Cybersecurity Dive

From the cybersecurity policy and law enforcement front,

  • Federal News Network tells us,
    • “The second Trump administration’s cybersecurity policy is still coming into view, but GOP lawmakers are calling for the White House to kick off a review of existing and future cyber regulations.
    • “Lawmakers and policy experts are particularly focused on three key rules: the Cybersecurity and Infrastructure Security Agency’s incident reporting requirements; the Department of Health and Human Services’ proposed update to health care security requirements; and the Securities and Exchange Commission’s 2023 cybersecurity risk management requirements.”
  • FEHBlog note — As early as April 21, federal agencies will be announcing the withdrawal of certain proposed rules, such as the HIPAA Security Rule amendments (which stripped the rule of its most important feature, flexibility), and the repeal of certain final rules under a February 19, 2025, executive order, which a Presidential memorandum supplemented last Wednesday.
  • The American Hospital Association News explained on April 10,
    • The Trump administration yesterday released executive orders on reducing anti-competitive regulatory barriers and repealing certain regulations deemed unlawful.  
    • The order on reducing anti-competitive barriers directs federal agencies to review all regulations subject to their rulemaking authority and identify those that create de facto or de jure monopolies, create barriers to entry for new market participants, create or facilitate licensure or accreditation requirements that unduly limit competition, or otherwise impose anti-competitive restraints or distortions in the market.   
    • The order on repealing unlawful regulations is linked to a Feb. [19] executive order [published in the Federal Register on Feb. 25] that directed agencies within 60 days to identify unlawful and potentially unlawful regulations to be repealed. The new order instructs agencies to take steps to immediately repeal regulations and provide justification within 30 days for any identified as unlawful but have not been targeted for repeal, explaining the basis for the decision not to repeal.
  • The Mintz law firm points out that on April 7, 2025, OMB issued new guidance for the Federal Government’s use of artificial intelligence (AI), and President Trump signed an EO for AI Data Centers.
  • Security Week reports,
    • The National Institute of Standards and Technology (NIST) has announced that all CVEs published before January 1, 2018, will be marked as ‘Deferred’ in the National Vulnerability Database (NVD).
    • This means that, because the CVEs are old, NIST will no longer prioritize updating NVD enrichment or initial NVD enrichment data for them, unless they are or have been included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
    • “CVEs marked as Deferred will display a banner on their CVE Detail Pages indicating this status. This change will take place over the span of several nights. We are doing this to provide additional clarity regarding which CVE records are prioritized,” NIST announced.
    • “We will continue to accept and review requests to update the metadata provided for these CVE records. Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow,” NIST said.
  • Per an April 10, 2025, HHS press release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Northeast Radiology, P.C. (NERAD), a professional corporation that provides clinical services at medical imaging centers in New York and Connecticut, concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.” * * *
    • “OCR initiated its investigation of NERAD after receiving a breach report from NERAD in March 2020 about a breach of unsecured ePHI. NERAD reported that between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.
    • “Under the terms of the resolution agreement, NERAD agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $350,000 to OCR.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-settlement-nerad.pdf [PDF, 369 KB].”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “Chinese officials acknowledged in a secret December [2024] meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.
    • “The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets, to increasing U.S. policy support for Taiwan, the people, who declined to be named, said.  
    • “The first-of-its-kind signal at a Geneva summit with the outgoing Biden administration startled American officials used to hearing their Chinese counterparts blame the campaign, which security researchers have dubbed Volt Typhoon, on a criminal outfit, or accuse the U.S. of having an overactive imagination.” * * *
    • “A Chinese official would likely only acknowledge the intrusions even in a private setting if instructed to do so by the top levels of Xi’s government, said Dakota Cary, a China expert at the cybersecurity firm SentinelOne. The tacit admission is significant, he said, because it may reflect a view in Beijing that the likeliest military conflict with the U.S. would be over Taiwan and that a more direct signal about the stakes of involvement needed to be sent to the Trump administration.
    • “China wants U.S. officials to know that, yes, they do have this capability, and they are willing to use it,” Cary said.”
  • Per Bleeping Computer,
    • “Laboratory Services Cooperative (LSC) has released a statement informing that it suffered a data breach where hackers stole sensitive information of roughly 1.6 million people from its systems.
    • “LSC is a Seattle-based nonprofit organization that provides centralized laboratory services to its member affiliates, including select Planned Parenthood centers.
    • “It plays a crucial role within its niche, supporting organizations in reproductive health services across more than 35 U.S. states, handling sensitive lab testing, billing, and personal data.”
  • and
    • “Oracle finally confirmed in email notifications sent to customers that a hacker stole and leaked credentials that were stolen from what it described as “two obsolete servers.”
    • “However, the company added that its Oracle Cloud servers were not compromised, and this incident did not impact customer data and cloud services.
    • “Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach,” Oracle says in a customer notification shared with Bleeping Computer.”
  • and
    • “Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.
    • “Tycoon2FA was discovered in October 2023 by Sekoia researchers, who later reported significant updates on the phishing kit that increased its sophistication and effectiveness.
    • “Trustwave now reports that the Tycoon 2FA threat actors have added several improvements that bolster the kit’s ability to bypass detection and endpoint security protections.”
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • CISA announced yesterday,
    • Fortinet is aware of a threat actor creating a malicious file from previously exploited Fortinet vulnerabilities (CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475) within FortiGate products. This malicious file could enable read-only access to files on the device’s file system, which may include configurations. Fortinet has communicated directly with the account holders of customers identified as impacted by this issue based on the available telemetry with mitigation guidance.
    • See the following resource for more information: Analysis of Threat Actor Activity | Fortinet Blog

From the ransomware front,

  • Morphisec discusses the most notable ransomware attacks from the last six months.
  • Cybersecurity Dive informs us,
    • “Remote access tools were the initial entry point in eight of every 10 ransomware attacks in 2024, according to a report released Thursday by At-Bay. VPNs accounted for about two-thirds of ransomware attack entry points. 
    • “Indirect ransomware claims continue to rise, showing a 43% increase in 2024, according to At-Bay. Indirect ransomware is when an attack begins on a third-party vendor or business partner, often leading to a data breach or business interruption of a downstream client or partner. The report cites the 2023 MOVEit breaches and the 2024 CDK attacks
    • “Overall, the frequency of ransomware claims returned to record levels seen in 2021 after a decreased rate of attacks in 2022 and 2023, according to At-Bay.” 
  • and
    • “Sensata Technologies was struck by a ransomware attack earlier this week that disrupted several of the company’s operations, according to a regulatory filing.
    • “Sensata disclosed that a ransomware attack on Sunday encrypted certain devices on the network. The Attleboro, Mass.-based company specializes in sensors, controls and other industrial technology for the automotive, aerospace and manufacturing sectors.
    • “The incident has temporarily impacted Sensata’s operations, including shipping, receiving, manufacturing production, and various other support functions. While the company has implemented interim measures to allow for the restoration of certain functions, the timeline for a full restoration is not yet known,” Sensata said in the SEC filing.”
  • Dark Reading lets us know,
    • “While ransomware represented the costliest cyber-insurance claims in 2024, incidents of financial fraud continue to be far more numerous, with both often triggered by security failures at a third-party firm.
    • “That insight comes from the latest tranche of cyber-insurance data released this year, this time by cyber-insurance firm At-Bay. Financial fraud — most often following a phishing attack — remained the most common type of cyberattack leading to an insurance claim, according to At-Bay’s “2025 InsurSec Report,” released this week. While the cyber insurer saw 16% more claims in 2024 than the year before, the overall cost of each incident declined to $166,000, down from $213,000 in 2021.”
  • Microsoft Security explains how cyber attackers exploit domain controllers using ransomware.
  • CSO in a commentary article notes,
    • “If you didn’t pay much attention to news of the recent Codefinger ransomware attack, it’s probably because ransomware has become so prevalent that major incidents no longer feel notable.
    • “But Codefinger is not just another ransomware breach to add to the list of incidents where businesses lost sensitive data to attackers. In key respects, Codefinger represents a substantially new type of ransomware attack.
    • “By extension, the incident is a reminder of why conventional cybersecurity techniques won’t always protect businesses and their data — and why organizations need to think beyond the basics regarding defending against ransomware.”
  • Tech Target discusses best practices on reporting ransomware attacks.

From the cybersecurity defenses front,

  • Security Week notes,
    • “As the threat landscape grows more sophisticated, Chief Information Security Officers (CISOs) are continuously searching for innovative ways to safeguard their organizations. Yet one of the most potent tools in their arsenal remains underutilized – DNS (domain name systems).”
  • An ISACA blog entry discusses how to build AI governance by design.
  • Per Bleeping Computer,
    • “Microsoft is testing a new Defender for Endpoint capability that will block traffic to and from undiscovered endpoints to thwart attackers’ lateral network movement attempts.
    • “As the company revealed earlier this week, this is achieved by containing the IP addresses of devices that have yet to be discovered or onboarded to Defender for Endpoint.
    • “Redmond says the new feature will prevent threat actors from spreading to other non-compromised devices by blocking incoming and outgoing communication with devices using contained IP addresses.”
  • Here is a link to Dark Reading’s CISO Corner.
