InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Hackers breached a third-party contact center platform, stealing data from 6M customers. No credit cards or passwords were exposed, but the board still cut senior leader bonuses by 15%. The CEO alone lost A$250,000.
This isn't just an airline problem. It's a wake-up call: boards are now holding executives financially accountable for cyber failures.
Key lessons for leaders:
🔹 Harden your help desk: add multi-step verification and ban one-step resets.
🔹 Do a vendor "containment sweep": limit what customer data sits in third-party tools.
🔹 Prep customer comms kits: be ready to notify with clarity and speed.
🔹 Minimize sensitive data: don't let vendors store more than they need.
🔹 Enforce strong controls: MFA, device trust checks, and callback verification.
🔹 Report to the board: show vendor exposure, tabletop results, and timelines.
My take: Boards are done treating cybersecurity as "someone else's problem." Linking executive pay to cyber resilience is the fastest way to drive accountability. If you're an executive, assume vendor platforms are your systems, because when they fail, you're the one explaining it to customers and shareholders.
ASM Is Evolving Into Holistic, Proactive Defense
Attack Surface Management has grown from merely tracking exposed vulnerabilities to encompassing all digital assets: cloud systems, IoT devices, internal apps, corporate premises, and supplier infrastructure. Modern ASM solutions don't just catalog known risks; they continuously discover new assets and alert on changes in real time. This shift from reactive to proactive defense helps organizations anticipate threats before they materialize.
AI, Machine Learning & Threat Intelligence Drive Detection
AI/ML is now foundational in ASM tools, capable of scanning vast data sets to find misconfigurations, blind spots, and chained vulnerabilities faster than human operators could. Integrated threat-intel feeds then enrich these findings, enabling contextual prioritization: your team can focus on what top adversaries are actively attacking.
Zero Trust & Continuous Monitoring Are Essential
ASM increasingly integrates with Zero Trust principles, ensuring every device, user, or connection is verified before granting access. Combined with ongoing asset monitoring, both EASM (external) and CAASM (internal), this provides a comprehensive visibility framework. Such alignment enables security teams to detect unexpected changes or suspicious behaviors in hybrid environments.
Third-Party, IoT/OT & Shadow Assets in Focus
Attack surfaces are no longer limited to corporate servers. IoT and OT devices, along with shadow IT and third-party vendor infrastructure, are prime targets. ASM platforms now emphasize uncovering default credentials and misconfigured firmware, and standardizing access controls across partner ecosystems. This expanded view helps mitigate supply-chain and vendor-based risks.
ASM Is a Continuous Service, Not a One-Time Scan
Today's ASM is about ongoing exposure assessment. Whether delivered in-house or via ASM-as-a-Service, the goal is to map, monitor, validate, and remediate 24/7. Context-rich alerts backed by human-friendly dashboards empower teams to tackle the most critical risks first. While tools offer automation, the human element remains vital: security teams need to connect ASM findings to business context.
In short, ASM in 2025 is about persistent, intelligent, and context-aware attack surface management spanning internal environments, cloud, IoT, and third-party ecosystems. It blends AI-powered insights, Zero Trust philosophy, and continuous monitoring to detect vulnerabilities proactively and prioritize them based on real-world threat context.
"90% aren't ready for AI attacks, are you?", with remediation guidance at the end:
1. Organizations are lagging in AI-era security
A recent Accenture report warns that while AI is rapidly reshaping business operations, around 90% of organizations remain unprepared for AI-driven cyberattacks. Alarmingly, 63% fall into what Accenture labels the "Exposed Zone", lacking both a defined cybersecurity strategy and critical technical safeguards.
2. Threat landscape outpacing defenses
AI has increased the speed, scope, and sophistication of cyber threats far beyond what current defenses can manage. Approximately 77% of companies do not practice essential data and AI security hygiene, leaving their business models, data architectures, and cloud environments dangerously exposed.
3. Cybersecurity must be integrated into AI initiatives
Paolo Dal Cin of Accenture underscores that cybersecurity can no longer be an afterthought. Growing geopolitical instability and AI-augmented attacks demand that security be designed into AI projects from the very beginning to maintain competitiveness and customer trust.
4. AI systems need governance and protection
Daniel Kendzior, Accenture's global Data & AI Security lead, stresses the importance of formalizing security policies and maintaining real-time oversight of AI systems. This includes ensuring secure AI development, deployment, and operational readiness to stay ahead of evolving threats.
5. Cyber readiness varies sharply across regions
The report reveals stark geographic differences in cybersecurity maturity. Only 14% of North American and 11% of European organizations are deemed "Reinvention Ready," while in Latin America and the Asia-Pacific region, over 70% remain in the "Exposed Zone," highlighting major readiness disparities.
6. Reinvention-Ready firms lead in resilience and trust
The top 10% of organizations, the "Reinvention Ready" group, are demonstrably more effective at defending against advanced attacks. They block threats nearly 70% more successfully, cut technical debt, improve visibility, and enhance customer trust, illustrating that maturity aligns with tangible business benefits.
Implement accountability structures and frameworks tuned to AI risks, ensuring compliance and alignment with business goals.
Incorporate security into AI design
Embed protections into every stage of AI system development, from data handling to model deployment and infrastructure configuration.
Secure and monitor AI systems continuously
Regularly test AI pipelines, enforce encryption and access controls, and proactively update threat detection capabilities.
Leverage AI defensively
Use AI to streamline security workflows: automating threat hunting, anomaly detection, and rapid response.
Conduct maturity assessments by region and function
Benchmark cybersecurity posture across different regions and business units to identify and address vulnerabilities.
Commit to education and culture change
Train staff on AI-related risks and security best practices, and shift the organizational mindset to view cybersecurity as foundational rather than optional.
By adopting these measures, companies can climb into the "Reinvention Ready Zone," significantly reducing their risk exposure and reinforcing trust in their AI-enabled operations.
"Whether you're a technology professional, policymaker, academic, or simply a curious reader, this book will arm you with the knowledge to navigate the complex intersection of AI, security, and society."
The British Horseracing Authority (BHA) recently fell victim to a cyberattack, marking a significant security breach within the sports industry. The attack, believed to be a ransomware incident, led to the temporary closure of BHA's London office, forcing staff to work remotely. Despite the disruption, race meetings continued unaffected, and the organization swiftly engaged external specialists to investigate and restore its systems.
Ransomware attacks involve malicious actors infiltrating vulnerable systems, encrypting critical data, and demanding a ransom for its release. This type of cybercrime has affected various industries, including retail giants like Marks & Spencer and Co-op. The BHA incident highlights the growing threat of cyberattacks targeting organizations reliant on digital infrastructure.
The sports industry, increasingly dependent on technology for operations, fan engagement, and event management, faces unique cybersecurity challenges. Sensitive data, including fan information and player performance metrics, could be exploited for fraud or blackmail if compromised. The BHA attack serves as a wake-up call for sports organizations to strengthen their cybersecurity measures.
While the full impact of the BHA cyberattack remains unclear, it underscores the urgent need for robust security protocols. Sports entities must prioritize cybersecurity to protect their operations, reputation, and financial stability. Implementing proactive defenses, such as regular security audits and employee training, can mitigate future risks.
Overall, the incident highlights the vulnerability of sports organizations to cyber threats. As digital reliance grows, cybersecurity must become a fundamental aspect of operational strategy. The BHA case should prompt industry-wide discussions on enhancing security frameworks to safeguard sensitive data and maintain trust.
This cyberattack serves as a crucial reminder that no industry is immune to digital threats. Sports organizations must recognize cybersecurity as a core responsibility, investing in advanced protections to prevent similar breaches. Strengthening defenses will not only protect data but also ensure the integrity and continuity of sporting events.
Google recently announced a significant advancement in its fight against online scams, leveraging the power of artificial intelligence. This initiative involves deploying AI-driven countermeasures across its major platforms: Chrome, Search, and Android. The aim is to proactively identify and neutralize scam attempts before they reach users.
Enhanced Scam Detection: The AI algorithms analyze various data points, including website content, email headers, and user behavior patterns, to identify potential scams with greater accuracy. This goes beyond simple keyword matching, delving into the nuances of deceptive tactics.
Proactive Warnings: Users are alerted to potentially harmful websites or emails before they interact with them. These warnings are context-aware, providing clear and concise explanations of why a particular site or message is flagged as suspicious.
Improved Phishing Protection: AI helps refine phishing detection by identifying subtle patterns and linguistic cues often used by scammers to trick users into revealing sensitive information.
Cross-Platform Integration: The AI-powered security measures are seamlessly integrated across Google's ecosystem, providing a unified defense against scams regardless of the platform being used.
Significance of this Development:
This initiative signifies a crucial step in the ongoing battle against cybercrime. AI-powered scams are becoming increasingly sophisticated, making traditional methods of detection less effective. Google's proactive approach using AI is a promising development that could significantly reduce the success rate of these attacks and protect users from financial and personal harm. The cross-platform integration ensures a holistic approach, maximizing the effectiveness of the countermeasures.
Looking Ahead:
While Google's initiative is a significant step forward, the fight against AI-powered scams is an ongoing arms race. Cybercriminals constantly adapt their techniques, requiring continuous innovation and improvement in security measures. The future likely involves further refinements of AI algorithms and potentially the integration of other advanced technologies to stay ahead of evolving threats.
This news highlights the evolving landscape of cybersecurity and the crucial role of AI in both perpetrating and preventing cyber threats.
"The U.S. National Institute of Standards and Technology (NIST) has raised concerns about the security vulnerabilities inherent in artificial intelligence (AI) systems. In a recent report, NIST emphasizes that there is currently no foolproof method to defend AI technologies from adversarial attacks. The institute warns against accepting vendor claims of absolute AI security, noting that developers and users should be cautious of such assurances."
NIST's research highlights several types of attacks that can compromise AI systems:
Evasion Attacks: These occur when adversaries manipulate inputs to deceive AI models, leading to incorrect outputs.
Poisoning Attacks: In these cases, attackers corrupt training data, causing the AI system to learn incorrect behaviors.
Privacy Attacks: These involve extracting sensitive information from AI models, potentially leading to data breaches.
Abuse Attacks: Here, legitimate sources of information are compromised to mislead the AI system's operations.
NIST underscores that existing defenses against such attacks are insufficient and lack robust assurances. The agency calls on the broader tech community to develop more effective security measures to protect AI systems.
In response to these challenges, NIST has launched the Cybersecurity, Privacy, and AI Program. This initiative aims to support organizations in adapting their risk management strategies to address the evolving landscape of AI-related cybersecurity and privacy risks.
Overall, NIST’s findings serve as a cautionary reminder of the current limitations in AI security and the pressing need for continued research and development of robust defense mechanisms.
Many people frequently repeat the phrase, "The good guys have to be right all the time, but the bad guys only have to be right once," without grasping its true meaning. This oversimplified view distorts the reality of cyberattacks. Attackers don't succeed with a single stroke of luck; they must overcome multiple security layers while avoiding detection.
To reach their objective, attackers must circumvent various security defenses, often exploiting several vulnerabilities in a sequence. A robust security infrastructure should not collapse due to a single flaw. If one vulnerability leads to a complete compromise, it signals critical weaknesses that require immediate remediation.
Attack path analysis provides insight into how adversaries advance toward high-value assets. By studying these pathways, defenders can identify the most effective points for detection and mitigation, significantly reducing the likelihood of a successful attack.
Even if attackers make progress at multiple stages, well-implemented security measures can obstruct or stop them. By strategically allocating security resources, organizations can increase the complexity and cost of an attack, discouraging potential threats.
An attacker's progression toward valuable assets follows a structured, multi-step process, often referred to as the Cyber Kill Chain or attack path analysis. This process involves reconnaissance, initial access, privilege escalation, lateral movement, and ultimately, achieving their goal, whether that is data exfiltration, system disruption, or financial fraud. Each step requires careful planning, evasion techniques, and exploitation of security gaps.
1. Reconnaissance & Initial Access
Attackers start by gathering information about their target, using publicly available data, scanning tools, or social engineering. They identify exposed assets, weak credentials, unpatched vulnerabilities, or employees who might be susceptible to phishing. Once they find an entry point, they exploit it to gain an initial foothold; this could be via phishing emails, misconfigured cloud services, or exploiting software vulnerabilities.
2. Privilege Escalation & Persistence
After gaining initial access, attackers work to increase their privileges, allowing deeper control over the environment. This might involve exploiting misconfigured permissions, stealing admin credentials, or abusing system vulnerabilities. Simultaneously, they establish persistence through backdoors, scheduled tasks, or rootkits, ensuring they can maintain access even if detected at a later stage.
3. Lateral Movement & Discovery
With elevated privileges, attackers move laterally across the network, looking for valuable data and critical systems. They might pivot from one compromised machine to another, exploiting weak authentication mechanisms or using legitimate administrative tools like PowerShell or PsExec. Their goal is to map the infrastructure, identify high-value assets, and locate sensitive data.
4. Data Exfiltration, Impact, or Exploitation
Once attackers reach their target, they execute their final objective. This could involve exfiltrating sensitive data for financial gain, deploying ransomware to disrupt operations, or modifying critical configurations to maintain long-term access. At this stage, defenders who lack proper monitoring, anomaly detection, or incident response capabilities may struggle to prevent damage.
By understanding this attack progression, security teams can focus on key detection points, implement segmentation, and optimize defenses to disrupt the attack before it reaches critical assets.
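The attack-path reasoning above (multiple stages, chokepoints where detection pays off most, and the cost an attacker pays per step) can be made concrete with a small graph model. The following is an added example, not code from the original post: the hosts, edge techniques and difficulty scores are a constructed sample environment, and the functions (`enumerate_paths`, `chokepoints`, `unmonitored_paths`, `cheapest_path`) are this example's own names. It enumerates every route from the internet to a crown-jewel database, finds the nodes every route must pass through (the best places to put detection), lists routes that no monitored host would see, and uses a defender-estimated difficulty per step to show which route an attacker would find cheapest.

```python
"""Attack-path analysis over a constructed asset graph (added example, not the post's code)."""
import heapq
from collections import defaultdict

# (from, to, technique, difficulty): difficulty is a defender's 1-5 effort estimate, all constructed.
EDGES = [
    ("internet", "mail-gateway", "phishing email", 1),
    ("internet", "vpn-appliance", "unpatched vulnerability", 2),
    ("mail-gateway", "workstation-A", "malicious attachment", 2),
    ("vpn-appliance", "jump-host", "weak credentials", 1),
    ("workstation-A", "jump-host", "cached admin credentials", 2),
    ("workstation-A", "file-server", "misconfigured share permissions", 2),
    ("jump-host", "domain-controller", "PsExec with stolen admin token", 1),
    ("file-server", "domain-controller", "service account abuse", 3),
    ("domain-controller", "crown-jewels-db", "domain admin access", 1),
]


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, technique, difficulty in edges:
        graph[src].append((dst, technique, difficulty))
    return graph


def enumerate_paths(graph, start, target):
    """All simple paths from start to target (depth-first, no revisits)."""
    paths = []

    def dfs(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt, _tech, _diff in graph.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                path.append(nxt)
                dfs(nxt, visited, path)
                path.pop()
                visited.remove(nxt)

    dfs(start, {start}, [start])
    return paths


def chokepoints(paths):
    """Interior nodes present on every path: detection placed here sees every route."""
    if not paths:
        return set()
    common = set(paths[0][1:-1])
    for p in paths[1:]:
        common &= set(p[1:-1])
    return common


def unmonitored_paths(paths, monitored):
    """Routes on which no node has detection coverage: the attacker's blind corridors."""
    return [p for p in paths if not (set(p) & set(monitored))]


def cheapest_path(graph, start, target):
    """Dijkstra over difficulty: the lowest-effort route, i.e. the one to harden first."""
    heap = [(0, start, [start])]
    best = {}
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == target:
            return cost, path
        if node in best and best[node] <= cost:
            continue
        best[node] = cost
        for nxt, _tech, diff in graph.get(node, []):
            heapq.heappush(heap, (cost + diff, nxt, path + [nxt]))
    return None, []


if __name__ == "__main__":
    g = build_graph(EDGES)
    routes = enumerate_paths(g, "internet", "crown-jewels-db")
    print(f"{len(routes)} attack paths; chokepoints: {sorted(chokepoints(routes))}")
    for p in unmonitored_paths(routes, {"jump-host"}):
        print("unmonitored route:", " -> ".join(p))
    cost, route = cheapest_path(g, "internet", "crown-jewels-db")
    print(f"cheapest route (cost {cost}):", " -> ".join(route))
```

With only the jump host monitored, the route through the file server goes unseen, and the cheapest route is the VPN appliance one, which is exactly the "vulnerable perimeter device" pattern the rest of this page keeps returning to; raising the difficulty of that single edge (patching the appliance) changes which path is cheapest.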
American Water, the largest water and wastewater utility company in the U.S., experienced a cyberattack that prompted the shutdown of specific systems. The company took immediate action to secure its infrastructure, and an investigation is ongoing to determine the extent of the breach. The attack has raised concerns about the vulnerability of critical infrastructure to cyber threats.
While the affected systems were isolated to mitigate damage, it is unclear if any customer or operational data was compromised. American Water has stated that service to customers was not disrupted during the incident.
The breach highlights the growing risks faced by essential services and critical infrastructure sectors. This event underscores the importance of robust cybersecurity measures, particularly for utilities that deliver essential public services like water and power.
The Cybernews article discusses a groundbreaking cyberattack orchestrated by Israel’s Mossad using analog devices, such as pagers and walkie-talkies, to target Hezbollah members in Lebanon and Syria. The attacks occurred on September 17-18, 2024, resulting in over 4,000 injuries and nearly two dozen deaths. The devices were reportedly rigged with explosives and detonated remotely, marking the first time such devices were weaponized in a cyberattack. Hezbollah had previously switched to analog communication methods after Israel had infiltrated their mobile networks, but Mossad exploited this by using a supply chain strategy to distribute compromised devices through a fake company.
Mossad’s complex plan involved creating a shell company that supplied pagers and other devices to Hezbollah, which were secretly manufactured with explosives. The devices were later activated remotely, demonstrating the vulnerability of even low-tech solutions in modern warfare. This supply chain attack highlighted the risks of relying on unverified communication devices and prompted immediate security changes in Lebanon, such as a ban on pagers and walkie-talkies on flights. Iran’s Revolutionary Guard also stopped using communication devices in response to the incident.
Security experts predict that this attack will have far-reaching implications for global security, particularly in the West. The use of handheld devices as weapons could lead to stricter scrutiny of all electronic devices with batteries and communication links, especially in industries like healthcare, where pagers are still in use. Manufacturers are expected to strengthen their supply chain security to prevent such vulnerabilities from being exploited again. There is also concern that security measures in airports, government buildings, and other sensitive locations will be tightened, possibly leading to longer lines and more stringent screening processes.
The implications for security are profound, as this incident demonstrates the potential for even basic technology to be weaponized. Security systems and detection technologies may need to be enhanced to catch these types of attacks in the future. The use of analog devices in high-security environments, such as hospitals and government facilities, may also come under review, with industries either moving away from these tools or enforcing stricter security protocols. This attack underscores the evolving nature of cyber threats and the importance of securing both digital and physical supply chains to prevent similar incidents.
Microsoft has given administrators plenty of work to do with July’s security update that contains patches for a brutal 139 unique CVEs, including two that attackers are actively exploiting and one that’s publicly known but remains unexploited for the moment.
The July update contains fixes for more vulnerabilities than the previous two monthly releases combined and addresses issues that left unmitigated could enable remote code execution, privilege escalation, data theft, security feature bypass, and other malicious activities. The update included patches for four non-Microsoft CVEs, one of which is a publicly known Intel microprocessor vulnerability.
Lack of Details Heightens Urgency to Fix Zero-Days
One of the zero-day vulnerabilities (CVE-2024-38080) affects Microsoft's Windows Hyper-V virtualization technology and allows an authenticated attacker to execute code with system-level privileges on affected systems. Though Microsoft has assessed the vulnerability as being easy to exploit and requiring no special privileges or user interaction to exploit, the company has given it only a moderate (important) severity rating of 6.8 on the 10-point CVSS scale.
As is typical, Microsoft provided scant information on the flaw in its release notes. But the fact that attackers are already actively exploiting the flaw is reason enough to patch now, said Kev Breen, senior director threat research at Immersive Labs, in an emailed comment. “Threat hunters would benefit from additional details, so that they can determine if they have already been compromised by this vulnerability,” he said.
The other zero-day bug, tracked as CVE-2024-38112, affects the Windows MSHTML Platform (aka Trident browser engine) and has a similarly moderate CVSS severity rating of 7.0. Microsoft described the bug as a spoofing vulnerability that an attacker could exploit only by convincing a user to click on a malicious link.
That description left some wondering about the actual nature of the threat it represented. “This bug is listed as ‘spoofing’ for the impact, but it’s not clear exactly what is being spoofed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), wrote in a blog post. “Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here.”
Rob Reeves, principal cybersecurity engineer at Immersive Labs, viewed the vulnerability as likely enabling remote code execution but potentially complex to exploit, based on Microsoft's sparse description. "Exploitation also likely requires the use of an 'attack chain' of exploits or programmatic changes on the target host," he said in prepared comments. "But without further information from Microsoft or the original reporter … it is difficult to give specific guidance."
Other High-Priority Bugs
The two bugs that were publicly known prior to Microsoft's July update (and hence are also technically zero-day flaws) are CVE-2024-35264, a remote code execution vulnerability in .NET and Visual Studio, and CVE-2024-37985, which actually is a third-party (Intel) CVE that Microsoft has integrated into its release.
In all, Microsoft rated just four of the flaws in its enormous update as being of critical severity. Three of them, each with a near-maximum severity rating of 9.8 out of 10, affect the Windows Remote Desktop Licensing Service component that manages client access licenses (CALs) for remote desktop services. The vulnerabilities, identified as CVE-2024-38076, CVE-2024-38077, and CVE-2024-38089, all enable remote code execution and should be at the top of the list of bugs to prioritize this month. "Exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server," Childs said in his post.
Microsoft wants organizations to disable the Remote Desktop Licensing Service if they are not using it. The company also recommends organizations immediately install the patches for the three vulnerabilities even if they plan to disable the service.
One eyebrow-raising aspect of this month's Microsoft security update is the number of unique CVEs that affect Microsoft SQL Server: some 39, or more than a quarter of the 139 disclosed vulnerabilities. "Thankfully, none of them are critical based on their CVSS scores and they're all listed as 'Exploitation Less Likely,'" says Tyler Reguly, associate director of security R&D at Fortra. "Even with those saving graces, there are still a lot of CVSS 8.8 vulnerabilities that SQL Server customers will be looking to patch," he noted.
As has been the trend in recent months, there were 20 elevation of privilege (EoP) bugs in this month’s update, slightly outnumbering remote code execution vulnerabilities (18). Though Microsoft and other software vendors often tend to rate EoP bugs overall as being less severe than remote code execution vulnerabilities, security researchers have advocated that security teams pay equal attention to both. That’s because privilege escalation bugs often allow attackers to take complete admin control of affected systems and wreak the same kind of havoc as they would by running arbitrary code on it remotely.
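The ordering argument running through this write-up (actively exploited bugs first regardless of their CVSS score, then the 9.8 Remote Desktop Licensing Service flaws, then publicly disclosed bugs, then the long tail of 8.8s, and EoP bugs treated as seriously as RCE) is easy to encode so that a patch plan comes out the same way every month. The block below is an added example, not the article's or Microsoft's tooling: the CVE IDs and scores it carries are those quoted in the text above, the entries marked SAMPLE are constructed filler, and the tier scheme, the `SLA_DAYS` targets and the function names are this example's own assumptions. It also handles the case the article itself hits, a CVE whose score is not given, by sorting it as if it were worst-case and flagging it for review instead of letting it sink to the bottom.

```python
"""Patch-Tuesday triage ordering (added example; tiers and SLAs are constructed policy)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cve:
    cve_id: str
    component: str
    cvss: Optional[float]          # None when no score is quoted in the summary
    exploited: bool = False        # exploitation observed in the wild
    public: bool = False           # publicly disclosed before the patch shipped
    exploitability: str = "Exploitation Less Likely"


# Entries quoted in the article above; IDs marked SAMPLE are constructed filler, not real CVEs.
JULY_SAMPLE = [
    Cve("CVE-2024-38080", "Windows Hyper-V", 6.8, exploited=True),
    Cve("CVE-2024-38112", "Windows MSHTML Platform", 7.0, exploited=True),
    Cve("CVE-2024-38076", "Remote Desktop Licensing Service", 9.8),
    Cve("CVE-2024-38077", "Remote Desktop Licensing Service", 9.8),
    Cve("CVE-2024-38089", "Remote Desktop Licensing Service", 9.8),
    Cve("CVE-2024-35264", ".NET and Visual Studio", None, public=True),      # score not quoted
    Cve("CVE-2024-37985", "Intel microprocessor (third-party)", None, public=True),
    Cve("CVE-SAMPLE-0001", "SQL Server (constructed)", 8.8),
    Cve("CVE-SAMPLE-0002", "SQL Server (constructed)", 8.8),
    Cve("CVE-SAMPLE-0003", "Windows kernel EoP (constructed)", 7.8,
        exploitability="Exploitation More Likely"),
]

# Constructed remediation targets in days per tier; replace with your own policy.
SLA_DAYS = {0: 3, 1: 7, 2: 14, 3: 30}


def tier(cve):
    """0 = exploited in the wild, 1 = critical (CVSS >= 9.0),
    2 = publicly known or 'Exploitation More Likely', 3 = everything else."""
    if cve.exploited:
        return 0
    if cve.cvss is not None and cve.cvss >= 9.0:
        return 1
    if cve.public or cve.exploitability == "Exploitation More Likely":
        return 2
    return 3


def effective_score(cve):
    # An unknown score is treated as worst-case for ordering, and flagged separately for review.
    return 10.0 if cve.cvss is None else cve.cvss


def triage(cves):
    """Stable ordering: tier first, then score descending, then CVE ID for determinism."""
    return sorted(cves, key=lambda c: (tier(c), -effective_score(c), c.cve_id))


def sla_days(cve):
    return SLA_DAYS[tier(cve)]


def needs_score_review(cves):
    return [c.cve_id for c in cves if c.cvss is None]


if __name__ == "__main__":
    for c in triage(JULY_SAMPLE):
        print(f"tier {tier(c)}  {sla_days(c):>2}d  {c.cve_id:<16} {c.component}")
    print("no score quoted, verify manually:", needs_score_review(JULY_SAMPLE))
```

Note what the ordering does not model: Microsoft's advice to disable the Remote Desktop Licensing Service where it is unused lowers exposure but, as the article says, does not remove those three CVEs from the patch list, so they stay in tier 1 regardless of service state.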
In this Help Net Security interview, Rob Greer, VP and GM of the Enterprise Security Group at Broadcom, discusses the impact of nation-state cyber attacks on public sector services and citizens, as well as the broader implications for trust and infrastructure.
Greer also discusses common vulnerabilities in government IT systems and the potential of AI and public-private collaborations to enhance cybersecurity defenses.
How do nation-state attacks affect the public sector and services provided to citizens?
All attacks, nation-state or not, have the potential to impact public sector services and the citizens who rely on them.
Just recently on June 3, 2024, Synnovis, a provider to the UK National Health Service (NHS), suffered a cyber attack preventing the processing of blood test results and impacting thousands of patient appointments and surgeries. In 2017, the WannaCry attack, which spread to 150 countries across the world, disrupted the UK NHS, limiting ambulance service, patient appointments, medical tests and results, and forcing the closure of various facilities.
In the United States, many private sector organizations that provide public or critical infrastructure services have been significantly affected by cyberattacks. In 2021, JBS Foods, the largest US meat processor, was breached, forcing it to cease operations at 13 of its meat processing plants, impacting the US meat supply. One month prior, Colonial Pipeline was hit with a ransomware cyberattack, causing a run on gas in the eastern seaboard and requiring a presidential executive order to allow gas transport via semi-trucks.
A cyber attack in the Ukraine in 2015 brought down power for 230,000 customers, and such attacks have continued to disrupt the Ukrainian power grid since then.
In the US, we have seen the same nation-states employ less aggressive but potentially more disruptive strategies of espionage and misinformation in an effort to undermine the public's trust in the electoral system.
While these are just a few notable examples, the impact ranges from delays and inconveniences to more significant repercussions like reduced capacity of healthcare services and other critical infrastructure. What's harder to calculate is the degradation of trust when the public sector is compromised due to a cyber attack.
What are the most common vulnerabilities within government IT systems that cyber attackers exploit?
Many of the attack techniques that we see nation-states use are picked up by more common cyber criminals shortly after. While nation-states do have advanced capabilities and visibility that are hard or impossible for cyber criminals to replicate, the general strategy for attackers is to target vulnerable perimeter devices such as VPNs or firewalls as an entry point to the network. Next they focus on obtaining privileged credentials while leveraging legitimate software to masquerade as normal activity while they scout the environments for valuable data or large repositories to disrupt.
It's important to note that the commonly exploited vulnerabilities in government IT systems are not distinctly different from the vulnerabilities exploited more broadly. Government IT systems are often extremely diverse and thus, subject to a variety of exploits. CISA actively maintains a Known Exploited Vulnerabilities (KEV) Catalog. These are vulnerabilities known to be exploited in the wild and pose an increased risk of exploitation for government organizations using any of the technologies cataloged.
How can governments use AI to strengthen cybersecurity defenses against sophisticated attacks?
AI has been in use for more than a decade in state-of-the-art security technologies, primarily to detect novel and constantly evolving attacks. Detecting the sheer volume of attacks today, as well as finding the singular "needle in a haystack" cannot be done by classic technologies, but is possible with sophisticated AI techniques. As a baseline, governments should evaluate their security technology to understand how effective AI and machine learning are at detecting the latest threats.
The more advanced capabilities can analyze the infrastructure to determine typical behavior and usage patterns and auto-configure security settings and policies, providing adaptive security that is even more efficient at detecting anomalous activities.
The latest generative AI technologies are also helping drive efficiency in the Security Operations Center (SOC). GenAI can help SOC analysts more quickly and fully understand attacks, and provide guidance to analysts using natural language. This is especially important as we face continued challenges staffing security professionals.
Are there any specific regulatory frameworks or policies that must be implemented or improved?
Currently, there are numerous policies and regulations, both domestically and internationally, which are inconsistent and vary in their requirements. These administrative requirements take significant resources which could otherwise be used to strengthen a companyâs cybersecurity program. Therefore, it is imperative that existing and forthcoming cybersecurity regulations be harmonized and policies be considered comprehensively.
The recent summary from the Office of the National Cyber Director (ONCD) on the 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI) shows that the U.S. Government understands this problem. The report finds that the âlack of harmonization and reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens.â The ONCD is working with other federal agencies as well as the private sector to address these issues by seeking to âsimplify oversight and regulatory responsibilities of cyber regulatorsâ and âsubstantially reduce the administrative burden and cost on regulated entities.â
This is a much-needed exercise and it's encouraging to see steps being taken to ensure that cybersecurity regulations are comprehensive, effective, and efficient.
What role should the private sector play in supporting government cybersecurity efforts?
The private sector has threat intelligence that the government often doesn't have. This makes the bidirectional sharing of information between the private and public sectors essential in combating bad actors. Partnerships between leading cybersecurity research groups and vendors like the Cyber Threat Alliance (CTA), as well as public and private sector partnerships like the Joint Cyber Defense Collaborative (JCDC), help the cybersecurity community at large bring its combined intelligence to bear to help defend our global digital ecosystem.
The Polish computer emergency response team CERT.pl has issued a warning about an ongoing cyberattack campaign by the notorious APT28 hacking group, also known as Fancy Bear or Sofacy. The campaign is targeting various Polish government institutions with a new strain of malware.
According to the CERT.pl analysis, the attack begins with spear-phishing emails containing malicious attachments or links.
The malware is deployed once the victim opens the attachment or clicks the link, establishing a foothold in the targeted network.
Subject: I solved your problem
Hello Paweł!
I did a little research and found this mysterious Ukrainian woman.
Now she is in Warsaw.
She runs a rather unusual company that sells used underwear.
Also has clients from senior authorities in Poland and Ukraine.
All information on this subject is available at this link - ALINA-BOKLAN (Link)
Threat actors are increasingly using free, commonly-used services like run.mocky.io and webhook.site to deliver malware while evading detection.
This technique involves redirecting through these services to obfuscate the final malicious payload. The link first goes to run.mocky.io, a free API testing service, which then redirects to webhook.site for logging requests.
A ZIP archive disguised as an image file (e.g. IMG-238279780.zip) is downloaded from webhook.site.
With default Windows settings hiding extensions and hidden files, the victim sees the ZIP as an image, potentially leading them to open the malicious payload.
(Figure: entire attack flow)
Using free services reduces costs and makes malicious links harder to flag as they blend in with legitimate developer traffic. This stealthy approach is becoming a trend across many APT groups.
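As an added illustration of the redirect-chain technique described above (example code written for this page, not from the CERT.pl report), the following Python snippet runs over constructed proxy log lines and flags a client that is bounced from run.mocky.io to webhook.site and then receives an archive named like a photo. The log format, timestamps, client addresses, UUID paths and the IMG-name pattern are all assumptions; only the two staging hosts and the IMG-238279780.zip filename come from the text.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log (not real CERT.pl data). Tab-separated fields:
# timestamp, client IP, HTTP status, requested URL, downloaded filename or "-".
SAMPLE_LOG = """\
2024-05-08T09:12:01Z\t10.0.0.7\t302\thttps://run.mocky.io/v3/11111111-2222-3333-4444-555555555555\t-
2024-05-08T09:12:02Z\t10.0.0.7\t200\thttps://webhook.site/22222222-aaaa-bbbb-cccc-dddddddddddd\tIMG-238279780.zip
2024-05-08T09:13:10Z\t10.0.0.9\t200\thttps://webhook.site/33333333-aaaa-bbbb-cccc-dddddddddddd\t-
2024-05-08T09:14:00Z\t10.0.0.12\t200\thttps://example.org/reports/q1.pdf\tq1.pdf
"""

# Free developer services abused as redirect/staging hops in the campaign.
STAGING_HOSTS = {"run.mocky.io", "webhook.site"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Archive whose name imitates a camera/image file, e.g. IMG-238279780.zip (pattern is an assumption).
IMAGE_LIKE_ARCHIVE = re.compile(r"^(?:img|image|photo|dsc|pic)[-_]?\d+\.(?:zip|rar|7z|iso|img)$", re.I)


def parse_log(text):
    """Turn the tab-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, fname = line.split("\t")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client,
            "status": int(status),
            "host": (urlsplit(url).hostname or "").lower(),
            "url": url,
            "fname": fname,
        })
    return events


def find_staging_abuse(events, window_s=60):
    """Flag mocky.io -> webhook.site redirect chains per client, plus disguised archive downloads."""
    findings = []
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            # Stage 1: a redirect served by run.mocky.io ...
            if ev["host"] == "run.mocky.io" and ev["status"] in REDIRECT_STATUSES:
                # ... followed within the window by a request to webhook.site from the same client.
                for nxt in evs[i + 1:]:
                    if (nxt["ts"] - ev["ts"]).total_seconds() > window_s:
                        break
                    if nxt["host"] == "webhook.site":
                        findings.append({"client": client, "kind": "redirect_chain",
                                         "from": ev["url"], "to": nxt["url"], "payload": nxt["fname"]})
                        break
            # Stage 2: an archive named like a photo, fetched from a staging host.
            if ev["host"] in STAGING_HOSTS and ev["fname"] != "-" and IMAGE_LIKE_ARCHIVE.match(ev["fname"]):
                findings.append({"client": client, "kind": "disguised_archive",
                                 "url": ev["url"], "payload": ev["fname"]})
    return findings


if __name__ == "__main__":
    for finding in find_staging_abuse(parse_log(SAMPLE_LOG)):
        print(finding)
```

The lone webhook.site request from 10.0.0.9 is deliberately not flagged: developers do use these services legitimately, so the detection keys on the chain (redirect hop followed by the second host) and on the disguised filename, not on the hosts alone.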
"The malware used in this campaign is a new variant of the X-Agent backdoor, which allows the attackers to execute arbitrary commands, exfiltrate data, and move laterally within the compromised network," explained CERT.pl in their report.
CERT.pl urges all Polish government agencies and critical infrastructure operators to remain vigilant and implement security measures.
"This week we observed a large-scale malware campaign targeting Polish government institutions. Based on technical indicators and similarity to attacks described in the past, the campaign can be associated with the APT28 activity set. More: https://t.co/Szv62K060q"
APT28 is a highly sophisticated cyber-espionage group believed to be associated with the Russian military intelligence agency GRU.
The group has been active since at least 2007 and has been linked to numerous high-profile cyberattacks, including the 2016 Democratic National Committee email leak. (The 2017 NotPetya outbreak, by contrast, is generally attributed to Sandworm, a separate GRU unit, rather than to APT28.)
This latest campaign highlights the persistent threat posed by state-sponsored hacking groups and the importance of maintaining robust cybersecurity measures, especially for critical government and infrastructure systems.
The report details the attack flow, providing indicators of compromise (IOCs) and recommendations for detecting and mitigating the threat.
2024 has already seen dozens of local governments slammed by ransomware incidents and cyberattacks, limiting services for millions of people across the United States.
The latest high-profile incident involves New York City, which was forced to take a city payroll website offline and remove it from public view after dealing with a phishing incident.
The incident was first reported by Politico, which spoke to city workers who complained of the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) being offline right as many tried to file their taxes.
New York City's Office of Technology and Innovation told Recorded Future News that NYC Cyber Command "was made aware of a smishing campaign targeting NYCAPS users." Smishing is phishing delivered by SMS text message rather than email.
"NYC Cyber Command has been advising and working with FISA-OPA and DCAS to implement enhancements to security measures," the office said. "City employees have been advised to remain vigilant and confirm the legitimacy of any NYCAPS and payroll-related communications and activity."
A city official reiterated that the NYCAPS website is still online and accessible to all employees through the cityâs secure internal network.
The smishing campaign allegedly involved messages sent to city workers asking them to activate multi-factor authentication, with a link to a phishing domain.
Shashi Prakash, CTO at security firm Bolster.AI, told Recorded Future News that his team saw the domain "essnyc{.}online" the day it was registered. Other researchers said the domain was registered in Lithuania.
Prakash explained that his teamâs data shows it has been live since December 9 and shared a screenshot of the page, which looks exactly like the NYCAPS website.
"There is one additional domain cityofanaheim{.}online on the same infrastructure which does make it look like they were targeting other cities," Prakash said.
Keeper Security's Teresa Rothaar said more than 80 percent of breaches happen because of weak or stolen passwords, credentials and secrets, much of which is acquired through the kind of phishing and smishing attacks New York City is currently dealing with.
To make matters worse, the New York City attackers clearly knew that multi-factor authentication is a critical layer of security and played on that concept while trying to steal credentials.
"Often, innocent people who are not trained on phishing prevention will focus on the 'pinstripes' of the email or illegitimate site, meaning the aesthetics that they are familiar with, such as the logo or colors of their banking site," she said.
"Cybercriminals spend a lot of time making 'lookalike' sites appear authentic so that users are tricked into entering login credentials. Employees should always err on the side of caution and assume that all of their work-related (and even personal) passwords have been compromised, especially if they reuse the same passwords across accounts (a big no-no, and this situation illustrates why)."
Countrywide problem
The campaign targeting New York City is one of many specifically going after city, county and state-level governments across the United States.
Just in the last week, the cities of Birmingham, Alabama, and East Baton Rouge, Louisiana, have announced security incidents affecting public services. Jackson County in Missouri was forced to declare a state of emergency after discovering a ransomware attack last month.
On Thursday, the Florida Department of Juvenile Justice in Tallahassee admitted to local news outlets that it was dealing with a cyberattack that forced some systems offline.
Floridaâs Hernando County similarly announced a cyberattack on Thursday, warning that while 911, police and EMS systems were still operational, several other government services would be down for an unknown amount of time. Local news outlets reported that the FBI is involved in the response to the incident.
Rebecca Moody, head of data research at Comparitech, has been looking into ransomware attacks on U.S. government offices and said she has found 18 confirmed ransomware attacks so far this year.
Other researchers have tracked at least 25 ransomware attacks on U.S. government offices.
While several states have banned government organizations from paying ransoms to groups, the offices continue to be ripe targets for ransomware gangs and hackers. Washington County in Pennsylvania recently revealed that it paid a $350,000 ransom to hackers following a January ransomware attack.
James Turgal, who spent 22 years working at the FBI, told Recorded Future News that attacks against state, local and tribal governments have accelerated over the last year.
"From the threat actors' point of view, these municipalities are a target-rich environment with an abundant source of victims. By my estimation, with just around 95,000 soft targets nationwide, there are 40,000 cities, towns and municipalities, approximately 50,000 special government districts nationwide, and then the additional tribal governments that round out the numbers," he said.
"There needs to be a sense of urgency on the part of state and local governments and municipalities to get ahead of the threat, as these local entities have the most direct impact on our citizens, and a cyber focused disruption can be potentially life-threatening when considering the health and public safety services our local governments control."
Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation, and growth.
However, this shift towards a more interconnected digital ecosystem has not come without its risks.
According to the "2024 State of SaaS Security Report" by Wing Security, a staggering 97% of organizations faced exposure to attacks through compromised SaaS supply chain applications in 2023, highlighting a critical vulnerability in the digital infrastructure of modern businesses.
The report, which analyzed data from 493 companies in the fourth quarter of 2023, illuminates the multifaceted nature of SaaS security threats.
From supply chain attacks taking center stage to the alarming trend of exploiting exposed credentials, the findings underscore the urgent need for robust security measures.
Supply Chain Attacks: A Domino Effect
Supply chain attacks have emerged as a significant threat, with 96.7% of organizations using at least one app that had a security incident in the past year.
The MOVEit breach, which directly and indirectly impacted over 2,500 organizations, and North Korean actors' targeted attack on JumpCloud's clients are stark reminders of the cascading effects a single vulnerability can have across the supply chain.
The simplicity of credential stuffing attacks and the widespread issue of unsecured credentials continue to pose a significant risk.
The report highlights several high-profile incidents, including breaches affecting Norton LifeLock and PayPal customers, where attackers exploited stolen credentials to gain unauthorized access to sensitive information.
MFA Bypassing And Token Theft
Despite adopting Multi-Factor Authentication (MFA) as a security measure, attackers have found ways to bypass these defenses, targeting high-ranking executives in sophisticated phishing campaigns.
Additionally, the report points to a concerning trend of token theft, with many unused tokens creating unnecessary risk exposure for many organizations.
Looking Ahead: SaaS Threat Forecast For 2024
As we move into 2024, the SaaS threat landscape is expected to evolve, with AI posing a new threat.
The report identifies two primary risks associated with AI in the SaaS domain: the vast volume of AI models in SaaS applications and the potential for data mismanagement.
Furthermore, the persistence of credential-based attacks and the rise of interconnected threats across different domains underscore the need for a holistic cybersecurity approach.
Practical Tips For Enhancing SaaS Security
The report offers eight practical tips for organizations to combat these growing threats, including discovering and managing the risk of third-party applications, leveraging threat intelligence, and enforcing MFA.
Additionally, regaining control of the AI-SaaS landscape and establishing an effective offboarding procedure are crucial steps in bolstering an organizationâs SaaS security.
The "2024 State of SaaS Security Report" by Wing Security serves as a wake-up call for businesses to reassess their SaaS security strategies.
With 97% of organizations exposed to attacks via compromised SaaS supply chain apps, the need for vigilance and proactive security measures has never been more critical.
As the digital landscape continues to evolve, so must our approaches to protect it.
On an unexpected Tuesday, the collision of a container ship with the Francis Scott Key Bridge in Baltimore not only disrupted the normal flow of traffic and commerce but also sparked a vigorous debate on the potential causes of this incident. Among the various theories proposed, the role of cybersecurity, or the lack thereof, has emerged as a focal point of discussion. This event has served as a catalyst for a broader examination of cybersecurity practices within the maritime industry, revealing both vulnerabilities and the sometimes-overlooked factors that suggest other causes for such incidents. In the digital age, the maritime industry's reliance on technology for navigation, communication, and operational functions has grown exponentially. This shift towards digitalization, while beneficial in terms of efficiency and connectivity, has also increased the sector's exposure to cyber threats. Systems that control navigation, cargo handling, and engine operations are all potential targets for cyberattacks, which can lead to severe safety and financial risks.
EVALUATING THE POTENTIAL FOR A CYBERSECURITY BREACH
In recent years, the maritime industry has increasingly embraced technology, relying on digital systems for navigation, communication, and operational functions. This digital transformation has enhanced efficiency and connectivity but has also exposed the sector to cyber threats. Cyberattacks can target systems controlling navigation, cargo handling, and even the engines of these colossal vessels, posing a significant risk to safety and commerce.
Could Cybersecurity Have Been a Factor in the Baltimore Incident?
To understand whether a cybersecurity breach could have led to the collision with the Francis Scott Key Bridge, it is essential to consider several factors:
Navigation Systems Vulnerability: Modern ships use sophisticated navigation systems like the Automatic Identification System (AIS) and the Electronic Chart Display and Information System (ECDIS). If these systems were compromised, it could lead to inaccurate positioning information or erroneous navigational instructions.
Operational Control Systems: Beyond navigation, ships rely on complex systems for operational control, including engine management and steering control. A cyberattack on these systems could impair a vessel's ability to maneuver, potentially leading to accidents.
Human Error vs. Cyber Intrusion: Distinguishing between human error and the consequences of a cyberattack can be challenging. Incidents might initially appear as operational or navigational errors but later investigations could uncover tampering with digital systems.
Historical Precedents: The maritime industry has witnessed cyberattacks before, such as the 2017 cyberattack on the shipping giant Maersk, which led to significant operational disruptions. These precedents highlight the plausibility of cybersecurity breaches leading to physical incidents.
While the possibility of a cybersecurity breach cannot be dismissed outright, several arguments suggest that other factors could be more plausible:
Technical Safeguards and Redundancies
Maritime vessels are equipped with numerous technical safeguards and redundant systems designed to prevent total system failure in case of a cyber intrusion. These include manual overrides for navigation and control systems, allowing crew members to maintain control over the vessel even if digital systems are compromised. Such safeguards can mitigate the impact of a cyber attack on a ship's operational capabilities.
Cybersecurity Protocols and Training
The maritime industry has been increasingly aware of the potential cyber threats and has implemented stringent cybersecurity protocols and training for crew members. These measures are aimed at preventing unauthorized access and ensuring the integrity of the ship's systems. Crews are trained to recognize and respond to cybersecurity threats, reducing the likelihood of a successful cyber attack impacting vessel navigation or control systems.
Physical Factors and Human Error
Many maritime incidents are the result of physical factors or human error rather than cyber attacks. These can include adverse weather conditions, navigational errors, mechanical failures, and miscommunication among crew members. Such factors have historically been the most common causes of maritime accidents and cannot be overlooked in any thorough investigation.
Complexity of Executing a Targeted Cyber Attack
Executing a cyber attack that leads to a specific outcome, such as causing a ship to collide with a bridge, requires an intimate knowledge of the vesselâs systems, current position, and intended course. It also necessitates overcoming the vesselâs cybersecurity measures without detection. The complexity and specificity of such an attack make it a less likely cause of maritime incidents compared to more conventional explanations.
Lack of Evidence Indicating a Cyber Attack
In the absence of specific evidence pointing to a cyber intrusion, such as anomalies in the ship's digital systems, unauthorized access logs, or the presence of malware, it is prudent to consider other more likely causes. Cybersecurity investigations involve detailed analysis of digital footprints and system logs, and without concrete evidence suggesting a cyber attack, attributing the incident to such a cause would be speculative.
THE PATH FORWARD: STRENGTHENING CYBERSECURITY WHILE ACKNOWLEDGING OTHER RISKS
Regardless of whether a cyberattack played a role in the Baltimore bridge incident, this event underscores the importance of robust cybersecurity practices in the maritime industry. Enhancing cyber defenses, conducting regular security assessments, and training personnel in cybersecurity awareness are crucial steps in safeguarding maritime operations.
However, it is equally important to recognize and mitigate the non-cyber risks that ships face. A comprehensive approach to safety and security, encompassing both cyber and traditional factors, is essential for protecting the maritime industry against a wide range of threats.
The collision of a container ship with the Francis Scott Key Bridge has highlighted the critical role of cybersecurity in modern maritime operations, while also reminding us of the myriad other factors that can lead to such incidents. As the investigation into this event continues, the maritime industry must take a holistic view of security, embracing both digital and physical measures to ensure the safety of its operations in an increasingly complex and interconnected world.
“Our thoughts and prayers are with the U.S. Coast Guard Sector NCR, multiple first responders, and all those affected by the tragic incident at the Francis Scott Key Bridge in Baltimore. According to reports, a 948-foot Singapore-flagged containership collided with the bridge causing it to collapse, with persons reported to be in the water.”
Over 170,000 users have fallen victim to a meticulously orchestrated scheme exploiting the Python software supply chain.
The Checkmarx Research team has uncovered a multi-faceted attack campaign that leverages fake Python infrastructure to distribute malware, compromising the security of countless developers and organizations.
This article delves into the attack campaign, its impact on victims, the tactics, techniques, and procedures (TTPs) employed by the threat actors, and the critical findings from Checkmarx's investigation.
Attack Campaign Description
The core of this malicious campaign revolves around an attacker's ability to combine several TTPs to launch a silent attack on the software supply chain, specifically targeting the Python ecosystem.
By creating multiple malicious open-source tools with enticing descriptions, the attackers lured victims into their trap, primarily through search engines.
(Figure: fake Python mirror mimicking files.pythonhosted.org)
The campaign's sophistication is evident in the distribution of a malicious dependency hosted on fake Python infrastructure, which was then linked from popular projects on GitHub and from legitimate Python packages.
A chilling account from Mohammed Dief, a Python developer and one of the campaign's victims, highlights the stealth and impact of the attack.
Dief encountered a suspicious error message while working on his laptop, the first sign of the compromise, leading to the realization that his system had been hacked.
Victims And Impact
Among the notable victims of this campaign is the Top.gg GitHub organization, a community boasting over 170,000 members.
The attackers managed to hijack GitHub accounts with high reputations, including that of "editor-syntax," a maintainer with write permissions to Top.gg's repositories.
This allowed them to commit malicious acts and increase the visibility and credibility of their malicious repositories.
The attackâs impact is far-reaching, affecting individual developers and larger communities alike.
Social engineering schemes, account takeovers, and malicious packages published on the PyPI registry have underscored the software supply chain's vulnerability to such sophisticated attacks.
The Checkmarx Research team has uncovered an attack campaign aimed at the software supply chain.
The campaign appears to have successfully exploited multiple victims.
Threat Actors And TTPs
The threat actors behind this campaign demonstrated high sophistication and planning.
They employed a range of TTPs, including:
Account Takeover via Stolen Cookies: The attackers gained access to high-reputation GitHub accounts by stealing session cookies, bypassing the need for passwords.
Publishing Malicious Packages: By setting up a custom Python mirror and publishing malicious packages to the PyPI registry, they could distribute malware under the guise of legitimate software.
Social Engineering: The attackers used social engineering to trick users into downloading malicious dependencies, further spreading the malware.
By deploying a fake Python package mirror and using typosquatting techniques, the attackers could deceive users and systems into downloading poisoned versions of popular packages like "Colorama".
The malicious payload delivered through these packages is designed to harvest sensitive information, including passwords, credentials, and data from various software applications.
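The three TTPs above (custom mirror, typosquatted package name, poisoned dependency pulled in without a pinned hash) are exactly what a dependency audit should catch before `pip install` runs. The following script is an added example written for this page, not Checkmarx's tooling or anything from the campaign: it reads a constructed requirements file, flags index URLs that do not point at pypi.org or files.pythonhosted.org, flags package names that are a near-miss of a known package, and flags lines with no `--hash=` pin. The allowlist of known packages, the mirror host `files.pypihosted.example`, the `colorsama` name and the all-zero hash are all constructed for the demonstration.

```python
import re
from difflib import get_close_matches
from urllib.parse import urlsplit

# Hosts the official PyPI resolver talks to; anything else is a custom (possibly fake) mirror.
OFFICIAL_INDEX_HOSTS = {"pypi.org", "files.pythonhosted.org"}
# Constructed allowlist standing in for a real "most-downloaded packages" list.
KNOWN_PACKAGES = {"colorama", "requests", "numpy", "pandas", "urllib3", "cryptography", "pyyaml", "pillow"}
PLACEHOLDER_HASH = "sha256:" + "0" * 64  # constructed; not the real digest of any release

# Constructed requirements file: a non-PyPI mirror, a typosquat of colorama, and lines with no hash pin.
SAMPLE_REQUIREMENTS = f"""\
--extra-index-url https://files.pypihosted.example/simple
colorama==0.4.6 --hash={PLACEHOLDER_HASH}
colorsama==0.4.6
requests==2.31.0
"""

NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name):
    """PEP 503 normalisation so Colorama, colorama and COLORAMA compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text, known=KNOWN_PACKAGES, cutoff=0.8):
    """Return (line number, finding kind, detail) tuples for a requirements file."""
    findings = []
    known_norm = {normalize(k) for k in known}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Index options: only the official resolver hosts are trusted.
        if line.startswith(("--index-url", "--extra-index-url", "-i ")):
            url = line.split(None, 1)[1] if " " in line else line.split("=", 1)[1]
            host = (urlsplit(url).hostname or "").lower()
            if host not in OFFICIAL_INDEX_HOSTS:
                findings.append((lineno, "non_official_index", host))
            continue
        m = NAME_RE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        # Unknown name that is one edit away from a well-known package: typosquat candidate.
        if name not in known_norm:
            close = get_close_matches(name, known_norm, n=1, cutoff=cutoff)
            if close:
                findings.append((lineno, "possible_typosquat", f"{name} ~ {close[0]}"))
        # Without a hash pin, a mirror can serve any artefact under this name and version.
        if "--hash=" not in line:
            findings.append((lineno, "missing_hash", name))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {kind}: {detail}")
```

Once every line carries a `--hash=`, installing with `pip install --require-hashes -r requirements.txt` makes pip refuse any artefact whose digest differs, regardless of which index served it; that is the control that defeats a look-alike mirror even when the name and version match.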
(Figure: malicious package)
The malware targets web browsers, Discord, cryptocurrency wallets, and Telegram, and even includes a keylogging component to capture victims' keystrokes.
The final stage of the malware reveals its data-stealing capabilities, targeting not only personal and financial information but also attempting to gain unauthorized access to victims' social media and communication platforms.
This attack campaign highlights the critical vulnerabilities within the software supply chain, particularly in open-source ecosystems like Python's.
The sophistication and success of the attackers in exploiting these vulnerabilities underscore the need for heightened vigilance and robust security practices among developers and organizations.
Through continuous monitoring, collaboration, and information sharing, the cybersecurity community can mitigate risks and protect the integrity of open-source software.
The FritzFrog botnet, originally identified in 2020, is an advanced peer-to-peer botnet built in Golang that can operate on both AMD and ARM-based devices. With constant updates, the malware has developed over time, adding and enhancing features.
A new strain of the FritzFrog botnet was discovered exploiting the Log4Shell vulnerability to target all hosts in the internal network.
Additionally, by using weak SSH credentials, the malware attacks servers that are accessible over the internet.
"Newer variants now read several system files on compromised hosts to detect potential targets for this attack that have a high likelihood of being vulnerable," Akamai shared with Cyber Security News.
The Exploitation Chain
The only infection vector originally used by FritzFrog was SSH brute force; more recent iterations of the malware have added Log4Shell exploitation, dubbed "Frog4Shell".
Log4Shell (CVE-2021-44228) is a remote code execution vulnerability disclosed in December 2021 in the widely used open-source Log4j logging library. Governments and security firms carried out a global initiative to patch affected software.
Presently, the malware targets every host on the internal network as part of its routine for spreading. The malware is attempting to connect to every address on the local network to accomplish this.
According to the researchers, internal computers, which were less likely to be exploited, were frequently overlooked and went unpatchedâa situation that FritzFrog takes advantage of.
(Figure: FritzFrog scanning the local network to identify targets)
"This means that even if the 'high-profile' internet-facing applications have been patched, a breach of any asset in the network by FritzFrog can expose unpatched internal assets to exploitation," researchers said.
FritzFrog searches for HTTP servers on ports 8080, 8090, 8888, and 9000 to find possible Log4Shell targets. The malware is currently targeting as many vulnerable Java applications as possible.
(Figure: Log4Shell exploitation flow)
Additionally, FritzFrog enhanced its capacity to identify targets for SSH brute force, which is its primary infection vector.
In addition to targeting randomly generated IP addresses, FritzFrog now tries to identify specific SSH targets by reading several system files on each of its victims.
The malware also includes a module that exploits CVE-2021-4034 (PwnKit), a local privilege escalation vulnerability in the polkit pkexec component on Linux. On unpatched servers, this module lets the malware run as root.
"Since it is installed by default on most Linux distributions, many unpatched machines are still vulnerable to this CVE today," researchers said.
Recommendation
Network segmentation can stop the lateral movement of the malware. Software-based segmentation can be a long-lasting protective measure that is comparatively easy to implement.
For use on SSH servers, a FritzFrog detection script is provided that searches for the following FritzFrog indicators:
a. Running processes named nginx, ifconfig, php-fpm, apache2, or libexec, whose executable file no longer exists on the file system (as seen below)
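Indicator (a) is easy to check by hand on Linux: `/proc/<pid>/comm` gives the process name and `/proc/<pid>/exe` is a symlink to the binary, which the kernel suffixes with " (deleted)" once the file has been unlinked. The following Python check is an added example written for this page, not Akamai's detection script; the `build_fake_proc` and `demo` helpers construct a fake /proc-style tree purely so the logic can be exercised offline, and the pids, names and paths inside it are invented.

```python
import os
import sys
import tempfile
from pathlib import Path

# Process names FritzFrog hides behind (indicator list from the text above).
FRITZFROG_NAMES = {"nginx", "ifconfig", "php-fpm", "apache2", "libexec"}


def scan_proc(proc_root="/proc"):
    """Return (pid, comm, exe) for watched-name processes whose binary is gone from disk."""
    findings = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            exe = os.readlink(entry / "exe")
        except OSError:
            continue  # process exited, or /proc/<pid>/exe is not readable without root
        if comm not in FRITZFROG_NAMES:
            continue
        # The kernel appends " (deleted)" to the link target once the file is unlinked;
        # a target that simply no longer exists is treated the same way.
        if exe.endswith(" (deleted)") or not os.path.exists(exe):
            findings.append((int(entry.name), comm, exe))
    return findings


def build_fake_proc(root):
    """Constructed /proc-like tree: a memory-only 'nginx', a real-binary 'apache2', an unwatched 'bash'."""
    root = Path(root)
    fake = {
        "100": ("nginx", "/usr/sbin/nginx (deleted)"),  # FritzFrog-style: binary unlinked after exec
        "200": ("bash", sys.executable),                # not a watched name
        "300": ("apache2", sys.executable),             # watched name, but binary still on disk
    }
    for pid, (comm, exe) in fake.items():
        d = root / pid
        d.mkdir()
        (d / "comm").write_text(comm + "\n")
        os.symlink(exe, d / "exe")
    return root


def demo():
    """Run the check against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_proc(build_fake_proc(tmp))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for pid, comm, exe in scan_proc(target):
        print(f"SUSPICIOUS pid={pid} comm={comm} exe={exe}")
```

Run it as root on the real host (`sudo python3 ff_check.py`), since unprivileged users cannot read `/proc/<pid>/exe` for other users' processes; a legitimate nginx or apache2 whose package was upgraded while it was running will also show " (deleted)", so treat a hit as a lead to confirm against package and restart history rather than as proof on its own.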
The latest stable channel update for Google Chrome, version 120.0.6099.199 for Mac and Linux and 120.0.6099.199/200 for Windows, is now available and will shortly be rolled out to all users.
Furthermore, the Extended Stable channel has been updated to 120.0.6099.200 for Windows and 120.0.6099.199 for Mac.
This release contains six security fixes. Three of them are use-after-free bugs that could let a remote attacker corrupt the heap and take control of the browser's renderer process.
A use-after-free occurs when a program frees a block of dynamically allocated memory but keeps using a pointer to it. The dangling pointer now refers to memory the allocator may hand out again for other objects, so reads and writes through it corrupt the heap, which is the foothold an attacker builds on.
Use after free in ANGLE in Google Chrome presents a high-severity vulnerability that might have led to a remote attacker compromising the renderer process and using a crafted HTML page to exploit heap corruption.
Google awarded $15,000 to Toan (suto) Pham of Qrious Secure for reporting this vulnerability.
This high-severity flaw was a heap buffer overflow in ANGLE that could have been exploited by a remote attacker using a crafted HTML page to cause heap corruption.
Toan (suto) Pham and Tri Dang of Qrious Secure received a $15,000 reward from Google for discovering this vulnerability.
A high-severity use after free in WebAudio in Google Chrome might potentially allow a remote attacker to exploit heap corruption through a manipulated HTML page.
Google awarded Huang Xilin of Ant Group Light-Year Security Lab a $10,000 reward for finding this issue.
A high-severity use-after-free in WebGPU might likewise have allowed a remote attacker to exploit heap corruption through a crafted HTML page.
The details about the reporter of this vulnerability were mentioned as anonymous.
These use-after-free conditions exist in Google Chrome versions before 120.0.6099.199. To prevent exploitation, Google advises users to update to the latest version of Google Chrome.
How To Update Google Chrome
Open Chrome.
At the top right, click More.
Click Help > About Google Chrome.
Click Update Google Chrome. Important: if you can't find this button, you're already on the latest version.
Fortunately for Radioactive Waste Management (RWM), the first-of-its-kind hacker attack on the project was unsuccessful.
The United Kingdomâs Radioactive Waste Management (RWM) company overseeing the nationâs radioactive waste has revealed a recent cyberattack attempt through LinkedIn. While the attack was reportedly unsuccessful, it has raised eyebrows in the nuclear sector, sparking concerns about the security of critical nuclear infrastructure.
As reported by The Guardian, the hackers directed their attack at the company through LinkedIn. However, whether it was a phishing attack or an attempt to trick employees into installing malware on the system, the modus operandi remains unknown.
Typically, LinkedIn is exploited for phishing scams targeting employees of specific companies. An example from last year involves ESET researchers reporting a cyberespionage campaign by North Korean government-backed hackers from the Lazarus group. The campaign specifically targeted employees at a Spanish aerospace firm.
RWM is spearheading the £50bn Geological Disposal Facility (GDF) project, which aims to construct a large underground nuclear waste repository in Britain. As a government-owned entity, RWM facilitated the merger of three nuclear bodies, the GDF project, the Low-Level Waste Repository, and another waste management entity, to establish Nuclear Waste Services (NWS).
"NWS has seen, like many other UK businesses, that LinkedIn has been used as a source to identify the people who work within our business. These attempts were detected and denied through our multi-layered defences," stated an NWS spokesperson.
However, the incident raises concerns, as experts warn that social media platforms such as LinkedIn are becoming preferred playgrounds for hackers. These platforms provide multiple avenues for infiltration, including the creation of fake accounts, phishing messages, and direct credential theft.
The FBI's special agent in charge of the San Francisco and Sacramento field offices, Sean Ragan, has emphasized the "significant threat" of fraudsters exploiting LinkedIn to lure users into cryptocurrency investment schemes, citing numerous potential victims and past and current cases.
In October 2023, email security firm Cofense discovered a phishing campaign abusing Smart Links, part of the LinkedIn Sales Navigator and Enterprise service, to send authentic-looking emails, steal payment data, and bypass email protection mechanisms.
In November 2023, a LinkedIn database containing over 35 million usersâ personal information was leaked by a hacker named USDoD, who previously breached the FBIâs InfraGard platform. The database was obtained through web scraping, an automated process to extract data from websites.
In 2023, the Sellafield nuclear site in Cumbria experienced cybersecurity issues, indicating a need for improved safeguards and tighter regulations. The RWM incident highlights the growing interest of cybercrime syndicates to target nuclear sites.
The NWS acknowledges the need for continuous improvement to strengthen cybersecurity measures, highlighting that emergency response plans must match evolving business needs.