Cybersecurity dominated the news last week as CISA mandated action against Cisco zero-days and China-based espionage against critical infrastructure came into focus. Democrats on the Senate Homeland Security and Governmental Affairs Committee also called out the Elon Musk-led DOGE for violating privacy and cybersecurity rules earlier in the year.
CISA Emergency Directive Mandates Action on Cisco Zero-Days
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive on the exploitation of Cisco zero-day vulnerabilities, but the agency still hasn’t determined the scope of the attacks, which began almost a year ago. The impact could be vast, given that hundreds of firewalls across the federal government and critical infrastructure are vulnerable. Cisco has patched the flaws, but the directive requires organizations to take immediate action: identify all Cisco ASA platforms and follow CISA’s step-by-step Core Dump and Hunt Instructions Parts 1-3, among other measures.
Pair of China-based Global Espionage Campaigns Take Aim at Critical Infrastructure
China-based global espionage campaigns have been aimed at critical infrastructure, according to a pair of reports from security researchers. A 393-day campaign called Brickstorm was spotted by the Google Threat Intelligence Group, while Recorded Future’s Insikt Group details how RedNovember (which Microsoft tracks as Storm-2077) targeted perimeter appliances at organizations and deployed a Go-based backdoor on them. Defense contractors were among the victims of each campaign.
DOGE Trampled Cybersecurity and Privacy Rules
A report issued by Senate Homeland Security and Governmental Affairs Committee Democrats said Elon Musk’s DOGE violated federal requirements for protecting the personal data of Americans, “creating unprecedented privacy and cybersecurity risks,” when it ripped through the General Services Administration (GSA), Office of Personnel Management (OPM) and Social Security Administration (SSA) earlier this year. The report also cited a whistleblower’s assertion that by uploading a copy of Numident, a database housing sensitive personal data, without taking measures to guard against unauthorized access, DOGE put the likelihood of a “catastrophic adverse effect” at between 35 percent and 65 percent.
Salesforce Sued After Partner Breaches Result in Data Theft
A series of recently filed lawsuits—at least 14—is casting doubt on the security of Salesforce’s platform after a cascade of cyberattacks on the company’s partners, including Allianz, Workday, TransUnion and Pandora, led to stolen data. The class-action suits were filed in late September in federal court in Northern California by 23 plaintiffs who are customers of those partners. Salesforce executives have claimed repeatedly that the attacks by the likes of ShinyHunters and others weren’t the result of weaknesses in Salesforce technology.
DoD Changes the Tone of Risk With CSRMC
As promised earlier in the summer, the Defense Department has replaced its Risk Management Framework with a Cybersecurity Risk Management Construct (CSRMC) that focuses on continuous monitoring, DevSecOps and resilience. In structure it mirrors the five phases of DevSecOps (design, build, test, onboard and operations) and is underpinned by ten principles, including automation, continuous monitoring and continuous authority to operate (cATO). Developers had found the previous guidance too static and cumbersome.
Ransomware Groups ‘Retire,’ But May Have Regrouped
Claims of retirement by 15 ransomware groups on the underground BreachForums raised eyebrows and doubts. Criminal crews often announce retirements when the heat from law enforcement becomes too strong and then rebrand, so they can vanish under one name and reappear under another. These same groups, which include Scattered Spider and Lapsus$, have promised retaliation and vowed to fight for the release of their colleagues currently in custody. So security analysts remain deeply skeptical about the current “retirement” statements, which may serve as cover for operational resets. By shedding an old name, the hackers distance themselves from existing indictments and resurface with fresh branding.