critical infrastructure | Breaking Cybersecurity News | The Hacker News

The Dutch National Cyber Security Centre (NCSC-NL) has warned of cyber attacks exploiting a recently disclosed critical security flaw impacting Citrix NetScaler ADC products to breach organizations in the country. The NCSC-NL said it discovered the exploitation of CVE-2025-6543 targeting several critical organizations within the Netherlands, and that investigations are ongoing to determine the extent of the impact. CVE-2025-6543 (CVSS score: 9.2) is a critical security vulnerability in NetScaler ADC that results in unintended control flow and denial-of-service (DoS) when the devices are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. The vulnerability was first disclosed in late June 2025, with patches released in the following versions - NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46 NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19 NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP ...

Cybersecurity researchers have discovered a fresh set of security issues in the Terrestrial Trunked Radio (TETRA) communications protocol, including in its proprietary end-to-end encryption (E2EE) mechanism that exposes the system to replay and brute-force attacks, and even decrypt encrypted traffic. Details of the vulnerabilities – dubbed 2TETRA:2BURST – were presented at the Black Hat USA security conference last week by Midnight Blue researchers Carlo Meijer, Wouter Bokslag, and Jos Wetzels. TETRA is a European mobile radio standard that's widely used by law enforcement, military, transportation, utilities, and critical infrastructure operators. It was developed by the European Telecommunications Standards Institute (ETSI). It encompasses four encryption algorithms: TEA1, TEA2, TEA3, and TEA4. The disclosure comes a little over two years after the Netherlands-based cybersecurity company discovered a set of security vulnerabilities in TETRA standard called TETRA:BURST, c...

Malicious actors have been observed exploiting a now-patched critical security flaw impacting Erlang/Open Telecom Platform (OTP) SSH as early as beginning of May 2025, with about 70% of detections originating from firewalls protecting operational technology (OT) networks. The vulnerability in question is CVE-2025-32433 (CVSS score: 10.0), a missing authentication issue that could be abused by an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code. It was patched in April 2025 with versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. Then in June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. "At the heart of Erlang/OTP's secure communication capabilities lies its native SSH implementation — responsible for encrypted connections, file transfers and most importantly, command execution," Palo Alto Networks U...

Threat actors have been observed exploiting a now-patched critical SAP NetWeaver flaw to deliver the Auto-Color backdoor in an attack targeting a U.S.-based chemicals company in April 2025. "Over the course of three days, a threat actor gained access to the customer's network, attempted to download several suspicious files and communicated with malicious infrastructure linked to Auto-Color malware," Darktrace said in a report shared with The Hacker News. The vulnerability in question is CVE-2025-31324 , a severe unauthenticated file upload bug in SAP NetWeaver that enables remote code execution (RCE). It was patched by SAP in April. Auto-Color, first documented by Palo Alto Networks Unit 42 earlier this February, functions akin to a remote access trojan, enabling remote access to compromised Linux hosts. It was observed in attacks targeting universities and government organizations in North America and Asia between November and December 2024. The malware has been...

Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridium's Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances. "These vulnerabilities are fully exploitable if a Niagara system is misconfigured, thereby disabling encryption on a specific network device," Nozomi Networks Labs said in a report published last week. "If chained together, they could allow an attacker with access to the same network — such as through a Man-in-the-Middle (MiTM) position — to compromise the Niagara system." Developed by Tridium, an independent business entity of Honeywell, the Niagara Framework is a vendor-neutral platform used to manage and control a wide range of devices from different manufacturers, such as HVAC, lighting, energy management, and security, making it a valuable solution in building management, industrial automation, and smart infrastructure environments. I...

An international operation coordinated by Europol has disrupted the infrastructure of a pro-Russian hacktivist group known as NoName057(16) that has been linked to a string of distributed denial-of-service (DDoS) attacks against Ukraine and its allies. The actions have led to the dismantling of a major part of the group's central server infrastructure and more than 100 systems across the world. The joint effort also included two arrests in France and Spain, searches of two dozen homes in Spain, Italy, Germany, the Czech Republic, France and Poland, and the issuance of arrest warrants for six Russian nationals. The effort, codenamed Operation Eastwood, took place between July 14 and 17, and involved authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands, and the United States. The investigation was also supported by Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine. NoName057(16) has been operatio...

If you didn't hear about  Iranian hackers breaching US water facilities, it's because they only managed to control a single pressure station serving 7,000 people. What made this attack noteworthy wasn't its scale, but how easily the hackers gained access — by simply using the manufacturer's default password "1111." This narrow escape prompted  CISA to urge manufacturers to eliminate default credentials entirely, citing "years of evidence" that these preset passwords remain one of the most exploited weaknesses. While we wait for manufacturers to implement better security practices, the responsibility falls on IT teams. Whether you manage critical infrastructure or a standard business network, allowing unchanged manufacturer passwords in your environment is like rolling out the red carpet for attackers. Here's what you need to know about default passwords — why they persist, their business and technical consequences, and how manufacturers can imple...

U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated threat actors.  "Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events," the agencies said . "These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices." There is currently no evidence of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) noted. Emphasizing the need for "incr...

The April 2025 cyber attacks targeting U.K. retailers Marks & Spencer and Co-op have been classified as a "single combined cyber event." That's according to an assessment from the Cyber Monitoring Centre (CMC), a U.K.-based independent, non-profit body set up by the insurance industry to categorize major cyber events. "Given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and the similar tactics, techniques, and procedures (TTPs), CMC has assessed the incidents as a single combined cyber event," the CMC said . The organization has categorized the disruption of the retailers as a "Category 2 systemic event." It's estimated that the security breaches will have a total financial impact of £270 million ($363 million) to £440 million ($592 million). However, the cyber attack on Harrods around the same time has not been included at this stage, citing a lack of adequate information about the cause and...

Iran's state-owned TV broadcaster was hacked Wednesday night to interrupt regular programming and air videos calling for street protests against the Iranian government, according to multiple reports. It's currently not known who is behind the attack, although Iran pointed fingers at Israel, per Iran International. "If you experience disruptions or irrelevant messages while watching various TV channels, it is due to enemy interference with satellite signals," the broadcaster was quoted as saying. The breach of state television is the latest in a string of cyber attacks inside Iran that have been attributed to Israel-linked actors. It also coincides with the hack of Bank Sepah and Nobitex, Iran's largest cryptocurrency exchange. The Nobitex breach led to the theft of more than $90 million, a brazen escalation in the cyber war that has simmered between Israel and Iran for more than a decade. "Iranian entities have experimented with virtual assets as bot...

Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions. The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0. "A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," the company said in an advisory. CVE-2025-23121 impacts all earlier version 12 builds, including 12.3.1.1139. It has been addressed in version 12.3.2 (build 12.3.2.3617). Security researchers at CODE WHITE GmbH and watchTowr have been credited with discovering and reporting the vulnerability. Cybersecurity company Rapid7 noted that the update likely addresses concerns shared by CODE WHITE in late March 2025 that the patch put in place to plug a similar hole ( CVE-2025-23120 , CVSS score: 9.9) could be bypassed. Also addressed by Veeam is another flaw in the same product (CVE-2025...

Iran has throttled internet access in the country in a purported attempt to hamper Israel's ability to conduct covert cyber operations, days after the latter launched an unprecedented attack on the country, escalating geopolitical tensions in the region. Fatemeh Mohajerani, the spokesperson of the Iranian Government, and the Iranian Cyber Police, FATA, said the internet slowdown was designed to maintain internet stability and that the move is "temporary, targeted, and controlled, to ward off cyber attacks." Data shared by NetBlocks shows a "significant reduction in internet traffic" around 5:30 p.m. local time. The development comes amid deepening conflict, with Israel and Iran trading missile attacks since Friday. These attacks have spilled over into cyberspace, as security experts warned of retaliatory cyber operations by Iranian state actors and hacktivist groups. The digital warfare unfolding behind the scenes goes two ways. Earlier this week, a pro...

A critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, according to new findings from Cisco Talos. "The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints," researchers Jacob Finn, Dmytro Korzhevin, and Asheer Malhotra said in an analysis published Thursday. The attack is assessed to be the work of a Russia-nexus advanced persistent threat (APT) actor based on the tradecraft observed and the overlapping capabilities with destructive malware used in attacks against Ukraine. Talos said the commands issued by the administrative tool's console were received by its client running on the victim endpoints and then executed as a batch (BAT) file. The BAT file, in turn, consisted of a command to run a malicious Visu...

The evolution of cyber threats has forced organizations across all industries to rethink their security strategies. As attackers become more sophisticated — leveraging encryption, living-off-the-land techniques, and lateral movement to evade traditional defenses — security teams are finding more threats wreaking havoc before they can be detected. Even after an attack has been identified, it can be hard for security teams to prove to auditors that they have fully mitigated the issues that allowed the attackers in. Security teams worldwide have prioritized endpoint detection and response (EDR), which has become so effective that threat actors have changed their tactics to avoid attack vectors protected by host-based defenses. These advanced threats are particularly vexing for critical infrastructure providers in financial services , energy and utilities , transportation , and government agencies that may have proprietary systems that cannot be protected by traditional endpoint securi...

The Czech Republic on Wednesday formally accused a threat actor associated with the People's Republic of China (PRC) of targeting its Ministry of Foreign Affairs. In a public statement, the government said it identified China as the culprit behind a malicious campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs. The extent of the breach is presently not known. "The malicious activity [...] lasted from 2022 and affected an institution designated as Czech critical infrastructure," it added . The attack has been attributed to a state-sponsored threat actor tracked as APT31 , which also overlaps with threat clusters known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium). The hacking group, publicly associated with the Ministry of State Security (MSS) and the Hubei State Security Department, is assessed to be active since at least 2010, per the U.S. Departme...