All news with #critical infrastructure tag

368 articles · page 3 of 19

ZionSiphon OT Malware Targets Water Treatment Systems

🔎 Darktrace researchers have analyzed a newly identified malware called ZionSiphon that combines typical endpoint compromise techniques with functions tailored to industrial control systems, specifically targeting water treatment and desalination infrastructure. The sample includes privilege escalation, persistence, and USB-based propagation alongside environment and software checks for reverse osmosis and chlorine control. While it can scan OT protocols such as Modbus and attempt register modifications, implementation gaps and a country-validation flaw suggest the strain is an early-stage tool that may fail to activate in many environments.
NCSC outlines coordinated NHS plan to boost cyber resilience

🔒 The NCSC has published a coordinated plan to improve NHS cyber resilience, focusing on piloting tools via ACD 2.0, securing the software supply chain, managing vulnerability disclosures, enhancing visibility and promoting services such as Early Warning, the Cyber Action Toolkit and Cyber Essentials. The agency is applying the Software Security Code of Practice in procurement and using data science to prioritise supplier risk while its Vulnerability Reporting Service continues to support GP surgeries, trusts and health boards. Additional measures include the NHS App adopting passkeys, attack surface management, deception-technology experiments, DNS analytics and Threat Hunting Workshops to develop playbooks and strengthen sector collaboration.
Critical Architectural Flaw in MCP Threatens AI Supply Chain

⚠️ Researchers have identified a critical, systemic vulnerability in MCP, the open source model context protocol developed by Anthropic. An Ox Security report published on April 15 says an architectural decision in official MCP SDKs causes the STDIO interface to execute arbitrary commands even when a local server process fails to start, enabling attackers to run malicious commands without sanitization. The flaw could expose API keys, chat histories, internal databases and other sensitive data across thousands of instances, and Ox Security reports that Anthropic has declined to change the protocol.
Rolling Networks: Securing Cyber Risks in Transport

🚚 Modern trucks are "rolling networks" loaded with communications systems, sensors, cloud-connected devices and Wi-Fi, creating expansive attack surfaces. Ben Wilkens of NMFTA warns that cybercriminals exploit the sector’s uptime pressure with ransomware, extortion and cyber-enabled cargo theft. Core hygiene—MFA, network segmentation, social engineering training and timely patching—can significantly reduce risk but must be adapted for small carriers. NMFTA advances research, guidance and an annual conference to help the industry collaborate and strengthen defenses.
German military warns: Hybrid attacks on infrastructure

🔒 Vice Admiral Thomas Daum warned that hybrid attacks on Germany's critical infrastructure and Bundeswehr forces abroad have risen noticeably since 2022. At NATO's Locked Shields exercise he cited targeted intrusions against Bundeswehr data centres, alleged phone tapping of deployed personnel and disinformation campaigns in Lithuania. Authorities suspect state actors including Russia, China, Iran and North Korea, while energy firms, banks and local authorities remain at risk.
Critical wolfSSL vulnerability allows forged certificates

🔒 A critical vulnerability in the wolfSSL TLS/SSL library (tracked as CVE-2026-5194) permits improper verification of hash algorithms and sizes when validating ECDSA and other signatures. Researchers warn attackers can present forged certificates with undersized digests that vulnerable implementations will accept, enabling impersonation of servers, files, or connections. Discovered by Nicholas Carlini of Anthropic, the issue was fixed in wolfSSL 5.9.1 (April 8); administrators should review deployments and apply updates or vendor patches promptly.
CISA Orders Federal Agencies to Patch Ivanti EPMM Flaw

⚠️ CISA has ordered U.S. federal agencies to remediate a critical Ivanti Endpoint Manager Mobile flaw (CVE-2026-1340) that has been exploited since January. The agency added the bug to its Known Exploited Vulnerabilities catalog and invoked BOD 22-01, giving agencies until Saturday, April 11 to patch or mitigate affected systems. Ivanti released fixes on January 29 and urged all customers to update immediately.
Iran-linked PLC Attacks Disrupt US Critical Infrastructure

⚠️ Six US agencies warn an Iranian-affiliated group has compromised internet-exposed programmable logic controllers at water, energy, and government facilities since at least March 2026. The actors used leased overseas infrastructure and legitimate Rockwell Automation configuration tools to access CompactLogix and Micro850 controllers. Victims suffered operational disruption, project file theft, altered SCADA/HMI data, and persistent remote access.
Iran-Backed Hackers Target US CNI via Internet-Facing OT

⚠ Iranian-affiliated threat actors have been exploiting internet-facing operational technology (OT) assets to target US critical national infrastructure (CNI) providers since late March, according to a CISA advisory. Attackers used vendor configuration tools such as Rockwell Automation's Studio 5000 Logix Designer to create accepted connections to PLCs and manipulated HMI/SCADA displays. Observed inbound traffic used ports 44818, 2222, 102, 22 and 502 and included deployment of Dropbear SSH for remote access. Agencies urge immediate log review, segmentation, and removal of direct internet exposure for PLCs.
Iran-Linked Hackers Disrupt U.S. OT Devices and PLCs

🔒 Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across U.S. critical infrastructure, including energy, water and government facilities. U.S. agencies warn attackers used third-party hosted infrastructure and Rockwell Automation tools to connect to CompactLogix and Micro850 PLCs, deploy Dropbear SSH, extract project files, and manipulate HMI/SCADA displays, causing degraded functionality and disruption. Organizations are advised to remove internet exposure, enforce multi-factor authentication, place firewalls or proxies in front of PLCs, disable unused features, keep devices up to date, and monitor for anomalous traffic.
US: Iranian Hackers Target Internet-Exposed PLCs Nationwide

⚠️ U.S. agencies warn that Iranian-affiliated APT actors are actively targeting Internet-exposed Rockwell/Allen-Bradley and other PLCs on networks supporting critical infrastructure sectors such as Water, Energy, and Government Services. The joint advisory from the FBI, CISA, NSA, DOE, EPA, and U.S. Cyber Command states intrusions since March 2026 have caused operational disruption, extraction of device project files, and manipulation of HMI/SCADA displays. Organizations are advised to disconnect PLCs from the Internet or protect them behind firewalls, apply the latest firmware, enable multifactor authentication for OT access, disable unused services and default keys, and monitor OT ports and logs for the advisory's indicators of compromise.
Iranian-Linked Actors Target Internet-Facing PLCs in US

🚨 CISA, the FBI, NSA and partner agencies warn that Iranian-affiliated APT actors are actively exploiting internet-facing operational technology controllers, notably Rockwell Automation/Allen-Bradley PLCs. The actors used vendor configuration software and leased overseas hosting to access exposed PLCs, extracted project files, and altered data shown on HMIs and SCADA displays, causing operational disruption and financial loss. Organizations should urgently apply the advisory's IOCs and mitigations: remove PLCs from direct internet exposure, enforce access controls and MFA, and contact vendor and federal incident contacts if targeted.
Securing Physical Systems as OT Comes Online in IT Era

🔒 Operational technology (OT) is rapidly moving online, creating new cyber-physical risks as industrial control systems connect to corporate IT. In a Fortinet Brass Tacks podcast, KPMG’s Hossain Alshedoki explains how visibility, culture, and measured extension of IT controls into OT are essential. He stresses resilience over replication of IT models, and prioritizes asset discovery before automation.
Siemens SICAM 8 Firmware DoS Vulnerabilities and Fixes

🔒 Siemens has identified vulnerabilities in SICAM 8 products that can cause denial-of-service conditions. Affected components include CPCI85 (CP-8031/CP-8050), RTUM85 (CP-8010/CP-8012) and SICORE/S8000 elements. Two CVEs were assigned: CVE-2026-27663 (resource exhaustion, CVSS 6.5) and CVE-2026-27664 (out-of-bounds write, CVSS 7.5). Siemens released firmware updates in the V26.10 family and recommends validated deployment and supervised update procedures; CISA advises minimizing network exposure, isolating control systems, and using secure remote access.
Yokogawa CENTUM VP Hardcoded PROG Account Password

🔒 Yokogawa CENTUM VP contains a hardcoded password for the PROG account used in CENTUM Authentication Mode, tracked as CVE-2025-7741. Under specific conditions, an attacker with access to HIS screen controls could log in as PROG and modify permissions or configuration. The issue affects R5.x, R6.x, and vR7.01.00 product families; it is not remotely exploitable and has high attack complexity. Recommended mitigations include switching to Windows Authentication Mode or applying vendor patch R7.01.10.
Hitachi Energy JasperReports RCE in Ellipse Products

⚠ Hitachi Energy disclosed a critical Java deserialization flaw in the Jaspersoft/Jasper Report library used by Ellipse, tracked as CVE-2025-10492, which can enable remote code execution. Affected versions include Ellipse 9.0.50 and earlier and the issue carries a CVSS 3.1 score of 9.8. Immediate mitigations include restricting loading of external custom reports to only administrator-approved Jasper files, isolating control systems from public networks, and following updates from Hitachi Energy PSIRT.
Critical Cisco IMC auth bypass gives attackers Admin access

🔒 Cisco has released patches for a critical Integrated Management Controller (IMC) authentication bypass (CVE-2026-20093) that allows unauthenticated, remote attackers to gain Admin privileges by sending a crafted HTTP password-change request. The flaw affects CIMC on UCS C-Series and E-Series servers and permits altering any account password, including Admin. Cisco's PSIRT reports no known in-the-wild exploitation or public proof-of-concept yet and stresses there are no workarounds, so customers should upgrade to fixed software immediately.
Most UK CNI Firms Face Up to £5m OT Downtime Costs

🔒 A survey by e2e-assure of 250 UK critical national infrastructure (CNI) cybersecurity decision-makers found 80% of organisations expect operational technology (OT) downtime costs between £100,000 and £5m, with 23% reporting incidents exceeding £1m and 6% above £5m. Nearly two-thirds said they fear nation-state attacks, and the vendor warned attackers commonly pivot from IT into exposed OT environments. Respondents also highlighted limited OT visibility and supply-chain risks that hinder detection, response and remediation efforts.
78% of UK Manufacturers Suffer Serious Cyber Incidents

🔒 New ESET polling of 500 senior IT, OT, operations, risk and security leaders shows 78% of UK manufacturers experienced a serious cyber incident in the past year. Most (95%) saw direct business impact and 53% reported financial losses, with supply chain disruption and missed commitments common. Respondents flagged AI-enabled attacks as the top production threat, yet only 22% assign cyber accountability to the board.
Critical Infrastructure Threats: Identity, Persistence

🔐 Microsoft Threat Intelligence warns that the cyber threat to critical infrastructure has shifted from opportunistic data theft to long-term, identity-driven persistence aimed at operational disruption. Hybrid IT–OT architectures, cloud-based identity, and exposed remote services enable adversaries—including nation-state actors—to establish low-visibility footholds using living-off-the-land techniques and valid credentials. Microsoft recommends continuous readiness, reducing exposure, and validating defenses through proactive compromise assessments to detect active or dormant intrusions before they are activated.