Ticker feed
Cybersecurity agencies from the US, UK, Canada, Germany, the Netherlands, and New Zealand have jointly published new guidance for safely integrating artificial intelligence into critical infrastructure systems. The 25-page document outlines four key principles for securing AI in operational technology environments that control power grids, water systems, and other vital services.
The guidance addresses AI's benefits—like predictive maintenance and anomaly detection—while warning about risks including system compromise, safety impacts, and worker skill erosion from over-relying on automation. The principles cover understanding AI risks, defining clear business cases, establishing governance frameworks, and implementing oversight mechanisms with failsafe systems to ensure public safety.
Source: Security Week
A maximum-severity vulnerability in React's Server Components protocol is threatening millions of applications worldwide. The flaw, assigned CVE-2025-55182 and CVE-2025-66478, allows attackers to execute remote code through specially crafted HTTP requests with nearly 100% success rates.
Security researcher Lachlan Davidson discovered the vulnerability, which affects React's default configuration and popular frameworks like Next.js. Wiz research shows 39% of cloud environments are vulnerable to these exploits.
Cloudflare has already deployed protective firewall rules, while hosting providers are implementing temporary fixes. Organizations must immediately upgrade to React versions 19.0.1, 19.1.2, or 19.2.1, and corresponding Next.js updates to prevent potential breaches.
Source: Dark Reading
The Post Office avoided a potential £1.09 million fine after accidentally publishing names and addresses of 502 Horizon scandal victims online last June. The Information Commissioner's Office called the breach "entirely preventable" but issued only a reprimand, saying it didn't meet the "egregious" threshold for fining public bodies.
The leak occurred when staff mistakenly published an unredacted legal settlement document, exposing personal details of operators who had already suffered through wrongful prosecutions. Many victims hadn't even told their families about their cases.
Campaigners slammed the decision as "ludicrous," arguing it gives public organizations a green light to cause harm without real consequences. The Post Office had settled with 555 claimants for £57.75 million in 2019.
Source: The Guardian
A critical security flaw in React Server Components is sending developers into overdrive as they race to patch a vulnerability that affects nearly 40% of cloud environments. The bug, discovered by Lachlan Davidson and assigned CVE-2025-55182, allows attackers to execute remote code without authentication.
Meta worked with hosting providers to create patches before Wednesday's public disclosure, but security experts warn exploitation is "inevitable" and "truly imminent." The vulnerability affects major frameworks including Next.js, React Router, and RedwoodJS.
While no attacks have been reported yet, researchers expect exploit code to surface within hours, making this a race against time for organizations worldwide.
Source: CyberScoop
Iran's MuddyWater hacking group has significantly upgraded its cyber capabilities, deploying new custom malware called MuddyViper against Israeli and Egyptian targets from September 2024 through March 2025. The group, linked to Iran's intelligence ministry, used a sophisticated 64-bit loader called "Fooder" disguised as the Snake video game to execute attacks entirely in memory, evading traditional detection.
This marks a major evolution for MuddyWater, historically known for noisy, error-prone operations. The new toolkit includes advanced credential stealers and reverse tunneling capabilities. ESET researchers also observed collaboration with another Iranian group, Lyceum, suggesting increased coordination among Tehran's cyber units. Despite improvements, some operational weaknesses remain detectable.
Source: Dark Reading
Former Adams Township clerk Stephanie Scott, 53, and attorney Stefanie Lambert, 44, will stand trial for illegally accessing 2020 voter data in Michigan. Prosecutors say Scott ignored state orders to turn over voting equipment for maintenance and allowed unauthorized access to non-public voter information. Lambert, who previously tried to overturn Trump's 2020 Michigan loss, allegedly helped transmit election data from the township's electronic poll book.
Scott faces charges including computer crimes and misconduct in office. She was recalled from her position in 2023. Lambert faces similar computer crime charges and was previously disqualified from representing election conspiracy theorist Patrick Byrne in a Dominion Voting Systems case. Attorney General Dana Nessel called their actions "reckless and illegal."
Source: CBS News Detroit
Rep. August Pfluger (R-Texas) reintroduced the Cyber Deterrence and Response Act on Tuesday, legislation that would formally designate foreign hackers behind major cyberattacks as "critical cyber threat actors" subject to sanctions.
The bill would create a framework for attributing cyberattacks and target hackers who disrupt critical infrastructure, steal personal data or trade secrets, or undermine elections. The Office of the National Cyber Director would lead the designation process.
The legislation comes as Congress grows frustrated with cyberattacks like the Salt Typhoon campaign that infiltrated telecommunications networks. Similar legislation passed the House in 2018 but stalled in the Senate.
Source: CyberScoop
The Russian-speaking Tomiris cyber-espionage group has launched a sophisticated new campaign targeting foreign ministries and government entities across Commonwealth of Independent States countries. Kaspersky researchers discovered the attacks beginning in early 2025, marking two major tactical shifts for the group.
Tomiris now routes command-and-control traffic through popular platforms like Telegram and Discord, helping malicious activity blend with legitimate network use. The group also deploys malware written in multiple programming languages including Go, Rust, C++, Python, and C# to enhance stealth and adaptability.
The attacks begin with phishing emails containing password-protected archives that masquerade as legitimate documents. Once inside systems, Tomiris uses open-source frameworks like Havoc and AdaptixC2 to maintain control and steal internal government documents from countries including Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan.
Source: Dark Reading
Law enforcement agencies across Europe have taken down Cryptomixer, a cryptocurrency mixing service that helped launder $1.5 billion in Bitcoin over nearly a decade. The service allowed users to obscure their cryptocurrency transactions by pooling funds with other users before returning untraceable coins.
Operation Olympia, led by German and Swiss authorities with Europol support, targeted the platform frequently used by criminals to launder proceeds from ransomware attacks, credit card fraud, and drug trafficking. Investigators seized three servers in Switzerland, the platform's web domain, 12 terabytes of data, and $29 million worth of Bitcoin. No arrests have been announced yet.
Source: Security Week
A critical security flaw (CVE-2025-59789) in Apache bRPC framework allows remote attackers to crash servers by sending deeply nested JSON data. The vulnerability affects all versions before 1.15.0 and exploits the json2pb component's recursive parsing method, causing stack overflow crashes.
Servers handling HTTP+JSON requests from untrusted networks are particularly at risk. Apache has released version 1.15.0 with a complete fix, plus an official GitHub patch for immediate deployment.
The fix introduces a default recursion depth limit of 100, which administrators can adjust. Security teams should patch immediately to prevent denial-of-service attacks.
Source: Cyber Security News