From the cybersecurity policy and law enforcement front,

• Health ISAC reminds us,
  • “Despite widespread public and private interest in reauthorizing the U.S. Cybersecurity Information Sharing Act of 2015 (“CISA 2015”)[i], we are rapidly approaching September 30th, the date when the Act is set to expire barring congressional action to extend it. With time running short, let’s assess the options still being considered and breakdown how and why reauthorization is going down to the wire.” * * *
  • “The current most likely path for a CISA 2015 reauthorization is not a simple standalone bill that is quickly passed by both chambers. Instead, the most likely path runs through a short term extension as part of a continuing resolution (“CR”) and then through the National Defense Authorization Act (“NDAA”).
  • “For those who are unfamiliar, a CR is a “temporary spending [bill] that [allows] federal government operations to continue when final appropriations have not been approved by Congress and the President. Without final appropriations or a CR, there could be a lapse in funding that results in a government shutdown.”[ii] The NDAA is an annual end of year bill that provides appropriations for the Department of Defense (“DOD”). It is generally considered to be a “must pass” piece of legislation that lawmakers attempt to add otherwise unrelated policy matters.”

• Nextgov/FCW tells us,
  • “Greg Barbaccia, the federal chief information officer, says that the Office of Management and Budget is backing the General Services Administration’s overhaul of FedRAMP, the government’s cloud security assessment and authorization program. 
  • “GSA launched FedRAMP 20x — meant to use more automation in place of annual assessments, cut red tape and speed up authorizations — in March. It announced its phase two pilot on Wednesday.
  • “Barbaccia acknowledged the past problems with FedRAMP at a Wednesday event held by the Alliance for Digital Innovation. 
  • “I have done FedRAMP in my past life,” said Barbaccia, who previously worked at Palantir and more recently at a machine-learning enabled asset manager. “What a pain in the butt.”
  • “The FedRAMP program is planning on pursuing 10 pilot authorizations at the Moderate security level as part of the new phase of FedRAMP 20x, said FedRAMP Director Pete Waterman.”

• Per a Cybersecurity and Infrastructure Security Agency (“CISA”) news release,
  • Today [September 23, 2025], the Cybersecurity and Infrastructure Security Agency (CISA) announced the appointment of Stephen L. Casapulla as the Executive Assistant Director for Infrastructure Security.
  • “I am pleased to have Steve expand his role on CISA’s leadership team,” said Acting Director Madhu Gottumukkala. “With his extensive experience in critical infrastructure security and working with stakeholders, he is perfectly poised to lead our efforts in securing the nation’s critical infrastructure. I look forward to working with him on this important mission.”
  • Prior to joining CISA, Casapulla served as the Director for Critical Infrastructure Cybersecurity in the Office of the National Cyber Director. He previously spent over thirteen years at CISA and its predecessor, holding a variety of senior roles. His prior federal service includes work at the Small Business Administration and at the Department of State in Iraq. He also serves as an officer in the U.S. Navy Reserve, with over twenty years of service and multiple overseas deployments.

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency on Thursday [September 25, 2025,] ordered U.S. government agencies to patch multiple vulnerabilities in Cisco networking products, saying an “advanced threat actor” was using them in a “widespread” campaign.
  • “This activity presents a significant risk to victim networks,” CISA said in an emergency directive that laid out a mandatory timeline for agencies to identify, analyze and patch vulnerable devices.
  • “The hacking campaign — an extension of the sophisticated “ArcaneDoor” operation that Cisco first revealed in April 2024 — has compromised multiple federal agencies, two U.S. officials told Cybersecurity Dive. Both officials requested anonymity to discuss a sensitive and evolving investigation.”

• Cyberscoop adds,
  • “Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.” 
  • “Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.” 
  • “The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action.”

• Dark Reading points out,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) this week disclosed that threat actors breached a federal agency last year by exploiting a critical vulnerability in the open source GeoServer mapping server.
  • “In the advisory, CISA said it conducted incident response at a large, unnamed federal civilian executive branch (FCEB) agency after malicious activity was flagged by the agency’s endpoint detection and response (EDR) platform, but found the agency’s response playbook to be lacking; so lacking in fact that it hampered CISA’s investigation and allowed the attackers to burrow deeper into the network unchecked.

• Cybersecurity Dive adds,
  • “[On September 23, 2025,] the Cybersecurity and Infrastructure Security Agency urged security teams to monitor their systems following a massive supply chain attack that struck the Node Package Manager ecosystem. 
  • “The attack, tracked under the name Shai-Hulud, involved a self-replicating worm that compromised more than 500 software packages, according to StepSecurity. 
  • “After gaining access, a malicious attacker injected malware and scanned the environment for sensitive credentials. The credentials included GitHub Personal Access Tokens and application programming interface keys for various cloud services, including Amazon Web Services, Google Cloud Platform and Microsoft Azure. 
  • “The stolen credentials were uploaded to an endpoint controlled by the attacker and then uploaded to a public repository called Shai-Hulud. 
  • “Researchers at Palo Alto Networks said the attacker used an LLM to write the malicious script, according to an updated blog post released Tuesday.” 

• CISA added one known exploited vulnerability to its catalog this week.
  • September 23, 2025
    • CVE-2025-10585 Google Chromium V8 Type Confusion Vulnerability
      • Cybersecurity News discusses this KVE here.

• Cybersecurity Dive relates,
  • “Hackers are conducting brute force attacks against the MySonicWall.com portal in order to access the company’s cloud backup service for firewalls, SonicWall and federal authorities warned in advisories released Monday [September 22, 2025].
  • “SonicWall said its investigation found that hackers gained access to 5% of backup firewall preference files. The company warned that while credentials inside the files were encrypted, the files contained other information that could help attackers exploit the firewall, according to the advisory.  
  • “SonicWall also released a video explaining the scope of the incident. 
  • “In an advisory on Monday, the Cybersecurity and Infrastructure Security Agency urged customers to log into their accounts to determine whether their devices are at risk.” 

• Cyberscoop reports,
  • “The Secret Service said Tuesday [September 23, 2025] that it disrupted a network of electronic devices in the New York City area that posed imminent telecommunications-based threats to U.S. government officials and potentially the United Nations General Assembly meeting currently underway.
  • “The range of threats included enabling encrypted communications between threat groups and criminals or disabling cell towers and conducting denial-of-service attacks to shut down cell communications in the region. Matt McCool, special agent in charge of the Secret Service’s New York field office, said the agency’s early analysis of the network indicated “cellular communications between foreign actors and individuals that are known to federal law enforcement.”
  • “In all, the agency said it discovered more than 300 servers and 100,000 SIM cards spread across multiple sites within 35 miles of the U.N. meeting. The Secret Service announcement came the same day President Donald Trump was scheduled to deliver a speech to the General Assembly.
  • “The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated,” U.S. Secret Service Director Sean Curran said in a news release.”

• Cyberscoop warns,
  • “Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.
  • “Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who the hackers are behind the malware they’ve dubbed Brickstorm, or how far it stretches. A blog post the company posted Wednesday sheds light on the group.
  • “The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.
  • “By stealing intellectual property from security-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, a kind of vulnerability that is previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.”

• Per Dark Reading,
  • “Salesforce Web forms can be manipulated by the company’s “Agentforce” autonomous agent into exfiltrating customer relationship management (CRM) data — a concerning development as legacy software-as-a-service (SaaS) providers race to integrate agentic AI into their platforms to zhuzh up the user experience and generate buzz among investors.
  • “Agentforce is an agentic AI platform built into the Salesforce ecosystem, which allows users to spin up autonomous agents for most conceivable tasks. As the story often goes though, the autonomous technology appears to be the victim of the complexity of AI prompt training, according to researchers at Noma Security. 
  • “To wit: The researchers have identified a critical vulnerability chain in Agentforce, carrying a 9.4 out of 10 score on the CVSS vulnerability-severity scale. In essence it’s a cross-site scripting (XSS) play for the AI era — an attacker plants a malicious prompt into an online form, and when an agent later processes it, it leaks internal data. In keeping with all of the other prompt injection proofs-of-concept (PoCs) coming out these days, Noma has named its trick “ForcedLeak.”

From the ransomware front,

• Cybersecurity Dive reports,
  • “RTX Corp., the parent firm of Collins Aerospace, confirmed that ransomware was used in the hack of its airline passenger processing software, in a filing with federal regulators. 
  • “The attack, discovered on Sept. 19, has disrupted flights across Europe since last week, including at London’s Heathrow Airport, Brussels Airport, and airports in Berlin and Dublin. 
  • “The Multi-User System Environment software, known as MUSE, is used by multiple airlines to check-in and board passengers and is also used to track baggage, according to the filing with the U.S. Securities and Exchange Commission. 
  • “Virginia-based RTX said the MUSE system operates on a customer-specific network outside of the company’s enterprise network.
  • “U.K. authorities said Wednesday that a man in his 40s had been arrested on suspicion of violating the Computer Misuse Act. The police investigation is ongoing.” 

• Dark Reading points out,
  • “Volvo Group North America (Volvo NA) has been breached via a third-party human resources (HR) software provider.
  • “At the root of the story is Miljödata, a Swedish company specializing in occupational software-as-a-service (SaaS), whose cloud infrastructure was breached in August. Thanks to its centralized, multi-tenant arrangement, hundreds of customers and millions of individuals have been affected. In a recent letter to its staff, Volvo NA, whose parent company is based in Sweden, revealed itself to be one such victim.
  • “Like other Miljödata customers, Volvo NA’s systems were untouched by the attack. Still, its employees’ names and Social Security numbers (SSNs) were stolen, and potentially published to the Dark Web. According to its website, Volvo NA employs just shy of 20,000 people.
  • “For municipalities, universities, and even big corporations like Volvo, this isn’t just a security issue, it’s an integrity issue,” says Anders Askasen, vice president of product marketing at Radiant Logic. “People suddenly wonder whether the systems handling their most sensitive data are fit for the purpose, and with good reason. That loss of confidence is as damaging as the leak itself.”

• Industrial Cyber tells us,
  • “The Rhysida ransomware gang claimed responsibility for a late-August data breach at the Maryland Transit Administration. Exposed data includes names, surnames, dates of birth, driver’s licenses, SSNs, passports, and confidential information.
  • “The group is said to have demanded a ransom of 30 bitcoin, around US $3.4 million at the time of writing, to be paid within seven days. To support its claim, Rhysida posted images of documents allegedly stolen from the MTA, including scans of a Social Security card, driver’s license, passport, and several other records.
  • “Comparitech identified that to prove its claim, Rhysida posted images of what it says are documents stolen from the MTA. They include scans of a Social Security card, driver’s license, passport, and several other documents. 
  • “The Maryland Transit Administration is a division of the state’s Department of Transportation. It operates buses, light rail, subways, commuter trains, taxis, and a paratransit system. The MTA specifically mentioned the paratransit system, MobilityLink, being disrupted by the cyber attack.”

• Per the Record,
  • “Ransomware hackers stole Social Security numbers, financial information and more during a recent cyberattack on Union County in Ohio. 
  • “The county government began sending out breach notifications to 45,487 local residents and county employees this week. The letters say ransomware was detected on the county’s network on May 18, prompting officials to hire cybersecurity experts and notify federal law enforcement agencies.  
  • “The hackers stole documents that had names, Social Security numbers, driver’s license numbers, financial account information, fingerprint data, medical information, passport numbers and more.  
  • “No ransomware gang has taken credit for the attack publicly, and the letters said the county has been monitoring internet sources but have not found any indication the stolen information was released or offered for sale.  
  • “The county has about 71,000 residents and is 45 minutes outside of Columbus — which dealt with its own ransomware attack one year ago.” 

• HIPAA Journal lets us know,
  • “There’s good and bad news on the ransomware front. Attacks are down year-over-year; however, successful attacks are proving even costlier to mitigate, according to the Mid-Year Risk Report from the cyber risk management company Resilience. The company saw a 53% reduction in cyber insurance claims in the first half of the year, which indicates organizations are getting better at preventing attacks; however, when ransomware attacks succeed, they have been causing increased financial harm, with losses 17% year-over-year. While ransomware accounted for just 9.6% of claims in H1, 2025, ransomware attacks accounted for 91% of incurred losses.
  • “On average, a successful ransomware attack causes $1.18 million in damages, up from $1.01 million in 2024, and the cost is even higher in healthcare. Resilience’s healthcare clients suffered average losses of $1.3 million in 2024, and in the first half of 2025, some healthcare providers faced extortion demands as high as $4 million. While it is too early to tell what the severity of claims will be in 2025 until claims are settled, Resilience said there are indications that the average severity of incurred losses for healthcare ransomware attacks this year could be $2 million, up from an average of $705,000 in 2024 and $1.6 million in 2023.”

From the cybersecurity defenses front,

• Cyberscoop advises,
  • “Artificial intelligence is no longer a future concept; it is being integrated into critical infrastructure, enterprise operations and security missions around the world. As we embrace AI’s potential and accelerate its innovation, we must also confront a new reality: the speed of cybersecurity conflict now exceeds human capacity. The timescale for effective threat response has compressed from months or days to mere seconds. 
  • “This acceleration requires removing humans from the tactical security loop. To manage this profound shift responsibly, we must evolve our thinking from abstract debates on “AI safety” to the practical, architectural challenge of “AI security.” The only way to harness the power of probabilistic AI is to ground it with deterministic controls.”

• A Dark Reading commentator recommends that “With the emergence of AI-driven attacks and quantum computing, and the explosion of hyperconnected devices, zero trust remains a core strategy for security operations.”

• Per a CISA news releases,
  • “In today’s increasingly interconnected industrial landscape, operational technology (OT) systems are no longer isolated islands of automation—they’re deeply entwined with information technology and business networks, making them prime targets for cyber threats. Recognizing this growing risk, the Cybersecurity and Infrastructure Security Agency (CISA) collaborated with three U.S. federal agencies and five international partners and received contributions from twelve private sector stakeholders to develop and publish, “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators”.
  • “This key resource helps owners and operators of OT systems create stronger, more secure infrastructures by building a clear inventory and classification of their assets. By identifying, organizing, and managing OT assets effectively, organizations can not only improve cybersecurity but also enhance operational reliability, safety, and resilience.”

• Per National Institute of Standards news releases,
  • “NIST has released Special Publication (SP) 800-88r2 (Revision 2), Guidelines for Media Sanitization.
  • “Media sanitization is a process that renders access to the target data on media infeasible for a given level of effort. This guide will assist organizations and system owners in setting up a media sanitization program with proper and applicable methods and controls for sanitization and disposal based on the sensitivity of their information.”
• and
  • “NIST has released Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. It is the final document in the SP 800-90 series, which supports the generation of high-quality random bits for cryptographic and non-cryptographic use.
  • “SP 800-90C specifies constructions for implementing random bit generators (RBGs) that include deterministic random bit generator (DRBG) mechanisms as specified in SP 800-90A and use entropy sources as specified in SP 800-90B.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• The Wall Street Journal reports,
  • “The collapse on Friday [September 19] of an emergency federal funding bill leaves the fate of cybersecurity legislation that provides legal protection for companies sharing cyber-threat intelligence up in the air.
  • Without a reprieve of the expiring cyber legislation that had been included in the funding bill, companies face uncertainty on how to communicate about cyber threats as competing reauthorization bills work through a divided House and Senate.
  • “Both the private sector and the government need certainty, including the ability to allocate resources for long-term cybersecurity planning and implementation,” said Matthew Eggers, vice president of cybersecurity policy at the U.S. Chamber of Commerce. 
  • The 2015 Cybersecurity Information Sharing Act, or CISA, is set to expire at the end of September. Friday’s scuttled emergency funding measure, which applied to a number of federal programs and sought to avert a government shutdown, would have given lawmakers more time [until November 21] to iron out critical differences between House and Senate versions of CISA renewal bills. * * *
  • “A notable difference in the House bill is the forward-thinking inclusion of artificial intelligence in the renewal,” said Justine Phillips, a partner and co-chair of the data and cyber practice group at law firm Baker McKenzie. Despite these updates, she said, “the House bill is the functional equivalent of extending the act as is, because it leaves the legal liability protections intact.”
  • “The cyber bill’s renewal by the Senate may prove more problematic, cybersecurity experts say.”

• Cyberscoop informs us,
  • “Federal agencies are increasingly incorporating artificial intelligence into the cyber defenses of government networks, and there’s more still to come, acting Federal Chief Information Security Officer Michael Duffy said Thursday.
  • “We’re at an exciting time in the federal government to see that we’re not only putting AI in production, but we’re finding ways to accelerate emerging technology across the government, across all missions and all angles,” Duffy said at FedTalks, produced by Scoop News Group. In his “role overseeing federal cybersecurity policy,” he said, he is “able to see these at the ground level, as agencies bring excitement and enthusiasm and hope for what they can optimize through artificial intelligence.”
  • “Cyber attackers are moving faster than ever, and on a much larger scale than before, he said. They’re also using technology in new ways. But it’s not all “doom and gloom” when it comes to the cybersecurity of federal networks, especially because of feds’ move toward AI, Duffy said.
  • “I’m pleased to say that the advancements that we’ve made over the past decade in the federal government have brought us to this point: Agencies are poised now, postured, positioned, to take advantage of new capabilities, bring them into federal agencies and make them work for the mission,” he said.”

• In related news, Cybersecurity Dive tells us,
  • “The National Institute of Standards and Technology on Thursday [September 18] published guidance describing how implementation of post-quantum cryptography (PQC) both supports and relies on the safeguards in the agency’s major cybersecurity publications.
  • “The draft NIST document, derived from the output of the agency’s PQC migration project, is designed to illustrate the connections between the tools required for adopting quantum-resistant encryption and the security practices that NIST recommends in its Cybersecurity Framework and other guidance.
  • “The capabilities demonstrated in the project support several security objectives and controls identified” in other NIST guidance documents, the agency said in its new publication. “At the same time, responsible implementation of the demonstrated capabilities is dependent on adherence to several security objectives and controls identified in these risk framework documents.”
  • “Collecting information about which technologies use cryptography supports the Cybersecurity Framework practices of creating hardware and software inventories, the document notes. Similarly, analyzing cryptographic weaknesses supports the CSF practice of identifying vulnerabilities in technology assets.”

• A September 19, 2025, NIST news release adds,
  • “To help organizations protect their data against possible future attacks from quantum computers, the National Institute of Standards and Technology (NIST) has released a publication offering guidelines for implementing a class of post-quantum cryptography (PQC) algorithms known as key-encapsulation mechanisms, or KEMs.
  • “A KEM is a set of algorithms that can be used by two parties to securely establish a shared secret key over a public channel — a sort of first handshake between parties that want to exchange confidential information. Recent examples of KEMs include ML-KEM and HQC.
  • The new publication, Recommendations for Key-Encapsulation Mechanisms (NIST Special Publication 800-227), describes the basic definitions, properties and applications of KEMs and provides recommendations for implementing and using KEMs securely.

• Cyberscoop reports,
  • “Two teenagers were arrested in the United Kingdom this week, accused of associating with the sprawling criminal collective known as The Com, and participating in many high-profile and damaging cyberattacks on critical infrastructure globally.
  • “Thalha Jubair, 19 of London, and Owen Flowers, 18 of Walsall, England, were arrested at their residences Tuesday and charged with crimes related to the cyberattack on the Transport for London in September 2024, the U.K.’s National Crime Agency said.
  • “Jubair and Flowers were allegedly highly involved in many other cyberattacks attributed to Scattered Spider, a nebulous offshoot of The Com that commits ransomware and data extortion. The Com is composed of thousands of members, splintered into three primary subsets of interconnected networks that commit swatting, extortion and sextortion of minors, violent crime and various other cybercrimes, according to the FBI.
  • “The Justice Department on Thursday unsealed charges against Jubair, a U.K. national, accusing him of participating in at least 120 cyberattacks as part of Scattered Spider’s sweeping extortion scheme from May 2022 to September 2025, including 47 U.S.-based organizations. Victims of those attacks paid at least $115 million in ransom payments, authorities said.”

From the cybersecurity vulnerabilities and breaches front,

• While CISA did not add any known exploited vulnerabilities to its catalog this week, SC Media lets us know,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 18 issued a malware analysis report on two sets of malicious code from an organization compromised by threat actors exploiting two bugs in the Ivanti Endpoint Manager Mobile (EPMM) tool.
  • “CISA said the malware exploited two CVEs – CVE-2025-4427 and CVE-2025-4428. After exploitation, the malware let the threat actors inject and run arbitrary code on the compromised server.
  • “Lawrence Pingree, technical evangelist at Dispersive Holdings, said malware that’s instrumented to target specific vulnerabilities in centralized endpoint management solutions like these Ivanti tools is incredibly important to defend against.
  • “Isolating and microsegmenting sensitive systems like this is essential. Patching rapidly, ideally with an automated process, is essential in defending against vulnerabilities,” said Pingree.”

• Per Dark Reading,
  • “Security vendor SonicWall suffered a data breach that exposed customer firewall configuration file backups.
  • “On Sept. 17, SonicWall, a vendor best known for its network security appliances, published a knowledge base article disclosing what it described as a “cloud backup file incident.” The company said its security teams recently detected “suspicious activity targeting the cloud backup service for firewalls” and confirmed it to be a security event in the past few days.
  • “Unidentified threat actors accessed backup firewall preference files stored in the cloud representing “fewer than 5% of our firewall install base,” according to SonicWall. Attackers were able to access encrypted credentials as well as firewall configuration files “that could make it easier for attackers to potentially exploit the related firewall.”
  • “We are not presently aware of these files being leaked online by threat actors,” SonicWall said in its disclosure. “This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.”
    
• Per Cyberscoop,
  • “Researchers warned that a maximum-severity vulnerability affecting GoAnywhere MFT bears striking similarities with a widely exploited defect in the same file-transfer service two years ago.
  • “Fortra, the cybersecurity vendor behind the product, disclosed and released a patch for the vulnerability — CVE-2025-10035 — Thursday. The deserialization vulnerability “allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection,” the company said in a security advisory.
  • “File transfer services are a valuable target for attackers because they store a lot of sensitive data. If cybercriminals exploit these services, they can quickly access information from many users at once, making these services especially attractive for large-scale attacks. 
  • “Fortra didn’t provide any evidence of active exploitation and researchers from multiple security firms said they haven’t observed exploitation but expect that to change soon. “We believe that it’s just a matter of time and are monitoring the situation closely,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.
  • “The vulnerability, which has a CVSS rating of 10, is “virtually identical to the description for CVE-2023-0669,” a zero-day vulnerability exploited by Clop, resulting in attacks on more than 100 organizations, and at least five other ransomware groups, Caitlin Condon, vice president of security research at VulnCheck, said in a blog post.”
• and
  • “Apple’s latest operating systems for its most popular devices — iPhones, iPads and Macs — include patches for multiple vulnerabilities, but the company didn’t issue any warnings about active exploitation. 
  • “Apple patched 27 defects with the release of iOS 26 and iPadOS 26 and 77 vulnerabilities with the release of macOS 26, including some bugs that affected software across all three devices. Apple’s new operating systems, which are now numbered for the year of their release, were published Monday as the company prepares to ship new iPhones later this week.
  • “Users that don’t want to upgrade to the latest versions, which adopt a translucent design style Apple dubs “liquid glass,” can patch the most serious vulnerabilities by updating to iOS 18.7 and iPad 18.7 or macOS 15.7. Most Apple devices released in 2019 or earlier are not supported by the latest operating systems.
  • “None of the vulnerabilities Apple disclosed this week appear to be under active attack, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop.”

• Cybersecurity Dive points out,
  • “Most companies worry their networks aren’t safe against cyberattacks powered by artificial intelligence.
  • “Only 31% of IT leaders are at least somewhat confident that they can defend their organizations against AI-powered attacks, according to a Lenovo report published on Thursday.
  • “The report delves into why IT and security leaders are worried about hackers’ use of AI — and why they see their companies’ own use of AI systems as vulnerable.”
• and
  • “The number of healthcare organizations that have lost more than $200,000 to cyberattacks has quadrupled this year compared with the same period in 2024, data security firm Netwrix said in a report published Thursday [September 19].
  • “Nearly half of all healthcare organizations (48%) experienced at least one intrusion between March 2024 and March 2025, the report found.
  • “Healthcare organizations experienced more cyberattack-related losses of at least $500,000 than critical infrastructure firms did, on average: 12% of healthcare organizations, compared with 6% of all organizations.”

From the ransomware front,

• Infosecurity Magazine reports,
  • “Fifteen well-known ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, have announced that they are shutting down their operations.
  • “The collective announcement was posted on Breachforums, where the groups claimed they had achieved their goals of exposing weaknesses in digital infrastructure rather than profiting through extortion.
  • “In their statement, the gangs said they would now shift to “silence,” with some members planning to retire on the money they had accumulated, while others would continue studying and improving the systems people rely on daily.” * * *
  • “Organizations should take these announcements with a pinch of salt,” Nivedita Murthy, senior staff consultant at Black Duck, said.
  • “It could be possible that some of these groups may have decided to step back and enjoy their payday, [but] it does not stop copycat groups from rising up and taking their place.”

• IT Pro discusses the “top ransomware trends for businesses in 2025. A splintering of top groups and changing attitudes toward payments are changing attacker tactics at speed.”

• Morphisec calls attention to “The Top Exploited Vulnerabilities Leading to Ransomware in 2025 — and How to Stay Ahead.” 

From the cybersecurity defenses front,

• The American Hospital Association News reports,
  • “Microsoft Sept. 16 announced it had disrupted a growing phishing service that had targeted at least 20 U.S. health care organizations. The company said it used a court order granted by the U.S. District Court for the Southern District of New York to seize 338 websites associated with RaccoonO365, a cyber threat group known for stealing Microsoft 365 credentials through phishing tactics. RaccoonO365 offers subscription-based phishing kits that allow individuals to steal Microsoft credentials by mimicking official Microsoft communications. The company said the phishing kits use Microsoft branding to create fraudulent emails, attachments and websites. Since July 2024, the kits have stolen at least 5,000 Microsoft credentials from individuals in 94 countries. The group was recently observed offering a new artificial intelligence-powered service in an attempt to scale their operations.
  • “Credentials stolen through RaccoonO365 enabled ransomware attacks against hospitals, posing a direct threat to patient and community safety,” said John Riggi, AHA national advisor for cybersecurity and risk. “This operation also highlights a disturbing trend — cybercriminals’ increased use of ‘initial access brokers’ to steal credentials and AI to accelerate the effectiveness, sophistication and impact of cyberattacks. The need for continued and evolving social engineering training for staff is essential to defend against the latest deception tactics used by hackers.”

• Cybersecurity Dive tells us,
  • “Preemptive cybersecurity solutions will account for about half of all IT security spending by the year 2030, a significant increase from its 5% share in 2024, Gartner said in a report published Thursday.
  • “Preemptive cybersecurity will effectively replace standard detection and response technologies as the preferred defense against malicious hacking, Gartner predicted.
  • “The technology uses artificial intelligence and machine learning to anticipate threats and then neutralize them before they can compromise their targets, according to researchers.”

• Security Week reflects on the fifteen anniversary of the Zero Trust strategy.
  • “The implementation of zero trust is essential for cybersecurity: but after 15 years, we’re still not there. Implementation is like the curate’s egg: good in parts.
  • “Zero Trust turned fifteen years old on September 14, 2025. Its invention was announced with Forrester’s publication of John Kindervag’s paper, No More Chewy Centers: Introducing The Zero Trust Model of Information Security, on that date in 2010 (archived here).
  • “Zero trust recognizes that treating cybersecurity like an M&M (a hard crunchy shell impenetrable to hackers protecting a soft chewy center where staff can work freely and safely) simply doesn’t work. “Information security professionals must eliminate the soft chewy center by making security ubiquitous throughout the network, not just at the perimeter,” wrote Kindervag.
  • “This is the basis of zero trust (or ZT): abandon the old concept of a barrier between two separate networks (one untrusted: the internet; and one trusted: the enterprise). Instead, trust nothing and verify everything, regardless of source or destination. The concept is sound and rapidly gained approval, culminating in EO14028 mandating that federal agencies must move toward a zero trust architecture while private companies should do similar – but never defining how it could be achieved.
  • “There’s the rub. Zero trust is fundamentally a concept where implementation will depend on individual different corporate ecospheres.”

• Dark Reading recommends “Transforming Cyber Frameworks to Take Control of Cyber-Risk.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Nextgov/FCW reports,
  • “A top Cybersecurity and Infrastructure Security Agency official said the agency is prepared to accept any extension Congress authorizes for a fundamental cybersecurity threat intelligence-sharing law, which is set to expire Sept. 30 unless renewed by lawmakers.
  • “We’ll take whatever the Congress decides to authorize us, wherever they see fit within their purview, to authorize and to give us our authorities to be able to use,” Nick Andersen, CISA’s executive assistant director for cybersecurity, told reporters Thursday [September 11] on the sidelines of the Billington Cyber Summit.
  • “The Cybersecurity Information Sharing Act of 2015 lets private sector providers freely transmit cyber threat information to government partners with key liability protections in place, shielding firms from lawsuits and regulatory penalties when sharing threat data with the government.
  • “So at this point, I think my primary concern is if it lapses,” Andersen added. “Give us 30 days for the Congress to do what they need to do. Give us two years. Give us ten years. Give us 50. Whatever you take, we’ll take it. Obviously, we love stability for the organization and stability for our partners to understand how we’re going to protect and exchange information. But really, that’s up to Congress.”

• Cyberscoop tells us,
  • “The Cybersecurity and Infrastructure Agency is delaying finalization of a rule until May of next year that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.
  • “Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.
  • “A CISA official told CyberScoop that the move would give the agency time to consider streamlining and reducing the burden on industry of a previously proposed version of the rule, citing public comments in response to that version, as well as harmonizing the law with other agencies’ cyber regulations.”

• Cybersecurity Dive lets know,
  • “National Cyber Director Sean Cairncross said [on September 9] the Trump administration plans a whole-of-nation approach in order to combat the threat of malicious cyberattacks from the U.S.’s top geopolitical rivals. 
  • “Cairncross delivered the opening keynote at the Billington Cybersecurity Summit, saying the administration will push forward an aggressive new posture to counter the risks presented by authoritarian regimes like China.” * * *
  • “The Billington keynote marks the first major public remarks by Cairncross since he won Senate confirmation to lead the Office of the National Cyber Director in August.” 

• FedScoop informs us,
  • “The U.S. government’s acting chief information security officer outlined his three priorities for federal cyber officials over the next year at a cybersecurity event in Washington on Tuesday [September 9], emphasizing the need for collaboration across the government.  
  • “During a fireside chat at the Billington Cybersecurity Summit, acting cyber chief Michael Duffy said focusing enterprise cyber defense, increasing operational resilience, and securing a modern U.S. government are the areas he’s outlined as priorities for the next year in conversations with the federal cyber leaders on the CISO Council. 
  • “He also previewed an upcoming tabletop exercise the CISO Council will be doing in the next month to address operational resilience.” 

• Cybersecurity Dive points out,
  • “The Cybersecurity and Infrastructure Security Agency said it remains firmly committed to supporting and further enhancing the Common Vulnerabilities and Exposures program, which is a critical program for identifying and mitigating software flaws that can expose computer systems to exploitation. 
  • “Nick Andersen, the new executive assistant director for cybersecurity at CISA, expressed staunch support for the CVE program during a discussion on Thursday at the Billington Cybersecurity Summit in Washington, D.C. 
  • “CISA on Wednesday [September 10] released a road map that outlined its priorities for the CVE program, with the full intention to further develop the program and create a plan for robust funding and wider participation. 
  • Andersen told reporters after the presentation that it’s “exceedingly important” for CISA to be able to grow and expand the program.
  • “The feedback that we’ve gotten consistently is people are looking for somebody to call objective balls and strikes out there,” Andersen said. 

• Per Federal News Network,
  • “The Pentagon will soon issue more details on its much-hyped effort to “blow up” the Risk Management Framework used to accredit software.
  • “Katie Arrington, who is performing the duties of the Defense Department chief information officer, said DoD will unveil the “10 commandments” of the “new RMF” in the next couple of weeks. DoD’s work to revamp how it accredits software has been a top discussion point in federal technology circles in recent months.
  • “It’s the 10 tenants of the new RMF,” Arrington said at the Billington Cyber Summit on Thursday.

• Cyberscoop notes,
  • “The Department of Justice unsealed an indictment against a Ukrainian national alleged to be central to a ransomware campaign affecting hundreds of companies worldwide. 
  • “Volodymyr Viktorovych Tymoshchuk, known online as “deadforz,” “Boba,” “msfv,” and “farnetwork,” is accused of developing and deploying ransomware variants Nefilim, LockerGoga, and MegaCortex, all of which have been used in attacks on prominent organizations in the United States, Europe, and elsewhere since at least 2018.
  • “According to the indictment, filed in the Eastern District of New York, Tymoshchuk and his alleged co-conspirators are believed to have extorted more than 250 companies across the U.S. and hundreds more globally, generating tens of millions of dollars in damages. Victims suffered not just the loss of data and disabling of business operations, but high mitigation and recovery costs. * * *
  • “Additionally, the State Department announced rewards totaling up to $10 million for information leading to the arrest or conviction of Tymoshchuk, with a separate reward of up to $1 million for information on other key leaders of the groups deploying the ransomware variants.”

From the cybersecurity vulnerabilities and breaches front,

• CISA added one known exploited vulnerability to its catalog this week.
  • September 11, 2025
    • CVE-2025-5086 Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
      • Bleeping Computer discusses this KVE here.
        
• Cybersecurity Dive reports,
  • “A sophisticated phishing-as-a-service operation has been targeting Google and Microsoft accounts and can bypass traditional defense mechanisms, including multifactor authentication, researchers at Okta Threat Intelligence warned in a blog post on Thursday, 
  • “The phishing operation, dubbed VoidProxy, uses adversary-in-the-middle techniques to bypass normal authentication flow. 
  • “Researchers first learned of attacks linked to the operation in January, but Dark Web advertisements for VoidProxy appear to have begun as early as August 2024, according to Okta researchers. The attacks are ongoing, and Okta said they have targeted valuable accounts.”  * * *
  • “Google agrees with recommendations in the Okta report that users should adopt passkeys as a strong method to protect against phishing, the spokesperson added.
  • “Microsoft declined to comment, however a spokesperson provided a link with general mitigation guidance.”

• Dark Reading adds,
  • “A recent phishing campaign that used the Salty2FA phishing kit demonstrates how the cybercriminal enterprise continues to evolve to the point where adversarial tools are nearly on par with enterprise-grade software, experts said.
  • “Researchers from Ontinue tracked a campaign using the phishing kit that shows various technical innovations in which cybercriminals are approaching phishing infrastructure “with the same methodical planning that enterprises use for their own systems,” Rhys Downing, an Ontinue threat researcher, wrote in a blog post published Tuesday.”

• CSO tells us,
  • “Attackers are increasingly exploiting generative AI by embedding malicious prompts in macros and exposing hidden data through parsers.
  • “The switch in adversarial tactics — noted in a recent State of File Security study from OPSWAT — calls for enterprises to extend the same type of protection they already apply to software development pipelines into AI environments, according to experts in AI security polled by CSO.
  • “Broadly speaking, this threat vector — ‘malicious prompts embedded in macros’ — is yet another prompt injection method,” Roberto Enea, lead data scientist at cybersecurity services firm Fortra, told CSO. “In this specific case, the injection is done inside document macros or VBA [Visual Basic for Applications] scripts and is aimed at AI systems that analyze files.”
  • “Enea added: “Typically, the end goal is to mislead the AI system into classifying malware as safe.”

• Per InfoSecurity Magazine,
  • “People are often described as one of the biggest security threats to any organization. At first glance, it would be hard to argue with such a sweeping statement.
  • “Whether the result of malice or negligence, the ‘human element’ featured in around 60% of data breaches over the past year, according to Verizon. A recent spate of attacks targeting corporate Salesforce instances highlights the evolving nature of the social engineering threat – and just what’s at stake.
  • “The challenge for CISOs is that insider risk is not just about negligence. Those intent on wrongdoing are usually harder to spot and exact a much heavier toll on their employer. To coincide with International Insider Threat Awareness Month, we take a look at what CISOs can do to push back the tide.”
  • Check it out.

From the ransomware front,

• Here are links to updates on recovery from the ransomware attacks against the State of Nevada and the City of St. Paul, Minnesota.

• Per Security Week,
  • “Ransomware remains the primary digital threat to business. Phishing, often the initial point of failure, further expands into voice triggered transfer fraud.
  • “An analysis of risk based on cyberinsurance claims history provides an accurate overview of the true risk of cybercrime. It doesn’t provide a full global picture of risk since it can only be drawn from known cyberinsurance claims. Resilience is a cyberinsurance provider with a deep knowledge of cybersecurity.
  • “There are three major takeaways from the 2025 Midyear Cyber Risk Report produced by Resilience: vendor-related risk is down but still significant; ransomware remains the main threat; and phishing has leapt to clear prominence as the most common point of failure (aided in scale and sophistication by AI).
  • “The report notes a reduction in vendor-related risk (down from 22% of incurred losses in 2024 to 15% in H1 2025), but stresses that the downstream loss to affected companies remains high. “While incidents dropped in frequency, clients who experienced business interruption from a vendor-related incident had significant losses that rivaled losses from companies directly affected by ransomware.” This is an unseen risk that can only be addressed by continuously monitoring the vendors’ security posture.”

• Per Check Point Research,
  • “First observed on September 5, Yurei is a newly emerged ransomware group that targeted a Sri Lankan food manufacturing company as its first leaked victim. The group follows a double-extortion model: they encrypt the victim’s files and exfiltrate sensitive data and then demand a ransom payment to decrypt and refrain from publishing the stolen information.
  • “Check Point Research (CPR) determined that Yurei’s ransomware is derived with only minor modifications from Prince-Ransomware, an open-source ransomware family written in Go. This highlights how open-source malware significantly lowers the barrier to entry for cybercriminals, enabling even less-skilled threat actors to launch ransomware operations.
  • “Yurei’s ransomware contains a flaw that may allow partial recovery through Shadow Copies, but the group primarily relies on data-theft-based extortion. As they stated on their blog, the fear and implications of data leakage are their main pressure point to get victims to pay the ransom.
  • “Since the first victim was listed on September 5, the number of victims has risen to three so far, pointing to a fast-growing operation.
  • “The investigation revealed hints that the threat actor’s origins may be in Morocco.”

• Per Cyberscoop,
  • “Researchers and authorities are warning that Akira ransomware attacks involving exploits of a year-old vulnerability affecting SonicWall firewalls are on the rise. 
  • “A burst of about 40 attacks linked to CVE-2024-40766 hit SonicWall firewalls between mid-July and early August. Researchers have since observed another wave of ransomware attacks linked to active exploits of the defect, which affects the secure sockets layer (SSL) VPN protocol in multiple versions of SonicWall firewalls, and configuration errors. 
  • “Rapid7 has responded to a “double-digit number of attacks” related to the vulnerability and a series of misconfigurations in victim environments, the company said, expanding on a blog it published earlier this week.
  • “The Australian Cyber Security Centre also issued an advisory Wednesday noting that it, too, is responding to a recent increase in active exploitation of the defect. “We are aware of the Akira ransomware targeting vulnerable Australian organizations through SonicWall SSL VPNs,” the agency said.”

• Per PC World,
  • “It’s a story almost as old as time: malware is wreaking havoc on Android devices again. Usually, Android malware aims to steal sensitive data and passwords in order to gain access to online accounts. Less commonly, it installs ransomware to extort large sums of money from users.
  • “A particularly dangerous malware variant that combines both techniques has now been discovered by security experts at ThreatFabric. Known as RatOn, the Trojan infiltrates an Android phone, accesses data, empties bank accounts, then locks the device to blackmail the owner.” * * *
  • “In the case of RatOn, the Trojan likely lands on Android devices through fake apps. Users are redirected to pages that imitate the Google Play Store, where attackers offer applications disguised as common social media apps like TikTok—except it’s malware.: * * *
  • To protect yourself, you should always check whether an app comes from a trustworthy provider. You should also always activate Google Play Protect in the Google Play Store so that apps are scanned for viruses and malware before they’re installed on your device.

• Bleeping Computer warns,
  • “A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition.
  • “HybridPetya appears inspired by the destructive Petya/NotPetya malware that encrypted computers and prevented Windows from booting in attacks in 2016 and 2017 but did not provide a recovery option.
  • “Researchers at cybersecurity company ESET found a sample of HybridPetya on VirusTotal. They note that this may be a research project, a proof-of-concept, or an early version of a cybercrime tool still under limited testing.

• Cyberscoop adds,
  • “Researchers at New York University have taken credit for creating a piece of malware found by third-party researchers that uses prompt injection to manipulate a large language model into assisting with a ransomware attack.
  • “Last month, researchers at ESET claimed to have discovered the first piece of “AI-powered ransomware” in the wild, flagging code found on VirusTotal. The code, written in Golang and given the moniker “PromptLock,” also included instructions for an open weight version of OpenAI’s ChatGPT to carry out a series of tasks — such as inspecting file systems, exfiltrating data and writing ransom notes.
  • “ESET researchers told CyberScoop at the time that the code appeared to be unfinished or a proof of concept. Other than knowing it was uploaded by a user in the United States, the company had no further information about the malware’s origin. 
  • “Now, researchers at NYU’s Tandon School of Engineering have confirmed that they created the code as part of a project meant to illustrate the potential harms of AI-powered malware.”
  • In a corresponding academic paper, the researchers call the project “Ransomware 3.0” and describe it as a new attack method. This technique “exploits large language models (LLMs) to autonomously plan, adapt, and execute the ransomware attack lifecycle.”

From the cybersecurity business and defenses front,

• Cyberscoop informs us,
  • “Major cyber intrusions by the Chinese hacking groups known as Salt Typhoon and Volt Typhoon have forced the FBI to change its methods of hunting sophisticated threats, a top FBI cyber official said Wednesday.
  • “U.S. officials, allied governments and threat researchers have identified Salt Typhoon as the group behind the massive telecommunications hack revealed last fall but that could have been ongoing for years. Investigators have pointed at Volt Typhoon as a group that has infiltrated critical infrastructure to cause disruptions in the United States if China invades Taiwan and Americans intervene.
  • “Those hacks were stealthier than in the past, and more patient, said Jason Bilnoski, deputy assistant director of the FBI’s cyber division. The Typhoons have focused on persistent access and gotten better at hiding their infiltration by using “living off the land” techniques that involve using legitimate tools within systems to camouflage their efforts, he said. That in turn has complicated FBI efforts to share indicators of compromise (IOCs).
  • “We’re having to now hunt as if they’re already on the network, and we’re hunting in ways we hadn’t before,” he said at the Billington Cybersecurity Summit. “They’re not dropping tools and malware that we used to see, and perhaps there’s not a lot of IOCs that we’d be able to share in certain situations.”

• The Wall Street Journal reports,
  • “Japanese industrial giant Mitsubishi Electric said Tuesday that it intends to acquire U.S. cybersecurity company Nozomi Networks in a deal valued at about $1 billion.
  • “Nozomi will become a wholly owned subsidiary of Mitsubishi Electric under the terms of the deal and operate independently. The transaction value includes $883 million in cash as well as previous equity.
  • “Nozomi raised $100 million in a 2024 Series E funding round that included several heavyweights in operational technology, such as Mitsubishi Electric and Schneider Electric. Previous investors included Honeywell; the U.S. Central Intelligence Agency’s venture arm, In-Q-Tel; and Johnson Controls. 
  • “Nozomi Chief Executive Edgard Capdevielle said the company will continue to provide services to those prior investors and other companies after the acquisition, which is expected to close in the fourth quarter. 
  • “The fact that we’re now a wholly owned subsidiary of Mitsubishi does not change the fact that we will continue to be vendor-agnostic,” he said.”

• Dark Reading adds,
  • “F5, a software company that improves application speed and security, today announced its plans to acquire CalypsoAI, a provider of adaptive artificial intelligence (AI) security capabilities. CalypsoAI’s technology will be integrated into the F5 Application Delivery and Security Platform (ADSP), F5 said.
  • Founded in 2018, CalypsoAI focuses on real-time protection against threats targeting AI applications and models, such as prompt injection and jailbreaking. The platform brings threat defense, red teaming at scale, and data security to businesses preparing to launch or adopt generative and agentic AI. CalypsoAI came in second place at RSAC Conference’s Innovation Sandbox earlier this year as a company that protects models and agents with prompt firewalls.
  • “By integrating CalypsoAI features into ADSP, F5 hopes to build modern firewalls and point solutions that can secure AI models, agents, and data flows. Traditional options “can’t keep up,” said François Locoh-Donou, president and CEO of F5, in a statement.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy front,

• The Wall Street Journal reports,
  • “The clock is ticking on core federal cybersecurity legislation set to expire Sept. 30, as a divided Congress and a looming government shutdown threaten progress on a new bill that seeks to extend provisions encouraging cooperation in fighting hackers. 
  • “The decade-old Cybersecurity Information Sharing Act, or CISA, set the legal framework aimed at protecting companies that voluntarily share cyber threat intelligence with other businesses and the federal government, shielding them from antitrust and liability charges.
  • “Sunsetting the legislation risks weakening cybersecurity defenses, in both business and government, by discouraging information-sharing about hacking tactics and other cyberattacks, cybersecurity experts said.” * * *
  • “On Wednesday [September 3, 2025], the House Homeland Security Committee unanimously approved a revised version of CISA, renaming it the Widespread Information Management for the Welfare of Infrastructure and Government Act, or Wimwag.
  • “The proposed bill, which would extend the legislation until 2035, includes updated language to reflect new hacking tactics, while boosting privacy and liability protections for companies, among other changes.
  • “Democrats had called for an extension of the 2015 law while leaving any changes to be considered after the September deadline. “More improvements will be necessary as the legislative process moves forward,” based on input by cybersecurity experts, Rep. Bennie Thompson (D., Miss.) told the committee.
  • “The bill now moves to the full House for consideration.”

• On Thursday, the federal government’s Spring 2025 semi-annual regulatory and de-regulatory agenda was posted on reginfo.gov. Of note, the Department of Health and Human Services is projecting promulgation of an amended HIPAA Security Rule in May 2026.

• The American Hospital Association News tells us,
  • The Cybersecurity and Infrastructure Security Agency, National Security Agency and international agencies Sept. 3 released joint guidance outlining a “software bill of materials” for organizations to strengthen cybersecurity, reduce risk and decrease costs. An SBOM is a list of all components contained in a software product. 
  • “Whether it’s an application used on a computer or the software that runs a medical device, most software incorporates components to accomplish specific tasks,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “It is critical to understand what components are used in a piece of software because if a flaw is discovered in any, it could make the entire piece of software — and the organization’s network— vulnerable to attack. A good analogy is the ingredients list on food packaging — it tells consumers exactly what additives and preservatives are in their food. Without an SBOM, an organization would have no way to determine that the vulnerable component was present in their systems.” 
  • Gee also highlighted the importance of automated monitoring of SBOMs, as they would alert of any vulnerabilities that would require patching and remediation. 
     
• Federal News Network informs us,
  • “The Cybersecurity and Infrastructure Security Agency has named a new top cyber official. Nick Anderson is now serving as executive assistant director of CISA’s cybersecurity division. Anderson is a Marine Corps veteran who previously led the Energy Department’s top cyber office during the first Trump administration. He most recently was president and chief operating officer of Invictus International Consulting. Anderson also was chief information security officer for Lumen Technologies Public Sector.”

From the cybersecurity vulnerabilities and breaches front,

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • September 2, 2025
    • CVE-2020-24363 TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability
    • CVE-2025-55177 Meta Platforms WhatsApp Incorrect Authorization Vulnerability
      • Security Affairs discusses these KVEs here.
  • September 3, 2025
    • CVE-2023-50224 TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
    • CVE-2025-9377 TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
      • Security Affairs discusses these KVEs here.
  • September 5, 2025
    • CVE-2025-38352 Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability
    • CVE-2025-48543 Android Runtime Unspecified Vulnerability
    • CVE-2025-53690 Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
      • Cybersecurity Dive discusses the Sitecore KVE here.
      • Security Week discusses the other two KVEs here.

• Cybersecurity Dive reports,
  • “In separate disclosures, Cloudflare Inc. and Proofpoint Inc. on Tuesday said they were impacted by the August supply chain attacks linked to Salesloft Drift. 
  • “The disclosures mark the latest in a wave of attacks, where a threat actor used compromised credentials linked to the Salesloft Drift AI chatbot to gain access to the Salesforce instances at hundreds of companies. 
  • ‘Cloudflare said it was notified last week of the incident, in which an outside attacker gained access to the text fields of support cases in its Salesforce instances, according to a blog post released Tuesday.
  • “Despite being part of a much larger supply chain attack, the company took full responsibility for the breach and issued an apology. 
  • “We are responsible for the tools we use in support of our business,” company executives said in the blog post. “For that, we sincerely apologize.”
  • ‘The incidents follow disclosures by Palo Alto Networks and Zscaler of their customer Salesforce environments being impacted by the supply chain attack.” 

• Dark Reading relates,
  • “In a blog post Thursday, SecurityBridge said it discovered an exploit for CVE-2025-42957 and confirmed it has been used in the wild. “While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability,” the blog post said. “That means attackers already know how to use it – leaving unpatched SAP systems exposed.”
  • “SecurityBridge added that SAP’s patch for CVE-2025-42957 is “relatively easy” to reverse engineer, and that successful exploitation gives attackers access to the operating system and all data in the targeted SAP system.” * * *
  • “Even though an attacker would need a valid user account to exploit CVE-2025-42957, SecurityBridge said the vulnerability was “especially dangerous.” * * *
  • “SecurityBridge urged customers to immediately apply the patch for CVE-2025-42957, which was released in SAP’s August 2025 security updates. To defend against potential exploitation, the company recommended implementing SAP’s Unified Connectivity framework (UCON) to restrict RFC usage, and to monitor logs for suspicious RFC calls and newly created admin accounts.
  • “The exploitation of CVE-2025-42957 follows attacks in the spring on a critical SAP NetWeaver zero-day flaw tracked as CVE-2025-31324. The vulnerability came under subsequent waves of attacks in the weeks following its initial disclosure in late April.”
• and
  • “A young malware-as-a-service (MaaS) operation has been outed, shortly after the debut of its newest custom remote access Trojans (RATs).
  • “In recent weeks, researchers have been slowly, independently piecing together an emerging cybercrime threat cluster. First, they found a malware loader that had been spread hundreds of times and named it “CastleLoader.” Then, they uncovered the broader MaaS service around it, and called it “CastleBot.” Now, they’ve mapped out the infrastructure propping it all up, and identified new variants of its own Trojan, called “CastleRAT” (aka “NightShadeC2“), which various MaaS customers have distributed to victims via boobytrapped GitHub repositories, the ClickFix tactic, malicious websites advertising fake software, and other methods.”
  • “Plenty of questions still remain though, about the group that Recorded Future’s Insikt Group has labeled “TAG-150.” For instance, how has it managed to spread itself so far while maintaining essentially no visible presence on the Dark Web?”
    
• Bleeping Computer points out “six browser-based attacks all security teams should be ready for in 2025.

From the ransomware front,

• Industrial Cyber informs us,
  • “New data from Comparitech shows that of the 18 confirmed ransomware attacks in August, three hit manufacturers, two targeted healthcare companies, and another two struck the food and beverage sector. Overall, worldwide ransomware attacks rose from 473 in July to 506 in August, a 7% increase and the second consecutive month of growth after a decline from March through June 2025. While government systems remain a steady target, manufacturing recorded the sharpest rise, with attack claims surging 57% from 72 in July to 113 in August. Four of these incidents have been confirmed.
  • “August saw a first-of-a-kind attack on the state of Nevada. While hundreds of U.S. government organizations have suffered ransomware attacks, this is the first-ever statewide attack. The attack was first detected on August 24, 2025, and has left many citizens and state agencies without access to essential services. No hackers have claimed the attack as of yet, but if a ransom isn’t paid, it’s likely the group will come forward in the coming days/weeks.
  • “Comparitech reported that the healthcare and education sectors each recorded one confirmed attack in August, though both reported more unconfirmed attack claims compared with July. These numbers are expected to rise as additional incidents are confirmed in the coming weeks.”

• Here are links to updates on the ransomware attacks on the State of Nevada and Pennsylvania Attorney General’s office noted in last week’s Cybersecurity Saturday.

• BitDefender alerts us,
  • “Ransomware groups continue to evolve their tactics, but few have made as sharp an impact in 2025 as SafePay. Once a lesser-known player, the group has surged into prominence by quietly amassing hundreds of victims across the globe. In June, SafePay topped Bitdefender’s Threat Debrief rankings after claiming 73 victim organizations in a single month, and the group followed up with 42 more victims in July—its second-highest monthly tally to date. 
  • “With more than 270 claimed victims so far this year, SafePay’s discreet operations, rejection of the ransomware-as-a-service (RaaS) model, and rapid-fire victim disclosures signal a significant threat that security researchers and teams should understand.”

• CIO explains why “the latest research into cybercrime and those behind it illustrates why businesses must quickly adapt to the rising tide of high-stakes cyber extortion.”

• SC Media discusses “how AI has changed ransomware negotiations.”

From the cybersecurity defenses and business front,

• Cybersecurity Dive reports,
  • “The cyber insurance market is continuing to stall with organic growth slowing and rates declining, according to a report Wednesday from global insurance firm Swiss Re. 
  • “Increased competition among insurers has led to a third consecutive year of reduced rates, according to the report, as the available supply of cyber coverage has exceeded current demand. The market imbalances have forced insurers to make concessions on premiums, cybersecurity controls and coverage limits. 
  • “The insurance industry has grown increasingly concerned in recent years about systemic loss events and the risk of liability over data privacy. That has led to worries over whether additional premium cuts are sustainable.” 

• Cybersecurity Dive also explains how Tampa General Hospital’s “CIO and CISO teamed up to translate security decisions into dollars and cents.”

• HIPAA Journal notes,
  • “Healthcare organizations are relatively unlikely to have serious cybersecurity vulnerabilities compared to other industry sectors, as they are generally good at prevention; however, when vulnerabilities are identified, healthcare lags other sectors when it comes to remediation. These are the findings from a recent analysis of penetration testing data and a survey of 500 U.S. security leaders by the Pentest-as-a-service (PTaaS) firm Cobalt. The findings are published in its State of Pentesting in Healthcare 2025 report.”

• The Wall Street Journal adds,
  • “A study at UCSD Health found cybersecurity training had little effect on employees’ susceptibility to simulated phishing attacks.
  • “On average, four groups of employees who received training designed by the researchers had only a 1.7% lower failure rate than employees who had no training.
  • “Employees often didn’t engage with training, spending less than a minute on training pages over 75% of the time.”

• Per Cyberscoop,
  • “Israeli cybersecurity company Cato Networks has acquired AI security startup Aim Security in its first ever acquisition, reflecting the broader industry rush to address security challenges posed by artificial intelligence adoption.
  • “The deal combines Cato’s Secure Access Service Edge (SASE) networking platform with Aim’s AI security capabilities, allowing the company to protect customers from threats associated with generative AI tools and applications. Financial terms were not disclosed. 
  • “The acquisition underscores how cybersecurity companies are scrambling to develop solutions for AI-related risks as enterprises rapidly adopt AI tools without fully understanding potential vulnerabilities. Aim’s technology addresses three key areas: securing employee use of public AI applications, protecting private AI systems, and managing security throughout AI development lifecycles.”
• and
  • “Varonis has acquired SlashNext, an AI-driven email security company, for up to $150 million in a move that reflects the rising role of artificial intelligence in both attack and defense.
  • “The acquisition, announced Tuesday, brings together Varonis’ focus on data-centric security and threat detection with SlashNext’s technology for blocking phishing and social engineering attacks across email and collaboration platforms. The companies cited a rapidly evolving threat environment, as cybercriminals increasingly use AI to target victims on channels reaching beyond traditional email, including Slack, Microsoft Teams, WhatsApp, and Zoom.
  • “Founded by Atif Mushtaq, who worked on FireEye’s malware detection systems, SlashNext deploys predictive AI models to identify, remove and block socially engineered threats. Its technology leverages computer vision, natural language processing, and virtual browsers to pinpoint signs of compromise.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• The House Committee on Homeland Security will mark up the CISA 2025 reauthorization bill on Wednesday, September 3, at 10 am ET.

• Per a Congressional news release,
  • “U.S. Senators Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Maggie Hassan (D-NH) requested information from Aflac following a recent cyberattack on their internal data systems.
  • “This comes amid increasing cyberattacks on the health care sector. In 2024, there were over 700 large data breaches that impacted approximately 276 million Americans. These attacks not only threaten Americans’ sensitive health data, but delay lifesaving care to patients.
  • “The recent cybersecurity incident affecting Aflac’s supplemental insurance systems highlights the continuing risk to patients and other stakeholders,” wrote the senators. “While Aflac has stated that it ‘stopped the intrusion within hours,’ additional transparency is needed about whether the intruders accessed private consumer and patient data, how Aflac safeguarded protected health information (PHI) prior to the incident, and steps that the company intends to take going forward.”

• Per a National Institute of Standards and Technology news release,
  • “A revision to NIST’s catalog of security and privacy safeguards [(NIST SP 800-53)] aims to help organizations better manage risks related to software updates and patches. 
  • “The catalog revision is part of NIST’s response to a recent executive order on strengthening the nation’s cybersecurity.
  • “Completed with the help of a real-time commenting system, the revision is available in several different formats, some of which are machine-readable.”

• Dark Reading tells us,
  • “Updated federal agency guidelines for software bills of materials (SBOM) were recently released by the US Cybersecurity and Infrastructure Security Agency (CISA) with rules intended to push for additional transparency among software and component vendors. Experts agree the new rules are a hopeful step forward but worry they overlook some serious issues facing today’s software supply chain. 
  • “Since 2021, when the federal minimum SBOM guidelines initially were released, the idea has been debated in information security circles as a great concept, but just not feasible in the real world. Vendors pushed back, arguing that the regulations are onerous. And in the ensuing years, with federal agencies leading the way, SBOMs have been embraced to varying degrees. The SBOM challenge has been connecting the gorge between the information they provide, and the ability for cyber teams operationalize it. 
  • “CISA recently released its 2025 update to SBOM guidelines for federal agencies, and while experts say they are hopeful things are headed in the right direction, they also acknowledge skepticism across the cybersecurity industry about some aspects of the new guidance.” 

• Per a CISA news release on August 26,
  • “Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the Software Acquisition Guide: Supplier Response Web Tool, a no-cost, interactive resource designed to empower information technology (IT) and industry decision makers, procurement professionals and software suppliers strengthen cybersecurity practices throughout the software procurement lifecycle.
  • “The Web Tool builds on the “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle”, offering a streamlined, digital experience that simplifies how users assess software assurance and supplier risk.
  • “This tool demonstrates CISA’s commitment to offering practical, free solutions for smarter, more secure software procurement,” said CISA Director of Public Affairs, Marci McCarthy. “Transforming the Software Acquisition Guide into an interactive format simplifies integrating cybersecurity into every step of procurement.”

• Per Cyberscoop,
  • “The Treasury Department on Wednesday [August 27] expanded efforts to disrupt the pervasive North Korean technical worker scheme by imposing sanctions on people and organizations serving as facilitators and fronts for the country’s years-long conspiracy effort to defraud businesses and earn money despite international sanctions. 
  • “Vitaly Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology and Korea Sinjin Trading Corp. were all sanctioned by the Treasury Department’s Office of Foreign Assets Control for their alleged roles in the scheme orchestrated by the North Korean government.”

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “Chinese government-backed hackers are targeting critical infrastructure and government computer systems as part of a yearslong campaign that includes the well-known Salt Typhoon activity, the U.S. and 12 other countries said on Wednesday.
  • “The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” the allied governments said in a joint advisory.
  • “The China-linked campaign has penetrated organizations in more than 80 countries, including more than 200 targets in the U.S., an FBI spokesperson told Cybersecurity Dive.
  • The advisory describes the attackers’ techniques, from initial access to data exfiltration; describes an incident in which the hackers tried to decrypt network traffic to collect administrator credentials; suggests strategies for threat hunting; and recommends mitigation activities.
• and
  • “Hackers stole user credentials from Salesforce customers in a widespread campaign earlier this month, according to researchers at Google Threat Intelligence Group, who warned that the thefts could lead to follow-up attacks.
  • “A threat actor that Google tracks as UNC6395 targeted Salesforce instances using compromised OAuth tokens that were associated with the customer engagement vendor Salesloft’s Drift AI chat agent.
  • “Researchers believe the hackers’ primary goal was to harvest credentials, as they stole large amounts of data from numerous Salesforce instances.
  • “Google’s Threat Intelligence Group “is aware of over 700 potentially impacted organizations,” Austin Larsen, a principal threat analyst at the company, told Cybersecurity Dive in a statement. “The threat actor used a Python tool to automate the data theft process for each organization that was targeted.”
  • “The attacks did not involve any vulnerability in the Salesforce platform, according to researchers. After stealing the data, the hackers looked for sensitive credentials, including access keys and passwords for Amazon Web Services as well as access tokens for the Snowflake cloud platform. 
  • “The attacks largely occurred between Aug. 8 and Aug. 18, researchers said. By Aug. 20, Salesloft had begun working with Salesforce to revoke all active access and refresh Drift tokens, according to Google.”

• Bleeping Computer adds,
  • “Consumer credit reporting giant TransUnion warns it suffered a data breach exposing the personal information of over 4.4 million people in the United States, with BleepingComputer learning the data was stolen from its Salesforce account.
  • “TransUnion is one of the three major credit bureaus in the United States, alongside Equifax and Experian. It operates in 30 countries, employs 13,000 staff, and has an annual revenue of $3 billion.”

• Per Security Week,
  • “Multiple phishing campaigns deploying ConnectWise ScreenConnect for remote control demonstrate the sophistication, extent, and danger of AI-supercharged social engineering.
  • “An ongoing ScreenConnect threat example highlights primary aspects of modern cybercriminality: AI-enhanced, scaled, and sophisticated social engineering; use of trust and stealth to deceive security controls; and maximum use of the professionalized crime-as-a-service (CaaS) ecosphere.
  • “Current ScreenConnect campaigns differ in their attack details, but all conform to the basic process: a phishing attack leading to deployment of ScreenConnect to allow remote access and potential control of the victim organization. Researchers have found more than 900 targeted enterprises around the world.”

• CISA added five known exploited vulnerabilities to its catalog this week.
  • August 25, 2025
    • CVE-2024-8069 Citrix Session Recording Deserialization of Untrusted Data Vulnerability
    • CVE-2024-8068 Citrix Session Recording Improper Privilege Management Vulnerability
    • CVE-2025-48384 Git Link Following Vulnerability
      • Cyber Press discusses these KVEs here.
      • Cybersecurity Dive adds more details on the Citrix KVEs here.
      • Bleeping Computer adds more details on the Git Link KVE here.
  • August 26, 2025
    • CVE-2025-7775 Citrix NetScaler Memory Overflow Vulnerability
      • Bleeping Computer discusses this KVE here.
  • August 29, 2025
    • CVE-2025-57819 Sangoma FreePBX Authentication Bypass Vulnerability
      • Bleeping Computer discusses this KVE here.

From the ransomware front,

• Cybersecurity Dive reports,
  • “Federal and state authorities are investigating a ransomware attack that has disrupted key services across the state of Nevada.
  • “The Sunday [August 24] attack interrupted multiple government services, including phone systems and state agency websites. 
  • “The attackers were able to exfiltrate data during the intrusion, but officials still don’t know what they took, Tim Galluzi, Nevada chief information officer and executive director of the Governor’s Technology Office, said during a press conference Wednesday.
  • “The process of analyzing the information to determine exactly what was taken is complex, methodical and time consuming,” Galluzi said, adding that it would be reckless to speculate on the nature of the stolen information.
  • “The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are helping Nevada officials respond to the intrusion. In a statement Wednesday [August 27], CISA said its threat hunters are helping analyze Nevada’s computer networks and mitigate any potential impact from the hack.
    
• Security Week adds on August 29,
  • “Four days after the hackers hit the state’s network, certain state offices have resumed working with the public, some Nevada state’s departments have reverted to pen and paper operations to serve the public, and the Nevada Health Authority has restored some of its operations, including Medicaid and the benefits program.
  • “However, the Access Nevada application portal remains inaccessible, certain phone lines are down, the Child Care & Development Program cannot access case files or certifications, and DMV offices were closed on Wednesday, although its website has been restored.
  • “Emergency services and essential operations have remained available throughout the outage. Additional information can be found on this recovery status page.”

• SpotlightPA reports,
  • “The Pennsylvania Office of Attorney General was the victim of a ransomware attack earlier this month, Spotlight PA has learned.
  • “The attack, first reported by the office on Aug. 11 as a “cyber incident,” has impaired many functions of the agency, as some staff and prosecutors remain unable to access archived emails, files, and internal systems crucial to pursuing cases on behalf of the commonwealth.
  • “The office confirmed the attack to Spotlight PA on Friday [August 29].

• KERA News relates,
  • A cybersecurity breach in Greenville [,Texas] has affected the city’s ability to access police and other records.
  • The city’s servers were attacked by a ransomware group on Aug. 5.
  • “Upon identification, the City immediately implemented protective measures, isolated affected systems where appropriate, contacted law enforcement and engaged a third-party cybersecurity firm to mitigate the event and restore services,” the city said in a news release.
  • Greenville’s emergency 911 service was not affected and remains in operation, however, some phone lines may experience intermittent outages or busy signals, the city said.

• Per Cyberscoop,
  • “A financially motivated threat group operating since 2021 has refined its technical tradecraft, honing its focus on cloud-based systems that allow it to expand ransomware operations beyond the scope of on-premises infrastructure, Microsoft Threat Intelligence said in a report released Wednesday [August 27].
  • “By leveraging cloud-native capabilities, Storm-0501 has exfiltrated large volumes of data with speed, destroying data and backups within victim environments and encrypted systems. “This is in contrast to threat actors who may have relied solely on malware deployed to endpoints,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in an email.
  • “This evolution is about both a technical shift and a change in impact strategy,” DeGrippo said. “Instead of just encrypting files and demanding ransom for decryption, Storm-0501 now exfiltrates sensitive cloud data, destroys backups, and then extorts victims by threatening permanent data loss or exposure.”
  • “Storm-0501 targets opportunistically by searching for unmanaged devices and security gaps in hybrid cloud environments. By exploiting these vulnerabilities, it can evade detection, escalate its access privileges and sometimes move between user accounts. This approach amplifies the impact of its attacks and raises its chance for a payout, according to Microsoft.”
• and
  • “Researchers at cybersecurity firm ESET claim to have identified the first piece of AI-powered ransomware in the wild.
  • “”The malware, called PromptLock, essentially functions as a hard-coded prompt injection attack on a large language model, causing the model to assist in carrying out a ransomware attack.
  • “Written in Golang programming code, the malware sends its requests through Ollama, an open-source API for interfacing with large language models, and a local version of an open-weights model (gpt-oss:20b) from OpenAI to execute tasks.
  • “Those tasks include inspecting local filesystems, exfiltrating files and encrypting data for Windows, Mac and Linux devices using SPECK 128-bit encryption.
  • “According to senior malware researcher Anton Cherepanov, the code was discovered Aug. 25 by ESET on VirusTotal, an online repository for malware analysis. Beyond knowing that it was uploaded somewhere in the U.S., he had no further details on its origins.
  • “Notably, attackers don’t need to deploy the entire gpt-oss-20b model within the compromised network,” he said. ”Instead, they can simply establish a tunnel or proxy from the affected network to a server running Ollama with the model.”
  • “ESET believes the code is likely a proof of concept, noting that functionality for a feature that destroys data appears unfinished. Notably, Cherepanov told CyberScoop that they have yet to see evidence of the malware being deployed by threat actors in ESET telemetry.”

From the cybersecurity defenses front,

• Cyberscoop lets us know,
  • “Chief information security officers are increasingly concerned about the risk of a cyberattack, and a growing number say they have experienced a material loss of data over the past year, according to a report released Tuesday by Proofpoint. 
  • “Two-thirds of CISOs said their organizations have experienced a material loss of sensitive information over the past year, compared with only 46% in the prior year, according to the report. Meanwhile, three-quarters of CISOs fear they are at risk of a material cyberattack over the next 12 months.
  • “The increase reflects not only heightened risk but also a cultural shift among CISOs, according to Proofpoint.
  • “CISOs are becoming more transparent, especially in light of increased regulatory scrutiny and evolving board expectations,” Patrick Joyce, global resident CISO at Proofpoint, told Cybersecurity Dive.
  • “The annual “Voice of the CISO” report is based on a survey of 1,600 CISOs at organizations in 16 countries. The survey took place during the first quarter of 2025, and all respondents worked at organizations with more than 1,000 employees.”

• Dark Reading offers ransomware defense tips here and cloud security tips here.

• The Wall Street Journal reports,
  • “Cybersecurity concierge services offer tailored protection against online threats for high-profile individuals, including monitoring and data scrubbing.
  • “These services, costing from $1,000 to tens of thousands annually, attract those with substantial assets and a significant digital footprint.
  • “Demand is rising, with wealth managers for cyber protection, especially after experiencing breaches.”

• Here is a link to Dark Reading’s CISO corner.

From the cybersecurity policy and law enforcement front,

• Federal News Network tells us,
  • “The House Homeland Security Committee plans to convene in early September to mark up a reauthorization bill for a soon-to-expire cybersecurity law that’s viewed as critical to cyber collaboration across government and industry.
  • “In a statement, House Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.) confirmed the committee will mark up a reauthorization bill for the Cybersecurity Information Sharing Act of 2015 once Congress returns from August recess.
  • “Reauthorizing the Cybersecurity and Information Sharing Act is essential as the deadline nears and as threats evolve,” Garbarino said. “The House Committee on Homeland Security plans to mark up our legislative text for its reauthorization shortly after Congress returns from recess in September. In a 10-year extension, I will preserve the privacy protections in the law, and I aim to provide enhanced clarity to certain pre-existing provisions to better address the evolving threat landscape.”
  • “CISA 2015, as it’s known, expires at the end of September. The law provides liability protections and privacy guardrails to especially encourage private sector organizations to voluntarily share data with each other and government agencies.”

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) has updated its recommendations for the minimum features of a software bill of materials (SBOM), the latest step in the agency’s campaign to encourage transparency in the software market.
  • “The updates and additions included in this document will better position Federal Government agencies and other SBOM consumers to address a range of use cases, understand the generation process, and improve data quality,” CISA said in the new publication, which it released on Thursday [August 21].” * * *
  • “The publication, which is open for public comment through Oct. 3, is aimed primarily at government agencies but is also designed to help other organizations understand what to expect from their vendors’ SBOMs.”
• and
  • “The National Institute of Standards and Technology [NIST] wants public feedback on a plan to develop guidance for how companies can implement various types of artificial intelligence systems in a secure manner. 
  • “NIST on Thursday [August 14] released a concept paper about creating control overlays for securing AI systems based on the agency’s widely used SP 800-53 framework. The overlays are designed to help ensure that companies implement AI in a way that maintains the integrity and confidentiality of the technology and the data it uses in a series of different test cases. 
  • “The agency also created a Slack channel to collect community feedback on the development of the overlays.”

• Per NIST news releases,
  • “NIST SP 800-171, R3, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems, is a set of recommended security requirements for protecting the confidentiality of CUI.
  • “NIST has released a supplementary small business primer to SP 800-171, R3 to help smaller, under-resourced organizations better protect CUI.” * * * 
  • “This is the first part of an effort to begin breaking down components of 800-171, R3 for the small business community. Future resources will expand upon the primer’s content.”
• and
  • “NIST has released the initial public draft (IPD) of Special Publication (SP) 1331, Quick-Start Guide for Using CSF 2.0 to Improve the Management of Emerging Cybersecurity Risks, for public comment. The document highlights the topic of emerging cybersecurity risks and explains how organizations can improve their ability to address such risks through existing practices within the cyber risk discipline in conjunction with the NIST Cybersecurity Framework (CSF) 2.0. The guide also emphasizes the importance of integrating these practices with organizational enterprise risk management (ERM) to proactively address emerging risks before they occur. 
  • “The comment period is open through September 21, 2025, at 11:59 PM. Please send your feedback about this draft publication to csf@nist.gov.”

• Per an HHS news release,
  • “Today [August 18], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York public accounting, business advisory, and management consulting firm, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. BST is a HIPAA business associate and receives financial information that also contains protected health information (PHI) from a HIPAA covered entity.” * * *
  • “The settlement resolves an investigation of BST that OCR initiated after receiving a breach report that BST filed on February 16, 2020. BST reported that on December 7, 2019, BST discovered that part of its network was infected with ransomware, impacting the PHI of its covered entity client. OCR’s investigation determined that BST had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by BST.
  • “Under the terms of the resolution agreement, BST agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $175,000 to OCR.”

• Cybersecurity Dive informs us,
  • “Federal prosecutors on Tuesday [August 19] charged an Oregon man for allegedly running a global botnet-for-hire operation called Rapper Bot that used hacked IoT devices to conduct large-scale distributed denial-of-service (DDoS) attacks.
  • “Authorities charged Ethan Foltz, 22, with one count of aiding and abetting computer intrusions. Police executed a search warrant at Foltz’s house on Aug. 6, shut down the botnet and took control of its infrastructure, according to the U.S. Department of Justice.
  • “Rapper Bot allegedly used between 65,000 and 95,000 infected devices for DDoS attacks that often measured between two and three terabits per second. The largest attack may have exceeded six terabits per second, prosecutors said.
  • “Rapper Bot was “one of the most powerful DDoS botnets to ever exist,” said Michael Heyman, the U.S. attorney in Alaska, where authorities believe the botnet infected at least five devices.”

• Cyberscoop adds,
  • “A 20-year-old Florida man received a 10-year federal prison sentence Wednesday for his role in the notorious Scattered Spider cybercrime organization, marking the first conviction of a member from the group responsible for breaching more than 130 major companies.
  • “Noah Michael Urban, 20, of Palm Coast, Fla., pleaded guilty to conspiracy, wire fraud and aggravated identity theft charges in two separate federal cases spanning Florida and California. A federal judge sentenced Urban to 120 months in prison with three years of supervised release and ordered him to pay $13 million in restitution to victims.
  • “The sentence exceeded federal prosecutors’ recommendation of eight years, reflecting the scope of Urban’s criminal activities that investigators say caused between $9.5 million and $25 million in total losses.”

From the cybersecurity vulnerabilities and breaches front,

• The American Hospital Association News informs us,
  • “The FBI Aug. 20 released an advisory warning of malicious activity by Russian cyber actors targeting end-of-life devices running an unpatched vulnerability in Cisco Smart Install software. The agency said the actors, attributed to the Russian Federal Security Service’s Center 16, have been detected collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors. On some devices, the files were modified to enable unauthorized access to the devices. The vulnerability was initially publicized in 2018.
  • “If you have vulnerable equipment in your network, please pay particular attention to ensuring that it is patched and running as securely as possible,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “It is recommended that hospitals also make this equipment a priority for replacement since it’s no longer supported for updates by Cisco. It is also a good time to review the process for patch management and equipment upgrades, particularly focusing on patching known exploited vulnerabilities. The Cybersecurity Infrastructure and Security Agency maintains a catalog of KEVs.”

• CISA added two known exploited vulnerabilities to that catalog this week.
  • August 18, 2025
    • CVE-2025-54948 Trend Micro Apex One OS Command Injection Vulnerability
      • Cybersecurity News discusses this KVE here.
  • August 21, 2025
    • CVE-2025-43300 Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
      • Cyberscoop discusses this KVE here.

• Cyberscoop adds,
  • “The Chinese state-backed threat group Silk Typhoon has raised the pace of attacks targeting government, technology, legal and professional services in North America since late spring, according to CrowdStrike.
  • “We were calling this jokingly, ‘the summer of Murky Panda,’ because we’ve seen so much activity from them over the last couple of months,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, using the firm’s nomenclature for the cyberespionage group.
  • “CrowdStrike has worked on more than a dozen cases involving Murky Panda during the past few months, including two active incident response cases, Meyers said. The group, which has been active since at least 2023, is “one of the top-tier Chinese threats that we’ve been seeing a lot this summer,” he said.
  • “Murky Panda exemplifies how Chinese attackers are gaining access to victim networks and infrastructure via vulnerabilities, unmanaged devices, the cloud and pivots between cloud services. 
  • “The group’s advanced techniques in cloud environments are evident, as it enables prolonged access and lateral movement to downstream victims by abusing delegated administrative privileges in cloud solution providers, CrowdStrike said in a research report released Thursday. [August 21].
    
• Bleeping Computer reports,
  • “Hackers have stolen the personal information of 1.1 million individuals in a Salesforce data theft attack, which impacted U.S. insurance giant Allianz Life in July.
  • “Allianz Life has nearly 2,000 employees in the United States and is a subsidiary of Allianz SE, which has over 128 million customers worldwide and ranks as the world’s 82nd largest company based on revenue.
  • “As the company disclosed last month, information belonging to the “majority” of its 1.4 million customers was stolen by attackers who gained access to a third-party cloud CRM system on July 16th.” * * *
  • “On Monday, data breach notification service Have I Been Pwned revealed the extent of the incident, reporting that the email addresses, names, genders, dates of birth, phone numbers, and physical addresses of 1.1 million Allianz Life customers were stolen during the breach.
  • “Bleeping Computer has also confirmed with multiple people affected by this breach that their data (including their tax IDs, phone numbers, email addresses, and other information) in the leaked files is accurate.
  • “Many other high-profile companies worldwide were also breached in this campaign, including Google, Adidas, Qantas, Louis Vuitton, Dior, Tiffany & Co., Chanel, and, most recently, human resources giant Workday.”

• Cybersecurity Dive notes,
  • The attack [on WorkDay] follows a string of social-engineering intrusions linked to ShinyHunters, a hacker group associated with an underground cybercrime collective known as The Com. The Com also has ties to the notorious hacker team Scattered Spider, which has targeted companies in multiple industries over the past several months, including retail, insurance and aviation. 
  • ShinyHunters has launched numerous attacks in recent months targeting Salesforce instances, according to researchers at Google. The group targeted one of Google’s own Salesforce instances earlier this month. 
  • Reliaquest recently published evidence of possible collaboration between ShinyHunters and Scattered Spider, including ticket-themed phishing domains and Salesforce credential-harvesting pages. 

• Per Dark Reading,
  • “In this interview from Black Hat USA 2025, Philippe Laulheret, a senior vulnerability researcher at Cisco Talos, discusses his discovery of the “ReVault” vulnerability affecting millions of Dell business laptops. 
  • “Laulheret found that the Control Vault (also called a unified secure hub) — a control board connecting peripherals like fingerprint readers and smart card readers to Dell Latitude and Precision laptops — contained multiple security flaws that allow any user to communicate with the board through undocumented APIs, potentially leading to memory corruption, code execution, extraction of secret keys, and permanent firmware modification.”

• Per Bleeping Computer,
  • “Six major password managers with tens of millions of users are currently vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details.
  • “Threat actors could exploit the security issues when victims visit a malicious page or websites vulnerable to cross-site scripting (XSS) or cache poisoning, where attackers overlay invisible HTML elements over the password manager interface.
  • “While users believe they are interacting with harmless clickable elements, they trigger autofill actions that leak sensitive information.
  • “The flaws were presented during the recent DEF CON 33 hacker conference by independent researcher Marek Tóth. Researchers at cybersecurity company Socket later verified the findings and helped inform impacted vendors and coordinate public disclosure.
  • “The researcher tested his attack on certain versions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce, and found that all their browser-based variants could leak sensitive info under certain scenarios.”
• and
  • “A new infostealer malware targeting Mac devices, called ‘Shamos,’ is targeting Mac devices in ClickFix attacks that impersonate troubleshooting guides and fixes.
  • “The new malware, which is a variant of the Atomic macOS Stealer (AMOS), was developed by the cybercriminal group “COOKIE SPIDER,” and is used to steal data and credentials stored in web browsers, Keychain items, Apple Notes, and cryptocurrency wallets.
  • “CrowdStrike, which detected Shamos, reports that the malware has attempted infections against over three hundred environments worldwide that they monitor since June 2025.”

From the ransomware front,

• Cybersecurity Dive reports on August 20,
  • “The pharmaceutical and biotechnology company Inotiv Inc. is investigating a cyberattack that led to hackers encrypting the firm’s data, it said in a filing on Monday with the U.S. Securities and Exchange Commission. 
  • “The Aug. 8 attack disrupted access to certain data storage and business applications, according to Innotiv. The company said it is working to bring certain systems back online and has moved some operations to offline alternatives in order to maintain business continuity.  
  • The company has restricted access to its systems, retained third-party experts and notified law enforcement, according to its SEC filing.” * * *
  • “The hackers behind the Qilin ransomware have claimed credit for the attack, according to researchers at Huntress and Kroll.”
    
• Bleeping Computer adds on August 22,
  • “Kidney dialysis firm DaVita has confirmed that a ransomware gang that breached its network stole the personal and health information of nearly 2.7 million individuals.
  • “DaVita serves over 265,400 patients across 3,113 outpatient dialysis centers, 2,660 in the United States, and 453 centers in 13 other countries worldwide. The company reported revenues of over $12 billion in 2024 and of $3.3 billion for the second quarter of 2025.
  • “In April, the healthcare provider revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that its operations were disrupted after attackers partially encrypted its network over the weekend.
  • “According to a dedicated website with more information regarding the resulting data breach, the attackers gained access to DaVita’s network on March 24 and were evicted after the company detected the incident on April 12.” * * *
  • “Although the kidney dialysis firm hasn’t linked the attack to a specific ransomware operation, the Interlock ransomware gang claimed responsibility for the breach in late April.
  • “Interlock also leaked the allegedly stolen data on its dark web portal after negotiations with DaVita had failed, claiming it had stolen roughly 1.5 terabytes of data from the company’s compromised systems, or nearly 700,000 files containing what appeared to be sensitive patient records, insurance details, user account information, and financial data.”

• Dark Reading points out that “Researchers highlight how Warlock, a new ransomware heavyweight, uses its sophisticated capabilities to target on-premises SharePoint instances.”

From the cybersecurity business and defenses front,

• Cybersecurity Dive reports,
  • “Enterprise software spending will sustain double-digit growth through 2029, according to Forrester projections. Vendor revenues grew 11% on average during the first quarter of the year, the analyst firm said in a July report.
  • “Infrastructure software spend will lead the charge, increasing 13.3% over the next four years, as enterprises stock up on cloud services, security tools and AI capabilities. The market for application software, a category that includes IT operations management, enterprise resource planning, and supply chain tools, will see slower growth of 9.5%, the firm said.
  • “Database management services will help shore up software market growth, as enterprises lay the groundwork for generative AI and agentic automation tools. The firm previously estimated off-the-shelf AI governance software spend to more than quadruple from 2024 to 2030, nearing $16 billion and capturing 7% of the software market.”
• and
  • “Many business leaders still aren’t following cybersecurity best practices to protect their organizations from costly intrusions, according to a report that the consulting giant Unisys published on Tuesday [August 21].
  • “Only 62% of organizations have or are setting up a zero-trust network architecture, only 61% are prioritizing post-incident recovery and only 45% deploy or plan to deploy managed detection and response software.
  • “Only 42% of organizations said they use or plan to use digital identity and access management services, which are considered essential for stopping attacks that exploit legitimate credentials.”

• Dark Reading informs us,
  • “Cyber insurers are testing out new ways to hold policyholders accountable for outdated security, limiting payouts when policyholders fall prey to attacks that use older vulnerabilities or take advantage of holes in the organizations’ defenses.
  • “Potential risk-limiting approaches include a sliding scale of accountability — and payouts — based on an unpatched vulnerability’s half-life, or whether a company failed to fix a critical vulnerability within a certain number of days, according to a blog post penned by cyber insurer Coalition, which does not support such approaches. Dubbed CVE exclusions, after the Common Vulnerabilities and Exposures (CVE) system widely used to assign identifiers to software security issues, the tactic is not yet widely adopted, and most examples are from insurers outside the US, the firm stated.
  • The limits could start showing up in companies’ policies, however, if demand for cyber insurance continues to grow, creating a seller’s market, says John Coletti, head of cyber underwriting at Coalition
  • “While we will not name names, there are specific examples of this occurring within the industry,” he says. “A company should be highly skeptical of buying a policy with a CVE exclusion.”
    
• Info-Security Magazine relates,
  • “The US National Institute of Standards and Technology (NIST) has published new guidelines it claims will help organizations optimize their efforts to detect face morphing software.
  • “Face morphing is a type of deepfake technology that enables threat actors to blend the photos of two people into a single image. In doing so, it simplifies identity fraud by tricking face recognition systems into erroneously identifying an image as belonging to both original individuals.
  • “In this way, individual A can assume the identity of individual B and vice versa, NIST said.
  • “The new report, Face Analysis Technology Evaluation (FATE) MORPH 4B: Considerations for Implementing Morph Detection in Operations (NISTIR 8584), offers an introduction to the topic and key detection methods.
  • “It focuses mainly on the pros and cons of various investigatory techniques, and ways to prevent morphs from entering operational systems in locations such as passport application offices and border crossings.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive tells us,
  • “The Trump administration should slash cybersecurity regulations and double down on winning the trust of the private sector, the U.S. tech industry’s largest trade group said in a paper published Tuesday [August 12, 2025].
  • “In a report laying out recommendations for the White House’s Office of the National Cyber Director — now helmed by newly confirmed Trump appointee Sean Cairncross — the Information Technology Industry Council said the government should focus on “results-driven action.”
  • “There is a need to prioritize impactful security outcomes, slash red tape, rethink legacy network architectures, invest in secure modern systems, and strengthen trusted partnerships between the public and private sectors,” ITI said.
  • “Achieving results, the group argued, “means empowering defenders with what they need to win: efficiency, appropriate resourcing, and the freedom to focus on real threats, not on navigating a web of regulatory regimes.”

• Cyberscoop observes,
  • “Two executive orders President Donald Trump has signed in recent months could prove to have a more dramatic impact on cybersecurity than first thought, for better or for worse.
  • Overall, some of Trump’s executive orders have been more about sending a message than spurring lasting change, as there are limits to their powers. Specifically, some of the provisions of the two executive orders with cyber ramifications — one from March on state and local preparedness generally, and one from June explicitly on cybersecurity — are more puzzling to cyber experts than anything else, while others preserve policies of the prior administration which Trump has criticized in harsh terms. Yet others might fall short of the orders’ intentions, in practice.
  • But amid the flurry of personnel changes, budget cuts and other executive branch activity in the first half of 2025 under Trump, the full scope of the two cyber-related executive orders might have been somewhat overlooked. And the effects of some of those orders could soon begin coming to fruition as key top Trump cyber officials assume their posts.

• Federal News Network reports,
  • “The Cybersecurity and Infrastructure Security Agency has rolled out new guidance to help deal with what some cyber experts say is a rising concern: a lack of visibility into threats to operational technology.
  • CISA on Wednesday [August 13, 2025] published “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators.” CISA developed the guidance in conjunction with other agencies, including the Environmental Protection Agency, the National Security Agency, the FBI and several international partners.
  • The guidance focuses on operational technology, which refers to hardware and software that monitor and control physical processes in industrial settings.
  • “OT systems are essential to the daily lives of all Americans and to national security,” Acting CISA Director Madhu Gottumukkala said in a press release. “They power everything from water systems and energy grids to manufacturing and transportation networks. As cyber threats continue to evolve, CISA through this guidance provides deeper visibility into OT assets as a critical first step in reducing risk and ensuring operational resilience.”

• Federal News Network also interviews Steve Shirley, Executive director, National Defense Information Sharing and Analysis Center, and J.R. Williamson, “Vice president and chief information security officer, Leidos, about the evolution of zero trust. “Federal agencies are learning that implementing Zero Trust means more than deploying new tools. It requires rethinking how users, devices and data interact across every layer of the enterprise.”

• The American Hospital Association News informs us,
  • “The Department of Justice Aug. 11 announced a series of actions taken against the BlackSuit ransomware group, also known as “Royal,” including the disruption of four servers and nine domains July 24. BlackSuit attacks have targeted health care and other critical infrastructure sectors, DOJ said. 
  • “There is no doubt that the private sector also contributed information to facilitate this disruption, once again highlighting the value of public private operational engagement,” said John Riggi, AHA national advisor for cybersecurity and risk. “The BlackSuit/Royal ransomware group is directly responsible for multiple disruptive attacks against hospitals and health systems, posing a direct risk to patient and community safety. We hope these aggressive law enforcement operations continue at a pace that will meaningfully degrade foreign cyber adversaries’ abilities to harm the American public.”  

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft on Tuesday [August 12, 2025,] updated their mitigation guidance for a high-severity flaw in Exchange Server.
  • The flaw, tracked as CVE-2025-53786, could allow an attacker with administrative privileges for on-premises versions of Exchange to escalate privileges by exploiting vulnerable hybrid joined configurations, Microsoft and CISA said last week. 
  • In an update on Tuesday, CISA said it still saw no evidence of hackers exploiting the flaw, but it urged organizations to review Microsoft’s updated guidance on identifying Exchange Servers on a network and running the Microsoft Exchange Health Checker.
  • “In its updated security bulletin, Microsoft said an attacker could potentially escalate privileges from an on-premises server to a connected cloud environment without leaving an “easily detectable and auditable trace.” 

• Bloomberg Law reports,
  • “Russian government hackers lurked in the records system of the US courts for years and stole sensitive documents that judges had ordered sealed from public view, according to two people familiar with the matter and a report seen by Bloomberg News.
  • “The attackers had access to what was supposed to be protected information for multiple years, the report on the breach shows. They gained access by exploiting stolen user credentials and a cybersecurity vulnerability in an outdated server used by the federal judiciary, according to the report, which says the hackers specifically searched for sealed records. 
  • “The report, which was reviewed in part by Bloomberg, doesn’t identify the attackers. But investigators found evidence that they were a Russian state-sponsored hacking group, according to the people, who spoke on condition that they not be named because they were not authorized to discuss the matter.
  • “It’s unclear exactly when the hackers first penetrated the system and when the courts became aware of the breach. Last fall, the judiciary hired a cybersecurity firm to help address it, said one of the people.” * * *
  • “The intrusion was previously reported by Politico, while the New York Times earlier reported that Russia was at least in part behind the cyberattack.
  • “The hackers targeted sealed documents in espionage and other sensitive cases, including ones involving fraud, money laundering and agents of foreign governments, Bloomberg Law reported on Tuesday [August 12, 2025]. Such records often include sensitive information that, in the wrong hands, could be used to compromise criminal and national security investigations, or to identify people who provide information to law enforcement.”

• Per Cybersecurity Dive,
  • “Xerox has issued a security upgrade for critical and high-severity vulnerabilities in its FreeFlow Core product that researchers said could have allowed an attacker to remotely execute code.”
• and
  • Virtually all companies have experienced some type of intrusion due to vulnerable code, application security firm Checkmarx said in a report released Thursday [August 14, 2025.
  • Nearly eight in 10 firms reported experiencing such breaches in 2023, but that figure climbed more than 90% last year and reached 98% this year.
  • At the same time, eight in 10 companies said they sometimes or often released software with code they knew was vulnerable, up from two-thirds in 2024. “This isn’t oversight,” Checkmarx said. “It’s strategy.”

• CISA added five known exploited vulnerabilities to its catalog this week.
  • August 12, 2025
    • CVE-2013-3893 Microsoft Internet Explorer Resource Management Errors Vulnerability
    • CVE-2007-0671 Microsoft Office Excel Remote Code Execution Vulnerability
    • CVE-2025-8088 RARLAB WinRAR Path Traversal Vulnerability
      • Security Affairs discusses these KVEs here.
  • August 13, 2025
    • CVE-2025-8875 N-able N-central Insecure Deserialization Vulnerability
    • CVE-2025-8876 N-able N-central Command Injection Vulnerability
      • Dark Reading discusses these KVEs here.
        
• Per Bleeping Computer,
  • “Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking.
  • “These weaker login channels are vulnerable to adversary-in-the-middle phishing attacks that employ tools like Evilginx, enabling attackers to snatch valid session cookies and hijack the accounts.
  • “Although the attack doesn’t prove a vulnerability in FIDO itself, it shows that the system can be bypassed, which is a crucial weakness.
  • “This is especially worrying considering the increased adoption of FIDO-based authentication in critical environments, a consequence of the technology being touted as extremely phishing-resistant.”
• and
  • “Cisco is warning about a critical remote code execution (RCE) vulnerability in the RADIUS subsystem of its Secure Firewall Management Center (FMC) software.
  • “Cisco FCM is a management platform for the vendor’s Secure Firewall products, which provides a centralized web or SSH-based interface to allow administrators to configure, monitor, and update Cisco firewalls.
  • ‘RADIUS in FMC is an optional external authentication method that permits connecting to a Remote Authentication Dial-In User Service server instead of local accounts.”

From the ransomware front,

• Halcyon informs us,
  • “Black Hat 2025 had plenty of shiny new toys and buzzword-heavy sessions, but the real story was hiding in plain sight. No ransomware track. No packed panel on the threat that has cost organizations billions and taken down some of the most secure environments on the planet. The only time it truly took center stage was when Mikko Hyppönen made it impossible to ignore. 
  • “For those paying attention, three truths stood out. Agentic AI will accelerate ransomware campaigns to speeds that will overwhelm unprepared defenders. Ransomware is the next stage in the evolution of malware, and it will only become more capable. Modern security stacks, no matter how mature or expensive, are still being bypassed with troubling ease.” 

• Bleeping Computer adds,
  • Ransomware and infostealer threats are evolving faster than most organizations can adapt. While security teams have invested heavily in ransomware resilience, particularly through backup and recovery systems, Picus Security’s Blue Report 2025 shows that today’s most damaging attacks aren’t always about encryption.
  • Instead, both ransomware operators and infostealer campaigns often focus on credential theft, data exfiltration, and lateral movement, leveraging old-school stealth and persistence to achieve their objectives with minimal disruption.
  • The evolving adversary tactics are clearly visible when comparing the findings from the Blue Report 2025, based on over 160 million real-world attack simulations, and the Red Report 2025, which analyzes the latest trends in malware, threat actors, and exploitation techniques.
  • The overlap between the two reports reveals a clear and concerning signal: defenders are falling behind on detecting the very tactics that adversaries now favor the most.

• InfoSecurity Magazine reports,
  • “An ongoing data extortion campaign targeting Salesforce customers could soon turn its attention to financial services firms, security experts have warned.
  • “The notorious ShinyHunters group has been blamed for a series of data breaches impacting big names in the fashion (LVMH, Chanel, Pandora, Adidas) and aviation (Qantas, Air France-KLM) sectors. These victims are typically targeted with vishing for logins to their Salesforce accounts and are sometimes also tricked into downloading a malicious app for similar purposes.”

• Per Dark Reading,
  • “An emerging ransomware actor is using sophisticated techniques in the style of an advanced persistent threat group (APT) to target organizations with customized ransom demands, posing a significant risk to businesses.
  • “Charon is a new ransomware family (named for the ferryman from Greek mythology who carried souls across the River Styx to Hades); Trend Micro observed it being deployed in a targeted attack in the Middle East’s public sector and aviation industry — the first such record of Charon observed in the wild, according to new research from the firm.
  • “The ransomware leverages techniques such as DLL sideloading, process injection, and anti-EDR capabilities, which are typically the hallmark of advanced threat actors and — in this case — reminiscent of campaigns by the group Earth Baxia, according to a Trend Micro blog post published today.
  • “The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload,” Trend Micro threat researchers wrote in the post.”
• and
  • “Researchers spotted a new Crypto24 ransomware campaign that they say marks a “dangerous evolution” in the threat landscape.
  • “According to Trend Micro researchers, recent attacks by Crypto24 actors display a combination of advanced evasion techniques and custom tools that can disable EDR solutions — including Trend Micro’s own Vision One platform. Crypto24 was first spotted in 2024 but hadn’t made much of impact until recently, when it became the latest ransomware gang to bypass EDR platforms and security solutions.
  • Trend Micro’s report, published Thursday, details how Crypto24 has demonstrated a high level of skill that sets it apart from other ransomware gangs. For example, researchers noted how “Crypto24 actors deftly deploy a broad range of tools that include legitimate programs like PSExec and AnyDesk for remote access and lateral movement, as well as Google Drive for data exfiltration.
  • “More importantly, Crypto24’s successful deployment of a customized RealBlindingEDR (an open source tool for disabling security solutions) variant that neutralized our security controls shows their capability to maneuver around modern defenses,” the report said. “The threat actor’s customized version employs advanced evasion, likely via unknown vulnerable drivers, showcasing deep technical expertise and ongoing tool refinement.”

From the cybersecurity business and defenses front,

• Cyberscoop names its Cyberscoop 50 award winners for 2025.
  • “The CyberScoop 50 Awards recognize those who have been honored for their work in protecting vital networks, information and critical infrastructure. Through their hard work, ingenuity, and creativity, they aim to fend off hackers, stay ahead of adversaries and protect American networks.”

• HelpNet Security lets us know,
  • “Security leaders are rethinking their approach to cybersecurity as digital supply chains expand and generative AI becomes embedded in critical systems. A recent survey of 225 security leaders conducted by Emerald Research found that 68% are concerned about the risks posed by third-party software and components. While most say they are meeting regulatory requirements, 60% admit attackers are evolving too fast to maintain resilience.” * * *
  • “Penetration testing is no longer treated as a box to check. It has become a core element of enterprise security programs. Eighty-eight percent of security leaders now consider it vital. Over half say they use pentests to validate their own software. More than half also require third-party pentests before releasing software to customers.
  • “The survey found that 49% plan to use pentesting to identify software supply chain vulnerabilities, and 44% intend to use it to uncover insider threats. The practice is being integrated across the development life cycle and procurement workflows.
  • “Generative AI is emerging as a new and unpredictable risk. Sixty-six percent of respondents say GenAI helps attackers analyze data and evade defenses. More than half worry that AI can automate the entire attack lifecycle, and 62% are concerned that AI development tools may introduce hidden vulnerabilities into codebases.”

• Dark Reading discusses cybersecurity budgeting here and here.

• Following the Blackhat Conference, Dark Reading’s CISO Corner is back.

From the cybersecurity policy and law enforcement front,

• NextGov/FCW tells us,
  • “The Senate confirmed Sean Cairncross to serve as national cyber director in a 59-35 vote on Saturday night [August 2], making him the first Senate-approved cybersecurity official of President Donald Trump’s second term.
  • “Cairncross is a former Republican National Committee official and was CEO of the Millennium Challenge Corporation agency during Trump’s first term. As national cyber director, he will be tasked with overseeing an office first stood up under the Biden administration, which serves as the key White House cyber policy interlocutor across federal agencies and Capitol Hill.” 

• Cyberscoop adds,
  • “Sean Cairncross took his post this week as national cyber director at what many agree is a “pivotal” time for the office, giving him a chance to shape its future role in the bureaucracy, tackle difficult policy issues, shore up industry relations and take on key threats.
  • “The former White House official, Republican National Committee leader and head of a federal foreign aid agency became just the third Senate-confirmed national cyber director at an office (ONCD) that’s only four years old. He’s the first person President Donald Trump has assigned to the position after the legislation establishing it became law at the end of his first term.”

• Cybersecurity Dive informs us,
  • “The Cybersecurity and Infrastructure Security Agency [CISA] has continued its work to protect federal networks and support critical infrastructure providers despite massive job cuts and resource constraints, two senior CISA officials said during the Black Hat USA cybersecurity conference here Thursday.
  • “We are not retreating, we’re advancing in a new direction,” CISA CIO Robert Costello said during a panel discussion.
  • “Chris Butera, the acting head of CISA’s Cybersecurity Division, added that, while the agency “did lose people” to the Trump administration’s downsizing program — roughly a third of its employees — CISA still has “a very talented workforce.” He cited the agency’s around-the-clock response to major vulnerabilities in Microsoft SharePoint as an example of CISA’s continued capacity.”
• and
  • “The U.S. government is still pushing agencies to adopt zero-trust network designs, continuing a project that gained steam during the Biden administration, a senior cybersecurity policy official said on Wednesday.
  • “It must continue to move forward,” Michael Duffy, the acting federal chief information security officer, said during a panel at the Black Hat cybersecurity conference. “That architectural side of it is very important for us to get right as we integrate new technologies [like] artificial intelligence into the ways we operate.”
  • “Zero-trust networking emphasizes the concept of throwing up hurdles to hackers who penetrate a computer system, limiting the damage they can do by sealing off parts of the network and requiring strict user authentication.”

• Per Dark Reading,
  • “As the Department of Defense (DoD) continues to make deeper strides in implementing its Cybersecurity Maturity Model Certification (currently CMMC 2.0), we find ourselves at the cusp of what feels like its next iteration, CMMC 3.0, marking the next evolution in its efforts to strengthen cybersecurity across the defense industrial base (DIB). While the updated framework builds on the structure of CMMC 2.0, this new update would include clearer expectations and stricter enforcement, particularly for organizations handling controlled unclassified information (CUI). The DoD’s message is clear: Reducing risk and enhancing resilience are now mission-critical for any company supporting national defense.”

• Cybersecurity Dive adds,
  • “The Chinese government has such vast hacking resources that it’s targeting tiny companies in the U.S. defense industrial base that never imagined they would end up on Beijing’s radar, a National Security Agency official said here Wednesday.
  • “China’s hacking resources outnumber those of the U.S. and [its] allies combined, and China has stolen more corporate data from the United States than any other nation in the world,” Bailey Bickley, chief of DIB defense at the NSA’s Cybersecurity Collaboration Center, said during a session at the Black Hat USA cybersecurity conference.
  • “Although best known for its intelligence-collection role, the NSA is also responsible for helping defense contractors safeguard their systems. Recently, the agency has been doing that through free security services — including classified information sharing and a protective DNS offering — from the Cybersecurity Collaboration Center.
  • “When we engage with small companies” in the defense industrial base, “they often think that what they do is not important enough to be targeted” by China, Bickley said. “But when you have the significant resources like that to conduct mass scanning and mass exploitation, there is no company and no target too small.”
• and
  • “The Defense Advanced Research Projects Agency on Friday [August 8] unveiled the winners of a competition to spur the development of artificial intelligence tools designed to autonomously find and fix software vulnerabilities.
  • “Team Atlanta, Trail of Bits and Theori claimed the top three spots in DARPA’s AI Cyber Challenge, agency officials said at the DEF CON cybersecurity conference here. They will receive prizes of $4 million, $3 million and $1.5 million, respectively.
  • “All seven finalist teams will open source their AI tools so that the entire world can use them. Four of the tools debuted on Friday, while the remaining three will be released in the next few weeks.’

• Cyberscoop reports,
  • “BlackSuit’s technical infrastructure was seized in a globally coordinated takedown operation last month that authorities touted as a significant blow in the fight against cybercrime. The ransomware group’s leak site has displayed a seizure notice since July 24.
  • “The takedown followed a long investigation, which allowed authorities to confiscate “considerable amounts of data,” and identify 184 victims, German officials said in a news release last week. The group’s total extortion demands surpassed $500 million by August 2024, with demands typically in the range of $1 million to $10 million, the Cybersecurity and Infrastructure Security Agency said in an advisory last year. 
  • “U.S. authorities were heavily involved in the operation, but have yet to share details about the investigation or its results. BlackSuit’s extortion site was seized by the Department of Homeland Security’s Homeland Security Investigation department, a unit of U.S. Immigration and Customs Enforcement. 
  • “A spokesperson for ICE told CyberScoop the Justice Department has been waiting for court documents to be unsealed before releasing any information about the law enforcement action dubbed “Operation Checkmate.” The FBI, Secret Service, Europol and cyber authorities from the United Kingdom, Germany, France, Ireland, Ukraine, Lithuania and Romania-based cybersecurity firm Bitdefender were also involved in the operation.” 

• Dark Reading relates,
  • “Two senior executives and founders of the Samourai Wallet cryptocurrency mixer have pleaded guilty to charges involving washing more than $200 million for cybercriminals and other nefarious types.
  • “CEO Keonne Rodriguez and chief technology officer William Lonergan Hill admitted to operating a money-transmitting business that handled criminal proceeds. They have pleaded guilty to conspiracy and face a maximum sentence of five years in prison in addition to the fine.
  • “The US Department of Justice first arrested Rodriguez and Hill in April of last year on two counts of conspiracy: operating an unlicensed money-transmitting business and money laundering, the latter of which carries a maximum sentence of 20 years.”

From the cybersecurity breaches and vulnerabilities front,

• FedScoop reports,
  • “The U.S. judiciary announced plans to increase security for sensitive information on its case management system following what it described as “recent escalated cyberattacks of a sophisticated and persistent nature.”
  • “In a Thursday [August 7] statement, the federal judiciary said it’s “taking additional steps to strengthen protections for” that information. It also said it’s “further enhancing security of the system and to block future attacks, and it is prioritizing working with courts to mitigate the impact on litigants.”
  • “The statement from the third branch comes one day after a Politico report revealed that its case filing system had recently been breached. That report cited unnamed sources who were concerned that the identities of confidential court informants may have been compromised.”

• Cyberscoop tells us,
  • “Federal cyber authorities issued an alert Wednesday evening about a high-severity vulnerability affecting on-premises Microsoft Exchange servers shortly after a researcher presented findings of the defect at Black Hat. 
  • “Microsoft also issued an advisory about the vulnerability — CVE-2025-53786 — and said it’s not aware of exploitation in the wild. 
  • “While the public disclosure and advisories about the defect came late in the day amid one of the largest cybersecurity conferences, Tom Gallagher, VP of engineering at Microsoft Security Response Center, told CyberScoop the timing was coordinated for release following Mollema’s presentation.
  • “Gallagher stressed that exploitation requires an attacker to achieve administrative access to an on-premises Exchange server in a hybrid environment.” 
• and
  • “SonicWall warned customers to disable encryption services on Gen 7 firewalls in the wake of an active attack spree targeting a yet-to-be identified vulnerability affecting a critical firewall service. Attacks have increased notably since Friday, the company said in a blog post.
  • “Threat hunters and incident responders from Arctic Wolf, Google and Huntress have observed a wave of ransomware attacks beginning as early as July 15. Mounting evidence points to a zero-day vulnerability affecting the secure sockets layer (SSL) VPN protocol as the initial attack vector.
  • “A financially motivated threat actor is actively compromising victim environments and deploying Akira ransomware,” Charles Carmakal, CTO at Mandiant Consulting, said in a LinkedIn post Tuesday. “The speed and scale of the compromises suggests a potential zero-day vulnerability in SonicWall Gen 7 firewalls.”
  • “SonicWall said an ongoing investigation has yet to determine if the attacks involve a previously disclosed vulnerability or a zero-day. “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.”

• Per Bleeping Computer,
  • “Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform.
  • “Apex One is an endpoint security platform designed to automatically detect and respond to threats, including malicious tools, malware, and vulnerabilities.
  • “This critical security flaw (tracked as CVE-2025-54948 and CVE-2025-54987 depending on the CPU architecture) is due to a command injection weakness in the Apex One Management Console (on-premise) that enables pre-authenticated attackers to execute arbitrary code remotely on systems running unpatched software.
  • “Trend Micro has yet to issue security updates to patch this actively exploited vulnerability, but it has released a mitigation tool that provides short-term mitigation against exploitation attempts.”
• and
  • “A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.
  • “The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker.
  • “When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” reads the WinRAR 7.13 changelog.”
    
• CISA added three known exploited vulnerabilities to its catalog this week.
  • August 5, 2025
    • “CVE-2020-25078 D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability
    • “CVE-2020-25079 D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability
    • “CVE-2022-40799 D-Link DNR-322L Download of Code Without Integrity Check Vulnerability”
      • The Hacker News discusses these KVEs.

• Per SC Media,
  • “Dormant service accounts with privileges were found in more than 70% of enterprise environments according to new research released by BeyondTrust on Aug. 4 at BlackHat in Las Vegas.
  • “The researchers also reported that overly permissive Entra Service Principals create direct pathways to Global Admin privileges, exposing entire Microsoft 365 environments to potential takeover.
  • “According to BeyondTrust, credentials reused across multiple service accounts by human administrators can also let a single compromised password hack numerous non-human accounts.”
  • “Our data shows that many organizations lack the complete story when it comes to their identity attack surface,” said Marc Maiffret, chief technology officer at BeyondTrust. “For many, overlooked hygiene issues silently open the door to attackers. And with the rise of Agentic AI, the stakes have never been higher, especially as most organizations lack visibility into how compromised accounts can be leveraged to seize control of application secrets, which often carry elevated privileges.”

• Security Week points out,
  • “Five vulnerabilities in the ControlVault3 firmware and the associated Windows APIs expose millions of Dell laptops to persistent implants and Windows login bypasses via physical access, Cisco Talos reports.
  • “The issues, tracked as CVE-2025-24311, CVE-2025-25215, CVE-2025-24922, CVE-2025-25050, and CVE-2025-24919, were initially disclosed on June 13, when Dell announced that patches for them were rolled out for over 100 Dell Pro, Latitude, and Precision models.
  • “The affected component, ControlVault3 (and the ControlVault3+ iteration), is a hardware-based system meant to securely store passwords, biometric information, and security codes.”

From the ransomware front,

• Bleeping Computer reports,
  • “Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide.
  • “Security researchers at Palo Alto Networks’ Unit 42 have discovered a 4L4MD4R ransomware variant, based on open-source Mauri870 code, while analyzing incidents involving this SharePoint exploit chain (dubbed “ToolShell”).
  • “The ransomware was detected on July 27 after discovering a malware loader that downloads and executes the ransomware from theinnovationfactory[.]it (145.239.97[.]206).
  • “The loader was spotted following a failed exploitation attempt that revealed malicious PowerShell commands designed to disable security monitoring on the targeted device.
  • “Analysis of the 4L4MD4R payload revealed that it is UPX-packed and written in GoLang. Upon execution, the sample decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it,” Unit 42 said.”
• and
  • “A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of ‘EDRKillShifter,’ developed by RansomHub, has been observed in attacks by eight different ransomware gangs.
  • “Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected. 
  • “According to Sophos security researchers, the new tool, which wasn’t given a specific name, is used by RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.”

• CISA issued an Analysis report about Exploitation of SharePoint Vulnerabilities on August 6.

• InfoSecurity Magazine explains how ransomware actors have expanded tactics beyond encryption and exfiltration.

• Halcyon warns us,
  • “Ransomware remains one of the most destructive and expensive threats facing organizations today. With average ransom demands hitting $3.5M, victims are forced into high-stakes decisions under intense pressure: pay up or risk catastrophic disruption. 
  • “Nearly half of all targeted organizations end up paying, even after negotiations. The impact doesn’t end with encryption: recovery takes weeks, services stall, regulators circle, and trust erodes. Ransomware isn’t just a cybersecurity problem; it’s a full-blown operational crisis.  
  • “The Halcyon team of ransomware experts has put together this extortion group power rankings guide as a quick reference for the extortion threat landscape based on data from throughout Q2-2025, which can be reviewed along with earlier reports here: Power Rankings: Ransomware Malicious Quartile.”

• MSPP Alert adds,
  • “Ransomware doesn’t play fair—and now, neither are the defenders. Sophos and Halcyon are teaming up with a direct integration that goes far beyond traditional intel feeds or industry sharing forums. This partnership isn’t about exchanging threat data after the fact. It’s about coordinating active defenses in real time, within live customer environments.
  • “What makes this different? According to Simon Reed, Chief Research and Scientific Officer at Sophos, it’s not just another “threat feed” dropped into a dashboard. “Sophos and Halcyon’s approach to threat intelligence sharing shifts the status quo from out-of-context threat intelligence (which is still hugely useful as an industry standard approach) to sharing coordinated, real-time defense that meets attackers head-on,” he told MSSP Alert.
  • “Instead of piecing together siloed signals, both companies are now synchronizing responses against a common adversary.”

From the cybersecurity business and reporting front,

• Dark Reading reports,
  • “It was a memorable Black Hat 2025 USA for the founders of Prime Security, the winners of this year’s Startup Spotlight competition.
  • “The Startup Spotlight Competition is a pitch competition for cybersecurity startup companies to present their products and solutions in front of a live audience at Black Hat. In the first phase of the competition, startups of all stripes submitted a pitch describing the company and the products and solutions. A panel of judges reviewed submissions for the competition, looking for companies that fit the bill of “most innovative emerging companies in cybersecurity,” before narrowing down to four: FireTail, Keep Aware, Prime Security, and Twine Security. 
  • “Representatives from each of the four companies pitched their companies and products for the final time to a panel of judges at the Black Hat USA conference in Las Vegas, in a Shark Tank-style competition. While the judges deliberated on the winner, the audience also voted on their favorite. Prime Security won both the judges’ votes as well as the audience’s.”

• Here is a link to Dark Reading’s round up of Black Hat conference news.

• Also per Dark Reading,
  • “Investing in building a human-centric defense involves a combination of adaptive security awareness training, a vigilant and skeptical culture, and the deployment of layered technical controls.”
• and
  • “Data Dump from APT Actor Yields Clues to Attacker Capabilities. The tranche of information includes data on recent campaigns, attack tools, compromised credentials, and command files used by a threat actor believed to be acting on behalf of China or North Korea.”

Door prize from the artificial intelligence front

• Per Security Week,
  • “Red Teams Jailbreak GPT-5 With Ease, Warn It’s ‘Nearly Unusable’ for Enterprise
  • “Researchers demonstrate how multi-turn “storytelling” attacks bypass prompt-level filters, exposing systemic weaknesses in GPT-5’s defenses.”

From the cybersecurity policy and law enforcement front,

• Security Week tells us,
  • “Members of the Senate Homeland Security and Governmental Affairs Committee voted 9-6 [on July 31, 2025] to recommend Sean Plankey ’s nomination for director of the Cybersecurity and Infrastructure Security Agency, known as CISA, which sits under the Department of Homeland Security.”
    
• Federal News Network informs us that a “new CISA guide helps agencies with next steps on zero trust.”

• The American Hospital Association News points out,
  • “The FBI, Cybersecurity and Infrastructure Security Agency and international agencies July 29 released a joint advisory on recent tactics by the Scattered Spider cybercriminal group. The group, observed by federal agencies since November 2023, has members based in the U.S. and U.K. The group has targeted large companies and their IT help desks. Scattered Spider threat actors typically engage in data theft for extortion and also use ransomware variants once in a system to steal information, along with other tactics.  
  • “Scattered Spider often employs tactics like phishing, push bombing and subscriber identity module swap attacks to get credentials, bypass multifactor authentication and gain access to networks,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “They have also impersonated company help desks to trick users into divulging credentials. These tactics serve as a reminder of the importance of training to recognize and stop these social engineering attacks. The fact that they are native English speakers can make their social engineering attacks more effective. There have been several arrests of group members recently, but their attacks persist, and their tactics are evolving to evade detection. They are currently targeting Snowflake data storage solutions and stealing customer information.”  

• Cyberscoop reports,
  • “Federal analysts are still sizing up what the Chinese hackers known as Volt Typhoon, who penetrated U.S. critical infrastructure to maintain access within those networks, might have intended by setting up shop there, a Cybersecurity and Infrastructure Security Agency official said Thursday.
  • “We still don’t actually know what the result of that is going to be,” said Steve Casapulla, acting chief strategy officer at CISA. “They are in those systems. They are in those systems on the island of Guam, as has been talked about publicly. So what [are] the resulting impacts going to be from a threat perspective? That’s the stuff we’re looking really hard at.”
  • “Casapulla made his remarks at a Washington, D.C. event hosted by Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.”
  • FEHBlog observation: Ruh roh! 

• The National Institute of Standards and Technology announced,
  • “In December 2024, NIST’s Crypto Publication Review Board initiated a review of the following Special Publications (SP):
    • “NIST SP 800-56Ar3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography (2018)
    • “NIST SP 800-56Br2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography (2019)
    • “NIST SP 800-56Cr2, Recommendation for Key-Derivation Methods in Key-Establishment Schemes (2020)
  • “In response, NIST received public comments.
  • “NIST proposes to:
    • “update SP 800-56Ar3
    • “reaffirm SP 800-56Br2
    • “revise SP 800-56Cr2
  • “Submit comments on this decision by September 15, 2025, to cryptopubreviewboard@nist.gov with “Comments on SP 800-56 Decision Proposal” in the subject line. Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date.

• Per Cybersecurity Dive,
  • “The Department of Justice on Thursday announced a $9.8 million settlement with Illumina over allegations that the company sold genomic-sequencing systems with software vulnerabilities to federal agencies for multiple years.
  • “Between 2016 and 2023, the government said, the company sold the systems without having an adequate security program and knowingly failed to incorporate cybersecurity into its product design process.
  • “According to prosecutors’ complaint, Illumina is the dominant company in the global market, with a share of roughly 80%.
  • “Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” Assistant Attorney General Brett Shumate of the DOJ’s Civil Division said in a statement.”

From the cybersecurity vulnerabilities and breaches front,

• Cyberscoop reports,
  • “Social engineering — an expanding variety of methods that attackers use to trick professionals to gain access to their organizations’ core data and systems — is now the top intrusion point globally, attracting an array of financially motivated and nation-state backed threat groups. 
  • “More than one-third (36%) of the incident response cases Palo Alto Networks’ Unit 42 worked on during the past year began with a social engineering tactic, the company said this week in its global incident response report. 
  • “Threat groups of assorted motivations and origins are fueling the rise of social engineering. Cybercrime collectives such as Scattered Spider and nation-state operatives, including North Korean technical specialists that have infiltrated the employee ranks at top global companies, have adopted social engineering as the primary hook into IT infrastructure and sensitive data.” 
• and
  • “The average cost of a data breach for U.S. companies jumped 9% to an all-time high of $10.22 million in 2025, as the global average cost fell 9% to $4.44 million, IBM said in its 20th annual Cost of a Data Breach Report Wednesday [July 30].
  • While shorter investigations are pushing down costs globally, reflecting the first decline in five years, IBM found higher regulatory fines, along with detection and escalation costs, are driving up the ultimate recovery price in the United States. 
  • “This widening gap helps explain why U.S. organizations continue to face the highest breach costs globally, further compounded by more organizations in the U.S. reporting paying steeper regulatory fines,” Troy Bettencourt, global partner and head of IBM X-Force, said in an email.
  • “The report underscores that organizations face an uneven burden in the wake of data breaches, even as detection and containment times improve. On average, it took organizations 241 days to identify and contain a breach through the one-year period ending in February — a nine-year low, according to IBM.”

• Cybersecurity Dive adds,
  • “A coalition of information-sharing groups urged their members on Wednesday [July 30] to take additional steps to mitigate potential attacks by the cybercrime gang Scattered Spider, which has spent recent months attacking the insurance, retail and airline industries. 
  • “Threat actors such as Scattered Spider are constantly innovating, so organizations must be diligent in continually monitoring their processes and identities to look for new exploits,” the group of information sharing and analysis centers (ISACs) — representing the financial services, food and agriculture, information technology, healthcare, aviation, automotive, retail, maritime and electricity sectors — said in a joint advisory.
  • Their warning came one day after the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that Scattered Spider had developed an evolving set of tactics to conduct social-engineering attacks on its targets.
  • The ISACs said they expect the group to continue to find new ways to evade existing security measures.

• Bleeping Computer points out,
  • “Researchers have found that in roughly 80% of cases, spikes in malicious activity like network reconnaissance, targeted scanning, and brute-forcing attempts targeting edge networking devices are a precursor to the disclosure of new security vulnerabilities (CVEs) within six weeks.
  • “This has been discovered by threat monitoring firm GreyNoise, which reports these occurrences are not random, but are rather characterized by repeatable and statistically significant patterns.
  • “GreyNoise bases this on data from its ‘Global Observation Grid’ (GOG) collected since September 2024, applying objective statistical thresholds to avoid results-skewing cherry-picking.
  • “After removing noisy, ambiguous, and low-quality data, the firm ended up with 216 events that qualified as spike events, tied to eight enterprise edge vendors.
  • “Across all 216 spike events we studied, 50 percent were followed by a new CVE within three weeks, and 80 percent within six weeks,” explain the researchers.”

• CISA added three known exploited vulnerabilities to its catalog this week.
  • July 28, 2025
    • CVE-2025-20281 Cisco Identity Services Engine Injection Vulnerability
    • CVE-2025-20337 Cisco Identity Services Engine Injection Vulnerability
      • Bleeping Computer discusses the Cisco vulnerabilities.
    • CVE-2023-2533 PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability
      • Bleeping Computer discusses the PaperCut KVE.

From the ransomware front,

• HIPAA Journal tells us,
  • “A new report from the cybersecurity firm Semperis suggests ransomware attacks have decreased year-over-year, albeit only slightly. The ransomware risk report indicates healthcare is still a major target for ransomware gangs, with 77% of healthcare organizations targeted with ransomware in the past 12 months. 53% of those attacks were successful.
  • “The report is based on a Censuswide survey of 1,500 IT and security professionals across multiple sectors. While attacks are down slightly, 60% of attacked healthcare organizations report suffering multiple attacks. In 30% of cases, they were attacked more than once in the same month, 35% were attacked in the same week, 14% were attacked multiple times on the same day, and 12% faced simultaneous attacks.
  • “A general trend in recent years, as reported by several firms, is fewer victims of ransomware attacks paying ransoms, although across all industry sectors in the U.S., 81% attacked companies paid the ransom, an increase from last year. Ransom payment was far less common in healthcare. According to Semperis, 53% of healthcare victims paid a ransom to either prevent the publication of stolen data, obtain decryption keys, or both. The ransom paid was less than $500,000 for 55% of companies, 39% paid between $500,000 and $1 million, and 5% paid more than $1 million.”

• Cybersecurity Dive adds,
  • “Manufacturing, information technology and healthcare are top targets of cybercriminals, but ransomware attacks on the oil and gas industry increased dramatically between April 2024 and April 2025, spiking 935%, according to a new report from cybersecurity firm Zscaler.
  • “Oil and gas companies may be facing more attacks because their industrial control systems are increasingly automated and digitized, “expanding the sector’s attack surface,” Zscaler said.
  • “Half of all ransomware attacks listed on leak sites during the April-to-April survey period targeted the United States, and attacks on U.S. targets more than doubled, to 3,671, a figure that exceeds the combined number of ransomware events on the 14 other countries in the top 15 list.”

• Cybersecurity Dive further reports,
  • “A recent wave of ransomware attacks targeting SonicWall firewall devices may be related to a zero-day vulnerability in the products, according to researchers.
  • “Anomalous firewall activity that began on July 15 and involved VPN access through SonicWall SSL VPNs morphed into intrusions the following week, researchers at Arctic Wolf said.
  • “This appears to be affecting SonicOS devices from what we’ve seen so far,” Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, told Cybersecurity Dive. “Our investigation is still preliminary, so I’m not able to offer much more detail yet.”
  • “Hackers deployed the Akira ransomware variant in hands-on-keyboard attacks after compromising SonicWall SSL VPNs, according to the researchers.”
• and
  • “Researchers from Palo Alto Networks say they are investigating a ransomware attack related to the recently disclosed ToolShell vulnerabilities in Microsoft SharePoint. 
  • “The hackers left the victim a ransom note on Sunday [July 27] claiming they had encrypted files using the 4L4MD4R ransomware. The note warned that any attempt to decrypt the files would result in their deletion.
  • The hackers used PowerShell commands to disable real-time monitoring in Windows Defender, according to Palo Alto Networks researchers. The intruders also bypassed certificate validation.
  • Researchers from Palo Alto Networks say they are investigating a ransomware attack related to the recently disclosed ToolShell vulnerabilities in Microsoft SharePoint. 
  • The hackers left the victim a ransom note on Sunday claiming they had encrypted files using the 4L4MD4R ransomware. The note warned that any attempt to decrypt the files would result in their deletion.
  • The hackers used PowerShell commands to disable real-time monitoring in Windows Defender, according to Palo Alto Networks researchers. The intruders also bypassed certificate validation.
• and
  • “Several major ransomware-as-a-service groups have stopped posting victims to popular leak sites, suggesting that the ecosystem is more dispersed than it used to be, according to a new report from Check Point Software Technologies.
  • “At the same time, many smaller groups that used to affiliate with larger players “are operating independently or seeking new partnerships,” Check Point said in its Thursday report.
  • “Established players are actively competing to recruit these ‘orphaned’ affiliates,” according to the report, which cited competition between prominent groups Qilin and DragonForce for affiliates of the now-defunct RansomHub.”

• Per Bleeping Computer,
  • “A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances.
  • “In June, Google’s Threat Intelligence Group (GTIG) warned that threat actors tracked as UNC6040 were targeting Salesforce customers in social engineering attacks.
  • “In these attacks, the threat actors impersonated IT support staff in phone calls to targeted employees, attempting to persuade them into visiting Salesforce’s connected app setup page. On this page, they were told to enter a “connection code”, which linked a malicious version of Salesforce’s Data Loader OAuth app to the target’s Salesforce environment.”

• SC Media tells us,
  • “Epsilon Red ransomware is being spread via a unique ClickFix lure that convinces victims to download and execute HTML Application files.
  • “The campaign impersonates widely used online services such as Twitch, Kick, Rumble, OnlyFans and the popular Discord Captcha Bot, CloudSEK reported recently.
  • “Like other sites using the ClickFix social-engineering method, these impersonation sites display a fake CAPTCHA prompt, but rather than having the victim copy and paste malicious commands, this version directs them to go to a different page to complete “extra verification steps.”
  • “These extra steps include pressing CTRL + S to save a file, renaming the file to verify.hta, opening the file with Microsoft HTML Application Host (mshta.exe), clicking “YES” if a popup appears and then entering a decoy “verification code” on the original CAPTCHA page. This last step is designed to trick the user into believing they have completed a legitimate verification process.”

• Per InfoSecurity Magazine,
  • “A new ransomware operator called Chaos has launched a wave of intrusions impacting a wide range of sectors, Cisco Talos has reported.
  • “Victims have been predominantly based in the US, with some in the UK, New Zealand India, according to the actor’s data leak site.
  • “Targeting appears to be opportunistic and does not focus on any specific verticals. However, Chaos is focused on “big-game hunting” and uses double-extortion tactics.
  • “In one incident observed by Cisco, the group adopted a novel negotiation strategy, offering an extra ‘reward’ for making payment to the attackers, or additional ‘punishment’ for resisting demands, including the threat of a distributed denial-of-service (DDoS) attack.
  • “The Chaos ransomware actor is a recent and concerning addition to the evolving threat landscape, having shown minimal historical activity before the current wave of intrusions,” the researchers wrote in a blog dated July 24.”

• Per Trend,
  • “Gunra ransomware’s Linux variant broadens the group’s attack surface, showing the new group’s intent to expand beyond its original scope. 
  • “The Linux variant shows notable features including running up to 100 encryption threads in parallel and supporting partial encryption. It also allows attackers to control how much of each file gets encrypted and allows for the option to keep RSA-encrypted keys in separate keystore files.
  • “Since its first observed activity in April 2025, Gunra ransomware has victimized enterprises from Brazil, Japan, Canada, Turkiye, South Korea, Taiwan, and the United States. Its victims include organizations from the manufacturing, healthcare, IT and agriculture sectors, as well as companies in law and consulting.” 

From the cybersecurity business and defenses front,

• Cyberscoop reports,
  • “Palo Alto Networks has agreed to acquire identity security firm CyberArk for approximately $25 billion, marking the cybersecurity giant’s largest acquisition and its formal entry into the identity security market as the industry continues consolidating amid rising cyber threats.
  • “The transaction ranks among the largest technology acquisitions this year and underscores the market’s focus on identity security in an era of increasing artificial intelligence adoption.
  • “CyberArk, founded over two decades ago, specializes in privileged access management technology that helps organizations control and monitor access to critical systems and accounts. The company’s customers include major corporations such as Carnival Corp., Panasonic, and Aflac. Its technology addresses what security experts consider one of the most vulnerable aspects of enterprise security: managing privileged credentials for both human users and machine identities.
  • “The acquisition comes as cybersecurity companies face pressure to offer comprehensive solutions rather than point products, with customers seeking to streamline their vendor relationships following high-profile breaches. Recent cyberattacks, including Microsoft’s SharePoint vulnerabilities that affected over 100 organizations including U.S. government agencies, have heightened focus on identity protection and privileged access management.”

• ISACA discusses “Defending Against Human-Operated Ransomware Attacks.”

• Per a CISA news release,
  • “Today, the Cybersecurity and Infrastructure Security Agency (CISA) released an Eviction Strategies Tool, a no-cost resource designed to support cyber defenders in their efforts to respond to cyber incidents. CISA contracted with MITRE to develop this tool that enables cyber defenders to create tailored response plans and adversary eviction strategies within minutes. They will also be able to develop customized playbooks aimed at containing and evicting adversaries from compromised systems and networks.
  • “The tool includes COUN7ER, a database of atomic post-compromise countermeasures mapped to adversary tactics, techniques, and procedures (TTPs), and Cyber Eviction Strategies Playbook NextGen, a web-based application that matches incident findings with countermeasures obtained from COUN7ER. Together, these resources help defenders build systematic eviction plans with distinct countermeasures to thwart and evict unique intrusions.”

• Dark Reading adds,
  • “The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Department of Energy’s Sandia National Laboratories, has released Thorium, an automated malware and forensic analysis platform, to help enterprise defenders quickly assess malware threats.” * * *
  • “Thorium is available from CISA’s official GitHub repository. Organizations interested in using it will need a deployed Kubernetes cluster, block store, and object store. A successful deployment requires familiarity with Docker containers and compute cluster management.
  • “By making this platform publicly available, we empower the broader cybersecurity community to use advanced tools for malware and forensic analysis,” said Jermaine Roebuck, CISA’s associate director for threat hunting, in a statement. “Scalable analysis of binaries and digital artifacts strengthens our ability to identify and fix vulnerabilities in software.”
    
• Dark Reading offers Black Hat News. The Black Hat conference starts today in Las Vegas.