Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,
- Federal News Network lets us know,
- “A former Energy Department and National Security Council official has been tapped to lead the Cybersecurity and Infrastructure Security Agency [CISA].
- “President Donald Trump today [March 11, 2025,] formally nominated Sean Plankey to serve as director of CISA. Plankey’s name was included among a slew of nominations sent to the Senate.
- “During Trump’s first term, Plankey served as principal deputy assistant secretary for Energy’s Office of Cybersecurity, Energy Security and Emergency Response, known as “CESER,” which leads cyber preparedness in the energy sector. He also served on Trump’s National Security Council as director for maritime and Pacific cybersecurity policy.”
- Per a March 12, 2025, CISA news release,
- CISA’s Red Team is among the best in the world and remains laser focused on helping our federal and critical infrastructure partners identify and mitigate their most significant vulnerabilities and weaknesses. This has not changed.
- Contrary to inaccurate reporting, CISA has not “laid off” our Red Team. CISA has taken action to terminate contracts where the agency has been able to find efficiencies and eliminate duplication of effort. As good stewards of the taxpayer dollar and in accordance with good fiscal governance practices, CISA regularly reviews contracts across the agency to ensure that we have the capabilities that we need and that we are allocating resources in ways that make the most impact. This was a contract action that did not impact the employment status of CISA personnel.
- CISA’s Red Teams continue their work without interruption. The team works directly with network defenders, system administrators, and other technical staff to address strengths and weaknesses across critical infrastructure networks and systems. They continue to assist organizations in refining their detection, response, and hunt capabilities to protect the nation’s critical infrastructure from a range of threats.
- Dark Reading offers context for this release.
- The National Institute of Standards and Technology announced on March 12, 2025,
- “The comment period for [draft] NIST Special Publication 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide is open through April 25, 2025, at 11:59 PM.”
- Fedscoop tells us,
- “Ethan Klein, an emerging technology policy adviser during the first Trump administration, has been nominated to be the White House’s chief technology officer, the Office of Science and Technology Policy confirmed Tuesday.
- “After serving in the first Trump White House, Klein completed a PhD in nuclear science and engineering at MIT, where he worked to develop nuclear tech for arms control and nonproliferation with funds from a fellowship through the National Nuclear Security Administration.”
- and
- An Office of Personnel Management watchdog investigation into cybersecurity risks on government networks and the potential exposure of sensitive information will include an examination of DOGE access to those systems.
- OPM’s Office of Inspector General said in a letter to Democrats on the House Oversight Committee that it would incorporate “parts” of the lawmakers’ February request to probe DOGE’s unauthorized accessing of IT networks and Americans’ data into “existing work.” The watchdog also said it had “initiated a new engagement on specific emerging risks at OPM that are related to issues raised” in Democrats’ letter.
- Dark Reading relates,
- “A dual Russian-Israeli citizen working as one of LockBit ransomware group’s lead developers has been extradited from Israel to the US. Rostislav Panev, 51, was arrested in 2023 and had his first US court appearance on March 14.
- “According to the complaint against him, Panev was a developer for LockBit ransomware group from 2019 to at least February 2024. The ransomware group attacked more than 2,500 victims in 120 countries, 1,800 of them in the US. Victims ranged from individuals to small businesses and even multinational corporations that included nonprofit organizations, educational institutions, hospitals, and critical infrastructure. In targeting them, LockBit was able to garner at least $500 million in ransom payments and cause billions of dollars in losses.”
From the cybersecurity vulnerabilities and breaches front,
- Security Week reports on March 10, 2025,
- “More than 560,000 people were impacted across four data breaches disclosed last week to authorities by the healthcare organizations Hillcrest Convalescent Center, Gastroenterology Associates of Central Florida, Community Care Alliance, and Sunflower Medical Group.”
- CISA added thirteen known exploited vulnerabilities to its catalog this week:
- March 10, 2025
- CVE-2025-25181 Advantive VeraCore SQL Injection Vulnerability
- CVE-2024-57968 Advantive VeraCore Unrestricted File Upload Vulnerability
- CVE-2024-13159 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
- CVE-2024-13160 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
- CVE-2024-13161 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
- March 11, 2025
- CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
- CVE-2025-24984 Microsoft Windows NTFS Information Disclosure Vulnerability
- CVE-2025-24985 Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability
- CVE-2025-24991 Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability
- CVE-2025-24993 Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability
- CVE-2025-26633 Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability
- Cyberscoop discusses these CVEs here.
- March 13, 2025
- CVE-2025-24201 Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability
- CVE-2025-21590 Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability
From the ransomware front,
- Cybersecurity Dive reports,
- “The Medusa ransomware gang has infected more than 300 organizations in critical infrastructure sectors such as the medical, manufacturing and technology industries.
- That’s according to a joint cybersecurity advisory published Wednesday by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The agencies noted that Medusa — which is not connected to MedusaLocker ransomware — has been active since 2021 and initially began as a closed ransomware operation.
- “While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the [March 12, 2025,] advisory said. “Both Medusa developers and affiliates — referred to as ‘Medusa actors’ in this advisory — employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”
- and
- “A newly discovered ransomware strain, tracked as SuperBlack, has been used in a series of attacks targeting critical vulnerabilities in Fortinet since late January, according to a report by Forescout Research-Vedere Labs.
- “The attacks involved exploitation of two vulnerabilities, CVE-2024-55591 and CVE-2025-24472, which can allow unauthenticated attackers to gain super admin privileges on FortiOS firewalls.
- “Researchers link the attacks to a threat actor — tracked as Mora_001 — that has operational overlaps with LockBit ransomware operations.”
- and
- “About six of every 10 ransomware claims in 2024 involved the compromise of a perimeter security device such as a virtual private network or firewall, according to the Coalition Cyber Threat Index report released Tuesday [March 11, 2025]. In two of every 10 cases, remote desktop protocols were exploited for initial access.
- “Stolen credentials served as the initial access vectors in almost half of the cases, while software vulnerabilities were exploited in about three of every 10 cases.
- “Two thirds of businesses had at least one internet-exposed web login panel at the time they applied for cyber insurance policies, according to the report. The cyber insurance provider said it detected more than 5 million exposed remote management solutions and tens of thousands of exposed login panels.”
- Dark Reading points out,
- “A recent analysis of a year’s worth of chat logs from the infamous Black Basta ransomware group revealed that its members used nearly 3,000 unique credentials to attempt to compromise a variety of corporate networks.
- “The top five uses of the credentials? Targeting remote-desktop software and virtual private networks (VPNs), according to threat intelligence firm KELA, which published its analysis of the chat logs last week.
- “From Microsoft’s Remote Desktop Web Access to Palo Alto’s Global Protect and from Cisco’s VPN services to general remote login portals, stealing credentials to target remote access is perhaps the most popular technique used by ransomware groups. Once compromised, such services can be used as gateways to the corporate networks and quickly lead to data exfiltration and eventual ransomware deployment, says Irina Nesterovsky, chief research officer for KELA.
- “Obtaining such credentials and successfully accessing those platforms — either due to lack of MFA or bypassing it — allows the actors a foothold into an organization’s network, which they can then further expand using different tools and reconnaissance,” she says. “KELA observed the Black Basta ransomware actors discussing the sourcing of specifically login credentials to VPN and remote access portals in the context of a ransomware operation — it is very clear what such credentials are abused for.”
- Bleeping Computer adds,
- “The Black Basta ransomware operation created an automated brute-forcing framework dubbed ‘BRUTED’ to breach edge networking devices like firewalls and VPNs.
- “The framework has enabled BlackBasta to streamline initial network access and scale ransomware attacks on vulnerable internet-exposed endpoints.
- “The discovery of BRUTED comes from EclecticIQ researcher Arda Büyükkaya following an in-depth examination of the ransomware gang’s leaked internal chat logs.”
- Per Security Affairs,
- “Microsoft observed a North Korea-linked APT group, tracked as Moonstone Sleet, deploying Qilin ransomware in limited attacks since February 2025. The APT group uses Qilin ransomware after previously using custom ransomware.
- “Moonstone Sleet has previously exclusively deployed their own custom ransomware in their attacks, and this represents the first instance they are deploying ransomware developed by a RaaS operator,” Microsoft wrote on X.
- “In May 2024, Microsoft observed the North Korea-linked group “Moonstone Sleet” (previously tracked as Storm-1789) using known and novel techniques like fake companies, trojanized tools, a malicious game, and custom ransomware for financial gain and espionage.
- Storm-1789, initially linked to other North Korean threat groups, has since adopted unique tactics, tools, and attack infrastructure.
- “Moonstone Sleet threat actors target financial and cyberespionage victims using trojanized software, custom malware, malicious games, and fake companies like StarGlow Ventures and C.C. Waterfall to engage victims on LinkedIn, freelancing sites, Telegram, and email.”
From the cybersecurity defenses front,