CISA Urges Critical Infrastructure to Patch Urgent ICS Vulnerabilities Read the story here CISA warned critical infrastructure organizations about vulnerabilities in nine ICS products, urging immediate action to mitigate potential risks in sectors like energy, manufacturing and transportation. The vulnerabilities ranged from medium to critical in severity. US and Israel Warn of Iranian Threat Actor's New Tradecraft Read the story here In November, the US and Israel issued a joint warning about the Iranian hacking group Cotton Sandstorm, which is using advanced techniques, including AI, to target critical infrastructure and influence elections. The group, also known as Marnanbridge and Haywire Kitten, was observed to have from 'hack and leak' operations against organizations primarily in Israel to a broader range of attacks impacting numerous countries, including Israel, France, Sweden and the US.

NIST Scraps Passwords Complexity and Mandatory Changes in New Guidelines Read the story here New guidelines published by the US National Institute of Standards and Technology (NIST) highlighted that using a mixture of character types in your passwords and regularly changing passwords are officially no longer best password management practices. Nigerian 'Yahoo Boys' Behind Social Media Sextortion Surge in the US Read the story here Nigeria-based cybercriminals known as the Yahoo Boys were behind a serge in sextortion activity targeting teenagers from Western English-speaking countries. Social media was found to be the platform of choice for these schemes to unfold and extort victims out of large sums of money.

Change Healthcare Cyber-Attack Leads to Prescription Delays Read the story here Change Healthcare suffered a ransomware attack in 2024 which led to delays in prescriptions being issued to patients. The data breach was said to affect 100 million Americans. The healthcare insurance firm later admitted to paying attackers, understood to be BlackCat, a $22m ransom in order to restore systems. NIST National Vulnerability Database Disruption Sees CVE Enrichment on Hold Read the story here NIST almost completely stopped enriching software vulnerabilities listed in its National Vulnerability Database (NVD) from February 2024. In March, NIST unveiled that a new consortium would help it run the NVD. The NVD issues were alleged to be the result of a number of challenges, including NIST budget issues, discussions surrounding the replacement of some vulnerability standards and adoption of Package URLs, and the conclusion of a contract with an organization that works with NIST on the NVD. Over Six Million Hit by Ransomware Breach at Infosys McCamish Systems Read the story here Infosys McCamish Systems was hit by a ransomware attack in 2023. In 2024 it was revealed that the incident impacted over six million customers, exposing their Social Security Number, date of birth, medical treatment/record information and more. The company, which provides outsourcing services to financial and insurance companies, said it began notifying customers about the breach on June 27. CISA Urges Improvements in US Software Supply Chain Transparency Read the story here The US Cybersecurity and Infrastructure Security Agency (CISA) published its third edition of Framing Software Component Transparency document which aims to improve the clarity and use of Software Bills of Materials (SBOMs). The document outlined essential SBOM attributes and said that simply including baseline information in an SBOM is insufficient to address all use cases. As the use of SBOMs grows, organizations will need to adopt more advanced practices for sharing and managing this data.