Transportation Security Administration (TSA) Vendor Cyber Rating & Cyber Score

Description: Critical F5 BIG-IP APM Vulnerability Exploited in the Wild, CISA Flags Urgent Risk The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53521 a critical vulnerability in F5 BIG-IP APM to its Known Exploited Vulnerabilities (KEV) Catalog, signaling active exploitation in the wild. Initially disclosed by F5 in October 2025 as a denial-of-service (DoS) flaw with a CVSS score of 7.5, the vulnerability has since been reclassified as a pre-authentication remote code execution (RCE) issue, now carrying a CVSS score of 9.8. The flaw affects BIG-IP APM systems, including those in Appliance mode, and allows unauthenticated attackers to execute arbitrary code remotely. Unlike the initial assessment, which suggested no control plane exposure, the updated risk profile has prompted urgent warnings from security experts, including watchTowr CEO Benjamin Harris, who described the shift as a "big ‘yikes’ moment." ### Affected Versions & Mitigation The vulnerability impacts the following BIG-IP APM versions: - 17.5.0 – 17.5.1.3 (fixed in 17.5.1.3) - 17.1.0 – 17.1.3 (fixed in 17.1.3) - 16.1.0 – 16.1.6.1 (fixed in 16.1.6.1) - 15.1.0 – 15.1.10.8 (fixed in 15.1.10.8) F5 has released an updated advisory, urging organizations to upgrade to patched versions or apply mitigations if immediate patching is not feasible. The company confirmed that no control plane exposure exists, but the data plane remains vulnerable until remediated. ### Exploitation & Response With evidence of in-the-wild exploitation, security teams are prioritizing patching and investigating potential breaches. The CISA KEV listing underscores the severity, as federal agencies and private sector organizations are now required to address the flaw under binding operational directives. The shift from a DoS to RCE classification highlights the evolving threat landscape, where initial vulnerability assessments may underestimate risk.

Description: Cybersecurity Alert: Heightened Threat Activity Following Middle East Escalation On February 28, 2026, coordinated U.S. and Israeli military strikes in Iran resulted in the death of Supreme Leader Ayatollah Ali Khamenei, triggering immediate retaliatory missile attacks by Iran. The escalation has raised concerns about a surge in state-aligned and ideologically motivated cyber threats, particularly from Iran-linked actors. ### Threat Assessment Security researchers, including Sophos X-Ops Counter Threat Unit (CTU), warn of an elevated risk of disruptive cyber operations in the near term (days to weeks). Likely targets include: - Government agencies - Critical infrastructure - Financial services - Defense-adjacent commercial entities ### Anticipated Attack Methods Historically, Iran-backed groups have employed: - Website defacements (e.g., propaganda-driven messaging) - DDoS attacks (disrupting services) - Ransomware & wiper malware (destructive payloads) - Hack-and-leak operations (data theft extortion) - Phishing & password spraying (credential-based attacks) - Exploitation of internet-exposed systems (unpatched vulnerabilities) Notable threat actors include: - "HomeLand Justice" – Linked to wiper and hack-and-leak operations against Albanian government entities (2022–present). - "Handla Hack" – A hacktivist persona tied to Iran’s Ministry of Intelligence and Security (MOIS), which claimed attacks in Jordan on February 28 and has threatened further regional targets. ### Historical Context & MITRE ATT&CK Techniques Iran-aligned groups have previously conducted multi-stage attacks, combining: - Initial access (phishing, exploiting public-facing apps, VPN breaches) - Credential theft (password spraying, OS credential dumping) - Lateral movement (process injection, account manipulation) - Defense evasion (disabling security tools, obfuscating files) - Impact (ransomware, wiper malware, defacement, data destruction) ### Defensive Recommendations Organizations are advised to prioritize: - Identity & access controls (MFA enforcement, least-privilege access) - Exposure reduction (patching vulnerabilities, minimizing attack surfaces) - Detection & response (EDR/XDR monitoring, phishing alert triage) - Resilience & recovery (validating backups, incident response playbooks) Cyber activity tied to geopolitical tensions may persist beyond immediate news cycles, requiring sustained vigilance. Security teams should monitor for MITRE ATT&CK techniques associated with Iran-linked operations, particularly around identity infrastructure, exposed services, and backup systems. Further updates will be provided as the situation evolves.

Description: State-Backed Hackers Target Government and Critical Infrastructure in 37 Countries On February 5, 2026, cybersecurity firm Palo Alto Networks uncovered a large-scale espionage campaign orchestrated by state-aligned threat actors. The operation, spanning 37 nations, focused on infiltrating government agencies and critical infrastructure sectors, including energy, telecommunications, and defense. The attack leveraged sophisticated tactics, techniques, and procedures (TTPs) to evade detection, suggesting involvement by well-resourced adversaries. While specific attribution remains undisclosed, the scale and precision of the campaign point to a coordinated effort with geopolitical motivations. The breach highlights the growing threat posed by nation-state cyber operations, underscoring vulnerabilities in global digital infrastructure. Authorities and affected organizations are assessing the extent of the compromise, though details on data exfiltration or operational disruptions remain limited. The incident serves as a reminder of the persistent risks faced by high-value targets in an increasingly contested cyber landscape.

Description: Critical RCE Vulnerability in SolarWinds Web Help Desk Demands Immediate Action A severe remote code execution (RCE) vulnerability, CVE-2025-40551, has been identified in SolarWinds Web Help Desk, posing a major risk to organizations using the platform. The flaw stems from unsafe deserialization of untrusted data (CWE-502), allowing attackers to execute arbitrary commands on vulnerable systems without authentication. The unauthenticated nature of the exploit makes it particularly dangerous, as threat actors can target exposed instances directly no credentials or insider access are required. Successful exploitation could lead to arbitrary command execution, persistent backdoor access, malware deployment (including ransomware), lateral movement within networks, and compromise of sensitive IT ticketing data. CISA has classified the vulnerability as critical, setting a remediation deadline of February 6, 2026, and urging organizations to act swiftly. Recommended mitigations include: - Applying the latest SolarWinds patches immediately. - Isolating unpatched systems from internet exposure. - Discontinuing use if mitigations cannot be implemented. - Monitoring logs for signs of compromise. The flaw highlights the ongoing threat posed by deserialization vulnerabilities in enterprise software, particularly those that bypass authentication. Security teams are advised to prioritize patching and investigate affected systems for potential breaches.

Description: CISA Releases New Guidance to Combat Rising Insider Threats in Critical Infrastructure The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance to help critical infrastructure organizations particularly in healthcare proactively defend against insider threats, a growing source of data breaches. According to a 2018 Verizon study, insiders were responsible for 56% of healthcare data breaches, surpassing external actors (43%). A 2024 report by Metomic found that the percentage of healthcare organizations reporting no insider incidents dropped from 34% in 2019 to just 24%, highlighting the escalating risk. Insider threats stem from negligence, malicious intent, or policy violations, such as employees snooping on medical records or exfiltrating patient data for financial gain or personal motives. These incidents can lead to severe consequences, including reputational damage, financial losses, and operational disruptions. CISA warns that insiders’ legitimate access and institutional knowledge make detection particularly challenging. To address this, CISA’s new resource provides a framework for assembling a multi-disciplinary insider threat management team, emphasizing collaboration across cybersecurity, physical security, human resources, legal, and external partners like law enforcement and mental health professionals. The guidance outlines a four-stage POEM framework Plan, Organize, Execute, and Maintain to structure threat mitigation efforts. Key steps include scoping the team’s role, fostering a culture of reporting, enforcing policies, and continuously refining the program. Acting CISA Director Dr. Madhu Gottumukkala emphasized that insider threats "erode trust and disrupt critical operations," while CISA Executive Assistant Director Steve Casapulla noted that organizations with mature programs are better equipped to withstand disruptions. The guidance aims to help state, local, tribal, and territorial governments, as well as critical infrastructure sectors, reduce the frequency and impact of insider incidents.

Description: Cyberattack Targets ICE List Wiki Ahead of Federal Agent Data Leak A major cyberattack disrupted the ICE List Wiki a Netherlands-based activist platform just as it prepared to publish the identities of thousands of U.S. federal agents, primarily from Immigration and Customs Enforcement (ICE). The site, run by activist Dominick Skinner, was hit by a sustained distributed denial-of-service (DDoS) attack last Tuesday evening, flooding its servers with malicious traffic and forcing it offline. The leaked data, provided by a Department of Homeland Security (DHS) whistleblower, includes names, personal phone numbers, and work histories of approximately 4,500 ICE and Border Patrol employees. The whistleblower’s decision to release the information was reportedly triggered by the fatal shooting of 37-year-old Renee Nicole Good by an ICE agent in Minneapolis on January 7, 2026. Activists quickly identified the officer involved as Jonathan E. Ross, with the incident described as the "last straw" for the whistleblower. While the site has since resumed operations, Skinner noted that much of the attack traffic appeared to originate from a Russian bot farm, though the true source remains obscured by proxy networks. The sophistication of the assault suggests a coordinated effort to suppress the leak. Despite the disruption, Skinner’s team operating from the Netherlands to avoid U.S. jurisdiction plans to proceed with publishing the data, though they intend to exclude certain personnel, such as medical and childcare staff. The group is also migrating to more secure servers to prevent future disruptions.

Description: Massive DHS Data Breach Exposes Thousands of ICE and Border Patrol Agents A whistleblower leak has exposed sensitive details of approximately 4,500 U.S. Department of Homeland Security (DHS) employees, including nearly 2,000 frontline Immigration and Customs Enforcement (ICE) and Border Patrol agents. The dataset believed to be the largest breach of DHS staff data to date includes names, work emails, phone numbers, job roles, and some résumé information. The leak was published by *ICE List*, a volunteer-run accountability project led by Dominick Skinner, a Netherlands-based activist. Skinner stated the data was received on Monday, following the fatal shooting of Renee Nicole Good, a protester killed by ICE agent Jonathan Ross in Minneapolis on January 7. The incident has sparked nationwide outrage, with critics accusing DHS of failing to hold agents accountable. Skinner, whose project operates outside U.S. jurisdiction to avoid takedowns, said the leak reflects growing internal discontent within federal immigration agencies. Since Good’s death, public submissions to *ICE List* which documents agent identities and raid details have surged, with reports coming from hotel staff, bar employees, and neighbors of agents. The site previously held data on around 2,000 staff but now possesses records on approximately 6,500. DHS has long shielded agent identities for safety reasons, but Skinner argues transparency is necessary for reform. He plans to publish verified names, stating that working for ICE or Customs and Border Protection (CBP) is "a bad move on a moral level." Two former ICE employees have already requested removal from the site after quitting. DHS officials condemned the leak, warning it endangers agents and their families. Assistant Secretary Tricia McLaughlin defended ICE’s work, citing arrests of violent criminals, but acknowledged exceptions for roles like childcare providers and nurses. Meanwhile, the agency faces backlash over Ross, who allegedly misled neighbors about his job, claiming to be a botanist. The breach underscores escalating tensions between federal immigration enforcement and public accountability efforts.

Description: DHS Warns of Escalating Cyber Threats from Iran-Backed Hackers Amid Rising Tensions The U.S. Department of Homeland Security (DHS) issued a National Terrorism Advisory System (NTAS) bulletin on Sunday, warning of heightened cyberattack risks from Iran-backed hacking groups and pro-Iranian hacktivists following recent geopolitical escalations. The advisory highlights a "heightened threat environment" in the U.S., with low-level cyberattacks likely targeting vulnerable networks. The DHS cautioned that violent extremists within the U.S. could mobilize in response to the Israel-Iran conflict, particularly if Iranian leadership issues a religious ruling calling for retaliatory violence. The bulletin also noted that anti-Semitic and anti-Israel sentiment has already motivated recent domestic attacks, raising concerns about further violence. The warning follows a pattern of Iranian state-affiliated hackers and hacktivists exploiting poorly secured U.S. networks. In October, authorities in the U.S., Canada, and Australia reported that Iranian hackers were acting as initial access brokers, breaching organizations in healthcare, government, IT, engineering, and energy sectors through brute-force attacks, password spraying, and MFA fatigue (push bombing). A separate August advisory from CISA, the FBI, and the Defense Department’s Cyber Crime Center (DC3) identified Br0k3r (also known as Pioneer Kitten, Fox Kitten, and other aliases) as a state-sponsored Iranian threat group involved in selling access to compromised networks to ransomware affiliates in exchange for a share of profits. While the DHS did not explicitly link the NTAS bulletin to recent events, the warning comes after U.S. strikes on Iranian nuclear facilities including Fordow, Natanz, and Isfahan on Saturday, just over a week after Israel targeted Iranian nuclear and military sites on June 13. Iran’s Foreign Minister, Abbas Araghchi, responded by warning of "everlasting consequences" and asserting Iran’s right to defend its sovereignty.

Description: CISA Issues Emergency Directive for MongoBleed Vulnerability in MongoDB The Cybersecurity and Infrastructure Security Agency (CISA) has mandated U.S. federal agencies to urgently patch a critical vulnerability in MongoDB, dubbed *MongoBleed*, following active exploitation by cyber attackers. The flaw enables threat actors to extract credentials, API keys, and other sensitive data from vulnerable databases, posing severe risks to data integrity and confidentiality. MongoBleed exploits default or misconfigured security settings, allowing unauthorized access, data theft, manipulation, or deletion. Attackers may also intercept network traffic in poorly secured environments. The vulnerability underscores persistent risks in database systems with inadequate hardening. CISA’s directive requires immediate patch deployment to mitigate potential breaches, which could lead to operational disruptions, reputational damage, and legal consequences. Agencies must also enforce stronger password policies, implement continuous monitoring, and conduct security audits to address misconfigurations. Additional measures include personnel training and advanced threat detection to bolster defenses. The alert highlights the urgency of maintaining up-to-date cybersecurity protocols to protect national data infrastructure from evolving threats.

Description: Critical Cisco Secure Email Gateway Vulnerability Exploited in Ongoing Attacks Cisco has disclosed an active cyberattack campaign targeting vulnerabilities in its Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running Cisco AsyncOS Software. The flaw, tracked as CVE-2025-20393 (CVSS 10.0), allows threat actors to execute arbitrary commands with root privileges, enabling full system compromise. The vulnerability affects both physical and virtual instances of the appliances when the Spam Quarantine feature is enabled and exposed to the internet a configuration not enabled by default per Cisco’s deployment guidelines. Cisco Secure Email Cloud remains unaffected, and there is no evidence of exploitation targeting Cisco Secure Web. ### Attack Details & Timeline The campaign was first detected through a Cisco Technical Assistance Center (TAC) case, with Cisco Talos confirming active exploitation. Attackers exploited exposed ports to gain unauthorized root access, disable security tools, and establish persistence mechanisms for long-term control. Compromised appliances may require a full rebuild to remove embedded threats. ### Mitigation & Hardening Measures Cisco has stated that no direct workarounds exist for CVE-2025-20393. Organizations are advised to: - Restrict appliance access to trusted hosts and avoid direct internet exposure. - Deploy behind firewalls, filtering traffic to allow only authorized communication. - Separate mail and management interfaces to limit internal access risks. - Monitor web logs and forward them to external servers for analysis. - Disable unnecessary services (HTTP, FTP) and enforce SSL/TLS with trusted certificates. - Upgrade to the latest AsyncOS release and implement strong authentication (SAML, LDAP). ### Broader Impact The incident highlights risks posed by misconfigured network services, emphasizing the need for immediate exposure assessment, access restrictions, and continuous monitoring. Organizations should consult Cisco TAC if compromise is suspected.

Description: Notepad++ Patches Critical Update Hijacking Vulnerability Notepad++, the widely used text and code editor, recently addressed a severe security flaw in its update mechanism that could allow attackers to hijack the update process. The vulnerability, stemming from insufficient file authentication in the Notepad++ updater, was identified by security researcher Kevin Beaumont. The flaw enabled threat actors to intercept and manipulate update traffic, tricking the software into accepting malicious update files. Without proper verification, users risked downloading compromised updates, potentially leading to unauthorized access, data theft, or further exploitation. In response, the Notepad++ development team implemented enhanced authentication measures to secure the updater utility. The patched version now prevents unauthorized modifications to update files, reducing the risk of exploitation. Users running older versions are urged to upgrade immediately to mitigate potential threats. The incident underscores the importance of robust update verification in software distribution, particularly for widely adopted tools. While the vulnerability has been resolved, the discovery highlights ongoing risks in update mechanisms across applications.

Description: The article highlights systemic vulnerabilities in the E-Verify system (administered jointly by USCIS and SSA), where Social Security Numbers (SSNs) critical for employment verification, credit applications, and government benefits are at risk of exploitation in identity theft schemes. While the article promotes proactive measures like SSN locks and credit freezes, it implicitly reveals that unauthorized access to SSNs via data breaches or phishing could enable criminals to impersonate individuals for fraudulent employment, tax refunds, or benefit claims.The E-Verify Self Lock feature, though a protective tool, underscores a reactive approach to a persistent threat: leaked or misused SSNs due to inadequate safeguards in government databases or third-party breaches. The reliance on manual locks (expiring annually) and credit freezes suggests gaps in automated, real-time fraud detection, leaving individuals responsible for mitigating risks. The potential for large-scale SSN exposure whether through insider threats, system exploits, or external attacks poses a direct risk to financial stability and public trust in federal identity verification infrastructure.The article’s emphasis on post-breach mitigation (e.g., IRS identity protection PINs) rather than prevention implies that SSN-related breaches are frequent enough to warrant systemic warnings, signaling a high-stakes vulnerability in a foundational component of U.S. identity management.

Description: A large-scale cyber breach targeted FEMA (Federal Emergency Management Agency) over several weeks, compromising its network and exposing sensitive employee data from both FEMA and Customs and Border Protection (CBP). The attacker exploited vulnerabilities in Citrix remote access software, gaining deep access across regions including New Mexico, Texas, and Louisiana. While initial claims by Homeland Security Secretary Kristi Noem stated *no sensitive data was extracted*, internal documents later confirmed the theft of FEMA and CBP employee data, affecting over 250,000 employees and raising concerns about DHS’s cybersecurity capabilities. The breach led to the dismissal of 20 FEMA IT workers, including senior leaders, accused of security failures. Remediation efforts spanned months, with DHS and FEMA struggling to contain the intrusion until at least September 2025. The attack underscored systemic vulnerabilities in federal network defenses, prompting emergency directives to strengthen protections against advanced hacker groups. The incident remains under investigation, with no confirmed attribution or link to broader espionage campaigns.

Description: Taiwan’s Government Agencies Face 637 Cybersecurity Incidents in Six Months, Revealing Key Attack Trends Taiwan’s public sector reported 637 cybersecurity incidents over the past six months, accounting for the majority of 723 total cases logged by government and select non-government organizations, according to the Cybersecurity Academy (CSAA). The findings, published in its *Cybersecurity Weekly Report*, highlight four dominant attack patterns targeting government agencies reflecting broader global threats. Illegal intrusion was the most prevalent threat, comprising 410 cases, where attackers exploited both technical vulnerabilities and human behavior to gain unauthorized access. The CSAA identified four recurring tactics behind these incidents: 1. Malicious Software Disguised as Legitimate Tools – Attackers distributed infected files masquerading as trusted applications, often used in government operations. Once installed, these programs established backdoors for data exfiltration or remote control. 2. USB-Based Worm Infections – Despite being an older technique, USB-driven malware remained effective, particularly in environments where portable media is routinely used. Infected devices triggered automatic code execution, enabling lateral movement within networks. 3. Social Engineering Phishing Emails – Highly targeted phishing campaigns impersonated administrative or legal communications, leveraging urgency and authority to trick recipients into engaging with malicious links or attachments. 4. Watering Hole Attacks – Attackers compromised legitimate websites frequented by government officials, silently executing malicious commands during normal browsing to compromise endpoints. Beyond government agencies, critical infrastructure providers including emergency response, healthcare, and communications sectors reported incidents, though many stemmed from equipment malfunctions or environmental disruptions (e.g., typhoons) rather than direct cyberattacks. The Cybersecurity Research Institute (CRI) emphasized that operational resilience, alongside digital security, is critical in mitigating disruptions. In response, experts advocate for strengthened endpoint protection, including abnormal behavior monitoring and stricter controls on portable media and software sourcing. Governance reforms, such as ongoing cybersecurity training and clear policies for external website access, are also recommended to address both technical and human vulnerabilities. The report underscores the need for proactive, layered defenses as digital threats grow more persistent and adaptive.

Description: BlackSuit Ransomware Infrastructure Disrupted in Coordinated Global Takedown On July 24, 2026, a multinational law enforcement operation led by the U.S. Department of Homeland Security’s Homeland Security Investigations (HSI) dismantled key infrastructure tied to the BlackSuit (Royal) ransomware group, a persistent threat targeting critical U.S. sectors since 2022. The effort, which included the FBI, U.S. Secret Service, IRS Criminal Investigation (IRS-CI), and international partners from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania, resulted in the seizure of four servers, nine domains, and over $1 million in cryptocurrency. BlackSuit, known for its high-impact attacks, has compromised more than 450 U.S. victims, including schools, hospitals, energy providers, and government entities. The group’s operations have drawn scrutiny for their direct threat to public safety and critical infrastructure. While officials hailed the takedown as a significant step in disrupting ransomware operations, cybersecurity experts cautioned that the impact may be temporary. Craig Jones, Chief Security Officer at Ontinue, noted that without arrests, the group’s operators retain the skills, funding, and infrastructure to reemerge under a new identity a pattern observed with other ransomware crews. The operation reflects a proactive, disruption-first approach by U.S. agencies, with officials emphasizing that accountability for cybercriminals remains a priority. Deputy Assistant Director Michael Prado of HSI’s Cyber Crimes Center (C3) underscored the need to dismantle the entire ecosystem enabling ransomware, while U.S. Attorney Erik S. Siebert reaffirmed law enforcement’s commitment to aggressive action against such threats. Though the takedown neutralized only a portion of BlackSuit’s infrastructure, it marks a broader effort to curb ransomware’s global reach. Authorities continue to pursue further measures to hold operators accountable and prevent future resurgences.

Description: Iranian Cyberattacks Surge 133% Amid Geopolitical Tensions, Targeting U.S. Critical Infrastructure Nozomi Networks Labs reported a sharp escalation in cyberattacks linked to Iranian threat groups, with a 133% increase in incidents during May and June 2024 compared to the previous two months. The surge peaking at 18 attacks in May before declining to 10 in June coincided with heightened regional conflicts involving Iran, with U.S. organizations as the primary targets. At least 28 confirmed attacks were attributed to six Iranian state-sponsored or affiliated groups: MuddyWater, APT33, OilRig, CyberAv3ngers, FoxKitten, and Homeland Justice. The transportation and manufacturing sectors bore the brunt of the activity, though critical infrastructure, energy, and government entities were also heavily targeted. ### Key Threat Actors & Their Campaigns - MuddyWater emerged as the most active, compromising at least five U.S. companies in transportation and manufacturing. The group, operational since 2017, has historically focused on the Middle East but expanded its reach to North America, Europe, Asia, and the Middle East, targeting government, telecommunications, and energy sectors. - APT33 conducted attacks against three U.S. firms, with infrastructure traced to operations spanning North America, Europe, the Middle East, and Asia, including Germany, France, Saudi Arabia, and Japan. The group’s focus on strategic geopolitical and economic hubs suggests intelligence-gathering and disruption objectives. - OilRig maintained its long-standing campaign against Gulf region targets, including energy, government, and telecommunications sectors, but also extended operations to the U.S., Spain, and Turkey. Attack paths originating from Iran indicate a broader geopolitical and intelligence-driven agenda. - CyberAv3ngers, known for targeting operational technology (OT), reused an IP address from a prior attack and deployed the OrpaCrab (IOCONTROL) malware, first identified in December 2023. The group’s recent activity targeted the U.S., Ukraine, Iraq, and Cyprus, with a focus on critical infrastructure and industrial sectors. - FoxKitten concentrated on Israel, Greece, and North Macedonia, aligning with its history of espionage and long-term access within government and critical infrastructure networks in the Eastern Mediterranean and Middle East. - Homeland Justice, a hacktivist collective, demonstrated a global reach, striking targets in the U.S., Canada, Saudi Arabia, India, and Australia. The group’s politically motivated attacks spanned critical infrastructure and government entities, reflecting a broad disruption strategy. ### Geopolitical Context & U.S. Response The surge in Iranian cyberactivity follows escalating regional tensions, prompting U.S. security agencies to issue warnings last week. Critical infrastructure operators were advised to monitor for threats and isolate OT/ICS assets from public internet access, particularly those with ties to Israeli defense or research entities. The agencies emphasized the heightened risk to the defense industrial base (DIB) and other high-value sectors in the near term. Nozomi Networks confirmed that its threat intelligence feeds including a Mandiant TI Expansion Pack already contain signatures to detect these groups, though the broader threat landscape underscores the expanding scope and sophistication of Iranian cyber operations.

Description: U.S. Indicts Ukrainian National for Role in Russian-Backed Cyberattacks on Critical Infrastructure The U.S. Department of Justice (DoJ) has indicted 33-year-old Ukrainian national Victoria Eduardovna Dubranova (also known as "Vika," "Tory," and "SovaSonya") for her alleged involvement in cyberattacks targeting global critical infrastructure. Dubranova, extradited to the U.S. earlier this year, is accused of supporting two Russian-aligned hacking groups: NoName057(16) and CyberArmyofRussia_Reborn (CARR), also referred to as Z-Pentest, both suspected of receiving backing from Russian state entities. Dubranova faces charges in two separate cases one tied to CARR and another to NoName and has pleaded not guilty. Her trial is scheduled for 2026. While her extradition details remain undisclosed, authorities in July 2025 dismantled over 100 servers linked to NoName057(16) and arrested two individuals in France and Spain, though no direct connection to Dubranova has been publicly confirmed. The attacks were not financially motivated but instead aimed at disrupting essential services. CARR claimed responsibility for breaches of U.S. drinking water systems, causing spills and failures, as well as an attack on a Los Angeles meat processing facility that resulted in food spoilage and an ammonia leak. NoName057(16), meanwhile, deployed its custom DDoSia tool to take down government websites, recruiting global volunteers with cryptocurrency rewards and leaderboard incentives. The group’s infrastructure was reportedly built by CISM, a Russian state-sponsored IT group operating under a 2018 presidential order. The DoJ alleges both groups received direction and funding from Russian intelligence, including a GRU officer who guided CARR’s targeting and paid for cybercriminal services. At its peak, CARR had over 100 members, including minors, and an online following in the tens of thousands. The U.S. State Department is offering a $2 million reward for information leading to the identification or location of three key CARR associates: Yuliya Pankratova, Denis Degtyarenko, and "Cyber_1ce_Killer", the latter linked to a GRU officer. Dubranova faces severe penalties up to 27 years in the CARR case for conspiracy, damaging protected systems, fraud, and identity theft, and a five-year maximum in the NoName case for a separate conspiracy charge. The indictment underscores how cybercriminal networks exploit geopolitical tensions, operating across borders even as traditional conflicts persist. Similar operations in 2025 saw the arrest of the suspected administrator of XSS.IS, a major Russian-language cybercrime forum with alleged intelligence ties, during a joint French-Ukrainian Europol operation. In 2024, Ukrainian authorities detained a cryptor-developer accused of aiding Conti and LockBit ransomware groups by creating tools to evade antivirus detection.

Description: An unidentified hacker executed a months-long breach targeting FEMA’s computer network, compromising sensitive data of Customs and Border Protection (CBP) and FEMA employees across a region spanning New Mexico, Texas, and Louisiana. The attacker exploited vulnerabilities in Citrix remote-access software, gaining deep access to operational systems. Despite initial containment efforts by DHS in mid-July, remediation extended into September, with confirmations that employee data was stolen, contradicting earlier official denials. The breach led to the firing of 24 FEMA IT staff, including top executives, amid accusations of 'severe security lapses.' The incident exposed systemic weaknesses in DHS’s cybersecurity posture, raising concerns about the protection of over 250,000 employees’ information and potential broader threats to national security. The attacker’s identity and motives remain unknown, though the prolonged intrusion suggests targeted espionage or data exfiltration for malicious use.

Description: A hacker infiltrated FEMA’s computer networks via compromised credentials in Citrix Systems’ remote desktop software, gaining unauthorized access for nearly two months (June 22 to August 5). The breach targeted FEMA Region 6 (covering Arkansas, Louisiana, New Mexico, Oklahoma, and Texas) and compromised employee identity data from both FEMA and U.S. Customs and Border Protection (CBP), another DHS component. The attacker exploited weak security measures, including the absence of multifactor authentication (MFA), to move laterally across the network, install VPN software, and exfiltrate data from Microsoft Active Directory, which manages access controls. The incident led to the termination of two dozen FEMA employees, including IT executives, after DHS Secretary Kristi Noem cited systemic failures like agencywide MFA gaps and 'incompetence' in cybersecurity protocols. While initial statements claimed no sensitive citizen data was stolen, investigations confirmed the theft of federal employee identity information. The breach underscored vulnerabilities in critical government infrastructure, though officials asserted no direct harm to American citizens occurred. The attack’s duration and depth raised concerns about persistent threats to federal agencies, compounded by a separate disclosure of hackers exploiting Cisco firewall devices in U.S. government systems around the same period.

Description: Cybersecurity Subcommittee Chair Opposes CISA’s Mobile App Vetting Program Shutdown After Salt Typhoon Attack Rep. Andrew Garbarino (R-N.Y.), chair of the House Homeland Security Subcommittee on Cybersecurity, has voiced strong opposition to the planned termination of the Cybersecurity and Infrastructure Security Agency’s (CISA) Mobile App Vetting (MAV) Program. The move follows the Salt Typhoon cyberattack, which targeted U.S. telecommunications firms and impacted federal agencies, raising concerns about mobile device security vulnerabilities. In a letter to Department of Homeland Security (DHS) Secretary Kristi Noem, Garbarino argued that ending the MAV program would leave a critical gap in assessing mobile device risks and undermine confidence among Federal Civilian Executive Branch (FCEB) agencies, which remain on high alert due to the fallout from Salt Typhoon. He also called for a priority review of CISA’s role as the sector risk management agency for telecommunications, emphasizing the need for stronger oversight in light of recent threats. Garbarino has demanded that DHS provide a justification for the program’s termination and outline CISA’s updated strategy for securing the telecommunications sector by June 13. The request underscores growing congressional scrutiny over federal cybersecurity measures in the wake of high-profile attacks.

Description: The U.S. government shutdown has severely weakened CISA, the nation’s leading civilian cybersecurity agency, by furloughing 65% of its 2,540-strong workforce (1,651 employees) and issuing Reductions in Force (RIF) notices that may lead to permanent layoffs. Critical divisions like the Infrastructure Security Division (ISD), responsible for protecting power grids, water treatment plants, and chemical facilities, face deep cuts including the elimination of the Chemical Security subdivision, which secured high-risk chemical sites from cyber-physical threats. The Stakeholder Engagement Division (SED), which coordinates national and international cybersecurity partnerships, is also targeted. Experts warn that this reduction amid rising nation-state cyber threats, ransomware, and misinformation campaigns creates exploitable blind spots, crippling the U.S. government’s ability to detect, respond, and recover from attacks. The shutdown and political redirection of CISA’s mission (e.g., accusations of censorship) further destabilize its operational capacity, leaving critical infrastructure (energy, water, chemical sectors) vulnerable to cyberattacks that could disrupt essential services or trigger cascading failures. The long-term impact includes eroded national resilience, increased risk of state-sponsored espionage or sabotage, and potential physical harm if industrial control systems (e.g., power grids, water treatment) are compromised.

Description: The FBI issued a public warning about a sophisticated smishing (SMS phishing) and vishing (voice phishing) campaign targeting current/former senior U.S. government officials and their contacts since April 2025. Malicious actors impersonate high-ranking officials using AI-generated voice cloning and fraudulent text messages to deceive victims into revealing sensitive personal data, login credentials, or financial information. The attack exploits trust in authoritative figures, leveraging publicly available data (e.g., job titles, photos) to craft convincing lures. Victims are tricked into clicking malicious links, downloading malware, or granting access to accounts under false pretenses (e.g., switching to a 'secure' messaging platform).The stolen credentials risk further impersonation, disinformation campaigns, or financial fraud, with potential cascading effects on national security if government communications or networks are compromised. While no large-scale data breach has been confirmed, the campaign’s targeted nature focusing on high-profile individuals poses a severe risk of credential harvesting, identity theft, and unauthorized access to classified or sensitive systems. The FBI emphasizes the threat’s evolving sophistication, combining social engineering with AI-driven deception to bypass traditional defenses.

Description: Cybersecurity & Privacy Roundup: AI Flaws, ICE Surveillance, FBI Raids, and Military Cyber Ops This week’s cybersecurity developments highlight critical vulnerabilities, government surveillance practices, and high-stakes digital warfare with implications for privacy, national security, and AI-driven risks. ### ICE & CBP’s Controversial Face Recognition App A *WIRED* investigation revealed that U.S. Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) are deploying Mobile Fortify, a facial recognition app used nationwide to identify individuals. However, the app was not designed to verify identities and was approved for DHS use only after relaxing the agency’s own privacy rules. The report also exposed the militarized tactics of ICE and CBP units, including agents linked to shooting deaths of U.S. citizens in Minneapolis. Meanwhile, a Public Service Alliance report warned that data brokers are fueling threats against public servants, whose personal information remains largely unprotected under state privacy laws. ### AI-Generated Code Exposes Major Security Flaw Security firm Wiz uncovered a critical vulnerability in Moltbook, a social network for AI agents billed as a "Reddit-like" platform. The flaw, stemming from mishandled private keys in AI-generated JavaScript code, exposed thousands of user email addresses and millions of API credentials, enabling full account impersonation and access to private AI communications. Moltbook’s founder, Matt Schlicht, admitted the site was "vibe-coded" entirely by AI raising concerns about the security risks of AI-written software. While the flaw has been patched, it underscores the dangers of over-reliance on AI for critical infrastructure. ### FBI Raid Highlights iPhone Security Safeguards The FBI’s raid on *Washington Post* reporter Hannah Natanson’s home, part of an investigation into alleged leaks by a federal contractor, demonstrated how biometric authentication can be exploited to access devices. However, Apple’s Lockdown Mode designed to block spyware like NSO Group’s Pegasus prevented the FBI’s Computer Analysis Response Team (CART) from extracting data from Natanson’s iPhone. The incident, detailed in a court filing reported by *404 Media*, reveals how Lockdown Mode’s peripheral-blocking feature can thwart forensic tools like Graykey and Cellebrite. ### Starlink Disrupts Russian Military Communications In a major win for Ukraine, SpaceX’s Starlink disabled Russian military access to its satellite network, causing a communications blackout for frontline troops. The move followed a request from Ukraine’s defense minister and dealt a severe blow to Russia’s drone operations, with one Ukrainian adviser calling it a "catastrophe" for enemy forces. The development adds another layer to Starlink’s complex role in the war, which has previously seen Elon Musk’s company restrict Ukrainian drone strikes over concerns about escalation. ### U.S. Cyber Command Disables Iranian Missile Defenses A 2023 U.S. Cyber Command operation, revealed by *The Record*, used digital weapons to disrupt Iran’s air missile defense systems during a kinetic strike on Iran’s nuclear program. The cyberattack, leveraging NSA intelligence, exploited a vulnerability to prevent Iran from launching surface-to-air missiles at American warplanes. A Cyber Command spokesperson confirmed the operation, stating the unit is "fully equipped to execute the orders of the commander-in-chief" in any theater. From AI-generated security flaws to government surveillance overreach and cyber warfare, these incidents underscore the evolving threats in digital security and the high stakes of getting it wrong.

Description: The Cybersecurity and Infrastructure Security Agency (CISA) faced a tumultuous period marked by significant breaches, including the Salt Typhoon espionage campaign linked to Beijing, which compromised American telecoms, collecting sensitive data such as call logs, recordings, and potential location information. The largest hack in US telecom history occurred under the leadership of Jen Easterly, who was not asked to stay post-Inauguration Day. Her departure coincided with demands for CISA to become 'smaller' and 'more nimble' and the dismissal of the Cyber Safety Review Board members who were investigating the breaches, potentially jeopardizing the agency’s future and national cybersecurity.

Description: As a relatively new and essential cyber-security component of the DHS, CISA faces a significant potential setback. With changing political climates and Trump’s apparent intentions to reshape the agency, its core missions of protecting government systems and supporting private and nonprofit entities could be compromised. Employees fear that reduced corporate oversight and a possible dismantling or repurposing of the agency may impair its ability to safeguard against cyber threats, potentially weakening national cybersecurity infrastructure. There is a palpable fear among the staff of a decline in efficacy and a change in direction that could pose threats not just to the agency's mandate but also to the broader security landscape.

Description: The DHS encountered growing threats from commercial drones being modified to carry hazardous payloads, impacting national security. Attempted mitigations include improved detection and response capabilities through local law enforcement training and technology deployment. These clandestine drone activities pose a significant risk, requiring urgent action and cooperation between federal and local agencies to ensure public safety and preserve critical infrastructure.

Description: CISA Issues Emergency Directive Over Actively Exploited Microsoft Configuration Manager Vulnerability The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive on Thursday, mandating federal agencies to patch a critical vulnerability in Microsoft Configuration Manager that is being actively exploited in attacks. The flaw, addressed in Microsoft’s October 2024 patch cycle, has been assigned CVE-2024-XXXX and poses severe risks to system security. The vulnerability enables unauthorized command execution and privilege escalation, allowing attackers to compromise data integrity and intercept sensitive information. Due to its high severity, CISA has imposed strict remediation deadlines, requiring agencies to take immediate action. Federal organizations must: - Apply the Microsoft-released patch without delay. - Conduct system audits to verify no unauthorized access has occurred. - Enhance monitoring to detect and respond to further exploitation attempts. The directive highlights the urgency of addressing the flaw to prevent potential breaches of federal networks and data. Agencies are also instructed to assess residual risks and ensure comprehensive mitigation strategies are in place.

Description: A hacker infiltrated FEMA’s computer networks via compromised Citrix remote desktop credentials, maintaining unauthorized access from June 22 to August 5, 2024. The breach targeted FEMA Region 6 (covering Arkansas, Louisiana, New Mexico, Oklahoma, and Texas) and involved the theft of employee identity data from FEMA and U.S. Customs and Border Protection (CBP). The attacker exploited weak security controls, including the absence of multifactor authentication (MFA), to move laterally across the network, install VPN software, and exfiltrate data from Active Directory.The incident led to the termination of 24 FEMA employees, including IT executives, after an investigation revealed systemic failures in cybersecurity protocols. While initial statements claimed no sensitive data was stolen, a DHS internal review confirmed the theft of federal employee identity information. The breach underscored vulnerabilities in government cybersecurity, compounded by a separate disclosure of hackers exploiting Cisco firewall devices in U.S. agencies, though no direct link to the FEMA attack was established.

Description: Amid rising cyber threats, the Heritage Foundation's Project 2025 proposes to significantly reduce the scope of CISA, which could undermine the agency's ability to protect against cyber attacks and misinformation. This move aligns with former President Trump's agenda and his critique of CISA's role in debunking electoral misinformation. If implemented, CISA's counter-misinformation efforts would be halted, its relationship with social media firms would change, and its cyber defense responsibilities could be redistributed to military and intelligence agencies. As a result, the United States could face an increased risk of cyber threats that can disrupt societal stability, influence elections, or compromise sensitive information.

Description: CISA faces potential undermining from elements within the Heritage Foundation who seek to scale back its operations, especially concerning its role in mitigating misinformation online. This approach could significantly weaken the agency, impacting its principal cybersecurity functions and potentially affecting its efforts to combat foreign propaganda. If the 2024 election leads to an administration aligning with the Project 2025 playbook, CISA could experience reduced effectiveness or an existential crisis. Such a shift could have far-reaching consequences for national cybersecurity and the protection against online falsehoods that threaten societal stability.

Description: FEMA suffered a cyberattack in June 2024 where threat actors exploited CitrixBleed 2 (CVSS 9.3) via stolen credentials to breach its Citrix Netscaler ADC/Gateway, bypassing MFA. Attackers exfiltrated data from Region 6 servers (covering Arkansas, Louisiana, New Mexico, Oklahoma, Texas), including sensitive government and citizen information. The breach remained undetected until July, despite prior CISA warnings about active exploitation. FEMA initially denied data loss but later evidence confirmed unauthorized uploads. The incident led to the termination of the CISO, CIO, and 22 staff for negligence, including falsified security audits. Remediation included forced password resets, MFA enforcement, and a complete IT overhaul. The attack exposed systemic failures in patch management and incident response, risking national security data, emergency response capabilities, and public trust in a critical federal agency.

Description: A new warning issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Canadian Centre for Cyber Security documents an ongoing campaign by Chinese hackers making use of the sophisticated BRICKSTORM malware to target public sector organizations and IT companies for long-term espionage purposes. The average dwell time for these documented breaches is a little over a year, and the total victim count is impossible to know at this point. The BRICKSTORM malware was first documented by Google security researchers in 2024 and is considered one of the most advanced current threats. It targets Windows and VMware vSphere environments and serves as a long-term backdoor for stealthy data exfiltration. It has numerous advanced obfuscation features and will also reinstall itself if removed or disrupted. Once inside a target network, the Chinese hackers look to capture legitimate credentials through various means and create hidden virtual machines to conceal their activities. Chinese hackers may have been active since 2022 Though BRICKSTORM first came to broad attention in 2024, the researchers believe the Chinese hackers may have been successfully running this campaign since as far back as 2022. The average dwell time among documented victims of the malware is 393 days. If true, this would mean the attackers had been actively penetrating targets with this approach for at least two years before even being detected by security resear

Description: CISA Flags Actively Exploited VMware vCenter Server Vulnerability The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37079, a critical remote code execution (RCE) vulnerability in Broadcom’s VMware vCenter Server, to its Known Exploited Vulnerabilities (KEV) catalog. The move follows confirmed reports of active exploitation in the wild, heightening risks for enterprises using vCenter for virtualization management. The flaw allows attackers with network access to the vCenter Server to execute arbitrary code, potentially gaining full control over the system. No additional user interaction or privileges are required, making it a high-severity threat. Organizations running affected versions of vCenter are urged to prioritize patching, as exploitation could lead to unauthorized access, data breaches, or lateral movement within networks. VMware released patches for the vulnerability earlier this month, but the inclusion in CISA’s KEV catalog underscores its urgency. Federal agencies under CISA’s binding operational directive (BOD 22-01) must remediate the flaw by a specified deadline, though private sector entities are also advised to act swiftly. The incident highlights the growing targeting of virtualization infrastructure, a critical component in enterprise IT environments. Details on attack vectors and threat actors remain limited, but the vulnerability’s inclusion in the KEV catalog signals its immediate operational risk.

Description: In order to assist critical infrastructure organizations in thwarting ransomware gang attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new information detailing security flaws and configuration errors that ransomware gangs have exploited. This information was made public by CISA as part of the Ransomware Vulnerability Warning Pilot (RVWP) program, and said that it would notify critical infrastructure organizations of any ransomware-vulnerable devices found on its network. Since its launch, CISA's RVWP has found and exchanged information about more than 800 susceptible systems with internet-accessible flaws regularly targeted by various ransomware activities. The U.S. cybersecurity agency has also released a dedicated website, StopRansomware.gov, which acts as the focal point for CISA's initiative to give defenders all the information they need to anticipate and neutralize ransomware assaults.

Description: CISA’s Secure Software Tool Found Vulnerable to XSS Attack A tool designed by the Cybersecurity and Infrastructure Security Agency (CISA) to help government agencies procure secure software was itself found to contain a cross-site scripting (XSS) vulnerability. The flaw was discovered by Jeff Williams, former leader of OWASP and co-founder of Contrast Security, who reported it to CISA in September 2023. The vulnerability allowed attackers to inject malicious JavaScript into the *Software Acquisition Guide: Supplier Response Web Tool*, potentially enabling defacement of the site or attacks on other users. Williams noted that the flaw was basic and should have been easily detected, calling it "hypocritical" for an agency promoting secure software development to overlook such a fundamental issue. Initially dismissed as non-critical under CISA’s bug bounty program, the vulnerability gained attention through the agency’s Vulnerability Information and Coordination Environment (VIC) program. The fix, which Williams estimated would take only minutes to implement, was delayed until December, partly due to the government shutdown. CISA’s Chief Information Officer, Robert Costello, confirmed the agency patched the flaw and found no evidence of exploitation. The incident was documented as a CVE, and CISA acknowledged the researcher’s report while citing process improvements for future vulnerability handling. The discovery follows a separate 2024 breach at CISA, underscoring that even cybersecurity authorities remain targets for attacks.

Description: In March–May 2023, a misconfigured DHS Homeland Security Information Network (HSIN-Intel) platform exposed sensitive but unclassified intelligence data including investigative leads shared with the FBI, National Counterterrorism Center, and local law enforcement to tens of thousands of unauthorized users. The access controls were incorrectly set to 'everyone,' granting visibility to non-intelligence government workers (e.g., disaster response teams), private contractors, and foreign government personnel. The breach stemmed from poor access management and lack of segmentation, highlighting systemic failures in cloud security governance. While no classified data was compromised, the exposure risked operational security, counterterrorism efforts, and trust in interagency intelligence-sharing. The incident underscored how human error and process gaps rather than sophisticated cyberattacks remain a dominant cause of high-impact breaches in critical infrastructure.

Description: A misconfigured data hub within the DHS Office of Intelligence and Analysis (I&A) exposed sensitive national security information to thousands of unauthorized users including government workers, private-sector employees, and foreign nationals over a two-month period (March–May 2023). The breach stemmed from a programming error, allowing improper access to 439 I&A products, which were accessed 1,525 times without authorization. Among these, 518 accesses were from the private sector, and 46 were by non-American citizens, primarily targeting cybersecurity intel (39% of accessed data), including details on foreign hacking campaigns, state-sponsored hacker groups, and domestic protest surveillance. The exposed records included surveillance data on American citizens, law enforcement investigations, and foreign disinformation operations, raising concerns about the integrity of the Homeland Security Information Network (HSIN), which DHS markets as a secure platform for critical national security sharing. While the memo confirmed some records were accessed, it lacked an impact assessment on affected agencies, leaving uncertainties about broader operational or intelligence compromises. The incident underscores systemic vulnerabilities in handling classified intelligence, with potential repercussions for national security, diplomatic relations, and public trust in government cybersecurity protocols.

Description: In January 2023, the BianLian ransomware group shifted its tactics from encrypting files to data theft-based extortion, leveraging stolen Remote Desktop Protocol (RDP) credentials often obtained via phishing or initial access brokers. The group deployed custom Go-based backdoors, remote management tools, and credential-harvesting utilities to infiltrate networks undetected. Once inside, they exfiltrated sensitive data and threatened to publish it on a leak site, demanding ransom payments in cryptocurrency. To evade security measures, BianLian disabled antivirus processes using PowerShell and Windows Command Shell, escalating risks for targeted organizations. The attack posed severe threats to critical infrastructure sectors, prompting warnings from CISA, FBI, and ACSC. Victim organizations faced potential operational disruptions, financial losses, and reputational damage, with stolen data ranging from employee records to proprietary business information. While no specific company was named, the group’s focus on high-value targets such as healthcare, energy, or government-adjacent entities suggested systemic risks. Mitigations included auditing RDP access, restricting PowerShell, and enforcing multi-factor authentication (MFA), but the breach’s scale and sophistication highlighted vulnerabilities in defensive postures.

Description: US Immigration and Customs Enforcement accidentally exposed the names, birthdates, nationalities and locations of more than 6,000 immigrants who claimed to be fleeing torture and persecution to its website. The unprecedented data dump exposed the immigrants to retaliation from the very individuals, gangs and governments they fled, attorneys for people who have sought protection in the U.S

Description: CISA and Partners Release Updated #StopRansomware Guide to Strengthen Incident Response In May 2023, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released an updated *#StopRansomware Guide* to standardize ransomware response protocols. The guide outlines a structured approach for organizations to detect, contain, eradicate, and recover from ransomware attacks, emphasizing coordinated action to minimize damage. The response process begins with detection and analysis, where impacted systems must be isolated immediately either by disconnecting networks at the switch level or physically unplugging devices. For cloud environments, snapshots of volumes should be taken for forensic review. Organizations are advised to use out-of-band communication (e.g., phone calls) to avoid tipping off attackers, who may monitor internal activity to escalate attacks. If isolation isn’t feasible, powering down devices is recommended, though this risks losing volatile memory evidence. Critical systems such as those tied to health, safety, or revenue should be prioritized for restoration, while unaffected systems are deprioritized to streamline recovery. Security teams are urged to examine logs for precursor malware (e.g., Bumblebee, QakBot, or Cobalt Strike) and signs of data exfiltration, as ransomware often follows earlier compromises. Threat hunting should focus on anomalous activity, including unauthorized Active Directory accounts, suspicious VPN logins, and misuse of built-in Windows tools (e.g., *vssadmin.exe*, *PsExec*) to inhibit recovery. Reporting and notification are critical, with organizations directed to engage internal stakeholders (IT, leadership, cyber insurers) and external agencies like CISA, the FBI, or the U.S. Secret Service. If a data breach occurs, legal and communications teams must follow incident response plans to manage disclosures. Containment and eradication involve capturing system images, memory dumps, and malware samples for analysis. Trusted guidance (e.g., from CISA or security vendors) should be followed to disable ransomware binaries and remove associated registry entries. Breaches often involve credential theft, requiring measures like disabling remote access and resetting passwords. Forensic analysis should identify persistence mechanisms, such as rogue accounts or backdoors, before systems are rebuilt using clean images or infrastructure-as-code templates. Recovery prioritizes reconnecting systems from offline backups while preventing reinfection. Post-incident, organizations are encouraged to document lessons learned and share indicators of compromise with CISA or sector-specific ISACs to bolster collective defense. The guide underscores that ransomware incidents may signal deeper compromises, necessitating thorough investigation to prevent recurrence.

Description: Medusa Ransomware Surges, Targeting Critical Infrastructure with Double Extortion Tactics The Medusa ransomware operation, tracked by Symantec as *Spearwing*, has claimed nearly 400 victims since its emergence in January 2023, with attacks rising 42% between 2023 and 2024. In the first two months of 2025 alone, the group has attributed over 40 incidents, signaling an aggressive expansion amid the disruption of other major ransomware-as-a-service (RaaS) players like LockBit and BlackCat. Medusa employs *double extortion*, stealing sensitive data before encrypting networks to pressure victims into paying ransoms ranging from $100,000 to $15 million. Targets span healthcare, financial services, government, education, legal, and manufacturing sectors many within critical infrastructure. If victims refuse to pay, the group threatens to leak stolen data via its dedicated leak site. ### Attack Methods & Tools Medusa’s intrusion chains often begin with exploiting known vulnerabilities in public-facing applications, particularly Microsoft Exchange Server, or through initial access brokers. Once inside, attackers deploy remote management tools like *SimpleHelp*, *AnyDesk*, and *MeshAgent* for persistence, alongside the *Bring Your Own Vulnerable Driver (BYOVD)* technique to disable antivirus software using *KillAV* a tactic previously seen in BlackCat attacks. Other tools in Medusa’s arsenal include: - PDQ Deploy for lateral movement and payload delivery - Navicat for database access - RoboCopy and Rclone for data exfiltration - Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance - Ligolo and Cloudflared for command-and-control (C2) evasion The group also employs *living-off-the-land (LotL)* techniques, such as PowerShell commands (Base64-encoded to avoid detection) and *Mimikatz* for credential theft, alongside legitimate remote access tools like *ConnectWise* and *PsExec* to move undetected. ### Evasion & Triple Extortion Risks Medusa actors take steps to evade detection, including deleting PowerShell command histories and terminating endpoint detection and response (EDR) tools. In at least one case, a victim who paid the ransom was later contacted by a separate Medusa affiliate, who claimed the original negotiator had stolen the funds and demanded an additional payment suggesting a potential *triple extortion* scheme. ### CISA Advisory & Historical Context A joint advisory from CISA, the FBI, and MS-ISAC, released on March 12, 2025, revealed that Medusa has compromised over 300 critical infrastructure victims as of December 2024. The group, unrelated to *MedusaLocker* or the *Medusa mobile malware*, first appeared in June 2021 as a closed ransomware variant before shifting to an affiliate-based model. While affiliates execute attacks, core developers retain control over ransom negotiations. Recent campaigns have exploited vulnerabilities in *ConnectWise ScreenConnect (CVE-2024-1709)* and *Fortinet EMS (CVE-2023-48788)*. Despite the RaaS landscape’s volatility with new groups like *Anubis*, *LCRYX*, and *Xelera* emerging Medusa has established itself as a persistent threat, ranking among the top ransomware actors in late 2024.

Description: Daniil Kasatkin, a 26-year-old Russian professional basketball player, was arrested at Charles de Gaulle Airport in Paris on June 21, 2023, for his alleged involvement in a ransomware gang that operated between 2020 and 2022. The gang is accused of targeting around 900 organizations, including two US federal agencies. Kasatkin is facing charges of 'conspiracy to commit computer fraud' and 'computer fraud conspiracy.' His lawyers deny the allegations, claiming he is not tech-savvy and was unaware of any unlawful activities. The US has not yet released any statements or evidence regarding the crimes.

Description: The Cybersecurity and Infrastructure Security Agency (CISA), created in 2018, faces uncertain times as the return of former President Trump could significantly alter its function and direction. Trump's promises to reduce government spending and oversight have CISA staffers concerned about the potential dismantling of cybersecurity initiatives and a shift in focus toward immigration enforcement. The agency, which has a reputation for bipartisanship and was involved in election security and countering online misinformation, now finds itself at odds with Republican claims of censorship and surveillance. The fear of policy reversal and mission compromise looms among the employees, who remain dedicated to protecting national cyber infrastructure.

Description: DHS had a privacy incident that resulted in the exposure of information for 247,167 active and retired federal employees. The database utilised by the DHS Office of the Inspector General (OIG) and kept in the Department of Homeland Security OIG Case Management System was compromised by a data breach. Employee names, Social Security numbers, dates of birth, jobs, grades, and duty locations are among the data that has been made public. In addition to putting additional security measures in place to restrict access to this kind of information, the Department of Homeland Security notified those who were impacted through notification letters.

Description: FEMA stated that they mistakenly exposed the personal information, including addresses and bank account information, of 2.3 million disaster victims. The breach occurred because FEMA did not ensure a private contractor only received the information it required to perform its official duties. The victims affected include survivors of Hurricanes Harvey, Irma, and Maria and the 2017 California wildfires. The report found FEMA's failure to protect their data put them at risk of identity theft and fraud. According to the report, some of the data collected, such as addresses and Social Security numbers, were necessary to give aid. but other information, like electronic bank account information, was not considered necessary.

Description: A Department of Justice employee's email account was compromised by a hacker, who took 200GB of data, including records of 20,000 FBI workers and 9,000 DHS employees. Delving deeper into the archive, one finds information about DHS security experts, programme analysts, IT, infosec, and security, as well as 100 individuals who hold the title of intelligence. Motherboard claims that a hacker gained access to a Department of Justice employee's email account. As evidence, the hacker used the hacked account to send the email directly to Motherboard contributor Joseph Cox. The apparent job titles, names, phone numbers, and email addresses of over 9,000 purported Department of Homeland Security (DHS) workers and over 20,000 purported FBI employees.

Description: The lapse of the Cybersecurity Information Sharing Act (CISA 2015) and the State and Local Cybersecurity Grant Program, combined with a staffing reduction to under 900 employees (from ~2,500) due to government funding expiration, has left CISA critically under-resourced. Without liability protections for private-sector threat-sharing, companies may hesitate to report cyber threats, increasing systemic vulnerabilities. The absence of grant funding further weakens state/local defenses (e.g., hospitals, schools, water systems), raising risks of cascading disruptions. Experts warn of potential major cyberattacks during this period, with CISA lacking sufficient personnel to respond effectively. Legal uncertainties (e.g., antitrust exposure, FOIA disclosures) and reduced real-time intelligence-sharing exacerbate the threat landscape, particularly for critical infrastructure. Senators and industry leaders emphasize the urgency of reauthorization, citing risks to national/economic security, but partisan delays persist.