Senators try to save cyber threat sharing law, sans government funding

Also, DraftKings gets stuffed, Zimbra collab software exploited again, and Apple bug bounties balloon

in brief A bipartisan Senate duo has introduced a bill to revive and extend America's cyber threat-sharing law for another ten years after its authorization lapsed during the government shutdown.

Senators Gary Peters (D-MI) and Mike Rounds (R-SD) introduced the Protecting America from Cyber Threats (PACT) Act in the upper legislative chamber on Thursday. The brief bill would extend the Cybersecurity Information Sharing Act of 2015 (CISA) by ten years - from September 30, 2025, to September 30, 2035 - and proposes renaming it as the PACT Act throughout the US code.

Renewal of the CISA law had been bundled with the continuing resolution that funds the federal government; when the Senate failed to pass that resolution and the government shut down, the law lapsed with it. Peters and Rounds want it extended without waiting for the government to reopen.

The CISA law, for those unfamiliar, establishes a framework and legal protections for companies to share threat indicators with the government and each other. It's considered a crucial part of US cybersecurity policy by many, but detractors have long expressed worry over a lack of privacy protections for customer data that may get caught up in threat intel shared with Uncle Sam. Federal agencies also have the right to use information shared under the CISA law for the prosecution of certain crimes beyond cyber threats - another sticking point for those who want the law to die and never come back.

Peters doesn't appear to see it that way: He believes renewing the CISA law, or transforming it into PACT Act, is critical. 

"This bipartisan bill renews a proven framework that has helped defend critical networks at our hospitals, financial systems, and energy grids from cyberattacks for a decade," Peters said. "We must quickly renew these longstanding cybersecurity protections … to ensure we are prepared to defend our national and economic security against relentless attacks from cybercriminals and foreign adversaries."

Whether the federal cybersecurity staff who would administer a renewed law are still on the job during the shutdown is another matter altogether, and it is not clear whether the bill will pass.

Hackers favored -200 to steal your data after DraftKings breach

Online sports betting outfit DraftKings acknowledged this week that cybercriminals accessed some accounts using credential stuffing.

To be fair, this incident isn't necessarily DraftKings' fault - attackers reused credentials stolen elsewhere, a classic case of customers' poor password hygiene, according to the breach letter sent to Massachusetts residents this week. Services can blunt stuffing on their side, though, with login rate limiting, screening of new passwords against known-breached lists, and multi-factor authentication, none of which the letter addresses.

Per the letter, the attackers broke in "by stealing login credentials from a non-DraftKings source and using them in this attack." That's the definition of credential stuffing, which relies on spamming login portals with credentials stolen from other attacks in the hope that some will work. It appears they did in this case. 

DraftKings said that by accessing user accounts, criminals may have been able to view names, addresses, phone and email details, dates of birth, profile photos, past transactions, balances, and the last four digits of payment cards - enough information to fuel further identity-theft attempts.

Affected users have been notified to change their passwords, the letter indicates. 
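The signal that separates credential stuffing from a brute-force attack is in the account names, not the volume: one source fails logins against many distinct usernames, typically one guess each, while a brute-forcer hammers one account and a fat-fingered user fails a few times on their own. The check below runs that logic over login records and then lists the accounts where the attacker got in. It is an added example, not DraftKings' code; the log format and every line in it are constructed for the demo.

```python
"""Detect credential stuffing in a web login log.

Added example (not DraftKings' code). The log format and the lines
in constructed_log() are made up for the demo. Signal used: one
source IP failing logins against many *distinct* usernames inside a
short sliding window. A brute-force run against one username and a
legitimate user mistyping a password do not trip it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log():
    """Build sample lines: '<ISO time> <source ip> <username> <ok|fail>'."""
    base = datetime(2025, 10, 15, 3, 0, 0)
    lines = []
    # Stuffing: one reused password per account, a new account every 10 s.
    victims = ["amy", "ben", "carol", "dan", "eve", "fay",
               "gus", "hal", "ivy", "jon", "kim", "lee"]
    for i, user in enumerate(victims):
        result = "ok" if user == "carol" else "fail"   # carol reused her password
        stamp = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{stamp} 198.51.100.7 {user} {result}")
    # Brute force: one account, many guesses, one source.
    for i in range(15):
        stamp = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{stamp} 192.0.2.9 bob fail")
    # A real user who mistypes twice and then gets in.
    for i, result in enumerate(["fail", "fail", "ok"]):
        stamp = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{stamp} 203.0.113.5 alice {result}")
    return lines


def parse(lines):
    """Yield (timestamp, ip, user, succeeded) tuples; skip malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        yield datetime.fromisoformat(ts), ip, user, result == "ok"


def detect_stuffing(events, window=timedelta(minutes=5), min_distinct_users=10):
    """Return {ip: stats} for sources whose failures hit at least
    min_distinct_users different usernames inside a sliding window."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user) failures in window
    flagged = {}
    for ts, ip, user, ok in sorted(events):
        if ok:
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_distinct_users and ip not in flagged:
            flagged[ip] = {"first_failure": q[0][0],
                           "failures": len(q),
                           "distinct_users": len(distinct)}
    return flagged


def takeovers(events, flagged):
    """Accounts that logged in successfully from a flagged source: the
    reused credentials that need a forced reset and a session revoke."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    events = list(parse(constructed_log()))
    hits = detect_stuffing(events)
    for ip, stats in hits.items():
        print(f"stuffing from {ip}: {stats['failures']} failures "
              f"across {stats['distinct_users']} accounts")
    print("accounts to reset:", sorted(takeovers(events, hits)))
```

In practice the threshold is tuned per site and the per-IP view is only the first cut: stuffing tools spread attempts across residential proxy pools, so the same counts are usually also kept per user agent, per ASN and globally, where a sudden rise in distinct-username failures with a flat per-IP rate is the tell.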

Zimbra Collaboration exploited again

It was just over a year ago that open-source collaboration suite Zimbra was hit by a mass-exploited remote-code-execution bug, and now it's under fire again - this time from a previously unknown cross-site-scripting flaw that attackers have already exploited in the wild.

The US Cybersecurity and Infrastructure Security Agency added CVE-2025-27915 to its Known Exploited Vulnerabilities catalog this week, following a report from threat intel firm StrikeReady that the vulnerability, which relies on malicious ICS calendar files, was being exploited against the Brazilian military.

According to the CVE entry, this time the issue is a stored cross-site scripting vulnerability caused by insufficient sanitization of HTML content carried in an ICS file: the JavaScript sits in an ontoggle event handler on a <details> element embedded in the calendar data. If a user merely views an email containing the malicious calendar invite, the script runs inside the user's webmail session with the user's privileges.

"As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration," according to NVD's CVE entry.

The vulnerability affects the Classic Web Client in Zimbra Collaboration 9.0, 10.0, and 10.1. Patches are available. 
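The fix is Zimbra's patch, which sanitizes the HTML before the Classic Web Client renders it, but a mail gateway or a threat hunter can also check stored ICS attachments for the shape NVD describes. The scanner below is an added example, not Zimbra's code: it unfolds the ICS content lines (RFC 5545 folds long lines and continues them with a leading space, which defeats a naive grep over raw lines), decodes the TEXT escapes, and then looks for event-handler attributes, script elements and javascript: URLs in the free-text properties. The sample invite is constructed; its DESCRIPTION carries a <details> element with an ontoggle handler, as in the CVE description, but with a harmless alert(1) standing in for any real payload.

```python
"""Scan an ICS calendar attachment for embedded HTML that carries script.

Added example, not Zimbra's code. SAMPLE_ICS and BENIGN_ICS are
constructed; the only thing taken from the CVE description is the
shape of the markup (an ontoggle handler on a <details> element).
The ontoggle attribute is deliberately split across an ICS line fold
so that the unfolding step, not just the regex, is exercised.
"""
import re

SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-example-1\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION:Agenda attached.<details open ontog\r\n"
    " gle=\"alert(1)\">see notes</details>\r\n"      # folded continuation line
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "DESCRIPTION:Bring the Q3 numbers\\, please.\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Free-text properties a client may render as HTML (X-ALT-DESC is the
# non-standard "HTML description" several clients emit).
TEXT_PROPERTIES = {"DESCRIPTION", "SUMMARY", "LOCATION", "COMMENT", "X-ALT-DESC"}

MARKUP_PATTERNS = {
    "event handler attribute": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "script element": re.compile(r"<script\b", re.I),
    "javascript: URL": re.compile(r"(?:href|src)\s*=\s*[\"']?\s*javascript:", re.I),
}


def unfold(ics_text):
    """RFC 5545 section 3.1: a line break followed by a space or tab
    continues the previous content line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def unescape(value):
    """RFC 5545 section 3.3.11 TEXT escapes: \\n or \\N, \\, , \\; and \\\\."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in "nN":
                out.append("\n")
            elif nxt in ",;\\":
                out.append(nxt)
            else:
                out.append(c + nxt)   # unknown escape: keep it literally
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def split_content_line(line):
    """Split 'NAME;PARAM="a:b":value' at the first colon outside quotes."""
    in_quotes = False
    for i, c in enumerate(line):
        if c == '"':
            in_quotes = not in_quotes
        elif c == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return None


def properties(ics_text):
    """Yield (NAME, params, raw value) for each content line."""
    for line in unfold(ics_text).splitlines():
        parts = split_content_line(line)
        if parts is None:
            continue
        head, value = parts
        name, _, params = head.partition(";")
        yield name.upper(), params, value


def scan_ics(ics_text):
    """Return [(property, finding, matched text)] for suspicious markup."""
    findings = []
    for name, _params, raw in properties(ics_text):
        if name not in TEXT_PROPERTIES:
            continue
        value = unescape(raw)
        for label, pattern in MARKUP_PATTERNS.items():
            m = pattern.search(value)
            if m:
                findings.append((name, label, m.group(0)))
    return findings


if __name__ == "__main__":
    for prop, label, text in scan_ics(SAMPLE_ICS):
        print(f"{prop}: {label}: {text!r}")
    print("benign invite findings:", scan_ics(BENIGN_ICS))
```

Note that `"ontoggle"` does not appear anywhere in the raw SAMPLE_ICS text, only in the unfolded version, which is why a detector has to parse the format rather than grep the attachment. The patterns are a hunt check and will miss obfuscated markup; they are no substitute for sanitizing HTML with an allowlist at render time.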

Find a worm in your Apple? The bounty just doubled

Bounty hunters, start your engines: Apple announced a doubling of its maximum bug bounty payout this week along with new bounty categories, meaning you could pull down more than $5 million for a thorough enough exploit demo.

The biggest payout is reserved for researchers capable of replicating the kind of sophisticated exploit chains used by mercenary spyware: the pricey kits, typically wielded by state actors, that are aimed at only a handful of high-value targets. A $2 million award is now available for exploit chains that can "achieve similar goals," Apple said. 

"Additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software can more than double this reward, with a maximum payout in excess of $5 million," Apple added. 

In addition to those top-tier payouts, Apple is upping rewards across the board, offering $100,000 for a complete Gatekeeper bypass and $1 million for "broad unauthorized iCloud access," and says no one has yet demonstrated a successful exploit in either category.

New categories, such as one-click WebKit sandbox escapes and wireless proximity exploits, are also being added; all of the changes take effect next month. 

"Until the updated awards are published online, we will evaluate all new reports against our previous framework as well as the new one, and we'll award the higher amount," Apple said - so don't sit on that big discovery. ®
