Cybersecurity Saturday

From the cybersecurity policy front,

  • Nextgov/FCW reports,
    • “Rep. Eric Swalwell, the House Homeland Security Committee’s leading Democratic voice on cybersecurity matters, suggested Wednesday that government contractors could be deployed to conduct offensive cybersecurity operations against foreign adversaries.
    • “Speaking at an Axonius event in Washington, D.C., the California congressman said the concept is worth exploring, in part, because “the federal government does not have the resources to protect every company that gets hit,” and that the moves could deter adversaries like Russia from targeting low-resourced critical infrastructure sectors.
    • “The remarks make Swalwell one of the first Democrats to publicly suggest that the private sector take a broader role in hacking back against foreign rivals. The dynamic has been floated in recent months largely by Republicans as a way to respond to headline-making Chinese intelligence intrusions into U.S. telecom systems and other infrastructure.”
  • Per a news release,
    • “Incident response is a critical part of cybersecurity risk management and should be integrated across organizational operations. The six Functions of the NIST Cybersecurity Framework (CSF) 2.0 all play vital roles in incident response.
    • “NIST has finalized Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, which describes how to incorporate incident response recommendations into cybersecurity risk management activities in alignment with CSF 2.0. This guidance will help organizations reduce the number and impact of incidents that occur and improve the efficiency and effectiveness of their incident detection, response, and recovery activities.
    • “SP 800-61r3 supersedes SP 800-61r2 (Revision 2), Computer Security Incident Handling Guide.
    • “Readers of SP 800-61r3 are encouraged to utilize the resources on NIST’s Incident Response project page in conjunction with this document to implement these recommendations and considerations.” 
  • The American Hospital Association News tells us,
    • “The House Energy and Commerce Oversight and Investigations Subcommittee April 1 discussed cybersecurity threats in legacy medical devices during a hearing. The subcommittee heard from experts on the dangers of outdated devices as the hardware can last several years longer than software.”

From the cyber vulnerabilities and breaches front,

  • The Cybersecurity and Infrastructure Security Agency added three known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive reports on April 2,
    • A recent surge in login attempts targeting Palo Alto Networks’ PAN-OS GlobalProtect portals mainly located in the U.S. could be a precursor to a large-scale exploitation of unpatched or zero-day vulnerabilities, researchers have found. 
    • The threat activity means defenders with exposed Palo Alto Networks VPN systems should review March 2025 logs and consider engaging in detailed threat hunting to detect signs of compromise.
    • Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals, activity that suggests a coordinated effort to identify exposed or vulnerable systems for targeted abuse of flaws, according to a report released this week from security intelligence firm GreyNoise.
  • HelpNet Security points out “Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825).”
    • “Exploitation attempts targeting the CVE-2025-2825 vulnerability on internet-facing CrushFTP instances are happening, the Shadowserver Foundation has shared on Monday, and the attackers have been leveraging publicly available PoC exploit code.”

From the ransomware front,

  • The Wall Street Journal reports,
    • “The Federal Trade Commission in March identified impostor scams—in which someone impersonates a loved one, colleague or government official—as the most-reported type last year, resulting in losses of nearly $3 billion. 
    • “Criminals increasingly use generative AI to mimic a loved one’s voice, making these kinds of scams more believable, the Federal Bureau of Investigation has warned. It takes just three seconds of audio to clone a voice with 85% accuracy, according to the security-software firm McAfee, whose survey of 7,000 people globally found that more than half regularly share voice content online.
    • “Criminals can also use AI to approximate the voice of someone of any age, gender or dialect. During a high-stress situation, a generic voice of a young woman could be confused for the voice of a daughter, according to cybersecurity experts.”
  • Per Cybersecurity Dive,
    • “The FBI, the Cybersecurity and Infrastructure Security Agency and a group of international partners on Thursday [April 3] warned that cyber threat groups are using a technique called “fast flux” to hide the locations of malicious servers, posing a significant threat to national security.
    • “Authorities warned that both criminal and state-linked threat groups have used fast flux to obfuscate the locations of these servers using fast-changing Domain Name System records. They also can create highly resilient command and control (C2) infrastructure to conceal their malicious operations, particularly in connection with botnets.
    • “Fast flux techniques are not only used for C2 communications but also in phishing campaigns to protect social engineering websites from being blocked or taken down, authorities said.” 
    • “Authorities did not specify whether there is an active campaign using fast flux or directly name any threat actor currently using the technique. However, they did reference past activity, noting that fast flux has been used in previous ransomware attacks linked to Hive and Nefilim. Additionally, a Russia-backed threat actor known as Gamaredon has also used fast flux to mask threat activities, according to the advisory.”
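As an added illustration (not from the advisory or from Cybersecurity Dive), here is a defender-side heuristic for spotting the DNS churn described above, run over constructed passive-DNS style records; the record layout, the thresholds and the domain names are assumptions.

```python
"""Flag domains whose DNS answers churn the way fast-flux infrastructure does.

Heuristic (assumed, not from the advisory): a domain is a candidate when, within
one observation window, it resolves to many distinct IPv4 addresses spread over
several /24 networks and every answer carries a short TTL. Legitimate CDNs also
rotate addresses, so a hit is a lead for an analyst, not a verdict.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed records: (epoch seconds, domain, answer IPv4, TTL seconds).
CONSTRUCTED_LOG = [
    (1000, "update-check.example", "198.51.100.7", 60),
    (1060, "update-check.example", "203.0.113.44", 60),
    (1120, "update-check.example", "192.0.2.19", 30),
    (1180, "update-check.example", "198.51.100.200", 60),
    (1240, "update-check.example", "203.0.113.9", 45),
    (1300, "update-check.example", "192.0.2.77", 60),
    (1000, "static-site.example", "192.0.2.10", 3600),
    (2000, "static-site.example", "192.0.2.10", 3600),
    (1000, "cdn-like.example", "198.51.100.1", 60),
    (1100, "cdn-like.example", "198.51.100.2", 60),
    (1200, "cdn-like.example", "198.51.100.3", 60),
]

def summarize(records):
    """Collapse records into per-domain sets of answers, /24s and TTLs."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for _ts, domain, ip, ttl in records:
        s = stats[domain]
        s["ips"].add(ip)
        s["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
        s["ttls"].append(ttl)
    return stats

def fast_flux_candidates(records, min_ips=5, min_nets=3, max_ttl=300):
    """Return domains meeting all three churn thresholds, with the evidence."""
    hits = {}
    for domain, s in summarize(records).items():
        if (len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets
                and max(s["ttls"]) <= max_ttl):
            hits[domain] = {"unique_ips": len(s["ips"]),
                            "unique_nets": len(s["nets"]),
                            "max_ttl": max(s["ttls"])}
    return hits

if __name__ == "__main__":
    for domain, evidence in fast_flux_candidates(CONSTRUCTED_LOG).items():
        print(f"{domain}: {evidence}")
```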
  • Becker's Health IT informs us on March 31,
    • “The FBI is investigating a cyberattack on Oracle’s computer systems in which hackers stole patient data to extort multiple U.S. healthcare providers, Bloomberg reported March 28.
    • “Oracle notified some healthcare customers earlier this month that the breach occurred sometime after Jan. 22. According to a notice sent to clients and obtained by Bloomberg, hackers accessed company servers and copied patient data to an external location.
    • “A person familiar with the matter, who spoke on condition of anonymity, told the publication that cybercriminals attempted to demand ransom from affected medical providers. The total number of targeted providers and stolen patient records remains unknown.
    • “Oracle did not respond to Bloomberg’s request for comment. An FBI spokesperson also declined to comment.”
  • Per Bleeping Computer,
    • “Port of Seattle, the U.S. government agency overseeing Seattle’s seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
    • “The agency disclosed the attack on August 24, saying the resulting IT outage disrupted multiple services and systems, including reservation check-in systems, passenger display boards, the Port of Seattle website, the flySEA app, and delayed flights at Seattle-Tacoma International Airport.
    • “Three weeks after the initial disclosure, the Port confirmed that the Rhysida ransomware operation was behind the August 2024 breach.
    • “After the incident, the Port also decided not to give in to the cybercriminals’ demands to pay for a decryptor even though they threatened to publish stolen data on their dark web leak site.
    • “We have refused to pay the ransom demanded, and as a result, the actor may respond by posting data they claim to have stolen on their darkweb site,” the Port of Seattle said on September 13, 2024.
    • “Our investigation of what data the actor took is ongoing, but it does appear that some Port data was obtained by the actor in mid-to-late August. Assessment of the data taken is complex and takes time.”
  • Fortra discusses,
    • “HellCat [which] is the name of a relatively new ransomware-as-a-service (RaaS) group that first came to prominence in the second half of 2024. Like many other ransomware operations, HellCat breaks into organisations, steals sensitive files, and encrypts computer systems – demanding a ransom payment for a decryption key and to prevent the leaking of stolen files.”
  • GTSC brings us up to date on the Medusa ransomware gang.
    • The Medusa ransomware gang is a ransomware-as-a-service (RaaS) operation first identified in June 2021. Since then, it has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing.
  • Per SC Media,
    • “A threat actor using a combination of AI-powered vishing, the more conventional remote access tool Microsoft Quick Assist, and living-off-the-land techniques has demonstrated how a simple vishing attack can escalate into a full compromise.
    • “In an April 1 blog post, researchers from Ontinue reported that the techniques observed in this recent campaign align with those previously attributed to Storm-1811, a threat actor identified by Microsoft known for leveraging vishing, MS Quick Assist, and social engineering via MS Teams to gain network access.
    • “SC Media first reported on this group last May, in which it was reported the group abused Quick Assist to deploy the BlackBasta ransomware.”

From the cybersecurity defenses front,

  • Cyberscoop reports,
    • “Businesses don’t always get what they pay for in cybersecurity. Some of the most expensive cloud network firewall vendors are among the worst performers against exploits and evasions, according to the most comprehensive, independent testing CyberRatings.org has conducted to date.
    • “Cisco, by far the most expensive cloud network firewall offering across the top 10 vendors on price per megabits per second, ranked seventh with an overall security effectiveness score of 53.5%, according to CyberRatings.org research released Wednesday. 
    • “The trio of big cloud providers — Amazon Web Services, Microsoft Azure and Google Cloud Platform — fared even worse, each landing at the bottom of the pack with a 0% security effectiveness score. 
    • “We’ve been told to use cloud-native technologies, that they’re better suited than using bolt-ons. Well, that’s clearly not the case here,” CyberRatings.org CEO Vikram Phatak told CyberScoop.”
  • Dark Reading explains “How an Interdiction Mindset Can Help Win War on Cyberattacks. The US military and law enforcement learned to outthink insurgents. It’s time for cybersecurity to learn to outsmart and outmaneuver threat actors with the same framework.”
  • In email news,
    • Bleeping Computer lets us know “Google rolls out easy end-to-end encryption for Gmail business users.”
    • Dark Reading informs us “Microsoft Boosts Email Sender Rules for Outlook. Beginning on May 5, the tech giant will enforce new email authentication protocols for Outlook users who send large volumes of email.”
  • Per a NIST news release, here are “7 Tips to Keep Your Smart Home Safer and More Private, From a NIST Cybersecurity Researcher.”
  • Here is a link to Dark Reading’s CISO Corner.
