
All news with #critical infrastructure tag

368 articles · page 11 of 19

French postal service disrupted by suspected DDoS attack

⚠️ France’s national postal service, La Poste, experienced a widespread network outage lasting more than twelve hours that affected its website, mobile app, digital document service Digiposte, and a digital ID service. Counter services remained operational, but the banking arm, Banque Postale, saw its app and online services go offline. Payments and SMS verification reportedly continued to function. Officials have not confirmed a cause; Le Monde Informatique has cited a suspected DDoS attack.

Major Network Incident Knocks Offline La Poste Services

🚨 La Poste, France’s national postal service, reported a 'major network incident' that knocked its information systems offline and disrupted its website, mobile app, digital identity service and the Digiposte document platform. La Banque Postale said online and mobile banking were affected but core banking functions — ATM withdrawals, in-store card payments, interbank exchanges and WERO transfers — remained operational. French media cited a suspected DDoS attack; La Poste has not provided a restoration timeline.

Denmark Attributes Two Destructive Cyberattacks to Russia

🔒 The Danish Defence Intelligence Service (DDIS) publicly attributed two separate cyber operations to Russian-linked actors. It said a pro-Russian group known as Z-Pentest carried out a destructive intrusion against a Danish water utility in 2024, while NoName057(16), an actor with ties to the Russian state, mounted disruptive DDoS attacks against Danish websites ahead of municipal and regional elections in November. Danish authorities characterized the incidents as part of a broader pattern of state-aligned cyber coercion and disruption.

FCC Bans Foreign-Made Drones and Critical Components

🚫 The FCC has placed foreign-made uncrewed aircraft systems (UAS) and critical UAS components on its Covered List, citing national security concerns and provisions of the 2025 NDAA. The action targets China-made vendors such as DJI and Autel Robotics and covers communications, flight controllers, navigation systems, batteries, motors, and related parts. The agency said the move will reduce risks of unauthorized surveillance, data exfiltration, and destructive operations over U.S. territory while permitting DHS to exempt specific models and allowing continued use and sale of previously approved devices.

Romanian National Water Authority Hit by Ransomware

🔒 Romanian Waters (Administrația Națională Apele Române) reported a ransomware incident over the weekend that affected roughly 1,000 computer systems across the national authority and 10 of its 11 regional offices. Investigators said servers running GIS, databases, email, web services, Windows workstations and DNS were impacted, while operational technology and water infrastructure controls remained operational. Authorities reported attackers used the built-in Windows BitLocker feature to lock files and left a ransom note demanding contact within seven days; the investigation is ongoing.

DXS Confirms Cyber-Attack; NHS Services Unaffected

🔒 DXS International said it discovered a cyber-attack on 14 December that affected its office servers and disclosed the incident to the London Stock Exchange on 18 December. The company reported minimal impact, with front-line NHS clinical services remaining operational, and said it contained the breach and is investigating with NHS England and an external cybersecurity specialist. A threat actor calling itself Devman has claimed to have stolen 300GB and threatened to publish data on 20 December; that claim remains unconfirmed.

HPE OneView Critical RCE Flaw Rated CVSS 10.0, Patch

🚨 HPE has released patches for a critical remote code execution vulnerability in OneView Software, tracked as CVE-2025-37164 with a CVSS score of 10.0. The flaw affects all versions prior to 11.00; HPE published version 11.00 and hotfixes for 5.20–10.20 to mitigate it. Administrators should apply the update or hotfix promptly; certain hotfixes must be reapplied after specific upgrades or Synergy Composer reimaging.

France Arrests Crew Member Over Malware on Italian Ferry

🚨 French authorities arrested a Latvian crew member after the discovery of a remote access tool aboard the Italian passenger ferry Fantastic, owned by Grandi Navi Veloci. A Bulgarian crew member was released without charge. The malware was detected and neutralized by GNV while the ship was docked in Sète, and France's DGSI seized items for forensic analysis. Investigators are treating the case as suspected foreign interference and continue cooperation with Italian authorities.

CISA Releases Nine ICS Advisories Covering Multiple Vendors

🔔 CISA published nine Industrial Control Systems (ICS) advisories on 2025-12-18 that detail current security issues, vulnerabilities, and known exploits affecting a range of vendors and products. The advisories cover Inductive Automation Ignition, Schneider Electric EcoStruxure Foxboro DCS Advisor, National Instruments LabVIEW, Mitsubishi Electric components, Siemens IP-Stack, Advantech WebAccess/SCADA, Rockwell Automation Micro controllers, Axis Communications Camera Station offerings, and an updated notice for Mitsubishi Electric CNC Series (Update C). Each advisory provides technical details, impact assessments, and recommended mitigations for administrators and asset owners. CISA urges users to review the advisories promptly and implement the suggested mitigations to reduce operational risk.

Raspberry Pi Attack Exposes Gaps in Physical Security

🔌 A Raspberry Pi with a cellular modem was discovered plugged into a French ferry's internal network as it prepared to sail from Sète to Algeria; investigators told Bloomberg that network segmentation and the absence of remote access to critical controls prevented lateral movement and possible sabotage. Security experts warn such rogue devices can create a new internal perimeter that bypasses monitored gateways and render SOCs blind if traffic exits over cellular. Recommended mitigations include 802.1X authentication, disabling unused switch ports by default, physical port locks and tamper-evident measures, deployment of advanced NACs and physical-layer fingerprinting tools like Sepio, and capturing a device's network traffic for forensic analysis before physical removal.

Raspberry Pi on Ferry Prompts CISO Wake-Up on Security

🔒 In mid-December, a Raspberry Pi paired with a cellular modem was found attached to a ferry owned by the Mediterranean Shipping Company, apparently intended to give remote access to the vessel’s internal network. Robust segmentation and disabled remote access to critical control systems prevented lateral movement and a potential sabotage scenario. Analysts warn many organizations remain vulnerable because physical security and port-level controls are often overlooked, and they recommend stronger NAC, 802.1X enforcement, port locks, and continuous external infrastructure monitoring.

Deliberate Internet Shutdowns: Rising Global Trend

🌐 The Taliban ordered a two‑day nationwide internet blackout in Afghanistan in September, cutting emergency communications, grounding flights, and interrupting banking. That incident is part of a global surge: Access Now and the #KeepItOn coalition documented 296 deliberate shutdowns in 2024 and at least 244 more in 2025 so far. Shutdowns range from full national cuts to targeted platform blocks and throttling, and are increasingly used for political, military, and social control. Workarounds like VPNs, mesh networks, and satellite terminals help some, but for most people loss of connectivity means loss of essential services and civil liberties.

CISA Guide Helps Stadiums Mitigate Lifeline Disruptions

🏟 CISA released the Venue Guide for Mitigating Dependency Disruptions to help stadium and arena owners reduce operational risk from outages in Energy, Water and Wastewater, Communications, and Transportation. Developed with government and industry partners, the concise, actionable resource offers baseline strategies, assessment steps, and partnership guidance tailored for major events including FIFA World Cup 2026 and the 2028 Summer Olympics. It encourages venues to assess lifeline dependencies, integrate contingency plans, and coordinate with local service providers and CISA Security Advisors to strengthen operational resilience.

Russian APT Targets Energy and Critical Infrastructure

🔎 Amazon Threat Intelligence reports a Russian state-sponsored cyber espionage team has increasingly targeted energy providers and other critical infrastructure, operating since at least 2021. The actors have shifted toward exploiting device misconfigurations while continuing to leverage known vulnerabilities such as CVE-2022-26318, CVE-2021-26084, CVE-2023-22518 and CVE-2023-2753. Observed tradecraft includes compromise of network-edge devices hosted on AWS EC2, passive credential capture and credential-replay attacks to move laterally across victim environments. Amazon provides indicators of compromise and specific mitigation guidance, including configuration audits, isolation of management interfaces and deployment of multi-factor authentication.

Russian APT Shifts to Network Edge Device Misconfigurations

🔍 A Russian state-sponsored cyberespionage group has shifted to exploiting misconfigurations in network-edge devices to target energy companies and critical infrastructure. Amazon Threat Intelligence found the actor, active since at least 2021, pivoted from known CVEs to passive credential harvesting via compromised routers, VPN concentrators and management appliances. Telemetry shows overlaps with GRU-linked Sandworm and Bitdefender’s Curly COMrades, with attackers intercepting traffic to replay credentials. Amazon urges audits of edge devices, isolation of management interfaces, enforcement of MFA and monitoring for anomalous authentication.

Amazon Disrupts GRU Hackers Targeting Edge Devices

🔒 Amazon Threat Intelligence disrupted active operations attributed to GRU-linked hackers who targeted customer cloud infrastructure by abusing misconfigured edge devices. The multi-year campaign, observed since 2021 and focused on Western critical infrastructure and the energy sector, shifted in 2025 from zero-day exploitation to targeting exposed management interfaces on routers, VPN gateways, and network management appliances. Amazon isolated compromised EC2 instances, shared indicators, and advised audits, credential monitoring, and AWS controls like isolating management interfaces, restricting security groups, and enabling CloudTrail, GuardDuty, and VPC Flow Logs.

Cyberattack disrupts Venezuelan oil giant PDVSA's operations

🛢️ Petróleos de Venezuela (PDVSA) reported a weekend cyberattack it says was restricted to administrative systems and did not affect operational areas, asserting continuity via secure protocols. Despite that assertion, internal memos and multiple sources cited by Bloomberg and Reuters indicate staff were ordered to disconnect and that systems managing the main crude terminal remained offline. PDVSA publicly blamed the United States and domestic conspirators for the incident.

Amazon Reveals Years-Long GRU Campaign Targeting Energy

🛡️ Amazon's threat intelligence team disclosed a years-long campaign tied with high confidence to the GRU-affiliated APT44 (also tracked as FROZENBARENTS/Sandworm), which targeted Western critical infrastructure from 2021–2025. The actor shifted from zero-day exploitation to abusing misconfigured customer network edge devices and exposed management interfaces on AWS-hosted instances, enabling packet capture, credential harvesting, and credential replay against energy, telecom, and cloud providers. Amazon observed exploitation of WatchGuard (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532), notified affected customers, disrupted active operations, and recommended audits, stronger authentication, and monitoring for unexpected access and credential replay.

Güralp Web Interface DoS Vulnerability (CVE-2025-14466)

⚠️ A vulnerability in the web interface of Güralp Systems Fortimus, Minimus, and Certimus Series (CVE-2025-14466) allows an unauthenticated network attacker to send specially crafted HTTP requests that cause the web service process to restart. The restart produces a brief denial-of-service condition with a CVSS v3.1 base score of 5.3 (Medium). Güralp recommends operating affected systems behind a NAT or VPN firewall and contacting the vendor for further guidance. CISA advises minimizing network exposure, isolating control networks, and using secure, up-to-date remote access methods.

Hitachi Energy RADIUS MD5 Vulnerability (CVE-2024-3596)

⚠️ A critical vulnerability (CVE-2024-3596, CVSS 9.0) in Hitachi Energy AFS/AFR/AFF series RADIUS implementations allows a local attacker to forge valid RADIUS responses by exploiting an MD5 chosen-prefix collision against the response authenticator. Successful exploitation can compromise product data integrity and disrupt availability. Hitachi Energy recommends immediately enabling the RADIUS message authenticator option; vendor-specific CLI commands and MIB objects vary by product family.