CISA's Sunday Deadline and $21B in Losses: Why This Week's Security News Should Keep You Up at Night


Another week, another emergency CISA directive. If you’re in federal IT right now, you’ve probably already gotten the memo about patching that critical Ivanti EPMM vulnerability by Sunday. But here’s what’s really bothering me about this week’s security roundup – it’s not just the individual incidents, it’s the pattern they’re painting.

When Emergency Patches Become Routine

Let’s start with the elephant in the room. CISA ordered federal agencies to patch a critical vulnerability in Ivanti Endpoint Manager Mobile by Sunday – and this flaw has been actively exploited since January. Four days to patch a vulnerability that’s been in the wild for months? That’s not a patch cycle, that’s crisis management.

The really concerning part isn’t the tight timeline – we’ve all been there. It’s that this represents yet another Ivanti product with a critical security flaw. If you’ve been keeping score, Ivanti has had a rough year with multiple zero-days and emergency patches. At some point, we need to have serious conversations about vendor risk management and whether our current approach to evaluating security products is actually working.

For those of us managing enterprise environments, this should be a wake-up call about our patch testing procedures. Yes, four days is tight, but when CISA adds a flaw to its Known Exploited Vulnerabilities catalog and attaches a due date under BOD 22-01, it is stating that exploitation in the wild has already been confirmed, not predicting it. At that point the risk of not patching almost always outweighs the risk of a rushed deployment, and the honest question is whether your change process can get a tested fix onto internet-facing systems inside a four-day window at all. If it can’t, fix the process now rather than during the next emergency.
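One concrete way to make the KEV due date part of the process rather than a surprise: read it out of the catalog and compute the window. This is an added example, not code from the article or from CISA. The live catalog is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the entries embedded below are constructed placeholders in that schema (the CVE IDs, dates and descriptions are invented for the example and do not correspond to real entries) so that the script runs offline. For real use, replace `$feedJson` with the output of `Invoke-RestMethod` against that URL.

```powershell
# Added example (not from the article or from CISA): turn KEV catalog entries
# into a patch-window report. Constructed sample in the catalog's schema; the
# CVE IDs, dates and text below are placeholders, not real vulnerabilities.
$feedJson = @'
{
  "vulnerabilities": [
    {
      "cveID": "CVE-0000-00001",
      "vendorProject": "Ivanti",
      "product": "Endpoint Manager Mobile (EPMM)",
      "vulnerabilityName": "Placeholder entry (constructed for this example)",
      "dateAdded": "2026-05-13",
      "shortDescription": "Constructed sample, not a real vulnerability.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-05-17",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-0000-00002",
      "vendorProject": "ExampleVendor",
      "product": "Example Appliance",
      "vulnerabilityName": "Placeholder entry (constructed for this example)",
      "dateAdded": "2026-05-01",
      "shortDescription": "Constructed sample, not a real vulnerability.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-05-22",
      "knownRansomwareCampaignUse": "Known"
    }
  ]
}
'@

function Get-KevPatchWindow {
    param(
        [Parameter(Mandatory)] [string]   $Json,
        [datetime] $AsOf = (Get-Date).Date,
        [string[]] $ProductFilter = @()   # substrings matched against "vendorProject product"
    )
    $catalog = $Json | ConvertFrom-Json
    foreach ($v in $catalog.vulnerabilities) {
        $label = "$($v.vendorProject) $($v.product)"
        if ($ProductFilter.Count -gt 0 -and
            -not ($ProductFilter | Where-Object { $label -like "*$_*" })) { continue }

        # The catalog uses ISO dates (yyyy-MM-dd); parse explicitly rather than trusting culture.
        $added = [datetime]::ParseExact($v.dateAdded, 'yyyy-MM-dd', $null)
        $due   = [datetime]::ParseExact($v.dueDate,   'yyyy-MM-dd', $null)

        [pscustomobject]@{
            CVE            = $v.cveID
            Product        = $label
            Ransomware     = $v.knownRansomwareCampaignUse
            WindowDays     = ($due - $added).Days   # how long CISA gave agencies in total
            DaysRemaining  = ($due - $AsOf).Days    # negative means already overdue
            Overdue        = $due -lt $AsOf
            RequiredAction = $v.requiredAction
        }
    }
}

# Usage: everything matching "Ivanti", evaluated the day after the placeholder
# entry was added. The constructed entry shows a four-day window with three days left.
Get-KevPatchWindow -Json $feedJson -ProductFilter 'Ivanti' -AsOf ([datetime]'2026-05-14') |
    Format-List
```

The point of `WindowDays` is that it makes the abnormal cases visible: BOD 22-01’s routine window is measured in weeks, so an entry whose window is a few days is CISA telling you this one is different, and that number can drive a ticket priority automatically instead of relying on someone reading the memo.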

The $21 Billion Reality Check

Speaking of wake-up calls, the FBI’s latest cybercrime report dropped some sobering numbers. Nearly $21 billion in losses from over a million complaints in 2025. Let me put that in perspective – that’s roughly $20,000 per reported incident. And we all know that reported incidents are just the tip of the iceberg.

What really caught my attention was the breakdown: investment scams, business email compromise, and tech support scams are still driving the highest losses. These aren’t sophisticated nation-state attacks with zero-days and custom malware. These are social engineering attacks that work because they exploit human psychology, not software vulnerabilities.

This tells us something important about where we’re focusing our security efforts. We spend enormous amounts of time and money on technical controls – and rightfully so – but the biggest financial losses are coming from attacks that bypass most of our technical defenses entirely.

APT28’s New Tricks and Old Targets

On the nation-state front, APT28 is back with a new malware suite called PRISMEX targeting Ukraine and NATO allies. What’s interesting about this campaign isn’t just the targets – we expect Russian groups to go after Ukraine and NATO – but the techniques they’re using.

The combination of steganography (payloads hidden inside otherwise innocuous image files), COM hijacking (typically registering a per-user CLSID under HKCU so that a malicious DLL loads whenever a legitimate Windows component is instantiated), and legitimate cloud service abuse for command and control shows how sophisticated threat actors are adapting to our defenses. They’re not just finding new vulnerabilities; they’re finding new ways to hide in plain sight, using trusted services and obscure Windows features that most security tools don’t monitor closely.

For those of us doing threat hunting, this is a good reminder that we need to look beyond traditional indicators of compromise. A COM hijack doesn’t need a new service, scheduled task or Run key; it needs one registry value, so the hunt is a registry baseline and an image-load check, not a hash match. And when attackers use legitimate cloud services for C2, destination blocklists are useless and the question becomes which process on which host is talking to that service, and whether that pairing has ever been seen before.
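A starting point for the registry side of that hunt, as an added example that is not code from the article, the vendor write-up or any product: enumerate every per-user COM server registration and flag the two properties that make a hijack stand out. It assumes it is run on the Windows host under examination, in a 64-bit PowerShell session, as the user whose HKCU hive you want to inspect; the user-writable directory list is an assumption you should tune to your build.

```powershell
# Added hunting example; not from the article or any vendor tool.
# Per-user COM registrations live under HKCU:\Software\Classes\CLSID and are
# consulted before HKLM for that user, so writing an InprocServer32 value there
# redirects an existing CLSID to an attacker-controlled DLL. This lists every
# user-level server and shows whether it shadows a machine-wide entry and
# whether the binary sits somewhere the user can write.

$serverKeys = 'InprocServer32', 'LocalServer32'
# Assumed set of user-writable roots; extend for your environment.
$userDirs   = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData,
                "$env:USERPROFILE\Downloads") | Where-Object { $_ }

function Get-ComServerPath {
    param([string]$ClsidKey, [string]$ServerKey)
    $key = "$ClsidKey\$ServerKey"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    # The key's default value holds the DLL or EXE path.
    (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
}

function ConvertTo-BinaryPath {
    # LocalServer32 values can look like "C:\app.exe" /embedding; keep just the file.
    param([string]$Value)
    if (-not $Value) { return $null }
    $file = ($Value -replace '^"([^"]+)".*$', '$1') -replace '\s+[/-].*$', ''
    [Environment]::ExpandEnvironmentVariables($file.Trim())
}

function Test-UserWritableLocation {
    param([string]$Path)
    foreach ($d in $userDirs) {
        if ($Path -and $Path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($clsidKey in Get-ChildItem -LiteralPath 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue) {
    $clsid = $clsidKey.PSChildName
    foreach ($sk in $serverKeys) {
        $userValue = Get-ComServerPath -ClsidKey $clsidKey.PSPath -ServerKey $sk
        if (-not $userValue) { continue }
        $machineValue = Get-ComServerPath -ClsidKey "HKLM:\Software\Classes\CLSID\$clsid" -ServerKey $sk
        $binary = ConvertTo-BinaryPath $userValue
        [pscustomobject]@{
            CLSID        = $clsid
            ServerType   = $sk
            UserPath     = $userValue
            MachinePath  = $machineValue
            ShadowsHKLM  = [bool]$machineValue   # HKLM has the same CLSID: the classic hijack shape
            UserWritable = Test-UserWritableLocation $binary
            FileExists   = [bool]($binary -and (Test-Path -LiteralPath $binary))
        }
    }
}

# Shadowing plus a user-writable (or missing) binary is the combination to review first.
$findings |
    Sort-Object -Property @{Expression = 'ShadowsHKLM'; Descending = $true},
                          @{Expression = 'UserWritable'; Descending = $true} |
    Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: per-user installers for mainstream software legitimately register servers under LocalAppData, so `UserWritable` alone is noisy, while `ShadowsHKLM` on a CLSID that a common process instantiates at logon is the row worth pulling the DLL for. Run the same enumeration on a clean reference build and diff against it, and extend the key list to `TreatAs` redirects if you want the less common variant as well.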

The Mobile Fraud Explosion

Meanwhile, down in Latin America, mobile fraud is absolutely exploding. What’s particularly concerning is the speed of these attacks – criminals are moving from device compromise to account takeover to funds transfer faster than most financial institutions can detect and respond.

This isn’t just a regional problem. Latin America is often a testing ground for attack techniques that eventually make their way to other markets. The mobile-first nature of many emerging economies makes them perfect laboratories for refining mobile-based fraud techniques.

If you’re working in financial services or any industry that handles payments, pay attention to what’s happening in these markets. The techniques being perfected there will likely show up in your environment sooner than you think.

The Honeypot Arms Race

Finally, there’s an interesting technical note from the SANS Internet Storm Center about honeypot fingerprinting. The short answer to whether attackers can detect honeypots? Yes, they absolutely can.

This matters more than you might think. If we’re deploying honeypots as part of our detection strategy, we need to understand that sophisticated attackers are actively trying to identify and avoid them: default banners, canned responses to commands, and filesystems that never change are all tells. The arms race between honeypot operators and attackers is real, and it’s escalating on both sides. The consolation is that the fingerprinting itself is a signal; a connection that probes for honeypot tells and then leaves without doing anything is worth an alert even though the decoy never sees a payload.

What This Means for Us

Looking at these stories together, I see a few clear themes. First, our vendor risk management processes need serious attention. Second, we’re still losing the social engineering battle despite all our technical advances. Third, nation-state actors are getting better at hiding in legitimate infrastructure. And finally, mobile fraud techniques are evolving faster than our detection capabilities.

None of this is insurmountable, but it requires us to be honest about where our current approaches are falling short. Emergency patches shouldn’t be routine, but when they happen, we need processes that can handle them. Technical controls are crucial, but they can’t be our only defense against attacks that target humans. And our monitoring needs to evolve to catch attackers who are getting better at looking legitimate.
