From the cybersecurity policy and law enforcement front,
- Next week, the House of Representatives will fast-track approval of H.R. 872, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, as amended. This bill, which would apply known exploited vulnerability (KEV) remediation rules to certain federal contractors, has not yet received Senate consideration.
- CISA explains “Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate [CISA] identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.”
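As an added illustration of what a KEV-driven remediation check looks like in practice (this is example code written for this roundup, not from CISA or any of the outlets quoted here), the script below cross-references a constructed asset inventory against a KEV-style catalog fragment and flags findings that are past their BOD 22-01 due date. The JSON field names (cveID, dueDate, knownRansomwareCampaignUse, and so on) are assumed to follow the public known_exploited_vulnerabilities.json feed; the catalog entries, CVE identifiers and assets are all placeholders.

```python
"""Flag KEV-listed findings that are past their remediation due date.

Added example, not CISA's or the article's code. Field names are assumed
to match the public KEV JSON feed; the entries below are CONSTRUCTED
placeholders (CVE-0000-xxxx), not real vulnerabilities.
"""
import json
from datetime import date

# Constructed KEV-style fragment (schema assumed; data is placeholder).
KEV_SAMPLE = json.dumps({
    "title": "KEV catalog (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Example VPN", "dateAdded": "2025-02-10",
         "dueDate": "2025-03-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Example Wiki", "dateAdded": "2025-02-24",
         "dueDate": "2025-03-17", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor",
         "product": "Example Firewall", "dateAdded": "2024-12-01",
         "dueDate": "2024-12-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed vulnerability-scan findings: one CVE per asset.
INVENTORY = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0001", "remediated": False},
    {"asset": "wiki-01", "cve": "CVE-0000-0002", "remediated": False},
    {"asset": "edge-fw-02", "cve": "CVE-0000-0003", "remediated": True},
    {"asset": "build-07", "cve": "CVE-0000-9999", "remediated": False},  # not in KEV
]


def load_kev(raw):
    """Index the catalog by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def classify(finding, kev, today_iso):
    """Return overdue / due / remediated / not_in_kev for one finding."""
    entry = kev.get(finding["cve"])
    if entry is None:
        return "not_in_kev"           # still a vuln, just not KEV-mandated
    if finding["remediated"]:
        return "remediated"
    due = date.fromisoformat(entry["dueDate"])
    return "overdue" if date.fromisoformat(today_iso) > due else "due"


def remediation_report(inventory, kev, today_iso):
    """Rank findings: overdue first, ransomware-linked before others."""
    order = {"overdue": 0, "due": 1, "remediated": 2, "not_in_kev": 3}
    report = []
    for f in inventory:
        entry = kev.get(f["cve"], {})
        report.append({
            "asset": f["asset"], "cve": f["cve"],
            "status": classify(f, kev, today_iso),
            "due": entry.get("dueDate"),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    report.sort(key=lambda r: (order[r["status"]], not r["ransomware"], r["due"] or ""))
    return report


if __name__ == "__main__":
    for row in remediation_report(INVENTORY, load_kev(KEV_SAMPLE), "2025-03-05"):
        print(f'{row["status"]:<11} {row["asset"]:<12} {row["cve"]} due={row["due"]}')
```

In a real deployment the catalog would be fetched from CISA rather than embedded, and the inventory would come from a scanner export; the ranking logic (overdue before due, ransomware-linked first) is the part worth keeping.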
- Cyberscoop reports
- “A push is gearing up to renew an expiring 10-year-old cybersecurity law that was viewed at its initial passage as the most significant cybersecurity legislation Congress had ever passed, and that advocates say now fosters several important threat-sharing initiatives.
- “The 2015 Cybersecurity Information Sharing Act provides safeguards for companies that voluntarily share threat intelligence data with the government or each other, such as federal antitrust exemptions and shields against state and federal disclosure laws.
- “Reauthorization of the law faces several hurdles, including uncertainty about who will take the lead on the bill in the House and Senate, potential privacy concerns, a tight timeline, and other competing priorities. There are also some who believe the law could use updates to fit today’s threats, potentially introducing further complications.
- “But its renewal has some bipartisan support, including among leaders of committees important to its passage, and there is optimism among outside groups that it can win congressional approval. The push is in the very early stages, but there’s a “growing recognition” that it needs to be reauthorized, said Matthew Eggers, vice president of cybersecurity policy in the U.S. Chamber of Commerce’s cyber, intelligence and security division.
- “We’re in a little bit of spring training in the sense that we haven’t advocated for this legislation for about 10-plus years,” he said. “A number of organizations, over the last 10 years, have probably taken for granted the work that’s been done to get the legislation passed.”
- Cybersecurity Dive tells us,
- “The Cybersecurity and Infrastructure Security Agency confirmed that Karen Evans was named executive assistant director for cybersecurity under the Department of Homeland Security.
- “Evans, who first joined CISA in January as a senior adviser, will be responsible for leading the agency’s cybersecurity efforts as the national coordinator for critical infrastructure security and resilience.
- “Starting in 2018, Evans served as assistant secretary for cybersecurity, energy security and emergency response at the Department of Energy. She was named chief information officer at DHS and served from March 2020 to January 2021. She also served as managing director of the Cyber Readiness Institute before joining CISA.”
- Cyberscoop adds,
- “President Donald Trump hasn’t yet selected an overall leader for CISA, although Sean Plankey has reportedly been in line for the Senate-confirmed job. But Evans’ appointment is the latest key position to get a name attached to it among top cyber jobs in the administration.
- “The administration recently named Sean Cairncross as its pick for the Senate-confirmed position of national cyber director. It also picked Alexei Bulazel as senior director for cyber at the National Security Council.”
- The National Institute of Standards and Technology is celebrating the first anniversary of its Cybersecurity Framework 2.0.
- Dark Reading lets us know,
- “The US Army soldier arrested for unlawful transfer of confidential phone records told a federal judge he intends to plead guilty to the charges.
- “Cameron John Wagenius, who went by the online alias “Kiberphant0m,” was involved in the Snowflake hacking campaign alongside Connor Riley Moucka, known as “Judische,” who was arrested in October 2024.
- “Wagenius was arrested after infiltrating 15 telecommunications providers while on active military duty. He then reportedly published the stolen AT&T call logs of high-ranking officials like President Donald Trump and former Vice President Kamala Harris on Dark Web forums.”
From the cybersecurity vulnerabilities and breaches front,
- Security Week informs us,
- “CrowdStrike this week published its 2025 Global Threat Report, which summarizes the latest adversary tactics and techniques, as well as important trends that defined 2024.
- “The cybersecurity giant started tracking 26 new threat groups in 2024, which brought the total number of adversaries known by the company to 257.
- “CrowdStrike pointed out that China-linked activity surged, with a 150% increase seen across all sectors, and a rise of 200-300% in industries such as financial services, media, manufacturing, and industrials and engineering compared to 2023.
- “One interesting aspect that CrowdStrike has been tracking is breakout time, the time it takes threat actors to move from initial access to high-value assets. This breakout time is important because that is how much time defenders have to detect and respond to an attack before the hackers start establishing deeper control.
- “In 2024, the average breakout time in the case of cybercrime intrusions dropped to 48 minutes, from 62 minutes in 2023, and the fastest breakout seen by CrowdStrike last year was just 51 seconds.
- “Over half of the vulnerabilities seen by CrowdStrike last year were related to initial access, which the company says reinforces the need to secure exposed systems. It also noted that identity-based attacks are increasingly favored over traditional malware attacks.”
- Cyberscoop lets us know,
- “Cybercriminals intentionally disrupted operations at a growing rate last year, Palo Alto Networks’ threat intelligence firm Unit 42 said in an annual incident response report released Tuesday.
- “Of the nearly 500 major cyberattacks Unit 42 responded to last year, 86% involved business disruption, including operational downtime, fraud-related losses, increased operating costs and negative reputational impacts.
- “Unit 42 called this trend the “third wave of extortion attacks,” another point of potential leverage for threat groups to impose on targets in addition to encryption and data theft.
- “These disruptive attacks stand out for the pain, impact and broader ripple effects they inflict on society and the economy at large, said Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42.
- “This is what organizations need to be worried about from a threat perspective and from a defensive strategy standpoint,” Rubin said.”
- Cybersecurity Dive reports,
- “Approximately 2,850 IP addresses are vulnerable to CVE-2025-22467, a critical stack buffer-overflow vulnerability that affects Ivanti Connect Secure VPNs, according to a post on X by the Shadowserver Foundation.
- “Ivanti disclosed and patched CVE-2025-22467 on Feb. 11 and said it was not aware of any exploitation of the vulnerability prior to the public disclosure. Exploitation of the critical flaw can allow a remote authenticated attacker to achieve remote code execution.
- “Shadowserver found the U.S. and Japan were the countries with the highest number of vulnerable IP addresses, with 852 and 384 instances, respectively.”
- CISA added four known exploited vulnerabilities to its catalog this week.
From the ransomware front,
- CSO points out five things to know about ransomware threats in 2025.
- Per Security Week,
- “Threat Intelligence firm Kela warns of a new ransomware group called Anubis operating as a RaaS service with an extensive array of options for affiliates.
- “The group emerged as recently as late 2024, although the researchers believe that its members have experience in ransomware, both malware and operations. Information on Anubis comes from an analysis of the group’s dark web footprint rather than code analysis of the ransomware.
- “As with most ransomware groups today, Anubis uses double extortion. The researchers suggest that “Anubis appears to be an emerging threat, highlighting different business models employed by modern extortion actors.”
- Darktrace discusses “Lynx ransomware, emerging in 2024, targets finance, architecture, and manufacturing sectors with phishing and double extortion.”
- Cybersecurity Dive lets us know,
- “Researchers analyzed leaked chat logs from the infamous Black Basta ransomware gang and found references to 62 unique CVEs, 53 of which are known to have been exploited in the wild.
- “Black Basta favored vulnerabilities in “widely adopted enterprise technologies” that included Microsoft products, Citrix Netscaler and Atlassian Confluence, as well as flaws in network edge devices from Fortinet, Cisco, F5 Networks and Palo Alto Networks, according to the findings by VulnCheck.
- “VulnCheck’s research revealed that in many cases Black Basta members began discussing CVEs within days of security advisories being published, underscoring the importance of prompt patching and mitigations for critical flaws in widely used applications and devices.”
- Cyberscoop adds,
- “Black Basta’s inner workings reveal a cybercrime group rife with internal conflicts. Yet, the notorious ransomware-as-a-service group’s affiliates have wreaked havoc on organizations globally.
- “Over a two-year period, the ransomware variant was used to encrypt and steal data from at least 12 of the 16 critical infrastructure sectors, impacting more than 500 organizations, according to the Cybersecurity and Infrastructure Security Agency.
- “The group pulled in at least $107 million in ransom payments by late 2023, research from Elliptic and Corvus Insurance found.
- “The Black Basta leak followed a decrease in activities earlier this year, which was caused by key members defecting to other cybercriminal operations, like the Cactus ransomware group, according to Alptekin. “This exposure has further destabilized the group and impacted trust among its members,” he said.
- “Rapid7 observed a resurgence of social engineering attacks linked to Black Basta operators in early October, but the group has been largely inactive this year.”
From the cybersecurity defenses front,
- The Wall Street Journal reports,
- “Every company needs a cybersecurity strategy but getting the money to enact it can be complicated.
- “Benchmarks that compare cyber spending across companies relative to their revenues, overall tech budget or head count can validate funding choices, but they aren’t useful in establishing the security needs of an organization, chief information security officers say.
- “That tactic never worked for me,” said Selim Aissi, a cybersecurity consultant who has held executive cyber roles at companies including Intel, Visa and Blackhawk Network Holdings, which sells gift cards.
- “The CEO, the CFO will shut you down immediately and say, ‘Who cares? We’re not [company] XYZ.’”
- “Cybersecurity is a necessary expense. Attackers exploit new vulnerabilities within days of discovery and malware multiplies by the day. It takes just 48 minutes, on average, for a hacker to move through a corporate network after getting in, according to cyber company ReliaQuest. International Business Machines found the average cost of a data breach in the U.S. was $4.9 million last year. But companies are wary of paying for more protection than they need, and it falls on CISOs to justify the expense.
- “Understanding the costs of disruption is a useful way to allocate spending, said Mike Anderson, chief digital and information officer of cyber company Netskope. Some business functions are more critical than others or will take more resources to fix if they are disrupted, he said.
- “You can’t treat everything exactly the same,” Anderson said. “I align the investments to the criticality.”
- Here is a link to Dark Reading’s CISO Corner.