The FEHBlog watched the seven-minute-long video and listened to the podcast while drafting this post, and he found them worthwhile.