SANS NewsBites

Microsoft: US Rural Hospitals Need $75M to Strengthen Cybersecurity; Apple Challenges Alleged UK Backdoor Order; US Financial Orgs Urge CISA to Revise CIRCIA

March 7, 2025  |  Volume XXVII - Issue #18

Top of the News

2025-03-06

Microsoft: US Rural Hospitals Need $75M to Achieve Baseline Cybersecurity

There are roughly 2,100 rural hospitals in the US; of those, about 1,000 are independent hospitals, meaning that they are not part of a larger network that can help absorb the cost of and pass along security upgrades. Last year, Microsoft launched their Cybersecurity for Rural Hospitals Program, which offers 'free cybersecurity assessments, cybersecurity training, Microsoft security product discounts, and AI solutions designed to promote hospital resiliency.' In a paper published earlier this week, Microsoft shares insights gained from their work with participating hospitals. Microsoft's data indicate that 20 percent of hospitals experience increased patient mortality following cyberattacks. When rural hospitals experience cyberattacks, people have to travel farther for care, and this also contributes to negative outcomes for patients. Microsoft estimates rural hospitals would have to spend between $30,000 and $40,000 to bring their cybersecurity postures to basic standards. 'This would include implementing MFA, unified identity management, and separating user and privileged accounts so that the most common attacks could be largely mitigated.'

Editor's Note

Microsoft is to be commended for investing in its Cybersecurity Program for Rural Hospitals, which provided free assessments and free/discounted Microsoft security products. But some context: The report recommends $75M of near-term fixes to rural hospital systems, which works out to be less than three hours of Microsoft's 2024 revenue or 4.5% of its 2024 advertising budget. Imagine if Microsoft and other IT companies reduced the ads touting AI by 4.5% and applied the savings to directly helping their customers achieve the key recommendations of this report: 'addressing basic cyber hygiene through tools and policies such as MFA, unified identity management and separation of user and privileged accounts.'

John Pescatore

Good on MSFT for shining a light on the cyber-underserved rural hospitals. The report confirms many of our collective suspicions on the state of cybersecurity within this community. Conducting a free security assessment only goes so far; who's stepping up to *actually* fix the problems identified? With how things are going in the Federal space, that 'cash cow' may no longer be available.

Curtis Dukes

Rural hospitals serve about 14% of the US Population, are often the largest employer in their community and operate on extremely thin margins, making that $30-40K almost unobtainable. When they are unavailable, due to service outage or closure, patients have to drive an additional 20 to 40 miles for services. Of the 2100 rural hospitals identified, more than 500 have signed up for Microsoft's program which includes both security assessments and discounts on licenses and support. This also underscores the value of efforts to require systems (IT, OT, etc.) be secure in their default configuration, raising the bar for small business and home users.

Lee Neely

This has been on my mind for the last 2 decades. Hospitals have a terrible track record regarding cybersecurity, and rural hospitals are not doing any better; they are significantly underfunded.

Moses Frost

"An ounce of prevention is worth a pound of cure."

William Hugh Murray

2025-03-05

Apple Appeals to Independent Tribunal Over UK Encryption Access

The Financial Times reports that nearly simultaneously with Apple's February 24 withdrawal of Advanced Data Protection (ADP) from the UK over a reported government order demanding backdoor access to end-to-end encrypted (E2EE) cloud data, the company also filed an appeal with the UK's Investigatory Powers Tribunal (IPT), aimed at overturning the order. The IPT is "an independent judicial body that oversees legal complaints against potential unlawful actions by a public authority or UK intelligence services." Apple's withdrawal of ADP from the UK alone would not constitute full compliance with the reported order, though the UK government has not acknowledged the existence of the order, an alleged Technical Capability Notice (TCN) under the Investigatory Powers Act 2016.

Editor's Note

A necessary and prudent assumption is that, while the UK government cannot read all the traffic that it might like, it, indeed many nation states, can read anything that it wants to read badly enough. Three observations: First, this is about the efficiency of cryptanalysis. Said another way, it is about who is going to pay for code breaking. This directive is about transferring cost from the government to Apple, their competitors, and their customers. Second, assertions to the contrary notwithstanding, this is more about surveillance than about investigation. While it may even be well intended, it will create a capability that will invite abuse, an invitation that bureaucracy will not resist. Third, such a capability will break communication security in a fundamental way; it is demonstrable that the UK government cannot restrict access and use of such a capability to itself. It will be the most attractive target in the world. Those who are successful in breaching it are not likely to talk about it. We are lucky to have Apple, and its competitors, to fight this battle for us.

William Hugh Murray

It is good to see Apple pushing back. There is still a bit of secret-squirrel here as the UK Home Office continues to refuse to confirm or deny the existence of the notice to provide this backdoor, and under their Investigatory Powers Act of 2016, a.k.a. the Snooper's Charter, Apple is prevented from revealing details about the request. While it is expected the case will be heard this month, it is possible the results will be restricted on the grounds of national security.

Lee Neely

This was to be expected. Removing ADP from the UK market only satisfies one part of the order. AAPL would still be required to provide access to data on UK citizens outside of the UK; in effect making the backdoor available to every country. Given that it's a duly enacted law, I'm not sure that the IPT will be able to overturn the order. What, if any, response the US has will be the next piece that falls into place.

Curtis Dukes

2025-03-06

US Financial Sector Orgs Ask CISA to Rescind and Reissue CIRCIA Implementation

An open letter from several US financial sector organizations urges the Cybersecurity and Infrastructure Security Agency (CISA) to rescind and reissue a proposed rule that was published in the Federal Register last spring. The rule would implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which would require covered financial sector entities to report 'substantial cyber incidents' within 72 hours and ransom payments within 24 hours. CIRCIA is set to take effect in October 2025. The signatories 'believe the proposed rule will have significant and detrimental repercussions if not substantially revised, ... [and] ask[s] that [CISA] work with industry to craft a new rule that allows a victim company to focus its resources on responding to an attack rather than filing government reports.'

Editor's Note

Here's a thought: If companies reduced their spending on creative marketing writers who produce those post-incident 'Due to an abundance of caution' press releases, they would have the funds available for post-incident reporting to CISA. Another thought: On the government side, before enacting CIRCIA, CISA needs to show progress on federal 'harmonization' of cyber incident reporting recommended in CISA's September 2023 'Harmonization of Cyber Incident Reporting to the Federal Government' report, aimed at reducing duplicative reporting burdens.

John Pescatore

There always needs to be a balance between response and reporting, and ideally the team reporting to regulators should not be impacting the response efforts. The requirements, as stated, appear to parallel SEC requirements. The core argument appears to be that the reporting requirement (as implemented) exceeds the desired intent. That said, I suspect the requirement for financial institutions to report ransomware payments, which likely would mean they violated OFAC rules, would be a deal breaker in this case. Hopefully a compromise can be reached.

Lee Neely

Well played by the various banking and financial associations to potentially delay or remove reporting requirements of the CIRCIA statute. I for one don't believe that a 72-hour reporting window would cause harm to the company. A similar reporting requirement mandated as part of the SEC rule changes doesn't seem to have had a material impact on financial institutions. The associations are simply playing the long game to minimize any sort of regulatory oversight, and that's their job.

Curtis Dukes

The Rest of the Week's News

2025-03-04

VMware Hypervisor Escape Flaws Under Exploit

Broadcom has released patches for three VMware vulnerabilities, stating in an FAQ that there is evidence to suggest exploitation of the flaws in the wild; the Cybersecurity and Infrastructure Security Agency (CISA) has since added all three to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities affect VMware ESXi, Workstation Pro/Player, Fusion, Cloud Foundation, and Telco Cloud Platform, and when chained together would allow an attacker to escape the sandbox of a virtual machine (VM) to compromise the hypervisor and other hosted machines. All three flaws require the attacker to already have local administrative privileges on the guest VM. CVE-2025-22224, CVSS score 9.3, allows an attacker to execute code as the VM's VMX process running on the host, due to a Time-of-Check Time-of-Use (TOCTOU) vulnerability permitting an out-of-bounds write. CVE-2025-22225, CVSS score 8.2, allows an attacker to escape the sandbox via an arbitrary write vulnerability in the VMX process. CVE-2025-22226, CVSS score 7.1, allows an attacker to leak memory from the VMX process by exploiting an information disclosure vulnerability, an out-of-bounds read in HGFS. Microsoft Threat Intelligence reported the flaws to Broadcom. Neither CISA nor Broadcom has provided specifics beyond confirming known exploitation. A matrix of fixed versions per product appears in Broadcom's advisory.

Editor's Note

There is no public release for this combination of exploits, but ransomware actors are actively using this to do VM escape and get onto networks. I have so many thoughts on this. One of them is that I hope companies can get to the patches since the 'Broadcomization' of VMware has not gone so smoothly. The second one is that people must patch ESXi, which is not commonly done. Many companies co-mingle 'DMZ' and internal systems on the same ESXi host, which makes this particularly dangerous.

Moses Frost

In short, an attacker with admin privileges on your VM could use the flaws to escape the hypervisor and access the host or other VMs. There are no workarounds other than to apply the updates. The ESXi updates are cumulative, so you need only apply the latest update. Note that while VMware Fusion is only subject to CVE-2025-22226, you should make sure the update is installed there as well. Not a bad idea to check for 'free' ESXi installations, not managed by vCenter, etc., to make sure they are also updated.

Lee Neely

2025-03-06

Elastic Updates Kibana to Address Critical Prototype Pollution Flaw

Elastic has released updates for Kibana to address a critical prototype pollution vulnerability that 'leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.' The vulnerability affects Kibana versions 8.15.0 through 8.17.2; users are urged to update to Kibana version 8.17.3. Users who are unable to upgrade should 'set xpack.integration_assistant.enabled: false in Kibana's configuration.'
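The advisory names prototype pollution but does not show what the bug class looks like. As an added example (written for this issue, not Kibana's code, and not a reproduction of CVE-2025-25015), the following JavaScript shows the classic sink, a recursive merge of attacker-controlled JSON into a configuration object, next to a hardened version. The JSON payload and the `isAdmin` property are constructed for illustration.

```javascript
// Added example (not Kibana's code): the prototype-pollution bug class next
// to a hardened merge. The JSON payload and the isAdmin property are
// constructed for illustration and do not reproduce CVE-2025-25015.

// Attacker-controlled input, e.g. a parsed request body. JSON.parse creates
// an *own* property literally named "__proto__", which is what the unsafe
// merge below then walks into.
const MALICIOUS_JSON = '{"name":"report","__proto__":{"isAdmin":true}}';

// Vulnerable: recursive merge with no key filtering. target["__proto__"]
// resolves to Object.prototype, so the nested object is merged into it and
// every object in the process inherits isAdmin.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, only recurse into
// plain objects, and only reuse an existing target child if it is an own,
// plain-object property (never something inherited).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run the payload through each merge and report whether an unrelated, freshly
// created object now "has" isAdmin, i.e. whether Object.prototype was polluted.
function runUnsafe() {
  const config = unsafeMerge({}, JSON.parse(MALICIOUS_JSON));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;   // undo the damage so the process stays usable
  return { polluted, name: config.name };
}

function runSafe() {
  const config = safeMerge({}, JSON.parse(MALICIOUS_JSON));
  return { polluted: ({}).isAdmin === true, name: config.name };
}

console.log('unsafe merge:', runUnsafe());   // polluted: true
console.log('safe merge:  ', runSafe());     // polluted: false
```

Turning off the affected feature, as the workaround above does, removes one reachable path to a sink like `unsafeMerge`; the durable fix is the key filtering and own-property checks in `safeMerge`, applied to every place user-supplied objects are merged, with `Object.freeze(Object.prototype)` at startup as defense in depth where dependencies tolerate it.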

Editor's Note

CVE-2025-25015, arbitrary code execution, CVSS score 9.9, is described as a case of prototype pollution, which is a security flaw that allows attackers to manipulate JavaScript objects and properties. Exploitation requires an authenticated user in a particular role depending on Kibana version; the easy fix is to update to Kibana 8.17.3. If you cannot update immediately, you can set the Integration Assistant flag to false, but you're still going to need to update.

Lee Neely

2025-03-07

HIMSS Healthcare Cybersecurity Survey

According to the results of the Healthcare Information Management Systems Society's (HIMSS's) 2024 Healthcare Cybersecurity Survey, more than half of the healthcare organizations responding said they plan to increase cybersecurity spending this year. Thirty percent of respondents plan to spend more than 7 percent of their IT budget on cybersecurity. In addition to cybersecurity budgets, the report looks at security awareness, security incidents, ransomware, artificial intelligence, third-party risks, and insider threats.

Editor's Note

This is a good trend, and the spend needs to be directed carefully based on risks. While unpatched vulnerabilities are often targeted, the survey found it is more common for employees to be targeted via e-mail phishing (63%), SMS phishing (34%), spear phishing (34%) and business email compromise (31%), meaning they are going to need to double down on effective security awareness training as well as technical controls to support that, such as perimeter and endpoint protections. HIPAA requires security awareness training; the survey indicated it was not always provided or, when provided, was ineffective. I am reminded of a friend who, after seven years of taking the annual cyber security training, finally clicked with this as being relevant to their job; we need to do better than that.

Lee Neely

Put this survey up against the recently released MSFT Rural Hospital Cybersecurity Landscape report and the cybersecurity problem doesn't look so bad. That is, if you place a lot of value on the survey; I don't. I guess rural hospitals aren't part of the majority to increase cybersecurity investment this year.

Curtis Dukes

2025-03-04

Polish Space Agency Offline After Cyberattack

In a post on X on Sunday, March 2, 2025, Poland's space agency (POLSA), a member of the European Space Agency, announced that they disconnected their network from the internet and notified relevant authorities following a cybersecurity incident. An anonymous source inside POLSA told The Register "the attack appears to be related to an internal email compromise and that staff are being told to use phones for communication instead." Poland's digitalization minister, Krzysztof Gawkowski, posted separately to note that the attack was detected by state cybersecurity services, and the agency's recovery and subsequent investigation will be supported by computer security incident response teams CSIRT NASK and CSIRT MON.

Editor's Note

POLSA is pulling in all the right people to help investigate and remediate the attack and has demonstrated support from Poland's Minister of Digital Affairs. The question is, do you know who you'd pull in, to include having needed public statements of support? Make sure their information is current and the players know what is expected. Don't forget to map out communication plans for scenarios where your websites are offline.

Lee Neely

2025-03-05

Threat Actors Targeted UAE Critical Infrastructure Organizations

An advanced persistent threat group targeted critical infrastructure organizations in the United Arab Emirates (UAE) through a malicious email campaign, according to researchers from Proofpoint. The campaign targeted 'fewer than five Proofpoint customers in the United Arab Emirates with a distinct interest in aviation and satellite communications organizations, along with critical transportation infrastructure.' The investigation led researchers to discover a backdoor they are calling Sosano; the 'campaign used polyglot files to obfuscate payload content, a technique that is relatively uncommon for espionage-motivated actors in Proofpoint telemetry and speaks to the desire of the operator to remain undetected.'
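The summary mentions polyglot files, and the editor's note below adds that the lure archive carried a double-extension XLS, without showing how either trick is caught. As an added example of triage logic (written for this issue; not Proofpoint's tooling and not derived from the Sosano samples), the following Python constructs a PDF/ZIP polyglot in memory, detects that it satisfies two format signatures, and flags archive members whose names hide a document extension in front of the real one. The signature table, the extension list and the sample archive are assumptions built for illustration.

```python
"""Polyglot and double-extension triage (added example; constructed data).

Not Proofpoint's tooling and not derived from the Sosano samples: it shows
the general technique of checking a file against several format signatures
at once and flagging archive members whose names end in a document
extension followed by something else.
"""
import io
import zipfile

# Assumed signature table for illustration. A polyglot is built so that two
# parsers each find their own magic, so we look in the head and tail windows
# rather than only at offset 0 (PE is the exception: MZ must be at offset 0).
SIGNATURES = {
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04", b"PK\x05\x06"],                 # local header / EOCD
    "ole": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],          # legacy .xls/.doc container
    "html": [b"<html", b"<!doctype html", b"<script"],
}
PE_MAGIC = b"MZ"

DOCUMENT_EXTS = {"pdf", "xls", "xlsx", "doc", "docx"}     # assumption: lure document types


def detect_formats(data: bytes, window: int = 4096) -> set:
    """Return every format whose signature appears in the head or tail window."""
    head, tail = data[:window], data[-window:]
    found = set()
    if data.startswith(PE_MAGIC):
        found.add("pe")
    for name, magics in SIGNATURES.items():
        haystacks = (head.lower(), tail.lower()) if name == "html" else (head, tail)
        if any(magic in hay for magic in magics for hay in haystacks):
            found.add(name)
    return found


def is_polyglot(data: bytes) -> bool:
    """A single honest file matches one format; two or more is the polyglot signal."""
    return len(detect_formats(data)) > 1


def has_deceptive_double_extension(filename: str) -> bool:
    """quote.xls.lnk -> True: a document extension hidden before the real one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOCUMENT_EXTS and outer not in DOCUMENT_EXTS


def build_pdf_zip_polyglot() -> bytes:
    """Constructed sample: a PDF header followed by a complete ZIP archive.

    zipfile locates the EOCD record from the end and tolerates prepended data,
    so the same bytes satisfy a 'starts with %PDF-' check and a ZIP reader.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quote.xls.lnk", b"placeholder member, not a real shortcut")
    return b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n" + buf.getvalue()


def triage(data: bytes) -> dict:
    """Combine both checks; open the ZIP side only if a ZIP signature is present."""
    formats = detect_formats(data)
    report = {"polyglot": len(formats) > 1, "formats": sorted(formats), "suspicious_members": []}
    if "zip" in formats:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["suspicious_members"] = [n for n in zf.namelist() if has_deceptive_double_extension(n)]
    return report


if __name__ == "__main__":
    print(triage(build_pdf_zip_polyglot()))
```

Running the block reports the constructed sample as a polyglot matching `pdf` and `zip` and lists `quote.xls.lnk` as a suspicious member. A gateway that only inspects the first bytes of a file, or only the final extension of a name, misses both; checking every signature window and every extension component is what closes the gap.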

Editor's Note

The email campaign relied on compromised email accounts sending messages that pointed to an impersonated domain's web server hosting the malicious ZIP file. The zip file contained ostensibly innocuous files, including an XLS that actually had a double extension and PDFs which were both polyglots, which are files that can be interpreted as multiple different formats depending on how they are read. This group is targeting aviation and satellite communications organizations as well as critical transportation infrastructure, focused on the UAE. Even so, have your threat hunters take a look at the IOCs; these were first detected in October of last year.

Lee Neely

Given the skillset and the nature of the payload, you have to think this was more targeted than opportunistic. Geopolitically, it's hard to tell what was behind this. Still, any disruption in things like oil in this area will have impacts downstream, given the current economic and military issues globally.

Moses Frost

2025-03-05

Researchers Disrupt Infrastructure Behind Badbox 2.0

Researchers from Human Security's Satori Threat Intelligence have detected a fraud operation involving a botnet of a million or more compromised Android devices. Satori, in collaboration with researchers from Google, Trend Micro, Shadowserver, and other partners, disrupted the campaign they call BADBOX 2.0. The botnet comprises more than a million backdoored Android TV devices. It was used to conduct several types of fraud schemes, including selling residential proxy services without users' permission, ad fraud, and click fraud.

Editor's Note

Categorize this as supply chain security. These are Android-based TV streaming devices, after-market car infotainment systems, etc., not smartphones, arriving through a supply chain compromise with malware pre-installed, although there are also cases of users installing 'evil twin' versions of legitimate apps, indicating these devices are not implementing Google's Play Protect services. The current takedown involves sinkholing the Badbox 2.0 Internet traffic, which is only a band-aid. The best approach is to purchase devices from well-known manufacturers, rather than generic off-brand devices.

Lee Neely

Many companies have Android-based devices for signage and displays. These are not just home users; keep that in mind.

Moses Frost

2025-03-05

Toronto Zoo Adds Detail on 2024 Breach

The Toronto Zoo has issued a "final notification" press release providing additional information about a data breach that occurred in January 2024, resulting in a dark web leak of data belonging to guests, members, employees, volunteers, and donors, in some cases going back over 20 years, impacting some former staff employed from 1989, and leading to the loss of "decades of wildlife conservation research." All guests and members who engaged in general admission and membership purchases had their data compromised, including "first and last names, ... street address information, phone numbers and e-mail address information; and (only for guests and members making credit card transactions between January 2022 and April 2023), the last four digits of credit card numbers and associated expiration dates." The Zoo is working with the City of Toronto's Chief Information Security Office to better secure their systems, and there is an open investigation file with the Office of the Information and Privacy Commissioner of Ontario.

Editor's Note

Almost anytime one does business online one leaves behind PII. Given the porous nature of our infrastructure, information that has leaked is actively traded for dimes to dollars. We cannot rely upon its secrecy for protection against application fraud or even identity theft. Consumers must lock their credit bureau records. Enterprises must notify consumers via text, e-mail, and post of all transactions or changes to their data. My observation is that few consumers have bothered to lock their credit bureau records but that business is doing a pretty good job of notifying consumers about activity involving their PII.

William Hugh Murray

The Akira ransomware gang has taken credit for the breach and has published the data on their dark web leak site. The Zoo is notifying current and former employees, as well as guests who were affected by the breach and offering credit monitoring. With summer vacation/travel not that far ahead of us, it'd be prudent to not only make sure that your monitoring is updated and in place, but also that you've configured alerts on your credit/debit cards for any unexpected activity.

Lee Neely

What's disappointing is that the final notification doesn't include any details on how the perpetrators gained access to the network, nor what cybersecurity defenses were in place. This sort of knowledge can be used by cyber defenders to strengthen others against future attack.

Curtis Dukes

Internet Storm Center Tech Corner

SANS Internet StormCast Friday, March 7, 2025

Chrome vs Extensions; Kibana Update; PrePw0n3d Android TV Sticks; Identifying APTs (@sans_edu, Eric LeBlanc)

https://isc.sans.edu/podcastdetail/9354

Latest Google Chrome Update Encourages uBlock Origin Removal

The latest update to Google Chrome not only disabled the uBlock Origin ad blocker, but also guides users to uninstall the extension instead of re-enabling it.

https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html

https://www.reddit.com/r/youtube/comments/1j2ec76/ublock_origin_is_gone/

Critical Kibana Update

Elastic published a critical Kibana update patching a prototype pollution vulnerability that would allow arbitrary code execution for users with the "Viewer" role.

https://discuss.elastic.co/t/kibana-8-17-3-security-update-esa-2025-06/375441

Certified PrePw0n3d Android TV Sticks

Wired reports that over a million Android TV sticks were found to be pre-infected with adware.

https://www.wired.com/story/android-tv-streaming-boxes-china-backdoor/

SANS.edu Research Paper

Advanced Persistent Threats (APTs) are among the most challenging to detect in enterprise environments, often mimicking authorized privileged access prior to their actions on objectives.

https://www.sans.edu/cyber-research/identifying-advanced-persistent-threat-activity-through-threat-informed-detection-engineering-enhancing-alert-visibility-enterprises/

SANS Internet StormCast Thursday, March 6, 2025

DShield ELK Analysis; Jailbreaking AMD CPUs; VIM Vulnerability; Snail Mail Ransomware

https://isc.sans.edu/podcastdetail/9352

DShield Traffic Analysis using ELK

The "DShield SIEM" includes an ELK dashboard as part of the Honeypot. Learn how to find traffic of interest with this tool.

https://isc.sans.edu/diary/DShield+Traffic+Analysis+using+ELK/31742

Zen and the Art of Microcode Hacking

Google released details, including a proof of concept exploit, showing how to take advantage of the recently patched AMD microcode vulnerability

https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking CVE-2024-56161

VIM Vulnerability

An attacker may execute arbitrary code by tricking a user into opening a crafted tar file in VIM.

https://github.com/vim/vim/security/advisories/GHSA-wfmf-8626-q3r3

Snail Mail Fake Ransom Note

A copycat group is impersonating ransomware actors. The group sends snail mail to company executives claiming to have stolen company data and threatening to leak it unless a payment is made.

https://www.guidepointsecurity.com/blog/snail-mail-fail-fake-ransom-note-campaign-preys-on-fear/

SANS Internet StormCast Wednesday, March 5, 2025

SMTP Credential Hunt; mac-robber.py update; ADSelfService Plus Account Takeover; Android Patch Day; PayPal Scams; VMWare Escape Fix

https://isc.sans.edu/podcastdetail/9350

Romanian Distillery Scanning for SMTP Credentials

A particular attacker expanded the scope of their leaked credential file scans. In addition to the usual ".env" style files, it is now looking for specific SMTP related credential files.

https://isc.sans.edu/diary/Romanian+Distillery+Scanning+for+SMTP+Credentials/31736

Tool Updates: mac-robber.py

This update of mac-robber.py fixes issues with symlinks.

https://isc.sans.edu/diary/Tool+update+macrobberpy/31738

CVE-2025-1723 - Account takeover vulnerability in ADSelfService Plus

CVE-2025-1723 describes a vulnerability caused by session mishandling in ADSelfService Plus that could allow unauthorized access to user enrollment data when MFA was not enabled for ADSelfService Plus login.

https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-1723.html

Android March Update

Google released an update for Android addressing two already exploited vulnerabilities and several critical issues.

https://source.android.com/docs/security/bulletin/2025-03-01

PayPal's no-code-checkout Abuse

PayPal's no-code-checkout feature is being abused by scammers to host PayPal tech support scam pages right within the PayPal.com domain.

https://www.malwarebytes.com/blog/scams/2025/02/paypals-no-code-checkout-abused-by-scammers

Broadcom Fixes Three VMware ESXi, Workstation, and Fusion Vulnerabilities

https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004