
All news with #critical infrastructure tag


Critical RCE in n8n Forces Immediate Global Remediation

🚨 A critical remote code execution vulnerability, CVE-2026-21858 (CVSS 10.0), has been disclosed in n8n, allowing attackers to fully compromise locally deployed instances. Researchers estimate roughly 100,000 servers are affected and there are no official workarounds available. The n8n project has released a patched build; users must upgrade to n8n version 1.121.0 or later to remediate the issue. Administrators should prioritize patching and follow vendor advisories immediately.

UAT-8837 APT Targets North American Critical Systems

🔍 Cisco Talos is tracking UAT-8837, an assessed China-nexus APT that since 2025 has focused on obtaining initial access to high-value and critical infrastructure organizations in North America. The actor uses both n-day and zero-day exploits (including CVE-2025-53690 in SiteCore) and often deploys open-source tooling—Earthworm, SharpHound, DWAgent, Certipy, and GoTokenTheft—to harvest credentials, enumerate Active Directory, and create remote tunnels. Operators perform hands-on-keyboard reconnaissance, create backdoored accounts and remote admin access, and cycle tools when endpoint protections block their payloads. Talos provides IOCs, Snort rules, and ClamAV signatures to detect and mitigate this activity.

International Principles for Secure OT Connectivity

🛡️ CISA, the UK’s NCSC, the FBI and international partners published the Secure Connectivity Principles for Operational Technology (OT), a joint guide led by NCSC‑UK to mitigate insecure and exposed connectivity and defend against opportunistic and nation‑state cyber threats. The guidance provides a practical framework and eight key principles to help OT owners and operators design, secure, and manage connectivity. Agencies also urge OT device manufacturers and integrators to embrace secure‑by‑design practices and recommend organizations assess OT connectivity and implement mitigations to strengthen critical infrastructure resilience.

Secure Connectivity Principles for OT — CISA, NCSC-UK

🔒 CISA and the UK National Cyber Security Centre (NCSC-UK) issued Secure Connectivity Principles for Operational Technology (OT) to help asset owners manage increasing connectivity demands. The guidance provides an eight‑principle framework to design, secure, and operate network access into OT environments. It targets operators of essential services and aligns with federal and international collaboration. Stakeholder feedback is invited through a CISA product survey.

Cyberattack Suspected After False Active-Shooter Siren

🚨 On Saturday, 10 January, the city of Halle (Saale) experienced a widespread false alarm when all sirens sounded around 10:00 p.m., accompanied by an English announcement: “Active shooter. Lockdown now.” City officials, including Mayor Alexander Vogt and security head Tobias Teschner, said the alert was likely triggered by external access to the siren system and not by local, state, or federal authorities. Authorities have secured the system, filed a police report, and are investigating; the municipal website was briefly unavailable due to high visitor traffic rather than a targeted DDoS, and resilience measures have been implemented.

Belgian Hospital AZ Monica Shuts Down Servers Amid Outage

🔒 Belgian hospital AZ Monica disconnected all servers at 6:32 AM after a cyberattack that forced the cancellation of scheduled procedures and slowed emergency operations. The Emergency Department is operating at reduced capacity and MUG and PIT services are currently offline; seven critical patients were transferred to other hospitals. The hospital has notified authorities and is monitoring the situation while staff rely on paper records; officials have not confirmed whether ransomware was involved.

Iran Protests Trigger Nationwide Internet Shutdown

🌐 Cloudflare observed a near-total Internet blackout in Iran beginning on January 8, 2026, as national traffic fell to effectively zero in a matter of hours. Measured indicators included a 98.5% reduction in announced IPv6 address space and rapid losses at major providers such as MCCI, IranCell, and TCI. Brief, localized restorations — including access to Cloudflare’s 1.1.1.1 resolver and several university networks — were transient. Cloudflare continues to monitor the situation through Cloudflare Radar and will report updates.

Palo Alto Crosswalk Signals Used Default Passwords

⚠️ Palo Alto discovered last year that several municipal crosswalk signal controllers were accessible with unchanged factory credentials. City staff never replaced the devices' default passwords, which allowed unauthorized parties to alter pedestrian signal timing remotely. The incident underscores failures in procurement and operational security. It also illustrates the need for continuous asset inventory, patching, and credential management across infrastructure.

Unencrypted TETRA Radio Leaves German Critical Sites Exposed

⚠️ Many German critical infrastructure organizations are transmitting over unencrypted digital radio, creating an easily exploitable interception vector. Wirtschaftswoche reports that prisons, airports and energy providers are operating TETRA networks without encryption—often citing cost reasons—while police networks remain multi-layer encrypted. AG Kritis calls the situation a security-policy disgrace, warning that a laptop, free software and modest technical skill are sufficient to eavesdrop and capture confidential information, potentially endangering supply security and lives.

Critical RCE in Hitachi Energy Asset Suite (Jasper)

⚠️ Hitachi Energy has disclosed a critical remote code execution vulnerability in Asset Suite, caused by a Java deserialization flaw in the Jaspersoft library (CVE-2025-10492). The issue affects Asset Suite versions 9.7 and earlier and carries a CVSS v3.1 base score of 9.8 — allowing attackers to execute arbitrary code on vulnerable systems. Hitachi Energy advises upgrading to version 9.8 to remediate the defect. Until patched, administrators should restrict loading of external custom reports, segment networks, and deny internet exposure for control system devices.

UAT-7290: China-Nexus APT Targeting Telecom Edge Devices

🔍 Cisco Talos discloses UAT-7290, a China‑nexus APT active since at least 2022 that targets telecommunications infrastructure in South Asia and has recently expanded into Southeastern Europe. The actor conducts extensive reconnaissance, uses one‑day exploits and target-specific SSH brute force, and primarily deploys a Linux-centric toolset including RushDrop, DriveSwitch, SilentRaid, and Bulbature. Talos notes UAT-7290 also provisions Operational Relay Box (ORB) nodes that may support other China-nexus operators and provides ClamAV and Snort signatures for detection.

Taiwan Faces Surge in Chinese Cyber Intrusion Attempts

🔎 Taiwan’s National Security Bureau (NSB) reports a dramatic rise in Chinese-sourced cyber intrusion attempts against the island’s critical infrastructure in 2025, totaling 960,620,609 recorded attempts. The NSB highlights a tenfold surge against the energy sector and a 54% rise targeting emergency rescue and hospitals, while water resources and finance saw notable declines. Top groups named include BlackTech, Mustang Panda and APT41, which used vulnerability exploitation, DDoS, social engineering and supply-chain methods, often timed to coincide with military or political events.

n8n Ni8mare: Critical unauthenticated RCE (CVE-2026-21858)

⚠️ A maximum-severity flaw, CVE-2026-21858 (Ni8mare), in n8n allows unauthenticated remote attackers to read local files, forge administrator sessions, and achieve remote code execution by exploiting a Content-Type parsing confusion that can override req.body.files. The bug affects releases up to and including 1.65.0 and was fixed in 1.121.0 (released November 18, 2025). Operators should upgrade immediately, avoid exposing n8n publicly, and restrict or disable public webhooks and form endpoints until patched.

Taiwan: China's Cyberattacks on Energy Sector Rose Tenfold

🛡️ Taiwan's National Security Bureau (NSB) reports a tenfold increase in cyberattacks against the country's energy sector in 2025 compared to 2024. The NSB said incidents tied to China rose 6% overall and affected nine critical sectors, with spikes timed around political events and military activity. Observed attack methods included exploitation of hardware and software vulnerabilities, DDoS, social engineering, and supply-chain compromises targeting industrial control systems and upgrade windows.

U.S. Cyber Operations Alleged in Venezuela Power Outage

🔍 President Donald Trump suggested that U.S. cyber operations or other technical measures were used to cut power in Caracas during strikes that preceded the capture of Nicolás Maduro. If confirmed, this would be a rare, overt instance of U.S. offensive cyber action. Such operations are typically classified, and public details, technical indicators, and independent verification remain scarce. The claim raises significant legal and diplomatic concerns.

UK Launches Government Cyber Unit and Ambassador Scheme

🔐 The UK government has launched a Government Cyber Unit and a Software Security Ambassador Scheme under a £210m Cyber Action Plan to boost public sector resilience. The unit, led by the Government Chief Information Security Officer within the Department for Science, Innovation and Technology, will coordinate risk management and incident response across departments. The ambassador scheme promotes the voluntary Software Security Code of Practice and has drawn participants such as Cisco and Santander. While welcomed by many, some experts warn the funding may be insufficient to address the scale of threats exposed by recent 2025 incidents.

Taiwan Faces 2.6M Daily Chinese Cyberattacks in 2025

⚠️ Taiwan's National Security Agency reported that Chinese cyberattacks targeting the island's critical infrastructure rose 6% in 2025, averaging 2.6 million attacks per day. The assaults mainly focused on the energy sector, hospitals, banks and emergency services, and extended to the semiconductor industry, including TSMC. Attackers employed large-scale denial-of-service and man-in-the-middle techniques to disrupt operations and exfiltrate data. Many incidents reportedly coincided with Chinese military exercises and high-profile political events, while Beijing denies involvement.

Strategic Imperative for OT/IT Convergence and Security

🔐 The convergence of operational technology (OT) and information technology (IT) creates major business opportunities but also introduces significant cybersecurity complexity and risk. Legacy OT equipment, cultural divides between OT and IT teams, and a historical focus on uptime over security increase exposure as organisations digitise critical infrastructure. Leaders must embed security by design, address compliance such as NIS2, and unite teams to manage cloud, AI and device proliferation.

Romanian Energy Provider Hit by Gentlemen Ransomware

🔒 Oltenia Energy Complex, Romania's largest coal-based energy producer, suffered a ransomware attack on the second day of Christmas that disrupted its IT infrastructure. Some documents were encrypted and key applications — including ERP, document management, email, and the corporate website — became temporarily unavailable. The company said operations were only partially affected and the National Energy System was not jeopardized while teams rebuild systems from backups and cooperate with authorities.

La Poste Offline After Major DDoS Disrupts Services

🔴 La Poste's main website and multiple digital services were taken offline by a major DDoS attack on Monday, and access remained impaired as of Wednesday morning. While email (laposte.net) and Digiposte reportedly stayed operational, online banking, the La Poste app and digital identity services were described as "temporarily inaccessible." The incident also disrupted physical operations, with some Paris post offices turning customers away. La Poste says teams are fully mobilized while analysts warn the timing suggests possible state-sponsored or hacktivist motives.