CyberSecure Specialist

CISA Releases Fact Sheet Detailing Embedded Backdoor Function of Contec CMS8000 Firmware

CISA released a fact sheet, Contec CMS8000 Contains a Backdoor, detailing an analysis of three firmware package versions of the Contec CMS8000, a patient monitor used by the U.S. Healthcare and Public Health (HPH) sector. Analysts discovered that an embedded backdoor function with a hard-coded IP address, CWE – 912: Hidden Functionality (CVE-2025-0626), and functionality that enables patient data spillage, CWE – 359: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2025-0683), exists in…

Read More

A Tumultuous Week for Federal Cybersecurity Efforts

Image: Shutterstock. Greg Meland. President Trump last week issued a flurry of executive orders that upended a number of government initiatives focused on improving the nation’s cybersecurity posture. The president fired all advisors from the Department of Homeland Security’s Cyber Safety Review Board, called for the creation of a strategic cryptocurrency reserve, and voided a Biden administration action that sought to reduce the risks that artificial intelligence poses to consumers, workers and national security. On…

Read More

Privacy-Preserving Federated Learning – Future Collaboration and Continued Research

Reflections and Wider Considerations This is the final post in the series that began with reflections and learnings from the first US-UK collaboration working with Privacy Enhancing Technologies (PETs). Since the PETs Prize Challenges, the ecosystem around these technologies has continued to develop, with a shift from more theoretical and academic conversations to greater uptake and consideration of PETs. Since our first post in December of 2023, this series has explored a variety of practical considerations…

Read More

MasterCard DNS Error Went Unnoticed for Years

The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals. A DNS lookup on the domain az.mastercard.com on Jan. 14, 2025 shows the mistyped…

Read More

CISA and FBI Release Advisory on How Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

CISA, in partnership with the Federal Bureau of Investigation (FBI), released Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications. This advisory was crafted in response to active exploitation of vulnerabilities—CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities—in Ivanti Cloud Service Appliances (CSA) in September 2024. CISA, and the use of trusted third-party incident response data, found that threat actors chained the listed vulnerabilities to…

Read More

CISA and FBI Release Updated Guidance on Product Security Bad Practices

In partnership with the Federal Bureau of Investigation (FBI), CISA released an update to joint guidance Product Security Bad Practices in furtherance of CISA’s Secure by Design initiative. This updated guidance incorporates public comments CISA received in response to a Request for Information, adding additional bad practices, context regarding memory-safe languages, clarifying timelines for patching Known Exploited Vulnerabilities (KEVs), and other recommendations. While this voluntary guidance is intended for software manufacturers who develop software products…

Read More

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states. Last week, the Massachusetts Department…

Read More

CISA and Partners Release Call to Action to Close the National Software Understanding Gap

Today, CISA—in partnership with the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA)—published Closing the Software Understanding Gap. This report urgently implores the U.S. government to take decisive and coordinated action.  Software understanding refers to assessing software-controlled systems across all conditions. Mission owners and operators often lack adequate capabilities for software understanding because technology manufacturers build software that…

Read More

CISA Releases Microsoft Expanded Cloud Logs Implementation Playbook

Today, CISA released the Microsoft Expanded Cloud Logs Implementation Playbook to help organizations get the most out of Microsoft’s newly introduced logs in Microsoft Purview Audit (Standard). This step-by-step guide enables technical personnel to better detect and defend against advanced intrusion techniques by operationalizing expanded cloud logs.  The playbook details analytical methodologies tied to using these logs. Specifically, the playbook offers: An overview of the newly introduced logs in Microsoft Purview Audit (Standard) that enable…

Read More

Microsoft: Happy 2025. Here’s 161 Security Updates

Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017. Rapid7‘s Adam Barnett says January marks the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of…

Read More