Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • The American Hospital Association tells us,
    • “The Trump Administration March 28 announced that it renewed for one year the public emergency for ongoing malicious cyber-enabled activities against the U.S. The national emergency was first issued in April 2015.”
  • Cyberscoop tells us,
    • “Many cyber experts are panning a new Trump administration executive order that would shift more responsibilities for responding to cyberattacks to state and local governments, saying it will leave states holding the bag for a job they aren’t best equipped to handle.
    • “The executive order, issued last week, is entitled “Achieving Efficiency Through State and Local Preparedness.” Its stated purpose is to improve defenses against cyberattacks and other risks, but many expect it will do the opposite.
    • “Federal policy must rightly recognize that preparedness is most effectively owned and managed at the State, local, and even individual levels, supported by a competent, accessible, and efficient Federal Government,” it reads. “Citizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyber attacks, wildfires, hurricanes, and space weather.”
    • “A number of cyber experts said it was a misguided document, sometimes in harsh terms, especially as it pertains to where they believe responsibilities should be assigned.”
  • Indiana University Professor Scott Shackleford, writing in the Wall Street Journal, offers five ideas for federal cybersecurity reform:
    • “The U.S. is spending more than ever on cybersecurity yet cyberattacks continue to proliferate.
    • “According to McKinsey, global losses to cyberattacks could exceed $10.5 trillion this year, a 300% increase from 2015 and an amount larger than the economies of Germany and Japan combined.
    • “I believe a new approach is needed—one in which the federal government plays a more assertive role.
    • “For at least two decades, U.S. cybersecurity policy has been stuck in a pattern of incremental tweaks focused on the same basic ideas—encouraging voluntary industry cooperation, offering information-sharing partnerships and establishing new bureaucratic offices. It isn’t working. We need bold changes, the most important of which is treating cybersecurity as a public good akin to national security and public safety.” 
  • FCW/NextGov informs us,
    • “The General Services Administration launched FedRAMP 20x Monday, an effort it is pursuing with industry to use more automation and cut red tape around the government’s cloud security assessment and authorization program. 
    • “The Federal Risk and Authorization Management Program, or FedRAMP, is used to ensure services offered by cloud providers meet certain cybersecurity requirements before government agencies can use them.
    • “Our partnership with the commercial cloud industry needs serious improvement. Strengthening this relationship will help us fulfill our commitment to cutting waste and adopting the best available technologies to modernize the government’s aging IT infrastructure,” Stephen Ehikian, acting administrator of the General Services Administration, which runs FedRAMP, said in a statement. “FedRAMP 20x will give agencies access to the latest technology now — not months or years down the road.”
  • Security Boulevard summarizes public comments on the proposed HIPAA Security Rule amendments and discusses next steps. The public comment deadline was March 7.
  • Bleeping Computer points out,
    • “The U.S. Department of Justice (DOJ) has seized over $8.2 million worth of USDT (Tether) cryptocurrency that was stolen via ‘romance baiting’ scams.
    • “Previously referred to as ‘pig butchering,’ in this type of financial fraud victims are manipulated into making investments on fraudulent websites/apps that showcase massive returns.”

From the cybersecurity vulnerabilities and breaches front,

  • Security Week lets us know,
    • “The National Institute of Standards and Technology (NIST) is still struggling to clear the growing backlog of CVEs in the official national vulnerability database and the problem will only get worse this year.
    • “That’s the gist of a fresh NIST update with an admission that the current pace of processing vulnerabilities is simply not enough to keep up with the surge in submissions.
    • “According to the update, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.
    • “We anticipate that the rate of submissions will continue to increase in 2025,” the institute said, noting that it is exploring the use of AI and machine learning to automate certain processing tasks.”
  • The Cybersecurity and Infrastructure Security Agency added five known vulnerabilities to its catalog this week.
  • March 24, 2025
    • CVE-2025-30154 reviewdog action-setup GitHub Action Embedded Malicious Code Vulnerability
  • March 26, 2025
    • CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
    • CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
      • Security Affairs discusses the March 24 and 26 KVEs here.
  • March 27, 2025
    • CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
      • Bleeping Computer discusses a fix to this KVE here.
  • Cybersecurity Dive reports yesterday,
    • “Information security firms are taking measures to protect customers and their own networks as they wait for official guidance following claims of a massive attack against Oracle Cloud. 
    • “A threat actor last week claimed to have stolen 6 million data records, including user credentials, from Oracle Cloud, which could affect more than 140,000 customers. After initially releasing strong denials, Oracle has been silent this week, while security researchers have compiled evidence backing claims of an actual attack.” * * *
    • “Orca Security said it was initially skeptical of the reported breach and has not seen any confirmation that the hacker obtained user credentials. However, the firm did not consider Oracle’s initial denials to be fully transparent.
    • “We still believe that the risk outweighs our skepticism and that organizations should take immediate action to rotate credentials and otherwise protect their Oracle Cloud tenants as appropriate,” Neil Carpenter, field CTO at Orca Security, said via email.” 
  • and
    • “Researchers warn that three older vulnerabilities in DrayTek routers have been actively exploited in recent weeks, which coincides with widespread reports of devices automatically rebooting in recent days, according to GreyNoise Intelligence.  
    • “Researchers said exploitation activity has been observed against three vulnerabilities, tracked as CVE-2020-8515, CVE-2021-20123 and CVE-2021-20124.
    • “GreyNoise researchers said they cannot directly link the exploitation to the reboots. However, in a post on X Wednesday morning, DrayTek said the reboots appear to be linked to vulnerabilities disclosed in early March.”
  • and
    • “A prolific Russian threat actor is exploiting a zero-day flaw in the Microsoft Management Console (MMC) framework to execute malicious code on targeted systems in an ongoing cyberattack campaign that puts unpatched systems at risk.
    • “The attacks, by a group that Trend Micro tracks as Water Gamayun, use the CVE-2025-26633 vulnerability, also known as MSC Evil Twin, to manipulate .msc files and the MMC console’s Multilingual User Interface Path (MUIPath). From there the attacker, better known as EncryptHub, downloads and executes malicious payloads, maintains persistence and steals sensitive data from infected systems.
    • “Microsoft patched MSC Evil Twin as part of its March Patch Tuesday raft of fixes on March 11. The flaw was still a zero-day when EncryptHub exploited it by executing malicious .msc files through a legitimate one, according to Trend Micro. The flaw allows an attacker to bypass a security feature in the MMC after convincing a victim to click on a malicious link or open a malicious file. The weakness stems from the console’s failure to properly sanitize user input.”
  • Dark Reading reports,
    • “The rate of severe cloud security incidents affecting customers of Palo Alto Networks rose more than threefold over the course of 2024.
    • “By comparing the beginning and end of 2024, Palo Alto tracked a 388% increase in cloud security alerts affecting organizations. The overwhelming majority of that rise can be attributed to neither threats of a low severity (up 10% through the year) nor even medium-severity (up 21%), but high-severity incidents, which rose by a full 235%.
    • “The implication here is that malicious actors are not only attacking the cloud more often but also doing it more effectively.”
  • and
    • “Bypassing multifactor authentication isn’t hard, if you’re willing to get a little evil.
    • “Sophos researchers this week detailed how Evilginx, a malicious version of the widely used open source NGINX Web server, can be used in adversary-in-the-middle (AitM) attacks to steal credentials and authentication tokens. Perhaps more importantly, the hacking tool can beat MFA protection.
    • “Evilginx has been around for many years as an AitM framework for capturing user credentials, but security researchers have recently deployed the tool for more complex attacks. For example, Accenture security researcher Yehuda Smirnov last year developed a technique to beat Microsoft’s Windows Hello for Business by downgrading the authentication via an Evilginx attack.
    • “Smirnov demonstrated the technique at Black Hat USA 2024, and Microsoft issued a fix to prevent the attack. However, Sophos researchers say Evilginx can still be used to sweep up credentials and bypass MFA.”
  • Per Bleeping Computer,
    • “A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
    • “The platform also leverages DNS email exchange (MX) records to identify victims’ email providers and to dynamically serve spoofed login pages for more than 114 brands.
    • “Morphing Meerkat has been active since at least 2020 and it was discovered by security researchers at Infoblox. Although the activity has been partially documented, it went mostly under the radar for years.”
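    The two tradecraft details above, DoH lookups and MX-record probing of the victim’s mail provider, are what a defender can actually hunt for. The following script is an added example, not part of the Bleeping Computer or Infoblox reporting: it scans web-proxy log lines for MX lookups sent to public JSON-style DoH endpoints and tallies them per client, since a browser that repeatedly asks a public resolver for MX records is the pattern this kit produces. The log format, the sample lines and the resolver set are assumptions constructed for the example; adapt them to your own proxy and allow list.

    ```python
    import re
    from collections import Counter
    from urllib.parse import urlsplit, parse_qs

    # Constructed sample of web-proxy log lines (not real traffic). Assumed format:
    # "<timestamp> <client_ip> <method> <url> <user_agent>"
    SAMPLE_PROXY_LOG = """\
    2025-03-28T09:12:01Z 10.0.0.14 GET https://dns.google/resolve?name=example.com&type=MX Mozilla/5.0
    2025-03-28T09:12:03Z 10.0.0.14 GET https://cloudflare-dns.com/dns-query?name=example.com&type=mx Mozilla/5.0
    2025-03-28T09:12:05Z 10.0.0.22 GET https://www.example.com/index.html Mozilla/5.0
    2025-03-28T09:13:07Z 10.0.0.31 GET https://dns.google/resolve?name=example.net&type=A Mozilla/5.0
    2025-03-28T09:14:09Z 10.0.0.14 GET https://cloudflare-dns.com/dns-query?name=example.org&type=15 Mozilla/5.0
    """

    # JSON-style DoH endpoints that carry the record type as a query parameter.
    # Assumption: this set is a starting point; extend it with the resolvers your
    # environment actually sees (or that your policy forbids).
    DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}

    # MX can be requested by name or by its RR type number (15).
    MX_TYPE_VALUES = {"mx", "15"}

    LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


    def classify_request(url):
        """Return ('doh_mx', qname), ('doh_other', qname) or None for a single URL."""
        parts = urlsplit(url)
        if parts.hostname not in DOH_HOSTS:
            return None
        params = parse_qs(parts.query)
        qname = params.get("name", [""])[0].lower()
        qtype = params.get("type", ["a"])[0].lower()  # DoH JSON APIs default to A
        if qtype in MX_TYPE_VALUES:
            return ("doh_mx", qname)
        return ("doh_other", qname)


    def scan_proxy_log(text):
        """Return one finding (dict) per DoH MX lookup found in the proxy log text."""
        findings = []
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue  # skip lines that do not match the assumed format
            ts, client, _method, url, _ua = m.groups()
            verdict = classify_request(url)
            if verdict is None:
                continue
            kind, qname = verdict
            if kind == "doh_mx":
                findings.append({
                    "ts": ts,
                    "client": client,
                    "resolver": urlsplit(url).hostname,
                    "qname": qname,
                })
        return findings


    def clients_by_mx_count(findings):
        """Count DoH MX lookups per client; repeated lookups from one browser are the signal."""
        return Counter(f["client"] for f in findings)


    if __name__ == "__main__":
        hits = scan_proxy_log(SAMPLE_PROXY_LOG)
        for h in hits:
            print(f"{h['ts']} {h['client']} MX lookup for {h['qname']} via {h['resolver']}")
        print(dict(clients_by_mx_count(hits)))
    ```

    This only works when the proxy sees the full URL of the DoH request; a wire-format GET (`?dns=<base64>`) or a POST body hides the record type, and a proxy that sees only TLS SNI sees just the resolver hostname. In those cases the weaker but still useful signal is any browser-originated traffic to a public DoH resolver from a network where DoH is not the sanctioned resolver.
    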

From the ransomware front,

  • Cybersecurity Dive reports,
    • “Ransomware actors are increasingly abusing vulnerable drivers to craft tools known as “EDR killers,” which can disrupt and even delete extended detection and response products in enterprise networks, according to an ESET report published Wednesday.
    • “Threat actors abuse vulnerable drivers because they have kernel access to operating systems, which enables attackers to kill processes for security products like EDR before they can detect malicious activity.
    • “ESET researchers analyzed a custom tool called “EDRKillShifter,” which was developed and maintained by the notorious RansomHub ransomware gang and is now available on the dark web. The researchers observed an increase in the use of EDRKillShifter among other ransomware-as-a-service gangs such as Play, Medusa and BianLian.”
  • Beckers Health IT warns,
    • “The FBI and other federal authorities are warning healthcare organizations to safeguard against a ransomware group targeting the industry.
    • “The Medusa ransomware-as-a-service variant has been used to hack more than 300 victims from a variety of industries, including healthcare, most commonly through phishing campaigns and unpatched software vulnerabilities, according to a March cybersecurity advisory from the FBI, Cybersecurity and Infrastructure Security Agency, and Multi-State Information Sharing and Analysis Center.
    • “Medusa threat actors employ a “double extortion” model, where they both encrypt victims’ data and threaten to publicly release stolen information if their demands aren’t met, per the notice. They typically send ransom notes within 48 hours of an attack, offering to extend the deadline to pay by $10,000 a day.
    • “Healthcare organizations can protect against the threat by taking such steps as implementing a recovery plan, requiring multifactor authentication, and ensuring all operating systems, firmware and software are up to date, the agencies said.”
  • Per the Silicon Alley,
    • “A new report out today from cybersecurity company SquareX Inc. is warning of a dangerous new evolution in ransomware: browser-native attacks that bypass traditional defenses and put millions of users at risk.
    • “Browser-based ransomware differs from traditional ransomware that relies on downloaded files to infect systems in that the ransomware operates entirely within the browser and requires no download. Instead, the attack targets the victim’s digital identity, taking advantage of the shift toward cloud-based enterprise storage and the fact that browser-based authentication has become the primary gateway to accessing these resources.
    • “In a case study published by SquareX last week, the attacks leverage AI agents to automate the majority of the attack sequence, requiring minimal social engineering and interference from the attacker.”
  • The Hacker News tells us,
    • “In what’s an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. 
    • “Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.
    • “The flaw concerns a ‘certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information,’ the company said.”
  • Security Week lets us know
    • “Ransomware Shifts Tactics as Payouts Drop: Critical Infrastructure in the Crosshairs
      Threats themselves change very little, but the tactics used are continually revised to maximize the criminals’ return on investment and effort.”

From the cybersecurity defenses front,

  • Cyberscoop reminds us,
    • “Despite glitches and possible funding potholes along the road, experts have nothing but praise and optimism for the CVE program’s future. “It’s not perfect by any means, but it has stood the test of time,” Art Manion, a longtime CVE expert and deputy director of ANALYGENCE Labs, speaking in his personal capacity, told CyberScoop. “A world without CVE in it would get pretty ugly.”
    • “MITRE’S Summers says, “It’s been 25 years of this program, and I don’t know if it’s possible to name another such public-private partnership program that has lasted that long and has continued to be so impactful in an ongoing way. I’m excited about the opportunity to continue evolving in ways that bring value to the community.”
    • “Empirical Security’s Roytman echoes the enthusiasm of his peers when he says, “The fact that we’ve gotten together as an industry and have this public good, and vendors build whole products off of it is wonderful and excellent and should continue to improve.”
  • Dark Reading offers “5 Considerations for a Data Loss Prevention Rollout; Strong DLP can be a game-changer — but it can also become a slow-moving, overcomplicated mess if not executed properly,” while SC Media provides “5 steps to protect against macOS security gaps.”
  • Here is a link to Dark Reading’s CISO Corner.
