Cybersecurity Dive

From the cybersecurity policy and law enforcement front,

  • Federal News Network tells us,
    • “The second Trump administration’s cybersecurity policy is still coming into view, but GOP lawmakers are calling for the White House to kick off a review of existing and future cyber regulations.
    • “Lawmakers and policy experts are particularly focused on three key rules: the Cybersecurity and Infrastructure Security Agency’s incident reporting requirements; the Department of Health and Human Services’ proposed update to health care security requirements; and the Securities and Exchange Commission’s 2023 cybersecurity risk management requirements.”
  • FEHBlog note — As early as April 21, federal agencies will be announcing the withdrawal of certain proposed rules, such as the HIPAA Security Rule amendments, which stripped the rule of its most important feature — flexibility, and the repeal of certain final rules under a February 19, 2025, executive order which a Presidential memorandum supplemented last Wednesday.
  • The American Hospital Association News explained on April 10,
    • The Trump administration yesterday released executive orders on reducing anti-competitive regulatory barriers and repealing certain regulations deemed unlawful.  
    • The order on reducing anti-competitive barriers directs federal agencies to review all regulations subject to their rulemaking authority and identify those that create de facto or de jure monopolies, create barriers to entry for new market participants, create or facilitate licensure or accreditation requirements that unduly limit competition, or otherwise impose anti-competitive restraints or distortions in the market.   
    • The order on repealing unlawful regulations is linked to a Feb. [19] executive order [published in the Federal Register on Feb. 25] that directed agencies within 60 days to identify unlawful and potentially unlawful regulations to be repealed. The new order instructs agencies to take steps to immediately repeal regulations and provide justification within 30 days for any identified as unlawful but have not been targeted for repeal, explaining the basis for the decision not to repeal.
  • The Mintz law firm points out that on April 7, 2025, OMB issued new guidance for the Federal Government’s use of artificial intelligence (AI), and President Trump signed an EO for AI Data Centers.
  • Security Week reports,
    • The National Institute of Standards and Technology (NIST) has announced that all CVEs published before January 1, 2018, will be marked as ‘Deferred’ in the National Vulnerability Database (NVD).
    • This means that, because the CVEs are old, NIST will no longer prioritize updating NVD enrichment or initial NVD enrichment data for them, unless they are or have been included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
    • “CVEs marked as Deferred will display a banner on their CVE Detail Pages indicating this status. This change will take place over the span of several nights. We are doing this to provide additional clarity regarding which CVE records are prioritized,” NIST announced.
    • “We will continue to accept and review requests to update the metadata provided for these CVE records. Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow,” NIST said.
  • Per an April 10, 2025, HHS press release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Northeast Radiology, P.C. (NERAD), a professional corporation that provides clinical services at medical imaging centers in New York and Connecticut, concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.” * * *
    • “OCR initiated its investigation of NERAD after receiving a breach report from NERAD in March 2020 about a breach of unsecured ePHI. NERAD reported that between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.
    • “Under the terms of the resolution agreement, NERAD agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $350,000 to OCR.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-settlement-nerad.pdf [PDF, 369 KB].”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “Chinese officials acknowledged in a secret December [2024] meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.
    • “The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets, to increasing U.S. policy support for Taiwan, the people, who declined to be named, said.  
    • “The first-of-its-kind signal at a Geneva summit with the outgoing Biden administration startled American officials used to hearing their Chinese counterparts blame the campaign, which security researchers have dubbed Volt Typhoon, on a criminal outfit, or accuse the U.S. of having an overactive imagination.” * * *
    • “A Chinese official would likely only acknowledge the intrusions even in a private setting if instructed to do so by the top levels of Xi’s government, said Dakota Cary, a China expert at the cybersecurity firm SentinelOne. The tacit admission is significant, he said, because it may reflect a view in Beijing that the likeliest military conflict with the U.S. would be over Taiwan and that a more direct signal about the stakes of involvement needed to be sent to the Trump administration.
    • “China wants U.S. officials to know that, yes, they do have this capability, and they are willing to use it,” Cary said.”
  • Per Bleeping Computer,
    • “Laboratory Services Cooperative (LSC) has released a statement informing it suffered a data breach where hackers stole sensitive information of roughly 1.6 million people from its systems.
    • “LSC is a Seattle-based nonprofit organization that provides centralized laboratory services to its member affiliates, including select Planned Parenthood centers.
    • “It plays a crucial role within its niche, supporting organizations in the reproductive health services across more than 35 U.S. states, handling sensitive lab testing, billing, and personal data.”
  • and
    • “Oracle finally confirmed in email notifications sent to customers that a hacker stole and leaked credentials that were stolen from what it described as “two obsolete servers.”
    • “However, the company added that its Oracle Cloud servers were not compromised, and this incident did not impact customer data and cloud services.
    • “Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach,” Oracle says in a customer notification shared with Bleeping Computer.”
  • and
    • “Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.
    • “Tycoon2FA was discovered in October 2023 by Sekoia researchers, who later reported significant updates on the phishing kit that increased its sophistication and effectiveness.
    • “Trustwave now reports that the Tycoon 2FA threat actors have added several improvements that bolster the kit’s ability to bypass detection and endpoint security protections.”
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • CISA announced yesterday,
    • Fortinet is aware of a threat actor creating a malicious file from previously exploited Fortinet vulnerabilities (CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475) within FortiGate products. This malicious file could enable read-only access to files on the device’s file system, which may include configurations. Fortinet has communicated directly with the account holders of customers identified as impacted by this issue based on the available telemetry with mitigation guidance.
    • See the following resource for more information: Analysis of Threat Actor Activity | Fortinet Blog

From the ransomware front,

  • Morphisec discusses the most notable ransomware attacks from the last six months.
  • Cybersecurity Dive informs us,
    • “Remote access tools were the initial entry point in eight of every 10 ransomware attacks in 2024, according to a report released Thursday by At-Bay. VPNs accounted for about two-thirds of ransomware attack entry points. 
    • “Indirect ransomware claims continue to rise, showing a 43% increase in 2024, according to At-Bay. Indirect ransomware is when an attack begins on a third-party vendor or business partner, often leading to a data breach or business interruption of a downstream client or partner. The report cites the 2023 MOVEit breaches and the 2024 CDK attacks
    • “Overall, the frequency of ransomware claims returned to record levels seen in 2021 after a decreased rate of attacks in 2022 and 2023, according to At-Bay.” 
  • and
    • “Sensata Technologies was struck by a ransomware attack earlier this week that disrupted several of the company’s operations, according to a regulatory filing.
    • “Sensata disclosed that a ransomware attack on Sunday encrypted certain devices on the network. The Attleboro, Mass.-based company specializes in sensors, controls and other industrial technology for the automotive, aerospace and manufacturing sectors.
    • “The incident has temporarily impacted Sensata’s operations, including shipping, receiving, manufacturing production, and various other support functions. While the company has implemented interim measures to allow for the restoration of certain functions, the timeline for a full restoration is not yet known,” Sensata said in the SEC filing.”
  • Dark Reading lets us know,
    • “While ransomware represented the costliest cyber-insurance claims in 2024, incidents of financial fraud continue to be far more numerous, with both often triggered by security failures at a third-party firm.
    • “That insight comes from the latest tranche of cyber-insurance data released this year, this time by cyber-insurance firm At-Bay. Financial fraud — most often following a phishing attack — remained the most common type of cyberattack leading to an insurance claim, according to At-Bay’s “2025 InsurSec Report,” released this week. While the cyber insurer saw 16% more claims in 2024 than the year before, the overall cost of each incident declined to $166,000, down from $213,000 in 2021.”
  • Microsoft Security explains how cyber attackers exploit domain controllers using ransomware.
  • CSO in a commentary article notes,
    • “If you didn’t pay much attention to news of the recent Codefinger ransomware attack, it’s probably because ransomware has become so prevalent that major incidents no longer feel notable.
    • “But Codefinger is not just another ransomware breach to add to the list of incidents where businesses lost sensitive data to attackers. In key respects, Codefinger represents a substantially new type of ransomware attack.
    • “By extension, the incident is a reminder of why conventional cybersecurity techniques won’t always protect businesses and their data — and why organizations need to think beyond the basics regarding defending against ransomware.”
  • Tech Target discusses best practices on reporting ransomware attacks.

From the cybersecurity defenses front,

  • Security Week notes,
    • “As the threat landscape grows more sophisticated, Chief Information Security Officers (CISOs) are continuously searching for innovative ways to safeguard their organizations. Yet one of the most potent tools in their arsenal remains underutilized – DNS (domain name systems).”
  • An ISACA blog entry discusses how to build AI governance by design.
  • Per Bleeping Computer,
    • “Microsoft is testing a new Defender for Endpoint capability that will block traffic to and from undiscovered endpoints to thwart attackers’ lateral network movement attempts.
    • “As the company revealed earlier this week, this is achieved by containing the IP addresses of devices that have yet to be discovered or onboarded to Defender for Endpoint.
    • “Redmond says the new feature will prevent threat actors from spreading to other non-compromised devices by blocking incoming and outgoing communication with devices using contained IP addresses.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Nextgov/FCW reports,
    • “Rep. Eric Swalwell, the House Homeland Security Committee’s leading Democratic voice on cybersecurity matters, suggested Wednesday that government contractors could be deployed to conduct offensive cybersecurity operations against foreign adversaries.
    • “Speaking at an Axonius event in Washington, D.C., the California congressman said the concept is worth exploring, in part, because “the federal government does not have the resources to protect every company that gets hit,” and that the moves could deter adversaries like Russia from targeting low-resourced critical infrastructure sectors.
    • “The remarks make Swalwell one of the first Democrats to publicly suggest that the private sector take a broader role in hacking back against foreign rivals. The dynamic has been floated in recent months largely by Republicans as a way to respond to headline-making Chinese intelligence intrusions into U.S. telecom systems and other infrastructure.”
  • Per a news release,
    • “Incident response is a critical part of cybersecurity risk management and should be integrated across organizational operations. The six Functions of the NIST Cybersecurity Framework (CSF) 2.0 all play vital roles in incident response.
    • “NIST has finalized Special Publication (SP) 800-61r3 (Revision 3), Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile, which describes how to incorporate incident response recommendations into cybersecurity risk management activities in alignment with CSF 2.0. This guidance will help organizations reduce the number and impact of incidents that occur and improve the efficiency and effectiveness of their incident detection, response, and recovery activities.
    • “SP 800-61r3 supersedes SP 800-61r2 (Revision 2), Computer Security Incident Handling Guide.
    • “Readers of SP 800-61r3 are encouraged to utilize the resources on NIST’s Incident Response project page in conjunction with this document to implement these recommendations and considerations.” 
  • The American Hospital Association News tells us,
    • “The House Energy and Commerce Oversight and Investigations Subcommittee April 1 discussed cybersecurity threats in legacy medical devices during a hearing. The subcommittee heard from experts on the dangers of outdated devices as the hardware can last several years longer than software.”

From the cyber vulnerabilities and breaches front,

  • The Cybersecurity and Infrastructure Security Agency added three known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive reports on April 2,
    • A recent surge in login attempts targeting Palo Alto Networks’ PAN-OS GlobalProtect portals mainly located in the U.S. could be a precursor to a large-scale exploitation of unpatched or zero-day vulnerabilities, researchers have found. 
    • The threat activity means defenders with exposed Palo Alto Networks VPN systems should review March 2025 logs and consider engaging in detailed threat hunting to detect signs of compromise.
    • Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals, activity that suggests a coordinated effort to identify exposed or vulnerable systems for targeted abuse of flaws, according to a report released this week from security intelligence firm GreyNoise.
  • HelpNet Security points out “Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825).”
    • “Exploitation attempts targeting the CVE-2025-2825 vulnerability on internet-facing CrushFTP instances are happening, the Shadowserver Foundation has shared on Monday, and the attackers have been leveraging publicly available PoC exploit code.”

From the ransomware front,

  • The Wall Street Journal reports,
    • “The Federal Trade Commission in March identified impostor scams—in which someone impersonates a loved one, colleague or government official—as the most-reported type last year, resulting in losses of nearly $3 billion. 
    • “Criminals increasingly use generative AI to mimic a loved one’s voice, making these kinds of scams more believable, the Federal Bureau of Investigation has warned. It takes just three seconds of audio to clone a voice with 85% accuracy, according to the security-software firm McAfee, whose survey of 7,000 people globally found that more than half regularly share voice content online.
    • “Criminals can also use AI to approximate the voice of someone of any age, gender or dialect. During a high-stress situation, a generic voice of a young woman could be confused for the voice of a daughter, according to cybersecurity experts.”
  • Per Cybersecurity Dive,
    • “The FBI, the Cybersecurity and Infrastructure Security Agency and a group of international partners on Thursday [April 3] warned that cyber threat groups are using a technique called “fast flux” to hide the locations of malicious servers, posing a significant threat to national security.
    • “Authorities warned that both criminal and state-linked threat groups have used fast flux to obfuscate the locations of these servers using fast-changing Domain Name System records. They also can create highly resilient command and control (C2) infrastructure to conceal their malicious operations, particularly in connection with botnets.
    • “Fast flux techniques are not only used for C2 communications but also in phishing campaigns to protect social engineering websites from being blocked or taken down, authorities said.” 
    • “Authorities did not specify whether there is an active campaign using fast flux or directly name any threat actor currently using the technique. However, they did reference past activity, noting that fast flux has been used in previous ransomware attacks linked to Hive and Nefilim. Additionally, a Russia-backed threat actor known as Gamaredon has also used fast flux to mask threat activities, according to the advisory.”
  • Beckers Health IT informs us on March 31,
    • “The FBI is investigating a cyberattack on Oracle’s computer systems in which hackers stole patient data to extort multiple U.S. healthcare providers, Bloomberg reported March 28.
    • “Oracle notified some healthcare customers earlier this month that the breach occurred sometime after Jan. 22. According to a notice sent to clients and obtained by Bloomberg, hackers accessed company servers and copied patient data to an external location.
    • “A person familiar with the matter, who spoke on condition of anonymity, told the publication that cybercriminals attempted to demand ransom from affected medical providers. The total number of targeted providers and stolen patient records remains unknown.
    • “Oracle did not respond to Bloomberg’s request for comment. An FBI spokesperson also declined to comment.”
  • Per Bleeping Computer,
    • “Port of Seattle, the U.S. government agency overseeing Seattle’s seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack.
    • “The agency disclosed the attack on August 24, saying the resulting IT outage disrupted multiple services and systems, including reservation check-in systems, passenger display boards, the Port of Seattle website, the flySEA app, and delayed flights at Seattle-Tacoma International Airport.
    • “Three weeks after the initial disclosure, the Port confirmed that the Rhysida ransomware operation was behind the August 2024 breach.
    • “After the incident, the Port also decided not to give in to the cybercriminals’ demands to pay for a decryptor even though they threatened to publish stolen data on their dark web leak site.
    • “We have refused to pay the ransom demanded, and as a result, the actor may respond by posting data they claim to have stolen on their darkweb site,” the Port of Seattle said on September 13, 2024.
    • “Our investigation of what data the actor took is ongoing, but it does appear that some Port data was obtained by the actor in mid-to-late August. Assessment of the data taken is complex and takes time.”
  • Forta discusses,
    • “HellCat [which] is the name of a relatively new ransomware-as-a-service (RaaS) group that first came to prominence in the second half of 2024. Like many other ransomware operations, HellCat breaks into organisations, steals sensitive files, and encrypts computer systems – demanding a ransom payment for a decryption key and to prevent the leaking of stolen files.”
  • GTSC brings us up to date on the Medusa ransomware gang.
    • The Medusa ransomware gang is a ransomware-as-a-service (RaaS) operation first identified in June 2021. Since then, it has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing.
  • Per SC Media,
    • “A threat actor using a combination of AI-powered vishing, the more conventional remote access tool Microsoft Quick Assist, and living-off-the-land techniques has demonstrated how a simple vishing attack can escalate into a full compromise.
    • “In an April 1 blog post, researchers from Ontinue reported that the techniques observed in this recent campaign align with those previously attributed to Storm-1811, a threat actor identified by Microsoft known for leveraging vishing, MS Quick Assist, and social engineering via MS Teams to gain network access.
    • “SC Media first reported on this group last May, in which it was reported the group abused Quick Assist to deploy the BlackBasta ransomware.”
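The fast flux advisory summarized above describes the technique (rapidly changing DNS records that hide C2 and phishing servers) but not how a defender would spot it in their own resolver data. The script below is an added example, not code from the advisory, CISA, or Cybersecurity Dive: it scores domains from resolver or passive-DNS observations and flags a domain whose A records spread across many addresses in many /16 networks with short TTLs as a fast-flux candidate, and one whose NS records also rotate as double flux (the nameserver-rotation variant, which the advisory does not single out by name). The log format, the thresholds, and the sample observations are constructed for this example; the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 198.18.0.0/15 addresses are reserved documentation and benchmarking ranges, not real infrastructure.

```python
# Added example (not from the advisory or the article): flag fast-flux
# candidate domains from resolver / passive-DNS observations.
# Constructed, simplified log format: "<epoch> <qname> <rtype> <answer> <ttl>"
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple
import ipaddress

# Constructed sample: one stable domain and one that rotates both A and NS answers.
SAMPLE_LOG = """\
1743600000 cdn-assets.example.net A 203.0.113.10 86400
1743603600 cdn-assets.example.net A 203.0.113.10 86400
1743607200 cdn-assets.example.net A 203.0.113.10 86400
1743600000 login-verify.example.org A 198.51.100.7 120
1743600300 login-verify.example.org A 192.0.2.44 120
1743600600 login-verify.example.org A 203.0.113.201 60
1743600900 login-verify.example.org A 198.18.5.9 60
1743601200 login-verify.example.org A 198.19.33.2 60
1743601500 login-verify.example.org A 192.0.2.88 120
1743600000 login-verify.example.org NS ns1.flux-host.example 300
1743603600 login-verify.example.org NS ns7.flux-host.example 300
1743607200 login-verify.example.org NS ns3.flux-host.example 300
"""


@dataclass
class DomainStats:
    a_answers: Set[str] = field(default_factory=set)   # distinct IPv4 answers
    ns_answers: Set[str] = field(default_factory=set)  # distinct nameserver names
    min_a_ttl: Optional[int] = None                    # shortest TTL seen on an A answer
    a_changes: int = 0                                 # consecutive A lookups whose answer differed
    last_a: Optional[str] = None


def parse_line(line: str) -> Tuple[int, str, str, str, int]:
    ts, qname, rtype, answer, ttl = line.split()
    return int(ts), qname.lower().rstrip("."), rtype.upper(), answer.lower().rstrip("."), int(ttl)


def collect(lines: Iterable[str]) -> Dict[str, DomainStats]:
    """Aggregate per-domain answer diversity, TTLs and answer churn, in time order."""
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r[0])
    stats: Dict[str, DomainStats] = defaultdict(DomainStats)
    for _ts, qname, rtype, answer, ttl in records:
        s = stats[qname]
        if rtype == "A":
            s.a_answers.add(answer)
            s.min_a_ttl = ttl if s.min_a_ttl is None else min(s.min_a_ttl, ttl)
            if s.last_a is not None and answer != s.last_a:
                s.a_changes += 1
            s.last_a = answer
        elif rtype == "NS":
            s.ns_answers.add(answer)
    return dict(stats)


def assess(stats: Dict[str, DomainStats], min_ips: int = 5, max_ttl: int = 300,
           min_nets: int = 3, min_ns: int = 3) -> Dict[str, dict]:
    """Apply the (constructed, tune-to-taste) fast-flux heuristics to each domain."""
    report: Dict[str, dict] = {}
    for qname, s in stats.items():
        # Count distinct /16 networks: a flux network borrows hosts from many unrelated ranges,
        # whereas a single hosting provider's round-robin pool tends to stay inside a few.
        nets = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in s.a_answers}
        low_ttl = s.min_a_ttl is not None and s.min_a_ttl <= max_ttl
        single_flux = len(s.a_answers) >= min_ips and low_ttl and len(nets) >= min_nets
        double_flux = single_flux and len(s.ns_answers) >= min_ns
        report[qname] = {
            "unique_ips": len(s.a_answers),
            "unique_16s": len(nets),
            "min_a_ttl": s.min_a_ttl,
            "a_changes": s.a_changes,
            "ns_names": len(s.ns_answers),
            "verdict": "double-flux" if double_flux else "fast-flux" if single_flux else "normal",
        }
    return report


if __name__ == "__main__":
    for name, row in assess(collect(SAMPLE_LOG.splitlines())).items():
        print(f"{name:28} {row}")
```

The thresholds are deliberately conservative placeholders and need tuning against your own resolver data: CDNs and large round-robin pools also answer with many addresses, so in production allowlist known CDN names and add ASN or registrar context rather than relying on /16 spread alone. Because the resilience the advisory describes comes from rotation, the churn counter (`a_changes`) measured over days is a stronger signal than any single snapshot of a domain's answers.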

From the cybersecurity defenses front,

  • Cyberscoop reports,
    • “Businesses don’t always get what they pay for in cybersecurity. Some of the most expensive cloud network firewall vendors are among the worst performers against exploits and evasions, according to the most comprehensive, independent testing CyberRatings.org has conducted to date.
    • “Cisco, by far the most expensive cloud network firewall offering across the top 10 vendors on price per megabits per second, ranked seventh with an overall security effectiveness score of 53.5%, according to CyberRatings.org research released Wednesday. 
    • “The trio of big cloud providers — Amazon Web Services, Microsoft Azure and Google Cloud Platform — fared even worse, each landing at the bottom of the pack with a 0% security effectiveness score. 
    • “We’ve been told to use cloud-native technologies, that they’re better suited than using bolt-ons. Well, that’s clearly not the case here,” CyberRatings.org CEO Vikram Phatak told CyberScoop.”
  • Dark Reading explains “How an Interdiction Mindset Can Help Win War on Cyberattacks. The US military and law enforcement learned to outthink insurgents. It’s time for cybersecurity to learn to outsmart and outmaneuver threat actors with the same framework.”
  • In email news
    • Bleeping Computer lets us know “Google rolls out easy end-to-end encryption for Gmail business users.”
    • Dark Reading informs us “Microsoft Boosts Email Sender Rules for Outlook. Beginning on May 5, the tech giant will enforce new email authentication protocols for Outlook users who send large volumes of email.”
  • Per a NIST news release, here are “7 Tips to Keep Your Smart Home Safer and More Private, From a NIST Cybersecurity Researcher.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • The American Hospital Association tells us,
    • “The Trump Administration March 28 announced that it renewed for one year the public emergency for ongoing malicious cyber-enabled activities against the U.S. The national emergency was first issued in April 2015.”
  • Cyberscoop tells us,
    • “Many cyber experts are panning a new Trump administration executive order that would shift more responsibilities for responding to cyberattacks to state and local governments, saying it will leave states holding the bag for a job they aren’t best equipped to handle.
    • “The executive order, issued last week, is entitled “Achieving Efficiency Through State and Local Preparedness.” Its stated purpose is to improve defenses against cyberattacks and other risks, but many expect it will do the opposite.
    • “Federal policy must rightly recognize that preparedness is most effectively owned and managed at the State, local, and even individual levels, supported by a competent, accessible, and efficient Federal Government,” it reads. “Citizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyber attacks, wildfires, hurricanes, and space weather.”
    • “A number of cyber experts said it was a misguided document, sometimes in harsh terms, especially as it pertains to where they believe responsibilities should be assigned.”
  • Indiana University Professor Scott Shackleford, writing in the Wall Street Journal, offers five ideas for federal cybersecurity reform:
    • “The U.S. is spending more than ever on cybersecurity yet cyberattacks continue to proliferate.
    • “According to McKinsey, global losses to cyberattacks could exceed $10.5 trillion this year, a 300% increase from 2015 and an amount larger than the economies of Germany and Japan combined.
    • “I believe a new approach is needed—one in which the federal government plays a more assertive role.
    • “For at least two decades, U.S. cybersecurity policy has been stuck in a pattern of incremental tweaks focused on the same basic ideas—encouraging voluntary industry cooperation, offering information-sharing partnerships and establishing new bureaucratic offices. It isn’t working. We need bold changes, the most important of which is treating cybersecurity as a public good akin to national security and public safety.” 
  • FCW/NextGov informs us,
    • “The General Services Administration launched FedRAMP 20x Monday, an effort it is pursuing with industry to use more automation and cut red tape around the government’s cloud security assessment and authorization program. 
    • “The Federal Risk and Authorization Management Program, or FedRAMP, is used to ensure services offered by cloud providers meet certain cybersecurity requirements before government agencies can use them.
    • “Our partnership with the commercial cloud industry needs serious improvement. Strengthening this relationship will help us fulfill our commitment to cutting waste and adopting the best available technologies to modernize the government’s aging IT infrastructure,” Stephen Ehikian, acting administrator of the General Services Administration, which runs FedRAMP, said in a statement. “FedRAMP 20x will give agencies access to the latest technology now — not months or years down the road.”
  • Security Boulevard summarizes public comments on the proposed HIPAA Security Rule amendments and discusses next steps. The public comment deadline was March 7.
  • Bleeping Computer points out,
    • “The U.S. Department of Justice (DOJ) has seized over $8.2 million worth of USDT (Tether) cryptocurrency that was stolen via ‘romance baiting’ scams.
    • “Previously referred to as ‘pig butchering,’ in this type of financial fraud victims are manipulated into making investments on fraudulent websites/apps that showcase massive returns.”

From the cybersecurity vulnerabilities and breaches front,

  • Security Week lets us know,
    • “The National Institute of Standards and Technology (NIST) is still struggling to clear the growing backlog of CVEs in the official national vulnerability database and the problem will only get worse this year.
    • “That’s the gist of a fresh NIST update with an admission that the current pace of processing vulnerabilities is simply not enough to keep up with the surge in submissions.
    • “According to the update, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.
    • “We anticipate that the rate of submissions will continue to increase in 2025,” the institute said, noting that it is exploring the use of AI and machine learning to automate certain processing tasks.”
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • March 24, 2025
    • CVE-2025-30154 reviewdog action-setup GitHub Action Embedded Malicious Code Vulnerability
  • March 26, 2025
    • CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
    • CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
      • Security Affairs discusses the March 24 and 26 KEVs here.
  • March 27, 2025
    • CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
      • Bleeping Computer discusses a fix for this KEV here.
  • Cybersecurity Dive reports yesterday,
    • “Information security firms are taking measures to protect customers and their own networks as they wait for official guidance following claims of a massive attack against Oracle Cloud. 
    • “A threat actor last week claimed to have stolen 6 million data records, including user credentials, from Oracle Cloud, which could affect more than 140,000 customers. After initially releasing strong denials, Oracle has been silent this week, while security researchers have compiled evidence backing claims of an actual attack.” * * *
    • “Orca Security said it was initially skeptical of the reported breach and has not seen any confirmation that the hacker obtained user credentials. However, the firm did not consider Oracle’s initial denials to be fully transparent.
    • “We still believe that the risk outweighs our skepticism and that organizations should take immediate action to rotate credentials and otherwise protect their Oracle Cloud tenants as appropriate,” Neil Carpenter, field CTO at Orca Security, said via email.” 
  • and
    • “Researchers warn that three older vulnerabilities in DrayTek routers have been actively exploited in recent weeks, which coincides with widespread reports of devices automatically rebooting in recent days, according to GreyNoise Intelligence.  
    • “Researchers said exploitation activity has been observed against three vulnerabilities, tracked as CVE-2020-8515, CVE-2021-20123 and CVE-2021-20124.
    • “GreyNoise researchers said they cannot directly link the exploitation to the reboots. However, in a post on X Wednesday morning, DrayTek said the reboots appear to be linked to vulnerabilities disclosed in early March.”
  • and
    • “A prolific Russian threat actor is exploiting a zero-day flaw in the Microsoft Management Console (MMC) framework to execute malicious code on targeted systems in an ongoing cyberattack campaign that puts unpatched systems at risk.
    • “The attacks, by a group that Trend Micro tracks as Water Gamayun, use the CVE-2025-26633 vulnerability, also known as MSC Evil Twin, to manipulate .msc files and the MMC console’s Multilingual User Interface Path (MUIPath). From there the attacker, better known as EncryptHub, downloads and executes malicious payloads, maintains persistence and steals sensitive data from infected systems.
    • Microsoft patched MSC Evil Twin as part of its March Patch Tuesday raft of fixes on March 11. The flaw was still a zero-day when EncryptHub exploited it by executing malicious .msc files through a legitimate one, according to Trend Micro. The flaw allows an attacker to bypass a security feature in the MMC after convincing a victim to click on a malicious link or open a malicious file. The weakness stems from the console’s failure to properly sanitize user input.
  • Dark Reading reports,
    • “The rate of severe cloud security incidents affecting customers of Palo Alto Networks rose more than threefold over the course of 2024.
    • “By comparing the beginning and end of 2024, Palo Alto tracked a 388% increase in cloud security alerts affecting organizations. The overwhelming majority of that rise can be attributed to neither threats of a low severity (up 10% through the year) nor even medium-severity (up 21%), but high-severity incidents, which rose by a full 235%.
    • “The implication here is that malicious actors are not only attacking the cloud more often but also doing it more effectively.”
  • and
    • “Bypassing multifactor authentication isn’t hard, if you’re willing to get a little evil.
    • “Sophos researchers this week detailed how Evilginx, a malicious version of the widely used open source NGINX Web server, can be used in adversary-in-the-middle (AitM) attacks to steal credentials and authentication tokens. Perhaps more importantly, the hacking tool can beat MFA protection.
    • “Evilginx has been around for many years as an AitM framework for capturing user credentials, but security researchers have recently deployed the tool for more complex attacks. For example, Accenture security researcher Yehuda Smirnov last year developed a technique to beat Microsoft’s Windows Hello for Business by downgrading the authentication via an Evilginx attack.
    • “Smirnov demonstrated the technique at Black Hat USA 2024, and Microsoft issued a fix to prevent the attack. However, Sophos researchers say Evilginx can still be used to sweep up credentials and bypass MFA.”
  • Per Bleeping Computer,
    • “A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
    • “The platform also leverages DNS email exchange (MX) records to identify victims’ email providers and to dynamically serve spoofed login pages for more than 114 brands.
    • “Morphing Meerkat has been active since at least 2020 and it was discovered by security researchers at Infoblox. Although the activity has been partially documented, it went mostly under the radar for years.”
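
The MSC EvilTwin technique in the Water Gamayun item above depends on how MMC resolves a console file: besides the .msc that was double-clicked, MMC also looks in a language subfolder next to it (for example `en-US`) and, if a same-named .msc exists there, loads that localized copy instead. A loader therefore only has to drop a clean console file and a malicious twin in the culture folder beside it. The Python script below is an added example, not code from the original post or from Trend Micro's research; it walks a directory tree and reports every .msc that has a same-named twin in a culture-named subfolder, which is the on-disk pattern that abuse leaves behind. The culture-folder regex, the `WmiMgmt.msc` file name and the sample tree built by `make_demo_tree()` are assumptions for the demonstration.

```python
"""Find MSC 'evil twin' pairs: a .msc file with a same-named copy in a
culture-named subfolder (en-US, de-DE, zh-Hans-CN ...), the layout the MSC
EvilTwin loader abuses so that MMC opens the localized copy instead.

Added example; not code from the original post or from Trend Micro."""
import hashlib
import os
import re
import tempfile

# Windows language-tag folder names as MMC's MUI lookup uses them (assumption:
# language[-Script]-REGION, matched case-insensitively; plain names like "bin"
# must not match).
CULTURE_DIR = re.compile(r"^[a-z]{2,3}(-[a-z]{4})?-[a-z]{2}$", re.IGNORECASE)


def _sha256(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def find_evil_twins(root: str) -> list:
    """Return one record per (console file, culture-folder twin) pair under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # .msc files in this directory, keyed case-insensitively (as NTFS matches)
        consoles = {f.lower(): f for f in filenames if f.lower().endswith(".msc")}
        if not consoles:
            continue
        for sub in dirnames:
            if not CULTURE_DIR.match(sub):
                continue
            subdir = os.path.join(dirpath, sub)
            for twin in os.listdir(subdir):
                if twin.lower() not in consoles:
                    continue
                legit = os.path.join(dirpath, consoles[twin.lower()])
                twin_path = os.path.join(subdir, twin)
                hits.append({
                    "legit": legit,
                    "twin": twin_path,
                    "culture": sub,
                    # a byte-identical twin does nothing; a differing one is the
                    # file to open in a text editor and look for embedded commands
                    "same_content": _sha256(legit) == _sha256(twin_path),
                })
    return hits


def make_demo_tree() -> str:
    """Build a constructed sample tree (harmless placeholder XML, not real malware)."""
    root = tempfile.mkdtemp(prefix="msc-twins-")
    os.makedirs(os.path.join(root, "en-US"))
    os.makedirs(os.path.join(root, "bin"))      # not a culture name: must be ignored
    clean = "<?xml version='1.0'?><MMC_ConsoleFile><!-- clean --></MMC_ConsoleFile>"
    twin = "<?xml version='1.0'?><MMC_ConsoleFile><!-- twin --></MMC_ConsoleFile>"
    for rel, body in (("WmiMgmt.msc", clean),
                      (os.path.join("en-US", "wmimgmt.msc"), twin),
                      (os.path.join("bin", "WmiMgmt.msc"), twin),
                      ("Other.msc", clean)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in find_evil_twins(make_demo_tree()):
        print(f"{hit['legit']} has twin {hit['twin']} (same bytes: {hit['same_content']})")
```

Run it against the places user-delivered files land (Downloads, Temp, mounted ISOs) rather than the whole disk; a console file that carries its own culture-folder twin outside the Windows directory is unusual enough that every hit deserves triage, and the differing twin is the file to inspect.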

From the ransomware front,

  • Cybersecurity Dive reports,
    • “Ransomware actors are increasingly abusing vulnerable drivers to craft tools known as “EDR killers,” which can disrupt and even delete extended detection and response products in enterprise networks, according to an ESET report published Wednesday.
    • “Threat actors abuse vulnerable drivers because they have kernel access to operating systems, which enables attackers to kill processes for security products like EDR before they can detect malicious activity.
    • “ESET researchers analyzed a custom tool called “EDRKillShifter,” which was developed and maintained by the notorious RansomHub ransomware gang and is now available on the dark web. The researchers observed an increase in the use of EDRKillShifter among other ransomware-as-a-service gangs such as Play, Medusa and BianLian.”
  • Beckers Health IT warns,
    • “The FBI and other federal authorities are warning healthcare organizations to safeguard against a ransomware group targeting the industry.
    • “The Medusa ransomware-as-a-service variant has been used to hack more than 300 victims from a variety of industries, including healthcare, most commonly through phishing campaigns and unpatched software vulnerabilities, according to a March cybersecurity advisory from the FBI, Cybersecurity and Infrastructure Security Agency, and Multi-State Information Sharing and Analysis Center.
    • “Medusa threat actors employ a “double extortion” model, where they both encrypt victims’ data and threaten to publicly release stolen information if their demands aren’t met, per the notice. They typically send ransom notes within 48 hours of an attack, offering to extend the deadline to pay by $10,000 a day.
    • “Healthcare organizations can protect against the threat by taking such steps as implementing a recovery plan, requiring multifactor authentication, and ensuring all operating systems, firmware and software are up to date, the agencies said.”
  • Per SiliconANGLE,
    • “A new report out today from cybersecurity company SquareX Inc. is warning of a dangerous new evolution in ransomware: browser-native attacks that bypass traditional defenses and put millions of users at risk.
    • “Browser-based ransomware differs from traditional ransomware that relies on downloaded files to infect systems in that the ransomware operates entirely within the browser and requires no download. Instead, the attack targets the victim’s digital identity, taking advantage of the shift toward cloud-based enterprise storage and the fact that browser-based authentication has become the primary gateway to accessing these resources.
    • “In a case study published by SquareX last week, the attacks leverage AI agents to automate the majority of the attack sequence, requiring minimal social engineering and interference from the attacker.”
  • The Hacker News tells us,
    • “In what’s an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. 
    • “Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.
    • “The flaw concerns a ‘certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information,’ the company said.”
  • Security Week lets us know,
    • “Ransomware Shifts Tactics as Payouts Drop: Critical Infrastructure in the Crosshairs
      Threats themselves change very little, but the tactics used are continually revised to maximize the criminals’ return on investment and effort.”

From the cybersecurity defenses front,

  • Cyberscoop reminds us,
    • “Despite glitches and possible funding potholes along the road, experts have nothing but praise and optimism for the CVE program’s future. “It’s not perfect by any means, but it has stood the test of time,” Art Manion, a longtime CVE expert and deputy director of ANALYGENCE Labs, speaking in his personal capacity, told CyberScoop. “A world without CVE in it would get pretty ugly.”
    • “MITRE’s Summers says, “It’s been 25 years of this program, and I don’t know if it’s possible to name another such public-private partnership program that has lasted that long and has continued to be so impactful in an ongoing way. I’m excited about the opportunity to continue evolving in ways that bring value to the community.”
    • “Empirical Security’s Roytman echoes the enthusiasm of his peers when he says, “The fact that we’ve gotten together as an industry and have this public good, and vendors build whole products off of it is wonderful and excellent and should continue to improve.”
  • Dark Reading offers “5 Considerations for a Data Loss Prevention Rollout; Strong DLP can be a game-changer — but it can also become a slow-moving, overcomplicated mess if not executed properly,” while SC Media provides “5 steps to protect against macOS security gaps.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Dive

From the cybersecurity policy and law enforcement front,

  • NextGov/FCW lets us know,
    • “A cornerstone federal program that certifies the security architecture of private sector cloud services for government use is expected to announce a fundamental overhaul to its processes on Monday [March 24], according to multiple people familiar with the matter.
    • “The moves, in the long term, are expected to automate many of the certification process steps for the Federal Risk and Authorization Management Program, or FedRAMP, which is used to ensure cloud providers meet strict cybersecurity requirements before government agencies can use their services, according to the people, who were granted anonymity to be candid about the forthcoming changes.
    • “FedRAMP has been a mainstay in government procurement for the last decade but has faced repeated complaints about the slow pace of cloud service approvals. FedRAMP has different approval levels that vary based on the sensitivity of the data a cloud service can handle, with higher levels requiring stricter security controls and generally longer review processes.”
  • and
    • “Despite goals set last year by the National Institute of Standards and Technology to process a backlog of unanalyzed cybersecurity vulnerabilities, the agency said it’s not expecting a slowdown anytime soon.
    • “The National Vulnerability Database — NIST’s cornerstone repository for researchers who use its contents and measuring tools to assess the dangers of cyber exploits — has been backed up with unanalyzed vulnerabilities since February last year. The scientific standards agency was projected to clear the logjam this month based on rates observed this past summer, Nextgov/FCW previously reported.
    • “But NIST said Wednesday that vulnerability submissions increased 32% in 2024 and prior processing rates from spring and early summer last year are no longer sufficient to keep up with incoming submissions. The backlog is still growing as a result.
    • “We anticipate that the rate of submissions will continue to increase in 2025. The fact that vulnerabilities are increasing means that the NVD is more important than ever in protecting our nation’s infrastructure. However, it also points to increasing challenges ahead,” an agency spokesperson said. “To address these challenges, we are working to increase efficiency by improving our internal processes, and we are exploring the use of machine learning to automate certain processing tasks.”
  • Per a March 21, 2025, HHS news release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Health Fitness Corporation (Health Fitness), located in Illinois, that provides wellness plans to clients across the country, resolving a potential violation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.” * * *
    • “The settlement resolves OCR’s investigation of Health Fitness, which OCR initiated after receiving four reports from Health Fitness, over a three-month period (October 15, 2018, to January 25, 2019), of breaches of unsecured protected health information.  Health Fitness filed the breach reports on behalf of multiple covered entities as their business associate.  Health Fitness reported that beginning approximately in August 2015, ePHI became discoverable on the internet and was exposed to automated search devices (web crawlers) resulting from a software misconfiguration on the server housing the ePHI. Health Fitness discovered the breach on June 27, 2018.  Health Fitness initially reported that approximately 4,304 individuals were affected and later estimated that the number of individuals affected may be lower.  OCR’s investigation determined that Health Fitness had failed to conduct an accurate and thorough risk analysis, until January 19, 2024, to determine the potential risks and vulnerabilities to the ePHI held by Health Fitness.
    • “Under the terms of the resolution agreement, Health Fitness agreed to implement a corrective action plan that OCR will monitor for two years and paid $227,816 to OCR.” * * *
    • The resolution agreement and corrective action plan may be found at:  https://www.hhs.gov/sites/default/files/health-fitness-ra-cap.pdf [PDF, 202 KB].

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop tells us,
    • “Cybercriminals used information-stealing malware to a devastating effect last year, capturing sensitive data that fueled ransomware, breaches and attacks targeting supply chains and critical infrastructure, according to a new report.
    • “Infostealers were used to steal 2.1 billion credentials last year, accounting for nearly two-thirds of 3.2 billion credentials stolen from all organizations, Flashpoint said in a report released Tuesday. By targeting identity and access, cybercriminals stole 33% more credentials in 2024 compared to the previous year. More than 200 million credentials were already stolen in the first two months of this year.
    • “Infostealers are proving to be incredibly versatile, contributing to account takeover, increasing data breach totals, acting as initial access vectors to ransomware, as well as assisting in exploitation via vulnerabilities,” Ian Gray, vice president of intelligence at Flashpoint, said in an email.”
  • Security Week informs us,
    • “Browser security cannot be ignored. It’s where people spend most of their working day, and it’s where attackers focus most of their attacks.
    • “Statistics come from Menlo Security’s analysis of 750,000 browser-based phishing attacks targeting more than 800 entities detected over the last 12 months. This analysis reveals a 140% increase in browser phishing, including a 130% increase in zero-hour phishing attacks (effectively, a zero-day attack applied to phishing).
    • “The reasons for the growth are multiple: our growing reliance on the browser for much of our daily work, the prevalence of zero-day vulnerabilities, the increasing sophistication of the cybercriminal underworld, and, worryingly, the growing influence of gen-AI. Gen-AI is particularly concerning, both for its use today and its potential use in the future.
    • “Threat actors have advanced in speed and skills. They are using the same tools and infrastructure as professional engineers,” comments Andrew Harding, VP of security strategy at Menlo Security. “We’re seeing a dangerous combination of zero-day attacks, advanced social engineering techniques, sophisticated phishing techniques, and readily available phishing-as-a-service kits, all designed to infiltrate systems and steal valuable data.”
    • “He adds, “This trend is only poised to escalate dramatically in 2025 as attackers adopt AI to increase both scale and effectiveness.”
  • Dark Reading adds,
    • “A nearly decade-long malware campaign known as “DollyWay World Domination” has compromised more than 20,000 WordPress websites over the past eight years.
    • “GoDaddy published a report this week claiming multiple threat campaigns tracked by various security researchers since 2016 are actually one larger operation perpetrated by VexTrio, a massive cybercrime network that leverages traffic distribution systems (TDSs) and lookalike domains to deliver malware and scams.
    • “GoDaddy’s Denis Sinegubko wrote in the company’s research blog that the operation is tracked as DollyWay World Domination due to a string of code found in variations of the DollyWay malware: define('DOLLY_WAY', 'World Domination');”
  • and
    • “Mobile phone jailbreaks are thriving, exposing users to anywhere between three- and 3,000-times greater risk of cyber compromise.
    • “Organizations already face a significant risk in bring your own device (BYOD) attacks. More than 70% of infected devices are personal, and a good chunk of organizations have watched as malware entered their walls through unmanaged devices belonging to employees.
    • “The risk is supercharged, though, when those devices are cracked. New data from Zimperium shows that rooted and jailbroken Android phones and iPhones are 3.5 times more likely to be infected with malware and 250 times more likely to be totally compromised.
    • “What we’ve seen is that the amount of jailbreaks and roots has decreased slightly in recent years,” says Kern Smith, vice president of global solutions engineering at Zimperium. However, he warns, “The risk of those has increased significantly. These jailbreaks and roots expose these devices to a much, much higher risk profile. And mobile devices in general are being exposed to a much higher risk profile today. So it becomes a multiplier effect.”
  • Per Fedscoop,
    • “The Federal Bureau of Investigation has warned federal employees that cybercriminals are attempting to steal their login credentials in connection to a widely used government financial services platform, according to a notice viewed by FedScoop. 
    • “Hackers are targeting the Employee Personal Page, or MyEPP page, which is operated by the National Finance Center (NFC), a financial and human resources shared service within the Agriculture Department used by 661,000 employees across the federal government for payroll. The site, which is used to manage salary and benefits information, is typically accessed through an online account or with Login.gov credentials. 
    • “According to the FBI, cybercriminals hope to trick federal employees by running advertisements on search engines that impersonate the NFC website. If they click on the ad, employees are brought to a “sophisticated phishing website” that looks similar to the actual MyEPP page that aims to capture their login credentials when users enter them.”
  • Per Bleeping Computer,
    • “Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.
    • “The flaw was disclosed yesterday and affects Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds. The company fixed it in version 12.3.1 (build 12.3.1.1139), which was released yesterday.
    • “According to a technical writeup by watchTowr Labs, who discovered the bug, CVE-2025-23120 is a deserialization vulnerability in the Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary .NET classes.”
  • Cybersecurity Dive tells us,
    • At least 11 state-sponsored threat groups since 2017 have been actively exploiting a Microsoft zero-day flaw allowing for abuse of Windows shortcut files to steal data and commit cyber espionage against organizations in various industries.
    • Researchers from Trend Micro’s Trend Zero Day Initiative (ZDI) have identified nearly 1,000 malicious .lnk files abusing the flaw, tracked as ZDI-CAN-25373, which allows attackers to execute hidden malicious commands on a victim’s machine by leveraging crafted shortcut files.
    • “By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim,” according to a Trend Micro blog post on Tuesday. “Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content.”
    • “The malicious files delivered by attackers include various payloads, including the Lumma infostealer and Remco’s remote access Trojan (RAT), that expose organizations to risks of data theft and cyber espionage.”
  • CISA added five known exploited vulnerabilities to its catalog this week.
    • March 18, 2025
      • CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
      • CVE-2025-30066 tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
        • Dark Reading discusses the Fortinet KEV entry here, and Cybersecurity Dive discusses the GitHub KEV entry here.
    • March 19, 2025
      • CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
      • CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
      • CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
        • The Hacker News discusses the Edimax KEV entry here and the NAKIVO KEV entry here. Cybersecurity News discusses the SAP KEV entry here.
  • Cybersecurity Dive adds,
    • Johannes Ullrich of the SANS Internet Storm Center reported exploitation attempts this week against two critical Cisco vulnerabilities that were initially disclosed in September. CVE-2024-20439 is a static credential vulnerability in the Cisco Smart Licensing Utility, and CVE-2024-20440 is an information disclosure flaw in the utility. 
    • It’s unclear if the exploitation was successful, but Ullrich noted the static credential for CVE-2024-20439 was previously published by a security researcher and could be used to remotely access affected devices.
    • Ullrich told Cybersecurity Dive the exploitation attempts likely originate from a smaller botnet, with activity spiking over the last week.
  • Fierce Healthcare lets us know,
    • “A new report by Clearwater Security found that incident response and resilience was a major issue for private equity-owned healthcare companies, which need to improve consistency in cybersecurity governance in light of their high-growth business model.
    • “The assessment found systemic gaps in security preparedness, as healthcare organizations need more documented policies for cybersecurity practices from provider practices to digital health companies. Private equity firms need to consider the cybersecurity risk profiles of companies when deciding whether to acquire them or merge them with other businesses, Clearwater writes.
    • “Because private equity firms prioritize rapid growth of their portfolio companies, Clearwater found that health IT infrastructures and cybersecurity practices often fall behind. A cybersecurity incident can devalue a company overnight or rack up regulatory fines, a dangerous prospect for PE firms.
    • “The report looked at consumer health companies, healthcare data and analytics companies and physician practices owned by private equity firms. It also evaluated pharma, biosciences and dental services companies.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “A Medusa ransomware campaign is using a malicious driver to disrupt and even delete endpoint detection and response (EDR) products on targeted organization networks.
    • “According to new research from Elastic Security Labs, the malicious driver, dubbed ABYSSWORKER, is deployed along with a packer-as-a-service called HeartCrypt to deliver Medusa ransomware. Elastic noted the driver was first documented in a ConnectWise post in January involving a different campaign of IT support scams using Microsoft Teams.
    • “In the Medusa ransomware attacks, Elastic discovered the malicious driver imitates a legitimate CrowdStrike Falcon driver and is using digital certificates from other companies to masquerade as a legitimate program. 
    • “All samples are signed using likely stolen, revoked certificates from Chinese companies,” Cyril François, senior research engineer at Elastic Security Labs, wrote in the blog post. “These certificates are widely known and shared across different malware samples and campaigns but are not specific to this driver.”
  • Per Bleeping Computer,
    • “Two malicious VSCode Marketplace extensions were found deploying in-development ransomware, exposing critical gaps in Microsoft’s review process.
    • “The extensions, named “ahban.shiba” and “ahban.cychelloworld,” were downloaded seven and eight times, respectively, before they were eventually removed from the store.
    • “It is notable that the extensions were uploaded onto the VSCode Marketplace on October 27, 2024 (ahban.cychelloworld) and February 17, 2025 (ahban.shiba), bypassing safety review processes and remaining on Microsoft’s store for an extensive period of time.”
  • Per Trend Research,
    • “Trend Research uncovered new versions of the Albabat ransomware. The development of these versions signifies the ransomware operators’ potential expansion of their targets from Windows to Linux and macOS. Research also reveals the group’s use of GitHub to streamline operations.
    • “Enterprises should remain vigilant against ransomware threats like Albabat as a successful attack can incur reputational damage, operational disruption, and financial losses once threat actors get a hold of and ransom critical data.
    • “To mitigate Albabat ransomware, organizations should have strong access controls for sensitive data, update and patch systems regularly and have proper backups.”
  • Per TechSpot,
    • “Akira, one of the most dangerous ransomware strains floating around the internet, just met its match — an Indonesian programmer armed with cloud computing and sheer determination.
    • As first reported by TechSpot, Yohanes Nugroho successfully cracked Akira, a multiplatform ransomware that has been wreaking havoc since 2023. Used by cyber criminals to target hundreds of businesses, government agencies, and industries, Akira has helped its developers earn millions.
    • “While this isn’t the first time someone has found a way to break Akira’s encryption, what makes this case remarkable is that Nugroho did it alone — and in just over 10 hours.”

From the cybersecurity business and defense front,

  • NextGov/FCW reports,
    • “Google has moved to expand the security aspects of its cloud offering by agreeing to acquire Wiz in a $32 billion all-cash transaction, the global tech giant’s largest-ever.
    • “Wiz generates roughly $1 billion in annual revenue with FedRAMP-authorized cloud security products in areas such as prevention, active detection and response.
    • “Google sees the addition of Wiz as helping it support more agencies as they look to move their systems into multi-cloud and hybrid cloud environments.
    • “At the same time, software and (artificial intelligence) platforms are becoming deeply embedded across products and operations, bringing new and evolving risks for private enterprises, governments, and other public sector organizations,” Google Cloud CEO Thomas Kurian said in a release.”
  • Dark Reading explains why “Cyber Quality Is the Key to Security. The time to secure foundations, empower teams, and make cyber resilience the standard is now — because the cost of waiting is far greater than the investment in proactive security.”
  • TechTarget offers “13 API security best practices to protect your business. APIs are the backbone of most modern applications, and companies must build in API security from the start. Follow these guidelines to design, deploy and protect your APIs.”
  • Here are links to
    • Dark Reading’s CISO Corner
    • A HelpNetSecurity video about “Pay, fight, or stall? The dilemma of ransomware negotiations”
    • A Cyberscoop podcast in which its editor in chief “Greg Otto talks with FTI Consulting’s Allie Bohan exploring the challenges organizations face in maintaining effective communication during cyberattacks.”
    • The FEHBlog watched the seven-minute-long video and listened to the podcast while drafting this post and he found them worthwhile.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Federal News Network lets us know,
    • “A former Energy Department and National Security Council official has been tapped to lead the Cybersecurity and Infrastructure Security Agency [CISA].
    • “President Donald Trump today [March 11, 2025,] formally nominated Sean Plankey to serve as director of CISA. Plankey’s name was included among a slew of nominations sent to the Senate.
    • “During Trump’s first term, Plankey served as principal deputy assistant secretary for Energy’s Office of Cybersecurity, Energy Security and Emergency Response, known as “CESER,” which leads cyber preparedness in the energy sector. He also served on Trump’s National Security Council as director for maritime and Pacific cybersecurity policy.”
  • Per a March 12, 2025, CISA news release,
    • CISA’s Red Team is among the best in the world and remains laser focused on helping our federal and critical infrastructure partners identify and mitigate their most significant vulnerabilities and weaknesses. This has not changed.
    • Contrary to inaccurate reporting, CISA has not “laid off” our Red Team. CISA has taken action to terminate contracts where the agency has been able to find efficiencies and eliminate duplication of effort. As good stewards of the taxpayer dollar and in accordance with good fiscal governance practices, CISA regularly reviews contracts across the agency to ensure that we have the capabilities that we need and that we are allocating resources in ways that make the most impact. This was a contract action that did not impact the employment status of CISA personnel.  
    • CISA’s Red Teams continue their work without interruption. The team works directly with network defenders, system administrators, and other technical staff to address strengths and weaknesses across critical infrastructure networks and systems. They continue to assist organizations in refining their detection, response, and hunt capabilities to protect the nation’s critical infrastructure from a range of threats.
  • Dark Reading offers context for this release.
  • The National Institute of Standards and Technology announced on March 12, 2025,
    • “The comment period for [draft] NIST Special Publication 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide is open through April 25, 2025, at 11:59 PM.”
  • Fedscoop tells us,
    • “Ethan Klein, an emerging technology policy adviser during the first Trump administration, has been nominated to be the White House’s chief technology officer, the Office of Science and Technology Policy confirmed Tuesday. 
    • “After serving in the first Trump White House, Klein completed a PhD in nuclear science and engineering at MIT, where he worked to develop nuclear tech for arms control and nonproliferation with funds from a fellowship through the National Nuclear Security Administration.” 
  • and
    • An Office of Personnel Management watchdog investigation into cybersecurity risks on government networks and the potential exposure of sensitive information will include an examination of DOGE access to those systems.
    • OPM’s Office of Inspector General said in a letter to Democrats on the House Oversight Committee that it would incorporate “parts” of the lawmakers’ February request to probe DOGE’s unauthorized accessing of IT networks and Americans’ data into “existing work.” The watchdog also said it had “initiated a new engagement on specific emerging risks at OPM that are related to issues raised” in Democrats’ letter.
  • Dark Reading relates,
    • “A dual Russian-Israeli citizen working as one of LockBit ransomware group’s lead developers has been extradited from Israel to the US. Rostislav Panev, 51, was arrested in 2023 and had his first US court appearance on March 14.
    • “According to the complaint against him, Panev was a developer for LockBit ransomware group from 2019 to at least February 2024. The ransomware group attacked more than 2,500 victims in 120 countries, 1,800 of them in the US. Victims ranged from individuals to small businesses and even multinational corporations that included nonprofit organizations, educational institutions, hospitals, and critical infrastructure. In targeting them, LockBit was able to garner at least $500 million in ransom payments and cause billions of dollars in losses.”

From the cybersecurity vulnerabilities and breaches front,

  • Security Week reports on March 10, 2025,
    • “More than 560,000 people were impacted across four data breaches disclosed last week to authorities by the healthcare organizations Hillcrest Convalescent Center, Gastroenterology Associates of Central Florida, Community Care Alliance, and Sunflower Medical Group.”
  • CISA added thirteen known exploited vulnerabilities to its catalog this week:
    • March 10, 2025
      • CVE-2025-25181 Advantive VeraCore SQL Injection Vulnerability
      • CVE-2024-57968 Advantive VeraCore Unrestricted File Upload Vulnerability
      • CVE-2024-13159 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
      • CVE-2024-13160 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
      • CVE-2024-13161 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
        • NIST discusses the Advantive CVEs here and here
        • Cybersecurity Dive discusses the Ivanti CVEs here.
    • March 11, 2025
      • CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
      • CVE-2025-24984 Microsoft Windows NTFS Information Disclosure Vulnerability
      • CVE-2025-24985 Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability
      • CVE-2025-24991 Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability
      • CVE-2025-24993 Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability
      • CVE-2025-26633 Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability
        • Cyberscoop discusses these CVEs here.
    • March 13, 2025
      • CVE-2025-24201 Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability
      • CVE-2025-21590 Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability
        • Cyberscoop discusses the Apple CVE here.
        • Cybersecurity Dive discusses the Juniper CVE here.
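The CISA additions listed above, and the BOD 22-01 summary further down this page (the catalog is a living list and each entry carries a remediation due date), are only useful to a defender if they are compared against what is actually running in the environment. The following Python check is an added example, not CISA's own tooling and not code from the original post: it reads a feed laid out like CISA's public KEV JSON (the field names cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate and knownRansomwareCampaignUse are the real ones), matches it against the CVE IDs a vulnerability scanner reported, and buckets the results by how close each due date is. The sample catalog, its dates and the scanner output are constructed placeholders built from CVE IDs that appear on this page; they are not CISA's actual deadlines.

```python
"""Triage scanner findings against a KEV-format catalog by remediation due date.

Added example, not CISA's own tooling. Field names follow CISA's public KEV JSON
feed; the catalog below is CONSTRUCTED for this example and its dateAdded and
dueDate values are placeholders, not CISA's actual deadlines.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample feed. The CVE IDs appear in the news items on this page;
# the dates are placeholders chosen so that every outcome below is exercised.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV-style sample, not the real catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2024-55591", "vendorProject": "Fortinet", "product": "FortiOS",
         "vulnerabilityName": "Fortinet FortiOS (placeholder name)",
         "dateAdded": "2025-01-14", "dueDate": "2025-01-21",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi",
         "vulnerabilityName": "VMware ESXi zero-day (placeholder name)",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-25181", "vendorProject": "Advantive", "product": "VeraCore",
         "vulnerabilityName": "Advantive VeraCore SQL Injection Vulnerability",
         "dateAdded": "2025-03-10", "dueDate": "2025-03-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-24983", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Win32k Use-After-Free Vulnerability",
         "dateAdded": "2025-03-11", "dueDate": "2025-04-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: CVE IDs a vulnerability scanner reported on our
# assets. CVE-2025-22467 is deliberately absent from the sample catalog above.
SAMPLE_SCANNER_CVES = {"CVE-2024-55591", "CVE-2025-22224", "CVE-2025-25181",
                       "CVE-2025-24983", "CVE-2025-22467"}


@dataclass(frozen=True)
class Finding:
    cve_id: str
    product: str
    due_date: date
    days_left: int          # negative once the due date has passed
    ransomware_use: str


def parse_kev(feed_text: str) -> dict:
    """Index a KEV-format feed by cveID; a malformed dueDate raises ValueError early."""
    data = json.loads(feed_text)
    catalog = {}
    for entry in data["vulnerabilities"]:
        date.fromisoformat(entry["dueDate"])
        catalog[entry["cveID"]] = entry
    return catalog


def triage(feed_text: str, scanner_cves, today: str, warn_days: int = 7) -> dict:
    """Bucket scanner CVEs by their KEV due date relative to `today` (ISO date string)."""
    today_d = date.fromisoformat(today)
    kev = parse_kev(feed_text)
    buckets = {"overdue": [], "due_soon": [], "on_track": [], "not_in_kev": []}
    for cve in sorted(scanner_cves):
        entry = kev.get(cve)
        if entry is None:
            # No KEV deadline applies; the finding falls under the normal patching SLA.
            buckets["not_in_kev"].append(cve)
            continue
        due = date.fromisoformat(entry["dueDate"])
        finding = Finding(cve, entry["product"], due, (due - today_d).days,
                          entry.get("knownRansomwareCampaignUse", "Unknown"))
        if finding.days_left < 0:
            buckets["overdue"].append(finding)
        elif finding.days_left <= warn_days:
            buckets["due_soon"].append(finding)
        else:
            buckets["on_track"].append(finding)
    # Most urgent first within each bucket.
    for key in ("overdue", "due_soon", "on_track"):
        buckets[key].sort(key=lambda f: f.days_left)
    return buckets


def report_lines(buckets: dict) -> list:
    """Render the buckets as one line per finding, overdue items first."""
    lines = []
    for f in buckets["overdue"]:
        lines.append(f"OVERDUE  {f.cve_id} ({f.product}) due {f.due_date}, "
                     f"{-f.days_left} days late, ransomware use: {f.ransomware_use}")
    for f in buckets["due_soon"]:
        lines.append(f"DUE SOON {f.cve_id} ({f.product}) due {f.due_date}, {f.days_left} days left")
    for f in buckets["on_track"]:
        lines.append(f"ON TRACK {f.cve_id} ({f.product}) due {f.due_date}, {f.days_left} days left")
    for cve in buckets["not_in_kev"]:
        lines.append(f"NOT IN KEV {cve}: no BOD 22-01 deadline, apply the normal patching SLA")
    return lines


if __name__ == "__main__":
    result = triage(SAMPLE_KEV_JSON, SAMPLE_SCANNER_CVES, "2025-03-20")
    print("\n".join(report_lines(result)))
```

In real use the feed text would come from CISA's published catalog at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and the scanner set from a vulnerability-management export; the bucketing logic stays the same. Keeping the `not_in_kev` bucket separate matters: a CVE absent from the catalog is not "safe", it simply has no BOD 22-01 deadline attached, and the knownRansomwareCampaignUse field is carried through so that entries flagged "Known" can be prioritized within a bucket.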

From the ransomware front,

  • Cybersecurity Dive reports,
    • “The Medusa ransomware gang has infected more than 300 organizations in critical infrastructure sectors such as the medical, manufacturing and technology industries.
    • That’s according to a joint cybersecurity advisory published Wednesday by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The agencies noted that Medusa — which is not connected to MedusaLocker ransomware — has been active since 2021 and initially began as a closed ransomware operation.
    • “While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the [March 12, 2025,] advisory said. “Both Medusa developers and affiliates — referred to as ‘Medusa actors’ in this advisory — employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”
  • and
    • “A newly discovered ransomware strain, tracked as SuperBlack, has been used in a series of attacks targeting critical vulnerabilities in Fortinet since late January, according to a report by Forescout Research-Vedere Labs.
    • “The attacks involved exploitation of two vulnerabilities, CVE-2024-55591 and CVE-2025-24472, which can allow unauthenticated attackers to gain super admin privileges on FortiOS firewalls. 
    • “Researchers link the attacks to a threat actor — tracked as Mora_001 — that has operational overlaps with LockBit ransomware operations.
  • and
    • “About six of every 10 ransomware claims in 2024 involved the compromise of a perimeter security device such as a virtual private network or firewall, according to the Coalition Cyber Threat Index report released Tuesday [March 11, 2025]. In two of every 10 cases, remote desktop protocols were exploited for initial access. 
    • “Stolen credentials served as the initial access vectors in almost half of the cases, while software vulnerabilities were exploited in about three of every 10 cases. 
    • “Two thirds of businesses had at least one internet-exposed web login panel at the time they applied for cyber insurance policies, according to the report. The cyber insurance provider said it detected more than 5 million exposed remote management solutions and tens of thousands of exposed login panels.”
  • Dark Reading points out,
    • “A recent analysis of a year’s worth of chat logs from the infamous Black Basta ransomware group revealed that its members used nearly 3,000 unique credentials to attempt to compromise a variety of corporate networks.
    • “The top five uses of the credentials? Targeting remote-desktop software and virtual private networks (VPNs), according to threat intelligence firm KELA, which published its analysis of the chat logs last week.
    • “From Microsoft’s Remote Desktop Web Access to Palo Alto’s Global Protect and from Cisco’s VPN services to general remote login portals, stealing credentials to target remote access is perhaps the most popular technique used by ransomware groups. Once compromised, such services can be used as gateways to the corporate networks and quickly lead to data exfiltration and eventual ransomware deployment, says Irina Nesterovsky, chief research officer for KELA.
    • “Obtaining such credentials and successfully accessing those platforms — either due to lack of MFA or bypassing it — allows the actors a foothold into an organization’s network, which they can then further expand using different tools and reconnaissance,” she says. “KELA observed the Black Basta ransomware actors discussing the sourcing of specifically login credentials to VPN and remote access portals in the context of a ransomware operation — it is very clear what such credentials are abused for.”
  • Bleeping Computer adds,
    • “The Black Basta ransomware operation created an automated brute-forcing framework dubbed ‘BRUTED’ to breach edge networking devices like firewalls and VPNs.
    • “The framework has enabled BlackBasta to streamline initial network access and scale ransomware attacks on vulnerable internet-exposed endpoints.
    • “The discovery of BRUTED comes from EclecticIQ researcher Arda Büyükkaya following an in-depth examination of the ransomware gang’s leaked internal chat logs.”
  • Per Security Affairs,
    • “Microsoft observed a North Korea-linked APT group, tracked as Moonstone Sleet, deploying Qilin ransomware in limited attacks since February 2025. The APT group uses Qilin ransomware after previously using custom ransomware.
    • “Moonstone Sleet has previously exclusively deployed their own custom ransomware in their attacks, and this represents the first instance they are deploying ransomware developed by a RaaS operator.” Microsoft wrote on X.
    • “In May 2024, Microsoft observed the North Korea-linked group “Moonstone Sleet” (previously tracked as Storm-1789) using known and novel techniques like fake companies, trojanized tools, a malicious game, and custom ransomware for financial gain and espionage.
    • Storm-1789, initially linked to other North Korean threat groups, has since adopted unique tactics, tools, and attack infrastructure.
    • “Moonstone Sleet threat actors target financial and cyberespionage victims using trojanized software, custom malware, malicious games, and fake companies like StarGlow Ventures and C.C. Waterfall to engage victims on LinkedIn, freelancing sites, Telegram, and email.”

From the cybersecurity defenses front,

  • Dark Reading explains why “Healthcare organizations must enhance their cybersecurity arsenal. Doing so can help them prevent financial, compliance, and reputational damage.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Security Week informs us,
    • “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 [(HR 872)] instructs the Office of Management and Budget (OMB) to consult with CISA, the Office of the National Cyber Director, NIST, and other relevant departments, and require federal contractors to have a [vulnerability disclosure program] VDP that is consistent with NIST guidelines
    • “The bill also instructs the Defense Department to require defense contractors to adopt similar policies. 
    • “The goal is to make it easier for individuals and companies who find vulnerabilities in contractors’ systems to responsibly disclose them. 
    • “Just days before the bill passed the House, several major cybersecurity and tech companies signed a letter urging the House and Senate to approve the legislation.” * * *
    • “The legislation is now in the Senate, where it has been referred to the Committee on Homeland Security and Governmental Affairs.”
  • Speaking of NIST, earlier this week, NIST finalized “Guidelines for Evaluating ‘Differential Privacy’ Guarantees to De-Identify Data.”
    • “Using differential privacy can help organizations glean useful insights from databases while protecting individuals’ data. 
    • “NIST has put the finishing touches on guidelines intended to help organizations evaluate differential privacy claims. 
    • “The finalized publication expands upon draft guidelines that NIST released last year.”
  • Bleeping Computer lets us know,
    • “U.S. authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.
    • “Despite the threat actors’ efforts, law enforcement agents traced $23,604,815.09 of the stolen digital assets between June 2024 and February 2025 to the following cryptocurrency exchanges: OKX, Payward Interactive, Inc. (dba Kraken), WhiteBIT, AscendEX Technology SRL, Ftrader Ltd (dba FixedFloat), SwapSpace LLC, and Rabbit Finance LLC (dba CoinRabbit).
    • A forfeiture complaint unsealed by the U.S. Justice Department yesterday [March 6] and first spotted by crypto fraud investigator ZachXBT reveals that U.S. Secret Service agents who interviewed the victim believe the attackers could have only stolen the cryptocurrency using private keys extracted by cracking the victim’s password vault stolen in a 2022 breach of an online password manager.”
  • Cyberscoop tells us,
    • The Justice Department on Wednesday [March 6] indicted 12 Chinese nationals for their alleged involvement in an extensive nation-state-backed espionage campaign that included a spree of attacks on U.S. federal and state agencies, including the late 2024 attack targeting the Treasury Department
    • Officials accused the Chinese individuals, including two officers of China’s Ministry of Public Security, eight i-Soon employees and two members of the Chinese state-backed threat group APT27 or Silk Typhoon, of breaching numerous networks globally to steal and sell data to China’s intelligence and security services. Some of the alleged attacks date back to 2011, officials said.
    • The indictments reveal China’s alleged well-coordinated effort to use a hacker-for-hire ecosystem to conduct espionage while obscuring the government’s direct involvement. The pool of victims impacted by the alleged co-conspirators is immense, including U.S.-based critics and dissidents of China, a large U.S.-based religious organization and foreign ministries of multiple governments in Asia.
  • Per a U.S. Justice Department news release,
    • “A federal jury in Cleveland convicted a Texas man today for writing and deploying malicious code on his former employer’s network.
    • “According to court documents and evidence presented at trial, Davis Lu, 55, of Houston, was employed as a software developer for the victim company headquartered in Beachwood, Ohio, from November 2007 to October 2019. Following a 2018 corporate realignment that reduced his responsibilities and system access, Lu began sabotaging his employer’s systems. By Aug. 4, 2019, he introduced malicious code that caused system crashes and prevented user logins. Specifically, he created “infinite loops” (in this case, code designed to exhaust Java threads by repeatedly creating new threads without proper termination and resulting in server crashes or hangs), deleted coworker profile files, and implemented a “kill switch” that would lock out all users if his credentials in the company’s active directory were disabled. The “kill switch” code — which Lu named “IsDLEnabledinAD”, abbreviating “Is Davis Lu enabled in Active Directory” — was automatically activated upon his termination on Sept. 9, 2019, and impacted thousands of company users globally.” 

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop relates,
    • “The Chinese state-backed threat group Silk Typhoon shifted tactics in late 2024 to broaden access and enable follow-on attacks against downstream customers of its initial targets, Microsoft Threat Intelligence said in a blog released Wednesday. 
    • “The Chinese espionage group, which is also known as APT27, has abused stolen API keys and credentials for privileged access management, cloud-based application providers and data management companies to intrude networks operated by state and local governments and organizations in the IT sector.
    • “After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives,” Ann Johnson, corporate vice president at Microsoft Security, said in a LinkedIn post.”
  • Cybersecurity Dive reports,
    • “Cyberattacks targeting third-party vendors are causing more financial damage than ever before, cyber risk management firm Resilience said in a recent report.
    • “Nearly a quarter (23%) of cyber insurance claims filed with Resilience last year involved material losses resulting from a third-party breach, according to the analysis. It’s a first for the company, which hasn’t previously observed customer claims with material losses in the third-party risk category.
    • “Many of the vendor-related incidents from 2024 resulted in some sort of pause on our customers’ ability to conduct business and, as a result, had a much larger financial impact,” Ann Irvine, chief data and analytics officer at Resilience, said via email.”
  • and
    • Broadcom on Tuesday disclosed three zero-day vulnerabilities that affect multiple VMware products, including ESXi, Workstation and Fusion. The vulnerabilities have been exploited in the wild.
    • More than 37,000 VMware ESXi instances remain vulnerable to CVE-2025-22224, a critical zero-day vulnerability, according to scanning data from the Shadowserver Foundation. 
    • Some customers with downgraded VMware licenses have been unable to download the patches because of an issue with the Broadcom Support Portal. The company said in an FAQ that the issue is “a high priority and will be fixed shortly.”
  • The American Hospital Association News notes,
    • “A Microsoft report published March 5 identified recent tactics by Silk Typhoon, a Chinese state-sponsored cyberthreat group known for extensive espionage activities. The group has been recently targeting IT solutions such as remote management tools and cloud applications to gain access and potentially cause supply chain disruptions. Silk Typhoon is viewed as a significant threat to critical infrastructure, the Health Information Sharing and Analysis Center said.  
    • “Silk Typhoon is a highly skilled group, and it has shown the ability to move rapidly and exploit unpatched vulnerabilities in systems,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The best way for hospitals to defend themselves is focusing on the basics of cybersecurity like patch management.” 
  • The Cybersecurity and Infrastructure Security Agency (“CISA”) added nine known exploited vulnerabilities to its catalog this week.

From the ransomware front,

  • Per Cyberscoop,
    • “The FBI and threat researchers are warning executives to be on the lookout for physical letters in the mail threatening to leak sensitive corporate data. 
    • “The letters, which are stamped “time sensitive read immediately” and shipped directly to executives through the Postal Service, are part of a nationwide scam designed to extort victims into paying $250,000 to $500,000, the FBI said Thursday.
    • “The unidentified criminal or threat group behind the mail scam is masquerading as BianLian, a prolific ransomware and data extortion group that has attacked multiple U.S. critical infrastructure sectors since June 2022. 
    • “Cyber authorities and researchers have not confirmed BianLian’s involvement and believe the letters are an attempt to scam organizations into paying a ransom.” 
  • Cybersecurity Dive lets us know,
    • “A zero-day vulnerability in a Microsoft-signed driver from Paragon Software is being exploited in ransomware attacks.
    • “CERT Coordination Center on Friday warned in a security advisory that five vulnerabilities were discovered in Paragon Partition Manager’s BioNTdrv.sys driver. Threat actors have already exploited one of the flaws in what are known as “bring your own vulnerable driver” (BYOVD) attacks, in which attackers use signed drivers to compromise systems and evade detection.
    • “According to the advisory, CVE-2025-0289 is an insecure kernel resource access vulnerability that can be used to either escalate privileges or execute DoS attacks on targeted devices. CERT warned the vulnerability can be executed on Windows devices even if Paragon Partition Manager, which partitions hard drives to optimize disk space and performance, is not installed.
    • “Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code,” CERT said in the advisory. “These vulnerabilities have been patched by both Paragon Software, and vulnerable BioNTdrv.sys versions blocked by Microsoft’s Vulnerable Driver Blocklist.”
  • Per Bleeping Computer,
    • “The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim’s network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows.
    • “Cybersecurity firm S-RM team discovered the unusual attack method during a recent incident response at one of their clients.
    • “Notably, Akira only pivoted to the webcam after attempting to deploy encryptors on Windows, which were blocked by the victim’s EDR solution.”
  • Per Hacker News,
    • “The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024.
    • “In the first two months of 2025 alone, the group has claimed over 40 attacks, according to data from the Symantec Threat Hunter Team shared with The Hacker News. The cybersecurity company is tracking the cluster under the name Spearwing.
    • “Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom,” Symantec noted.
    • “If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site.”
    • “While other ransomware-as-a-service (RaaS) players like RansomHub (aka Greenbottle and Cyclops), Play (aka Balloonfly), and Qilin (aka Agenda, Stinkbug, and Water Galura) have benefited from the disruptions of LockBit and BlackCat, the spike in Medusa infections raises the possibility that the threat actor could also be rushing in to fill the gap left by the two prolific extortionists.
    • “The development comes as the ransomware landscape continues to be in a state of flux, with a steady stream of new RaaS operations, such as Anubis, CipherLocker, Core, Dange, LCRYX, Loches, Vgod, and Xelera, emerging in the wild in recent months.”

From the cybersecurity defenses front,

  • Forbes discusses “How CISOs Will Navigate the Threat Landscape Differently In 2025.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Next week, the House of Representatives will fast-track approval of H.R. 872, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, as amended. This bill, which would apply known exploited vulnerability (KEV) remediation rules to certain federal contractors, has not yet received Senate consideration.
  • CISA explains “Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate [CISA] identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.”
  • Cyberscoop reports
    • “A push is gearing up to renew an expiring 10-year-old cybersecurity law that was viewed at its initial passage as the most significant cybersecurity legislation Congress had ever passed, and that advocates say now fosters several important threat-sharing initiatives.
    • “The 2015 Cybersecurity Information Sharing Act provides safeguards for companies that voluntarily share threat intelligence data with the government or each other, such as federal antitrust exemptions and shields against state and federal disclosure laws.
    • “Reauthorization of the law faces several hurdles, including uncertainty about who will take the lead on the bill in the House and Senate, potential privacy concerns, a tight timeline, and other competing priorities. There are also some who believe the law could use updates to fit today’s threats, potentially introducing further complications.
    • “But its renewal has some bipartisan support, including among leaders of committees important to its passage, and there is optimism among outside groups that it can win congressional approval. The push is in the very early stages, but there’s a “growing recognition” that it needs to be reauthorized, said Matthew Eggers, vice president of cybersecurity policy in the U.S. Chamber of Commerce’s cyber, intelligence and security division.
    • “We’re in a little bit of spring training in the sense that we haven’t advocated for this legislation for about 10-plus years,” he said. “A number of organizations, over the last 10 years, have probably taken for granted the work that’s been done to get the legislation passed.”
  • Cybersecurity Dive tells us,
    • “The Cybersecurity and Infrastructure Security Agency confirmed that Karen Evans was named executive assistant director for cybersecurity under the Department of Homeland Security. 
    • “Evans, who first joined CISA in January as a senior adviser, will be responsible for leading the agency’s cybersecurity efforts as the national coordinator for critical infrastructure security and resilience. 
    • “Starting in 2018, Evans served as assistant secretary for cybersecurity, energy security and emergency response at the Department of Energy. She was named chief information officer at DHS and served from March 2020 to January 2021. She also served as managing director of the Cyber Readiness Institute before joining CISA.”
  • Cyberscoop adds,
    • “President Donald Trump hasn’t yet selected an overall leader for CISA, although Sean Plankey has reportedly been in line for the Senate-confirmed job. But Evans’ appointment is the latest key position to get a name attached to it among top cyber jobs in the administration.
    • “The administration recently named Sean Cairncross as its pick for the Senate-confirmed position of national cyber director. It also picked Alexei Bulazel as senior director for cyber at the National Security Council.”
  • The National Institute of Standards and Technology is celebrating the first anniversary of its Cybersecurity Framework 2.0.
  • Dark Reading lets us know,
    • “The US Army soldier arrested for unlawful transfer of confidential phone records told a federal judge he intends to plead guilty to the charges.
    • “Cameron John Wagenius, who went by the online alias “Kiberphant0m,” was involved in the Snowflake hacking campaign alongside Connor Riley Moucka, known as “Judische,” who was arrested in October 2024.
    • “Wagenius was arrested after infiltrating 15 telecommunications providers while on active military duty. He then reportedly published the stolen AT&T call logs of high-ranking officials like President Donald Trump and former Vice President Kamala Harris on Dark Web forums.”

From the cybersecurity vulnerabilities and breaches front,

  • Security Week informs us,
    • “CrowdStrike this week published its 2025 Global Threat Report, which summarizes the latest adversary tactics and techniques, as well as important trends that defined 2024.
    • “The cybersecurity giant started tracking 26 new threat groups in 2024, which brought the total number of adversaries known by the company to 257. 
    • “CrowdStrike pointed out that China-linked activity surged, with a 150% increase seen across all sectors, and a rise of 200-300% in industries such as financial services, media, manufacturing, and industrials and engineering compared to 2023
    • “One interesting aspect that CrowdStrike has been tracking is breakout time, the time it takes threat actors to move from initial access to high-value assets. This breakout time is important because that is how much time defenders have to detect and respond to an attack before the hackers start establishing deeper control.
    • “In 2024, the average breakout time in the case of cybercrime intrusions dropped to 48 minutes, from 62 minutes in 2023, and the fastest breakout seen by CrowdStrike last year was just 51 seconds.
    • “Over half of the vulnerabilities seen by CrowdStrike last year were related to initial access, which the company says reinforces the need to secure exposed systems. It also noted that identity-based attacks are increasingly favored over traditional malware attacks.”  
  • Cyberscoop lets us know,
    • “Cybercriminals intentionally disrupted operations at a growing rate last year, Palo Alto Networks’ threat intelligence firm Unit 42 said in an annual incident response report released Tuesday.
    • “Of the nearly 500 major cyberattacks Unit 42 responded to last year, 86% involved business disruption, including operational downtime, fraud-related losses, increased operating costs and negative reputational impacts. 
    • “Unit 42 called this trend the “third wave of extortion attacks,” another point of potential leverage for threat groups to impose on targets in addition to encryption and data theft. 
    • “These disruptive attacks stand out for the pain, impact and broader ripple effects they inflict on society and the economy at large, said Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42.
    • “This is what organizations need to be worried about from a threat perspective and from a defensive strategy standpoint,” Rubin said.” 
  • Cybersecurity Dive reports,
    • “Approximately 2,850 IP addresses are vulnerable to CVE-2025-22467, a critical stack buffer-overflow vulnerability that affects Ivanti Connect Secure VPNs, according to a post on X by the Shadowserver Foundation.
    • “Ivanti disclosed and patched CVE-2025-22467 on Feb. 11 and said it was not aware of any exploitation of the vulnerability prior to the public disclosure. Exploitation of the critical flaw can allow a remote authenticated attacker to achieve remote code execution.
    • “Shadowserver found the U.S. and Japan were the countries with the highest number of vulnerable IP addresses, with 852 and 384 instances, respectively.”
  • CISA added four known exploited vulnerabilities to its catalog this week.

From the ransomware front,

  • CSO points out five things to know about ransomware threats in 2025.
  • Per Security Week,
    • “Threat Intelligence firm Kela warns of a new ransomware group called Anubis operating as a RaaS service with an extensive array of options for affiliates.
    • “The group emerged as recently as late 2024, although the researchers believe that its members have experience in ransomware, both malware and operations. Information on Anubis comes from an analysis of the group’s dark web footprint rather than code analysis of the ransomware.
    • “As with most ransomware groups today, Anubis uses double extortion. The researchers suggest that “Anubis appears to be an emerging threat, highlighting different business models employed by modern extortion actors.”
  • Darktrace discusses “Lynx ransomware, emerging in 2024, targets finance, architecture, and manufacturing sectors with phishing and double extortion.”
  • Cybersecurity Dive lets us know,
    • “Researchers analyzed leaked chat logs from the infamous Black Basta ransomware gang and found references to 62 unique CVEs, 53 of which are known to have been exploited in the wild.
    • “Black Basta favored vulnerabilities in “widely adopted enterprise technologies” that included Microsoft products, Citrix Netscaler and Atlassian Confluence, as well as flaws in network edge devices from Fortinet, Cisco, F5 Networks and Palo Alto Networks, according to the findings by VulnCheck.
    • “VulnCheck’s research revealed that in many cases Black Basta members began discussing CVEs within days of security advisories being published, underscoring the importance of prompt patching and mitigations for critical flaws in widely used applications and devices.”
  • Cyberscoop adds,
    • “Black Basta’s inner workings reveal a cybercrime group rife with internal conflicts. Yet, the notorious ransomware-as-a-service group’s affiliates have wreaked havoc on organizations globally.
    • “Over a two-year period, the ransomware variant was used to encrypt and steal data from at least 12 of the 16 critical infrastructure sectors, impacting more than 500 organizations, according to the Cybersecurity and Infrastructure Security Agency. 
    • “The group pulled in at least $107 million in ransom payments by late 2023, research from Elliptic and Corvus Insurance found.
    • “The Black Basta leak followed a decrease in activities earlier this year, which was caused by key members defecting to other cybercriminal operations, like the Cactus ransomware group, according to Alptekin. “This exposure has further destabilized the group and impacted trust among its members,” he said.
    • “Rapid7 observed a resurgence of social engineering attacks linked to Black Basta operators in early October, but the group has been largely inactive this year.” 

From the cybersecurity defenses front,

  • The Wall Street Journal reports,
    • “Every company needs a cybersecurity strategy but getting the money to enact it can be complicated. 
    • “Benchmarks that compare cyber spending across companies relative to their revenues, overall tech budget or head count can validate funding choices, but they aren’t useful in establishing the security needs of an organization, chief information security officers say. 
    • “That tactic never worked for me,” said Selim Aissi, a cybersecurity consultant who has held executive cyber roles at companies including Intel, Visa and Blackhawk Network Holdings, which sells gift cards.
    • “The CEO, the CFO will shut you down immediately and say, ‘Who cares? We’re not [company] XYZ.’”
    • “Cybersecurity is a necessary expense. Attackers exploit new vulnerabilities within days of discovery and malware multiplies by the day. It takes just 48 minutes, on average, for a hacker to move through a corporate network after getting in, according to cyber company ReliaQuest. International Business Machines found the average cost of a data breach in the U.S. was $4.9 million last year. But companies are wary of paying for more protection than they need, and it falls on CISOs to justify the expense.
    • “Understanding the costs of disruption is a useful way to allocate spending, said Mike Anderson, chief digital and information officer of cyber company Netskope. Some business functions are more critical than others or will take more resources to fix if they are disrupted, he said. 
    • “You can’t treat everything exactly the same,” Anderson said. “I align the investments to the criticality.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity history, policy, and law enforcement fronts,

  • American Hospital Association (AHA) News reminds us,
    • “Nearly one year after the cyberattack on Change Healthcare, the AHA released a report highlighting the continued need for health care organizations to strengthen cybersecurity efforts and mitigate risk.  
    • “The cyberattack on Change Healthcare in February 2024 disrupted health care operations on an unprecedented national scale, endangering patients’ access to care, disrupting critical clinical and eligibility operations, and threatening the solvency of the nation’s provider network,” the report said.  
    • “Among other areas, the report highlights lessons learned, including how third-party cyber risk is the most significant and disruptive cyber threat to health care; actions health care organizations can take to mitigate cyber risk; and resources from the AHA and federal government that can assist organizations with strengthening cybersecurity efforts.”
  • Cyberscoop lets us know,
    • “Republican leaders on a key House committee are canvassing the public for input on how best to move forward in Congress’ longstanding quest to tackle national data privacy and security standards.
    • “House Energy and Commerce Committee Chair Brett Guthrie, R-Ky., and Vice Chair John Joyce, R-Pa., issued a Request for Information on Friday that seeks guidance on how to best develop legislation to protect the digital data of Americans across an ever-widening range of essential services.
    • “Leadership in digital technologies, including artificial intelligence, underpins U.S. economic and national security, provides American consumers with access to lower cost goods and services, and enables small businesses to reach markets around the world,” Guthrie and Joyce said in a statement. “However, the challenge of providing clear digital protections for Americans is compounded by the fast pace of technological advancement and the complex web of state and federal data privacy and security laws, which in some cases create conflicting legal requirements.”
    • “Both Guthrie and Joyce are part of a Republican committee working group on data privacy, and the request includes questions that could guide lawmakers as they eye potential legislation. They include how to account for different roles and services that collect personal data, when a company should disclose the collection, processing, or transfer of user data, and what lessons can be learned from existing privacy frameworks in other countries.”
  • and
    • “One of the most notable elements of the monumental hack of major telecommunications companies is just how “indiscriminate” it was in its pursuit of data, a top FBI official said Wednesday.
    • “The FBI has been investigating the breach, which it has blamed on Chinese government hackers commonly known as Salt Typhoon.
    • “What we found particularly remarkable in our investigation is the gigantic and seemingly indiscriminate collection of call records and data about American people, like your friends, your family, people in your community,” Cynthia Kaiser, deputy assistant director in the bureau’s cyber division, said at the 2025 Zero Trust Summit, presented by CyberScoop.
    • “Kaiser characterized the breach as “a different level of insidiousness” from Beijing, one that reflects its “ambition and reckless aggression in cyberspace.”
  • Cybersecurity Dive tells us,
    • “The Securities and Exchange Commission on Thursday unveiled a revamped anti-fraud unit to protect retail investors in emerging technologies, reflecting the Trump administration’s evolving approach to cryptocurrency and cybersecurity.
    • “The Cyber and Emerging Technologies Unit, led by Laura D’Allaird, will have about 30 fraud specialists from across the agency and replaces the Crypto Assets and Cyber Unit. The revised CETU will complement a crypto task force launched in January under the leadership of Commissioner Hester Peirce.
    • “The unit will not only protect investors, but will also facilitate capital formation and market efficiency by clearing the way for innovation to grow,” Acting SEC Chairman Mark Uyeda said in a statement. “It will root out those seeking to misuse innovation to harm investors and diminish confidence in new technologies.”
  • Per a Justice Department news release,
    • Health Net Federal Services Inc. (HNFS) of Rancho Cordova, California and its corporate parent, St. Louis-based Centene Corporation, have agreed to pay $11,253,400 to resolve [government] claims [under the federal False Claims Act] that HNFS falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense (DoD) to administer the Defense Health Agency’s (DHA) TRICARE health benefits program for servicemembers and their families. In 2016, Centene acquired all of the issued and outstanding shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS.
  • Per an HHS news release,
    • “Today [February 20], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $1,500,000 civil money penalty against Warby Parker, Inc., a manufacturer and online retailer of prescription and non-prescription eyewear, concerning violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following the receipt of a breach report regarding the unauthorized access by one or more third parties to customer accounts.” * * *
    • “OCR’s investigation found evidence of three violations of the HIPAA Security Rule, including a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity.” * * *
    • “The Notice of Proposed Determination may be found at: https://www.hhs.gov/sites/default/files/ocr-warby-parker-npd.pdf
    • “The Notice of Final Determination may be found at: https://www.hhs.gov/sites/default/files/ocr-warby-parker-nfd.pdf”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop lets us know,
    • “Salt Typhoon gained initial access to Cisco devices as part of the Chinese nation-state threat group’s sweeping attacks on U.S. telecom networks, the company confirmed Thursday [February 20] in a threat intelligence report.
    • “Cisco Talos, the networking vendor’s threat intelligence unit, said it observed one instance where Salt Typhoon likely exploited a seven-year-old critical vulnerability in Cisco IOS XE (CVE-2018-0171). Yet, researchers asserted Salt Typhoon gained initial access to Cisco devices with legitimate login credentials in all other incidents it’s investigated to date.
    • “The report marks the first time Cisco acknowledged the role its equipment played in Salt Typhoon’s attack spree on telecom networks. Recorded Future last week said five additional telecom networks were hit by Salt Typhoon via a pair of other vulnerabilities in Cisco IOS XE (CVE-2023-20198 and CVE-2023-20273) between early December and late January.
    • “Cisco Talos said it hasn’t identified any evidence to confirm Salt Typhoon’s exploitation of other known Cisco vulnerabilities. The company declined to answer questions.” 
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
    • February 18, 2025
      • CVE-2025-0108 Palo Alto PAN-OS Authentication Bypass Vulnerability
      • CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability
      • The Palo Alto KEV is discussed here, and the SonicWall KEV is discussed here.
    • February 20, 2025
      • CVE-2025-23209 Craft CMS Code Injection Vulnerability
      • CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability
      • The Craft KEV is discussed here, and the Palo Alto KEV is discussed here.
    • February 21, 2025
      • CVE-2025-24989 Microsoft Power Pages Improper Access Control Vulnerability
      • The Microsoft KEV is discussed here.
  • Cybersecurity Dive informs us,
    • “Horizon3.ai researchers on Wednesday released technical details and a proof-of-concept (PoC) exploit for four critical Ivanti vulnerabilities that were first disclosed and patched last month.
    • “The absolute path-traversal flaws impact Ivanti Endpoint Manager and, according to Horizon3.ai, could allow unauthenticated attackers to manipulate the Ivanti EPM machine account credential into being deployed in relay attacks, potentially leading to server compromise.
    • “Ivanti products have become popular targets for attackers in recent years, as a wide range of cyber threat actors have exploited both zero-day and known vulnerabilities to compromise devices at the network edge and gain access to victim.”
  • Security Week relates,
    • In a fresh report published Wednesday, Mandiant threat hunter Dan Black warns that several APT groups have perfected the abuse of Signal’s “linked devices” feature that enables the privacy-themed chat and voice messenger to be used on multiple devices concurrently.
    • By tricking users into scanning malicious QR codes embedded in phishing pages or disguised as group invite links, Mandiant says APT groups linked to the Kremlin are secretly adding their own device as a linked endpoint. 
    • Once this connection is established, every message sent by the user is duplicated to the attacker’s device in real time, effectively bypassing Signal’s heralded end-to-end encryption without having to break the underlying cryptography.
  • Dark Reading offers an oddball article about state-of-the-art phishing software Darcula version 3 that can be purchased.

From the ransomware front,

  • AHA News reports,
    • “A joint advisory released Feb. 19 by the FBI, Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center warns of cybercriminal activity by the Ghost ransomware group. The agencies identified actions as recently as last month by the group, which originates from China. 
    • “Since 2021, Ghost actors have targeted victims with outdated software and firmware, compromising organizations in more than 70 countries. Their victims include critical infrastructure, health care, schools and technology companies, among other organizations. 
    • “Ghost actors exploit well-known vulnerabilities and target networks where available patches have not been applied,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “They simply ‘hack before we patch.’ This group is also leveraging legitimate cybersecurity tools such as Cobalt Strike to enable access and other tools for privilege escalation. It is recommended that patching policies be reviewed to achieve maximum efficiency and speed. It is also recommended that network security tools be set to alert for activation of Cobalt Strike and privilege escalation applications.” 
  • Bleeping Computer reports,
    • “An unknown leaker has released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware operation.
    • “ExploitWhispers, the individual who previously uploaded the stolen messages to the MEGA file-sharing platform, which are now removed, has uploaded it to a dedicated Telegram channel.
    • “It’s not yet clear if ExploitWhispers is a security researcher who gained access to the gang’s internal chat server or a disgruntled member.
    • “While they never shared the reason behind this move, cyber threat intelligence company PRODAFT said today that the leak could directly result from the ransomware gang’s alleged attacks targeting Russian banks.
    • “As part of our continuous monitoring, we’ve observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors,” PRODAFT said.”

From the cybersecurity defenses front,

  • Security Week shares a conversation with Kevin Winter, Global CISO at Deloitte, and Richard Marcus, CISO at AuditBoard.
  • Here’s a link to Dark Reading’s CISO Corner.
  • HelpNet Security points out cyber hygiene habits that many still ignore.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop lets us know,
    • “Cybercrimes could be punished more harshly under a new bill from a pair of senators that seeks to amend U.S. criminal code on computer fraud.
    • “The Cyber Conspiracy Modernization Act from Sens. Mike Rounds, R-S.D., and Kirsten Gillibrand, D-N.Y., would modify the Computer Fraud and Abuse Act (CFAA) to establish a specific penalty for conspiracy and boost penalties for violators. 
    • “As cyber technologies continue to rapidly evolve, we need more people working to secure cyberspace as well as harsher penalties for those perpetrating these crimes,” Rounds said in a statement. “As chairman of the Senate Armed Services Committee’s Subcommittee on Cybersecurity, I am committed to working on policies that strengthen the United States’ ability to respond quickly and decisively to cyberattacks which have been on the rise.”
    • “Under current law, the Department of Justice can only charge conspiracy to commit cybercrimes through a general statute unrelated to the CFAA. Individuals charged under the general conspiracy statute face a maximum five-year penalty.”
  • Cybersecurity Dive informs us,
    • “President Donald Trump plans to nominate Sean Cairncross, a former official at the Republican National Committee, as the next national cyber director, according to a list of planned nominees obtained by Cybersecurity Dive. 
    • “Those nominees are expected to be sent imminently to the Senate to be considered for the confirmation process. 
    • “Cairncross would be the first major nominee for a top cybersecurity role since the Trump administration took office. 
    • “He is founder and president of the Cairncross Group, a strategic consultancy based in Washington, D.C.
    • “Cairncross previously worked as CEO of the Millennium Challenge Corp., an independent government agency that works to reduce poverty by promoting economic growth across the globe.”
  • Federal News Network notes,
    • “A former cyber executive at the Department of Homeland Security and the Energy Department has joined the Cybersecurity and Infrastructure Security Agency.
    • “Karen Evans is now “senior advisor for cybersecurity” at CISA, an agency spokesman confirmed to Federal News Network today. Evans posted about joining CISA on LinkedIn last night.
    • “A CISA spokesman did not confirm whether Evans would be elevated to a permanent role at the agency. But multiple sources said Evans is likely to either be named as executive assistant director for cybersecurity at CISA or move on to a top position at DHS headquarters.
    • “During the first Trump administration, Evans was DHS CIO between June 2020 and January 2021. She also served as assistant secretary for cybersecurity, energy security and emergency response at the Energy Department between 2018 and 2020.”
  • NextGov/FCW offers background on OPM’s new Chief Information Officer, Greg Hogan.
  • Per a Justice Department news release,
    • The Justice Department today [February 10] unsealed criminal charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, both Russian nationals, who allegedly operated a cybercrime group using the Phobos ransomware that victimized more than 1,000 public and private entities in the United States and around the world and received over $16 million in ransom payments. Berezhnoy and Glebov were arrested this week as part of a coordinated international disruption of their organization, which includes additional arrests and the technical disruption of the group’s computer infrastructure.
    • From May 2019, through at least October 2024, Berezhnoy, Glebov, and others allegedly caused victims to suffer losses resulting from the loss of access to their data in addition to the financial losses associated with the ransomware payments. The victims included a children’s hospital, health care providers, and educational institutions.

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • Microsoft threat researchers discovered a series of what they are calling “device code” phishing attacks that allowed a suspected Russia-aligned threat group to gain access to and steal data from critical infrastructure organizations, the company said in research released Thursday.
    • The group, which Microsoft tracks as Storm-2372, has targeted governments, IT services and organizations operating in the telecom, health, higher education and energy sectors across Europe, North America, Africa and the Middle East.
    • Microsoft observed attackers generating a legitimate device code sign-in request and then duping targeted users to input the code into a login page for productivity apps. By exploiting the device code authentication flow, Storm-2372 has gained access to targeted systems, captured authentication tokens and used those valid tokens to achieve lateral movement and steal data.
    • “They’ve been successful in these attacks, though Microsoft itself is not affected,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in a video summarizing the report’s findings.
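One way a defender can look for the pattern Microsoft describes, as an added example that is not Microsoft's code: the victim completes a device-code sign-in, and the resulting tokens are then used from a host the user has never signed in from. The record fields (ts, user, protocol, ip, app) are a constructed, simplified schema, not any product's real log format.

```python
"""Flag OAuth device-code sign-ins that break a user's normal pattern.

Added defender-side example for the Storm-2372 report described above; it is
not Microsoft's code. The records and their fields (ts, user, protocol, ip,
app) are a constructed, simplified schema, not a real product's log format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: alice's device-code sign-in comes from an
# IP she has never used interactively and is followed by token use from it;
# bob's device-code sign-in comes from his usual IP.
SAMPLE_LOG = """\
{"ts": "2025-02-13T09:00:00Z", "user": "alice@example.test", "protocol": "authorizationCode", "ip": "198.51.100.10", "app": "Mail"}
{"ts": "2025-02-13T09:05:00Z", "user": "alice@example.test", "protocol": "deviceCode", "ip": "203.0.113.7", "app": "Mail"}
{"ts": "2025-02-13T09:06:00Z", "user": "alice@example.test", "protocol": "refreshToken", "ip": "203.0.113.7", "app": "Mail"}
{"ts": "2025-02-13T10:00:00Z", "user": "bob@example.test", "protocol": "deviceCode", "ip": "198.51.100.20", "app": "Teams"}
{"ts": "2025-02-13T11:00:00Z", "user": "bob@example.test", "protocol": "authorizationCode", "ip": "198.51.100.20", "app": "Teams"}
"""

# How soon after the device-code sign-in token use from the same IP counts as
# the attacker picking up the tokens.
TOKEN_USE_WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse JSON-lines records, converting timestamps to datetime, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def interactive_baseline(records):
    """Map each user to the IPs seen in ordinary sign-ins (neither device-code
    nor token refresh); this stands in for a per-user sign-in history."""
    baseline = defaultdict(set)
    for rec in records:
        if rec["protocol"] not in ("deviceCode", "refreshToken"):
            baseline[rec["user"]].add(rec["ip"])
    return baseline


def detect_device_code_abuse(log_text):
    """Return alerts for device-code sign-ins from an IP the user has never
    used interactively.  Severity becomes 'high' when that same IP then uses
    the resulting tokens within TOKEN_USE_WINDOW: the victim typed the code,
    but the tokens landed on, and are being used from, someone else's host."""
    records = parse_log(log_text)
    baseline = interactive_baseline(records)
    alerts = []
    for i, rec in enumerate(records):
        if rec["protocol"] != "deviceCode":
            continue
        if rec["ip"] in baseline[rec["user"]]:
            continue  # device-code flow from a known location: ordinary usage
        followed = any(
            later["user"] == rec["user"]
            and later["ip"] == rec["ip"]
            and later["protocol"] == "refreshToken"
            and later["ts"] - rec["ts"] <= TOKEN_USE_WINDOW
            for later in records[i + 1:]
        )
        alerts.append({
            "user": rec["user"],
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "app": rec["app"],
            "severity": "high" if followed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_abuse(SAMPLE_LOG):
        print(alert)
```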
  • and
    • “Salt Typhoon, the Chinese nation-state threat group linked to a spree of attacks on U.S. and global telecom providers, remains active in its intrusion and has hit multiple additional networks worldwide, including two in the United States, Recorded Future said in a report released Thursday [February 13].
    • “Recorded Future’s Insikt Group observed seven compromised Cisco network devices communicating with Salt Typhoon infrastructure on five telecom networks between early December and late January. The compromised companies include an unnamed U.S. internet service provider and telecom company, a U.S.-based affiliate of a U.K. telecom provider, a large telecom provider in Thailand, an Italy-based ISP and a South Africa-based telecom provider.
    • “Salt Typhoon’s ongoing attack spree underscores the enduring challenge global cyber authorities and network defenders confront in trying to thwart the nation-state group’s activities. U.S. and White House officials in December warned they may never know if the group has been completely booted from networks.” 
  • Cybersecurity Dive relates,
    • “The FBI and Cybersecurity and Infrastructure Security Agency on Wednesday [February 12] warned that hackers are abusing buffer overflow vulnerabilities to launch malicious attacks against organizations. 
    • “Buffer overflow vulnerabilities occur when a hacker gains access or writes information outside of the memory buffer, according to the advisory from the FBI and CISA. 
    • “Buffer overflow vulnerabilities are prevalent issues in memory-safety software design that can lead to data corruption, program crashes, exposure of sensitive data and remote code execution.”
  • Per Bleeping Computer,
    • “Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
    • “This security flaw (CVE-2024-53704), tagged by CISA as critical severity and found in the SSLVPN authentication mechanism, impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, used by multiple models of Gen 6 and Gen 7 firewalls and SOHO series devices.
    • “Successful exploitation enables remote attackers to hijack active SSL VPN sessions without authentication, which grants them unauthorized access to targets’ networks.
    • “SonicWall urged customers to immediately upgrade their firewalls’ SonicOS firmware to prevent exploitation in an email sent before disclosing the vulnerability publicly and releasing security updates on January 7.”
  • CISA added seven known exploited vulnerabilities to its catalog this week.
  • The DC Health Link cybersecurity breach lawsuit settlement is explained here.

From the ransomware front,

  • Cybersecurity Dive reports,
    • “Ransomware gangs are adapting to stronger enterprise defenses and increased law enforcement pressure with more sophisticated tactics, according to Huntress’ 2025 Cyber Threat Report.
    • “In 75% of the ransomware incidents Huntress observed in 2024, threat actors used remote access Trojans (RATs), while 17.3% of attacks featured abuses of remote monitoring and management products like ConnectWise ScreenConnect, TeamViewer and LogMeIn.
    • “In an effort to evade EDR protections, threat actors are shifting to data theft and extortion attacks instead of deploying ransomware and increasingly relying on “living off the land” techniques with legitimate system administrator tools.”
  • Dark Reading tells us,
    • “A recent RA World ransomware attack utilized a tool set that took researchers by surprise, given that it has been associated with China-based espionage actors in the past.
    • “According to Symantec, the attack occurred in late 2024. The tool set includes a legitimate Toshiba executable named toshdpdb.exe that deploys on a victim’s device. It then connects to a malicious dynamic link library (DLL) that deploys a payload containing a PlugX backdoor.
    • “The threat actors in this case used the tool kit to ultimately deploy RA World ransomware inside an unnamed Asian software and services company, demanding a ransom of $2 million. No initial infection vector was found. However, the attacker claimed they compromised the victim’s network by exploiting a Palo Alto PAN-OS vulnerability (CVE-2024-0012), according to Symantec.”
    • “The attacker then said administrative credentials were obtained from the company’s intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers,” added the researchers, who hypothesized that based on tactics, techniques, and procedures, the attacker could be China-linked Emperor Dragonfly, aka Bronze Starlight, a group that has been known to deploy ransomware to obscure intellectual property theft in the past.”
  • Reuters reports,
    • “The United States joined Australia and Britain in targeting Russia-based Zservers service provider for its role in supporting the Lockbit ransomware attacks, the U.S. Department of Treasury said on Tuesday [February 11], citing national security concerns.
    • “U.S. Treasury’s Office of Foreign Assets Control also designated two Russian nationals who they said were key administrators for Zservers, a bulletproof hosting services provider or BPH, it added.
    • “Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure,” wrote Bradley Smith, acting Under Secretary of the Treasury for Terrorism and Financial Intelligence.
    • “The action follows joint U.S., UK and Australia cyber sanctions last year targeting the Evil Corp ransomware group, Treasury added.”

From the cybersecurity defenses and business front,

  • Per Cyberscoop,
    • “Identity security giant CyberArk has acquired Boston-based Zilla Security, a cloud-native identity governance and administration startup, in a deal worth up to $175 million.
    • “The acquisition, announced Thursday [February 13], includes $165 million in cash and a $10 million earn-out contingent on performance milestones. Zilla’s co-founders, CEO Deepak Taneja and Nitin Sonawane, along with their team, will join CyberArk. Zilla’s flagship products — Zilla Comply and Zilla Provisioning — will be integrated into CyberArk’s Identity Security Platform as standalone offerings.
    • “Founded in 1999, CyberArk has traditionally built its reputation on securing privileged access across enterprise systems. In recent years, the company has bolstered its portfolio through a series of acquisitions, the most significant being the $1.54 billion purchase of machine identity firm Venafi last year. Together with this latest move, CyberArk seeks to expand its reach into modern identity security — an area increasingly critical as organizations shift toward hybrid and cloud-based environments.”
  • An ISACA expert discusses how to define a security incident.
    • “[W]hat is a good definition of a security incident? In my opinion, I believe the NIST definition from NISTIR 8183A Vol. 3 is an amazing definition for small and medium-sized organizations. It states, “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” The “or potentially” does a lot of heavy lifting here but is still a much better definition than those that allow people to more easily wiggle their way out of filling out a ticket for a potential incident. A common occurrence is cherry-picking more vague definitions that don’t have the built-in safeguards and controls around the definition such as the NIST SP 800-53 Rev. 5 for a non-federal system. 
    • “Besides the fact that leveraging this definition means that occurrences such as false positives and security investigations properly follow the ticketing process instead of being undocumented events, there are other helpful points to this definition. The terms “Confidentiality, Integrity and Availability” being in the definition ensures that incidents such as DDOS attacks are not reported as simply “outages” or “infrastructure changes.” The phrase “Constitutes a violation or imminent threat of violation of” expands the scope of what should be monitored and have alerts in place as well as points more eyes inward on internal incidents, which is a wonderful steppingstone toward zero trust.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop lets us know,
    • “Bipartisan legislation to close a loophole in federal cybersecurity standards by requiring vulnerability disclosure policies for government contractors is getting another shot at passage in this Congress.
    • “The Federal Contractor Cybersecurity Vulnerability Reduction Act, a bicameral, bipartisan bill that stalled out last year in the Senate, was reintroduced Friday [January 31] in the House by Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio. 
    • “The bill, whose 2024 companion in the upper chamber came from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., calls on the Office of Management and Budget and the Defense Department to update federal acquisition policies to require all federal contractors to institute vulnerability disclosure policies (VDPs).
    • “This is a matter of national security,” Mace said in a press release. “Federal contractors handle some of the most sensitive information and critical infrastructure in the country. Without basic vulnerability disclosure policies, we are leaving a gaping hole in our cybersecurity defenses. This bipartisan bill ensures contractors uphold the same cybersecurity standards as federal agencies, reducing risks before they turn into catastrophic breaches.”
  • The Wall Street Journal reports,
    • “Lawmakers announced Thursday they planned to introduce a bill to ban DeepSeek’s chatbot application from government-owned devices, over new security concerns that the app could provide user information to the Chinese government. 
    • “The legislation written by Reps. Darin LaHood, an Illinois Republican, and Josh Gottheimer, a New Jersey Democrat, is echoing a strategy that Congress used to ban Chinese-controlled TikTok from government devices, which marked the beginning of the effort to block the company from operating in the U.S. 
    • “This should be a no-brainer in terms of actions we should take immediately to prevent our enemy from getting information from our government,” Gottheimer said.  
  • SC Media tells us,
    • “A U.S. cybersecurity agency issued a fresh set of guidance for organizations regarding best practices in securing their networks and data storage.
    • “The U.S. Cyber Security and Infrastructure Security Agency (CISA) posted a set of guidelines aimed at helping companies better secure the commonly used devices that sit at the edges of most networks.
    • “This set of guidance, led by international cybersecurity authorities, is intended to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems,” CISA explained.
    • “It’s thought that American organizations will be motivated in the new year to brush up on security and install updates for commonly exploited security vulnerabilities in their edge devices.”

From the cybersecurity vulnerabilities and breaches front,

  • CISA added eleven known exploited vulnerabilities to its catalog this week.
  • Supplemental Information on the additional KEVs.
    • Bleeping Computer provides background on the February 4 additions.
    • This Linux Security article explains the February 5 addition.
    • ACA Global explains the 7-Zip (a file compression tool) addition on February 6.
    • WNE Security explains the Dante Discovery addition also on February 6.
    • Bleeping Computer discusses the Microsoft Outlook addition also on February 6.
    • Hacker News delves into the Trimble Cityworks addition on February 7.
  • Cybersecurity Dive points out,
    • “Microsoft has identified more than 3,000 publicly exposed ASP.NET machine keys that could be used by threat actors in code injection attacks against enterprise servers.
    • “In a blog post Thursday, Microsoft Threat Intelligence said it observed “limited activity” in December, in which a threat actor used a publicly available ASP.NET machine key to inject malicious code and deploy the Godzilla post-exploitation framework. While Microsoft said the threat actor is “unattributed,” the U.S. government previously has tied the Godzilla framework, which creates malicious web shells that can be used as backdoors, to a Chinese state-sponsored threat actor.
    • “In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to perform malicious actions on target servers,” Microsoft said in the blog post.”
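The insecure practice Microsoft describes is developers pasting a `<machineKey>` copied from documentation or a public repository into their own web.config. The defensive check a practitioner wants is an audit that finds explicit machine keys, flags any that match a list of publicly disclosed values, and rotates them to fresh random keys. The script below is an added example, not code from the article or from Microsoft; the web.config, the key values and the blocklist are all constructed placeholders, and a real blocklist would come from Microsoft's published data or from scanning your own repositories.

```python
"""Audit and rotate hard-coded ASP.NET <machineKey> elements in web.config (added example)."""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config. The key values are placeholders invented for this
# example, not real disclosed keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed stand-in for a blocklist of publicly disclosed validation keys.
KNOWN_PUBLIC_VALIDATION_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

# Legacy algorithms ASP.NET still accepts but that should not be used for new keys.
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def extract_machine_key(config_xml):
    """Return the <machineKey> attributes as a dict, or None if the element is absent."""
    root = ET.fromstring(config_xml)
    elem = root.find("./system.web/machineKey")
    return None if elem is None else dict(elem.attrib)


def audit_machine_key(config_xml, blocklist=KNOWN_PUBLIC_VALIDATION_KEYS):
    """Return a list of finding codes for the machineKey in config_xml (empty list = nothing to report).

    Explicit keys are legitimate in a web farm (every node must share them), so
    '*-explicit' is informational; a blocklist hit is the finding that needs action.
    """
    findings = []
    mk = extract_machine_key(config_xml)
    if mk is None:
        return findings  # AutoGenerate is the default: nothing hard-coded to leak
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    if vkey.upper() in blocklist:
        findings.append("validationKey-publicly-disclosed")
    if not vkey.startswith("AutoGenerate"):
        findings.append("validationKey-explicit")
    if not dkey.startswith("AutoGenerate"):
        findings.append("decryptionKey-explicit")
    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append("weak-validation-algorithm")
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append("weak-decryption-algorithm")
    return findings


def generate_machine_key():
    """Generate fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_xml, new_key=None):
    """Return config_xml with its self-closing <machineKey .../> replaced by new_key."""
    new_key = new_key or generate_machine_key()
    attrs = " ".join(f'{k}="{v}"' for k, v in new_key.items())
    rotated, count = re.subn(r"<machineKey\b[^>]*/>", f"<machineKey {attrs} />",
                             config_xml, count=1, flags=re.S)
    if count == 0:
        raise ValueError("no self-closing <machineKey .../> element found")
    return rotated


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG))
    print("after: ", audit_machine_key(rotate_machine_key(SAMPLE_WEB_CONFIG)))
```

Rotating the key invalidates existing ViewState, forms-authentication tickets and anything else signed or encrypted with the old key, so in a web farm the new key has to be deployed to every node at once; the script only rewrites the file, it does not coordinate that rollout.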
  • and
    • “Security researchers warned about a surge in web login brute force attacks against edge devices from a suspected botnet since mid-to-late January, according to a post on X from the Shadowserver Foundation. 
    • “The threat activity targeted devices from several major vendors, including Palo Alto Networks, SonicWall and Ivanti, with more than 2.8 million source IPs per day, according to Shadowserver. The observed threat activity goes well beyond scanning and involves actual login attempts, researchers said.
    • “We do not know who is being targeted in particular, we can only observe attacks against our own honeypots,” Piotr Kijewski, CEO of Shadowserver, said via email.
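With 2.8 million source addresses a day, the activity Shadowserver describes defeats the classic "N failures from one IP" rule: each address may only try once. The added example below, written for this post and not taken from Shadowserver or any vendor, contrasts that per-source rule with a rule that alerts when many distinct sources fail against the same login path inside a short window. The log format, paths and addresses (documentation ranges) are constructed for the example.

```python
"""Per-source vs. distributed login brute-force detection over constructed log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format, e.g.
# 2025-01-28T10:00:00Z src=203.0.113.1 user=admin path=/vpn/login result=fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) path=(?P<path>\S+) result=(?P<result>\w+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_sample_log():
    """Constructed sample, not real telemetry: 40 distinct addresses each failing once
    against /vpn/login within five minutes (distributed), one address hammering
    /admin/login (classic), and one legitimate success."""
    base = datetime(2025, 1, 28, 10, 0, 0)
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=7 * i)).strftime(TS_FMT)
        lines.append(f"{ts} src=203.0.113.{i + 1} user=admin path=/vpn/login result=fail")
    for i in range(12):
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(f"{ts} src=198.51.100.9 user=admin path=/admin/login result=fail")
    lines.append(f"{base.strftime(TS_FMT)} src=192.0.2.10 user=alice path=/vpn/login result=ok")
    return lines


def parse_events(lines):
    """Parse lines into dicts with a datetime 'ts'; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        events.append(e)
    return events


def detect_per_source(events, threshold=10):
    """Classic rule: any single source with at least `threshold` failed logins."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            fails[e["src"]] += 1
    return sorted(src for src, n in fails.items() if n >= threshold)


def detect_distributed(events, window=timedelta(minutes=5), min_sources=25):
    """Botnet-style rule: at least `min_sources` distinct sources failing against the
    same path within any sliding `window`, regardless of how few attempts each makes."""
    by_path = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_path[e["path"]].append((e["ts"], e["src"]))
    alerts = []
    for path, items in by_path.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward past stale events
            distinct = {src for _, src in items[start:end + 1]}
            if len(distinct) >= min_sources:
                alerts.append(path)
                break
    return sorted(alerts)


if __name__ == "__main__":
    evts = parse_events(make_sample_log())
    print("per-source alerts:", detect_per_source(evts))
    print("distributed alerts:", detect_distributed(evts))
```

On the constructed log the per-source rule sees only the single noisy address, while the distributed rule is what catches the 40-source campaign against the VPN login; in production the thresholds would be tuned per endpoint against normal failure rates, and the distinct-source count is the signal to forward to the on-call analyst.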
  • Dark Reading reports,
    • More than two weeks after China’s DeepSeek garnered worldwide attention with its low-cost AI model, threat actors have been busy capitalizing on the news by setting up phishing sites impersonating the company.
    • The fraudulent sites aim to deceive users into downloading malicious software or providing credentials and other sensitive information. Researchers at Israel-based Memcyco spotted at least 16 such sites actively impersonating DeepSeek earlier this week and believe the activity represents a coordinated attack campaign among threat actors.
  • Per SC Media,
    • “Infostealers were identified as the largest group of new macOS malware, having increased by 101% in the last two quarters of 2024, according to the Palo Alto Networks Unit42 research group.
    • “The Unit42 research team pointed to three prevalent macOS infostealers in the wild: Poseidon, Atomic and Cthulhu.
    • “While infostealers are often seen as limited in capability compared with trojans, the researchers said in a Feb. 4 blog post that by exfiltrating sensitive credentials, financial records and intellectual property, infostealers often lead to data breaches, financial losses and reputational damage.
    • “Most infostealers are indiscriminate, aiming to maximize data collection for impact and monetization,” wrote the researchers. “This broad range of information stealing capabilities exposes organizations to significant risks, including data leaks and providing initial access for further attacks, such as ransomware deployment.”

From the ransomware front,

  • Cyberscoop informs us,
    • “Ransomware payments saw a dramatic 35% drop last year compared to 2023, even as the overall frequency of ransomware attacks increased, according to a new report released by blockchain analysis firm Chainalysis.
    • “The considerable decline in extortion payments is somewhat surprising, given that other cybersecurity firms have claimed that 2024 saw the most ransomware activity to date. Chainalysis itself warned in its mid-year report that 2024’s activity was on pace to reach new heights, but attacks in the second half of the year tailed off.
    • “The total amount in payments that Chainalysis tracked in 2024 was $812.55 million, down from 2023’s mark of $1.25 billion.
    • “Despite its small half-over-half (HoH) increase, we expected 2024 to surpass 2023’s totals by the end of the year,” the company wrote on its website. “Fortunately, however, payment activity slowed after July 2024 by approximately 34.9%. This slowdown is similar to the HoH decline in ransom payments since 2021 and the overall decline during H2 2024 in some types of crypto-related crime, such as stolen funds. Notably, the decline this year is more pronounced than in the last three years.”
    • “The disruption of major ransomware groups, such as LockBit and ALPHV/BlackCat, was key to the reduction in ransomware payments. Operations spearheaded by agencies like the United Kingdom’s National Crime Agency (NCA) and the Federal Bureau of Investigation (FBI) caused significant declines in LockBit activity, while ALPHV/BlackCat essentially rug-pulled its affiliates and disappeared after its attack on Change Healthcare.
    • “As the industry has seen in past years, ransomware groups often fill the market after the heads of the pack have been dismantled by law enforcement. However, when LockBit and BlackCat disappeared, a well-known ransomware group did not immediately take the mantle. Instead, smaller groups took advantage of the situation, focusing on small to medium-sized targets and asking for small ransoms, according to Chainalysis’ report. 
    • “Additionally, the company says more organizations have become stronger against attacks, with many choosing not to pay a ransom and instead using better cybersecurity practices and backups to recover from these incidents.”
  • Per Bleeping Computer,
    • “The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
    • “This is a sign of shifting tactics for Kimsuky, according to AhnLab Security Intelligence Center (ASEC), who discovered the campaign.
    • “ASEC says the North Korean hackers now use a diverse set of customized remote access tools instead of relying solely on noisy backdoors like PebbleDash, which is still used.”

From the cybersecurity defenses and business / history front,

  • ISACA has released its 2025 State of Privacy Report.
  • Here’s a link to Dark Reading’s CISO Corner.
  • Cybersecurity Dive relates,
    • “Thoma Bravo-backed cybersecurity firm Sophos completed its acquisition of Secureworks Monday in an all-cash transaction valued at $859 million. 
    • “Sophos said the purchase of Secureworks positions Sophos as the largest pure-play provider of managed detection and response services, with a customer base of 28,000 organizations worldwide.
    • “The agreement also expands Sophos’s threat intelligence capabilities operating under the Sophos X-Ops name, with the addition of the Secureworks Counter Threat Unit and other security operations and advisory services.”
  • and
    • “SolarWinds Corp. has agreed to a $4.4 billion deal with Turn/River Capital whereby the private equity firm buys the software firm in an all-cash transaction at $18.50 per share. 
    • “The observability and IT management software provider will become a privately held company and no longer trade on the New York Stock Exchange. 
    • “We have built a great track record of helping customers accelerate business transformations through simple, powerful, secure solutions designed for hybrid and multicloud environments,” Sudhakar Ramakrishna, president and CEO of SolarWinds said in a statement. 
    • “The Austin, Texas-based firm took center stage in one of the most consequential cyberattack campaigns in history when state-linked hackers infected its Orion platform. The attack, disclosed in late 2020, led to massive reforms in how the industry developed software and attempted to secure IT systems against increasingly sophisticated state actors.”