Aggregator
Webinar | From Compliant to Cyber Ready: Closing the Gap
Webinar | Connected Resilience: Lessons in Cyber Collaboration from City, County, and State Leaders
McLaren Health Will Pay $14M to Settle Lawsuits in 2 Attacks
Michigan-based McLaren Health Care has agreed to pay $14 million to settle consolidated class action litigation involving two ransomware attacks - allegedly by Alphv/BlackCat in 2023 and by Inc Ransom in 2024 - that affected about 2.5 million patients and employees.
AI Is Transforming the Chief Data Officer Role
The chief data officer is being pushed out of the shadows and into the C-suite spotlight with the rise of AI. While the role emerged as one rooted in compliance and risk management, it has evolved to be a business driver, holding the keys to value creation and human-centered transformation.
Norway Says Salt Typhoon Hackers Hit Vulnerable Systems
Norway's security service confirmed it was targeted by the China-linked Salt Typhoon campaign, marking one of Europe’s clearest public acknowledgements that the cyberespionage operation extended beyond U.S. telecom and federal networks into allied infrastructure.
Sanctioned Bulletproof Host Tied to DNS Hijacking
A financially motivated threat actor hacked dozens of domain name system resolvers, connecting them to the infrastructure of a Russian bulletproof hosting service sanctioned by the U.S. Department of Treasury for its criminal links, researchers found.
Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps
The purpose of this Alert is to amplify the Energy Sector Incident Report published by Poland's Computer Emergency Response Team (CERT Polska) on Jan. 30, 2026, and to highlight key mitigations for Energy Sector stakeholders.
In December 2025, one or more malicious cyber actors targeted and compromised operational technology (OT) and industrial control systems (ICS) in Poland's Energy Sector, specifically renewable energy plants, a combined heat and power plant, and a manufacturing sector company. The activity highlights the need for critical infrastructure entities with vulnerable edge devices to act now to strengthen their cybersecurity posture against threat activity targeting OT and ICS.
The actors gained initial access through vulnerable internet-facing edge devices, then deployed wiper malware and damaged remote terminal units (RTUs). The activity caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices. While the affected renewable energy systems continued to produce power, the system operator could not control or monitor them as designed.[1]
CERT Polska’s incident report highlights:
- Vulnerable edge devices remain a prime target for threat actors.
- As indicated by CISA’s Binding Operational Directive (BOD) 26-02: Mitigating Risk From End-of-Support Edge Devices, end-of-support edge devices pose significant risks.
- OT devices without firmware verification can be permanently damaged.
- Operators should prioritize updates that allow firmware verification when available; if updates are not immediately feasible, ensure that cyber incident response plans account for inoperative OT devices to mitigate prolonged outages.
- Threat actors used default credentials, a weakness not limited to any one vendor, to pivot to the HMIs and RTUs.
- Operators should immediately change default passwords and require integrators and OT suppliers to enforce password changes on delivery going forward.
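The firmware point above is easy to state and easy to underestimate: a device whose update path writes whatever arrives on the management interface can be bricked by a wiper, while a device that authenticates the image before writing it survives the same traffic. The following is an added illustration, not code from CERT Polska, CISA, or any vendor. It models a toy RTU with a simplified image format (magic, version, length, tag, body); the vendor key, image contents and wiper payload are constructed for the example, and the HMAC-SHA256 tag stands in for the asymmetric signature a real device would check against a public key provisioned at manufacturing. It also goes one step beyond the Alert by rejecting rollback to an older, genuinely signed image, since a downgrade attack reintroduces the bugs the update fixed.

```python
import hashlib
import hmac
import struct

# Constructed example: a minimal firmware container. Header is
# magic(4) | version(u32) | body_len(u32) | tag(32 bytes), followed by the body.
MAGIC = b"RTUF"
HEADER = struct.Struct(">4sII32s")


def _tag(key: bytes, version: int, body: bytes) -> bytes:
    # Integrity tag over version and body. A real device would verify an
    # asymmetric signature (e.g. ECDSA) with a public key burned in at
    # manufacturing; HMAC-SHA256 stands in here only to keep the example
    # dependency-free. The key and format are assumptions of this example.
    return hmac.new(key, struct.pack(">I", version) + body, hashlib.sha256).digest()


def build_image(version: int, body: bytes, key: bytes) -> bytes:
    """Vendor side: wrap a firmware body in a tagged header."""
    return HEADER.pack(MAGIC, version, len(body), _tag(key, version, body)) + body


def verify_image(blob: bytes, key: bytes, installed_version: int):
    """Device side: return (ok, reason). Rejects malformed, forged and rolled-back images."""
    if len(blob) < HEADER.size:
        return False, "truncated header"
    magic, version, body_len, tag = HEADER.unpack_from(blob)
    if magic != MAGIC:
        return False, "bad magic"
    body = blob[HEADER.size:]
    if len(body) != body_len:
        return False, "length mismatch"
    if version < installed_version:
        return False, "rollback"  # an old but genuine image still carries its old bugs
    if not hmac.compare_digest(tag, _tag(key, version, body)):
        return False, "tag mismatch"
    return True, "ok"


class Rtu:
    """Toy RTU with one flash slot. `bootable` models whether the bootloader
    finds a parseable image in flash after a write."""

    def __init__(self, key: bytes, installed_version: int):
        self._key = key
        self.version = installed_version
        self.bootable = True

    def _write_flash(self, blob: bytes) -> None:
        # The bootloader only checks framing, not authenticity; that is what
        # makes the unverified update path dangerous.
        self.bootable = blob.startswith(MAGIC) and len(blob) >= HEADER.size
        if self.bootable:
            self.version = HEADER.unpack_from(blob)[1]

    def flash_unverified(self, blob: bytes) -> None:
        # Legacy path: anything received on the management interface goes to flash.
        self._write_flash(blob)

    def flash_verified(self, blob: bytes):
        # Hardened path: authenticate first, write only on success.
        ok, reason = verify_image(blob, self._key, self.version)
        if ok:
            self._write_flash(blob)
        return ok, reason


def demo():
    key = b"vendor-provisioning-key"           # constructed; provisioned at manufacturing
    v2 = build_image(2, b"rtu firmware v2", key)
    v1 = build_image(1, b"rtu firmware v1", key)
    wiper_payload = bytes(range(256)) * 4      # constructed: junk a wiper might write
    forged = v2[:-1] + bytes([v2[-1] ^ 0x01])  # one bit flipped in the body

    legacy = Rtu(key, 1)
    legacy.flash_unverified(wiper_payload)     # bricked: nothing parseable left in flash

    hardened = Rtu(key, 1)
    results = {
        "wiper": hardened.flash_verified(wiper_payload),
        "forged": hardened.flash_verified(forged),
        "upgrade": hardened.flash_verified(v2),
        "downgrade": hardened.flash_verified(v1),
    }
    return legacy.bootable, hardened.bootable, hardened.version, results


if __name__ == "__main__":
    print(demo())
```

The legacy unit ends up unbootable after a single unauthenticated write; the hardened unit rejects the wiper payload, the tampered image and the downgrade, and accepts only the genuine newer image. Where a vendor update adding this kind of check is available, that is the upgrade the Alert says to prioritize.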
CISA and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (DOE CESER) urge OT asset owners and operators to review the following resources for more information about the malicious activity and mitigations:
- CERT Polska’s Energy Sector Incident Report - 29 December 2025.
- CISA’s joint fact sheet with FBI, EPA, and DOE Primary Mitigations to Reduce Cyber Threats to Operational Technology.
- DOE’s Energy Threat Analysis Center’s threat advisories.
DOE CESER and CERT Polska contributed to this Alert.
Disclaimer
The information in this report is being provided "as is" for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
Notes
1. CERT Polska, "Energy Sector Incident Report - 29 December 2025," Naukowa i Akademicka Sieć Komputerowa Poland, last modified January 30, 2026, https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/.
CISA Adds Six Known Exploited Vulnerabilities to Catalog
CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- CVE-2026-21510 Microsoft Windows Shell Protection Mechanism Failure Vulnerability
- CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability
- CVE-2026-21514 Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
- CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability
- CVE-2026-21525 Microsoft Windows NULL Pointer Dereference Vulnerability
- CVE-2026-21533 Windows Remote Desktop Services Elevation of Privilege Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
NIST Allocates Over $3 Million to Small Businesses Advancing AI, Biotechnology, Semiconductors, Quantum and More
Improving your response to vulnerability management
Unpatched SolarWinds WHD instances under active attack
Internet-exposed and vulnerable SolarWinds Web Help Desk (WHD) instances are under attack by threat actors looking to gain an initial foothold in target organizations' networks, Microsoft and Huntress researchers have warned. Once inside, the attackers deploy legitimate remote access and digital forensics and incident response tools, use living-off-the-land techniques, set up a reverse SSH shell, and steal sensitive data.
Attack details
The initial access vector is known: SolarWinds WHD vulnerabilities. What's unknown is which …
The post Unpatched SolarWinds WHD instances under active attack appeared first on Help Net Security.