With the end of the government shutdown comes reauthorization of the Cybersecurity and Infrastructure Security Agency. The Department of Homeland Security agency has released a series of cybersecurity advisories and threat alerts for sectors, including healthcare.
CISA and the American Hospital Association this week offered hospitals and health systems updated guidance to defend against a new threat from Akira ransomware. The agency also released alerts for application security teams, including some needed patches for actively exploited Fortinet devices and Microsoft operating system vulnerabilities.
Information sharing did not stop during the 43-day government shutdown, but as Henry Young, senior director of policy at the Business Software Alliance (BSA), told Federal News Network, it had slowed down. He and others said they are urging Congress to authorize the CISA 2015 cyber information sharing law for the long term.
Mitigate against Akira ransomware
Akira, a lucrative cyberattack software service in operation since 2023, has been used in attacks on small to medium-sized businesses and critical infrastructure entities. As of late September, the group claimed that it amassed approximately $244.17 million in ransomware proceeds.
Following recent attacks, CISA, the FBI, the Department of Defense Cyber Crime Center, the Department of Health and Human Services and international partners said threat actors are stepping up their attacks on VMware Elastic Sky X Integrated (ESXi) virtual machines at healthcare and public health organizations, among others in education, information technology and financial services.
By encrypting Nutanix AHV VM disk files for the first time, threat actors using Akira are expanding on their past focus on Linux variant targeting. The agencies are recommending mitigations to reduce the likelihood and impact of Akira ransomware incidents.
"Akira relies primarily on brute force attacks on virtual private networks without multi-factor authentication enabled to gain initial access, and then they exploit known vulnerabilities in victim systems," Scott Gee, the AHA's deputy national advisor for cybersecurity and risk, said in a statement on Friday. "Hospitals should ensure that their VPNs are properly configured and that they are quickly addressing published common vulnerabilities and exposures."
Akira threat actors are associated with other groups known as Storm-1567, Howling Scorpius, Punk Spider and Gold Sahara, the agencies said in the advisory, and may have connections with the thought-to-be-defunct Conti ransomware group.
Critical zero-day remediation advised
Fortinet's FortiWeb web application firewall devices are being actively exploited in the wild with a proof-of-concept exploit tool posted to GitHub over the weekend. Threat actors can use it to gain unauthorized access to networks and attempt to exfiltrate data or deploy malware.
CISA added the known exploited vulnerability, CVE-2025-64446, to the catalog on Friday.
"This type of vulnerability is a frequent attack vector for malicious cyber actors," the agency said in the alert, directing federal agencies to follow the company's remediation processes. CISA added that it "strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice."
Privilege escalation flaw in Windows
Also last week, CISA added three zero-day exploits to its KEV catalog, including a Windows OS kernel flaw that Microsoft announced on the November Patch Tuesday along with security update patches marked important.
CISA's alert highlights CVE-2025-62215, also known as the Microsoft Windows Race Condition Vulnerability, along with two other newly discovered flaws in other companies' software.
"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally," the KEV catalog said.
"An attacker who successfully exploited this vulnerability could gain system privileges," Microsoft said.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.


