FI NESA Huoltovarmuuskeskus 2025

Guide de la protection physique

site: https://www.huoltovarmuuskeskus.fi/tietoa-huoltovarmuudesta/aineistopankki/fyysisen-suojauksen-opas

pdf: https://www.huoltovarmuuskeskus.fi/files/c644cc9d787691c720fda8a845543d10b680a16d/hvk-fyysisen-suojauksen-opas-2025.pdf

#criticalinfrastructure #InfrastructuresCritiques #sécuritédapprovisionnement #supplychain #supplychainsecurity
#CERDirective #NIS2Directive

https://www.danskindustri.dk/medlemsforeninger/foreningssites/fos/arrangementer/events/2026/februar/DDAC-2026/
🔔 1 Day to Go – Meet SecPoint at the Danish Defence Annual Conference (DDAC) 2026

Tomorrow, the Danish Defence Annual Conference (DDAC) 2026 opens its doors at Bella Arena, Copenhagen, bringing together key stakeholders from defence, security, and cybersecurity at a time of increased geopolitical uncertainty and evolving threat landscapes.

#SecPoint #DDAC2026 #CyberSecurity #Defense #NATO #HybridThreats #CriticalInfrastructure #VulnerabilityManagement

Qilin ransomware has listed Tulsa International Airport as an alleged victim, releasing a small number of documents as proof of access.

While the operational impact remains unclear, the claim places aviation back in focus as ransomware groups continue targeting complex, high-availability environments.

From an InfoSec standpoint, this raises questions around segmentation, third-party exposure, and incident disclosure practices in critical transport infrastructure.

What defensive controls do you see as most effective for airport environments today?

Source: https://cybernews.com/news/qilin-ransomware-tulsa-airport-cyberattack-2026/

Join the conversation and follow @technadu for objective cybersecurity analysis.

#InfoSec #Ransomware #AviationSecurity #CriticalInfrastructure #CyberDefense

Alright team, it's been a busy 24 hours in the cyber world with significant updates on supply chain attacks, actively exploited zero-days, evolving threat actor tactics, and a few stark reminders about fundamental security hygiene. Let's dive in:

Recent Cyber Attacks & Breaches ⚠️

Notepad++, eScan, and Open VSX Hit by Supply Chain Attacks
- The popular Notepad++ text editor's update mechanism was hijacked for six months by a suspected Chinese state-sponsored group (Lotus Blossom/Billbug), redirecting select users to malicious servers to deliver custom backdoors.
- eScan Antivirus update servers were compromised, distributing multi-stage malware globally by replacing a legitimate 'Reload.exe' with a rogue, unsigned version that disabled updates and fetched further payloads.
- A supply chain attack on the Open VSX Registry saw a legitimate developer's account compromised to push malicious updates embedding the GlassWorm malware loader, designed to steal macOS credentials and crypto wallet data, notably avoiding Russian locales.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
📰 The Hacker News | https://thehackernews.com/2026/02/notepad-official-update-mechanism-hijacked-to-deliver-malware-to-select-users.html
🤫 CyberScoop | https://cyberscoop.com/china-espionage-group-lotus-blossom-attacks-notepad/
📰 The Hacker News | https://thehackernews.com/2026/02/escan-antivirus-update-servers-compromised-to-deliver-multi-stage-malware.html
📰 The Hacker News | https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used-compromised-dev-account-to-spread-glassWorm.html

NationStates, Panera Bread, and a Belgian School Suffer Breaches
- The browser game NationStates confirmed a data breach after a player exploited an RCE vulnerability in a new feature, gaining access to the production server and copying user data including email addresses and MD5 password hashes.
- Panera Bread's data breach, attributed to the ShinyHunters extortion gang via a vishing campaign targeting Microsoft Entra SSO, impacted 5.1 million unique accounts, exposing names, phone numbers, and physical addresses.
- A high school in Antwerp, Belgium, OLV Pulhof, was hit by cybercriminals (falsely claiming to be LockBit) who attempted to extort the school for €15,000, and upon refusal, directly targeted parents for €50 per child, threatening data leaks.
- The anti-ICE alert service StopICE reported a server attack, blaming a US Customs and Border Protection agent for sending alarming text messages to users, though admins state no personal data (names, addresses, GPS) was stored or compromised.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-breach-shuts-down-game-site/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-impacts-51-million-accounts-not-14-million-customers/
🗞️ The Record | https://therecord.media/hackers-attempt-to-extort-parents-after-school-refuses-ransom-demand
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/stopice_alerts_hacked/

Vulnerabilities & Active Exploitation 💥

APT28 Actively Exploiting New Microsoft Office Zero-Day
- Russia-linked APT28 (UAC-0001/Fancy Bear) is actively abusing CVE-2026-21509, a Microsoft Office security feature bypass zero-day, targeting Ukrainian government agencies and EU organisations.
- The attack chain involves malicious DOC attachments that, when opened, initiate a WebDAV connection to download a shortcut file, leading to DLL sideloading, shellcode deployment, and persistence via COM hijacking and scheduled tasks.
- The campaign deploys the COVENANT post-exploitation framework, routing traffic through legitimate cloud storage to evade detection, with CERT-UA urging monitoring or blocking of Filen-related traffic.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/

OpenClaw/Moltbot RCE and Database Exposure Patched
- A one-click RCE exploit chain was discovered in OpenClaw (formerly Moltbot/ClawdBot), allowing attackers to gain control by exploiting a cross-site WebSocket hijacking vulnerability due to a lack of origin header validation.
- The exploit, which takes milliseconds, could allow an attacker to retrieve authentication tokens, disable sandboxing, and execute privileged operations via node.invoke requests after a user visits a malicious webpage.
- Separately, the Moltbook social media network for AI agents, associated with OpenClaw, had its database exposed, making secret API keys freely accessible and potentially allowing attackers to post as high-profile AI agents.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/openclaw_security_issues/

New Threat Research on Threat Actors/Malware 🕵🏼

North Korean Labyrinth Chollima Splits into Specialised Entities
- The prolific North Korean cyber threat group Labyrinth Chollima has evolved into three distinct, coordinated entities: Golden Chollima, Pressure Chollima, and the original Labyrinth Chollima.
- Golden Chollima focuses on small-value cryptocurrency and fintech thefts in regions like the US, Europe, and South Korea, while Pressure Chollima handles high-profile financial and crypto heists, showcasing advanced technical capabilities.
- The original Labyrinth Chollima now exclusively targets malware-driven espionage against defence and manufacturing sectors, with Crowdstrike warning organisations in these sectors to be vigilant against DPRK social engineering, especially employment-themed lures and trojanised software.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/01/opensource_ai_is_a_global/

Malicious OpenClaw/Moltbot Skills Deliver NovaStealer
- Over 230 malicious "skills" (plugins) for the OpenClaw AI assistant were published on its official registry and GitHub, impersonating legitimate utilities to deliver information-stealing malware.
- The infection occurs when users follow documentation instructions to run a fake 'AuthTool,' which on macOS is a base64-encoded shell command downloading NovaStealer, and on Windows, a password-protected ZIP archive.
- NovaStealer targets a wide array of sensitive data, including cryptocurrency exchange API keys, wallet files, seed phrases, browser wallet extensions, macOS Keychain data, browser passwords, SSH keys, and cloud credentials.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/malicious-moltbot-skills-used-to-push-password-stealing-malware/

Threat Landscape & Industry Commentary 📈

Open-Source AI: A Global Security Monoculture
- Researchers warn that open-source AI deployments, particularly Ollama instances, are forming a global monoculture, with 175,108 hosts found exposed across 130 countries, largely running similar models and configurations.
- This homogeneity means a single vulnerability in how specific quantized models handle tokens could simultaneously affect a substantial portion of the exposed ecosystem, leading to widespread exploitation.
- Many exposed instances have tool-calling capabilities via API, vision capabilities, and uncensored prompt templates lacking safety guardrails, posing risks of resource hijacking, remote execution, and identity laundering if not treated as critical infrastructure with proper authentication, monitoring, and network controls.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/01/opensource_ai_is_a_global/

Infrastructure Cyberattacks Are on the Rise
- Cyberattacks on critical infrastructure are becoming more prevalent and integrated into military strategies, as seen in attempts to disrupt the Polish grid and the US-attributed power outages in Caracas during a military operation.
- The "democratisation" of attack technologies, with open-source tools like Shodan and resources like MITRE ATT&CK, has made infrastructure attacks more accessible beyond nation-state specialisation.
- While such attacks can cause short-term disruption and confusion, their effectiveness for political extortion or as singular game-changers is limited, highlighting the need for increased awareness, spending on resilience, and clear national policies on responses.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/energy_infrastructure_cyberattacks/

"Move Fast and Break Things" Culture Undermines Supply Chain Security
- The "move fast and break things" development culture has led to vulnerable applications and services, making supply chain attacks a primary concern, as demonstrated by incidents like Microsoft Sharepoint and Ivanti VPN exploits, and the Trust Wallet breach.
- Attackers increasingly target older applications with legacy code vulnerabilities and complex cloud platforms by compromising third-party integrations, software dependencies, and poorly managed APIs.
- To counter this, software publishers must prioritise security by adopting "zero vulnerability" goals, testing compiled binaries, and embracing transparency through Software Bills of Materials (SBOMs, MLBOMs, SaaSBOMs) to ensure secure and resilient technology.

🤫 CyberScoop | https://cyberscoop.com/move-fast-break-things-cybersecurity-supply-chain-security-op-ed/

Data Privacy & Best Practices 🔒

Booz Allen Hamilton Loses Treasury Contracts Over Data Leak
- The US Treasury Department has terminated 31 contracts with consulting firm Booz Allen Hamilton, totaling $4.8 million annually, citing the company's failure to implement adequate safeguards for sensitive taxpayer data.
- This decision follows a former BAH employee, Charles Littlejohn, pleading guilty to stealing and leaking confidential tax returns of high-profile US citizens, including Donald Trump and Elon Musk, between 2018 and 2020.
- The incident underscores the severe consequences for contractors who fail to protect sensitive government data, highlighting the critical need for robust internal security controls and data handling policies.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/01/opensource_ai_is_a_global/

McDonald's Urges Better Password Hygiene
- McDonald's Netherlands used "Change Your Password Day" to highlight poor password practices, noting that terms like "bigmac" and its leetspeak variants appear over 110,000 times in compromised password corpuses.
- The campaign, including public advertisements, warns against using easily guessable product names or simple character substitutions (e.g., Ch!ck3nMcN4gg€t$) as these are easily brute-forced by attackers.
- This serves as a reminder for all users, not just "normies," to adopt stronger password practices, such as long passphrases, randomised passwords, password managers, and multi-factor authentication, to counter widespread cybercriminal reliance on weak credentials.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/mcdonalds_password_advice/

Regulatory & Policy Changes 📜

Microsoft Begins NTLM Phase-Out to Kerberos
- Microsoft has initiated a three-phase plan to phase out the legacy NTLM authentication protocol in Windows environments, aiming to shift towards more secure, Kerberos-based options.
- NTLM, deprecated in June 2024 due to its susceptibility to replay, relay, and man-in-the-middle attacks, is still prevalent in enterprise environments due to legacy dependencies, posing significant security risks.
- The transition involves enhanced NTLM auditing (Phase 1, available now), addressing migration roadblocks with features like IAKerb and local KDC (Phase 2, H2 2026), and finally disabling NTLM by default in future Windows Server and client versions (Phase 3), requiring explicit re-enablement.

📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-begins-ntlm-phase-out-with.html

#CyberSecurity #ThreatIntelligence #SupplyChainAttack #ZeroDay #RCE #APT #Malware #Ransomware #DataBreach #InfoSec #IncidentResponse #Vulnerability #AI #CriticalInfrastructure #PasswordSecurity #NTLM #Kerberos #Pentesting

It's been a busy 24 hours in the cyber world with significant updates on actively exploited zero-days, nation-state attacks on critical infrastructure, sophisticated vishing campaigns, and the evolving threat landscape of AI. Let's dive in:

Ivanti EPMM Zero-Days Under Active Exploitation ⚠️

- Ivanti has patched two critical zero-day vulnerabilities (CVE-2026-1281, CVE-2026-1340) in its Endpoint Manager Mobile (EPMM) product, both rated CVSS 9.8 for unauthenticated remote code execution (RCE).
- These flaws are actively being exploited in a limited number of customer environments, allowing threat actors to gain administrative access, move laterally, and potentially access sensitive data like phone numbers and GPS locations.
- While specific IOCs are scarce, defenders should scrutinise Apache access logs for unusual GET requests with bash commands in In-House Application Distribution and Android File Transfer Configuration features, and look for unexpected web shells or WAR/JAR files. If compromised, a full restore from backup or migration to a new EPMM instance is recommended.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/30/ivanti_epmm_zero_days/

Coordinated Cyber Attacks on Polish Critical Infrastructure 🚨

- CERT Polska has detailed coordinated destructive cyber attacks on over 30 wind and solar farms, a manufacturing company, and a combined heat and power (CHP) plant in Poland on December 29, 2025.
- The attacks, attributed to Russia's FSB-linked Static Tundra (aka Berserk Bear, Ghost Blizzard), involved reconnaissance, firmware damage, file deletion, and deployment of custom wiper malware like DynoWiper and LazyWiper.
- Initial access was gained via vulnerable Fortinet perimeter devices and statically defined accounts lacking two-factor authentication, with attackers also exfiltrating data related to OT network modernisation and SCADA systems from M365 services.

📰 The Hacker News | https://thehackernews.com/2026/01/poland-attributes-december-cyber.html

ShinyHunters-Style Vishing Bypasses MFA for SaaS Data Theft 🔒

- Mandiant has observed an expansion of financially motivated ShinyHunters-style (UNC6240) activity, tracked as UNC6661 and UNC6671, using advanced vishing and fake credential harvesting sites.
- These groups impersonate IT staff to trick employees into providing SSO credentials and MFA codes, then register their own devices for MFA to access cloud SaaS platforms, exfiltrate sensitive data, and extort victims.
- Organisations should enhance help desk verification processes, enforce strong passwords, remove SMS/phone/email as MFA options, restrict management access, and implement robust logging and detection for MFA lifecycle changes and SaaS export behaviours, moving towards phishing-resistant MFA like FIDO2.

📰 The Hacker News | https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html

Iran-Linked RedKitten Uses AI for Human Rights NGO Targeting 🐱

- A Farsi-speaking threat actor, RedKitten, linked to Iranian state interests, is targeting human rights NGOs and activists, likely leveraging large language models (LLMs) for tooling development.
- The campaign uses macro-laced Excel documents (fabricated protestor death details) in 7-Zip archives as lures, dropping a C#-based SloppyMIO implant via AppDomainManager injection.
- SloppyMIO uses GitHub as a dead drop resolver for Google Drive URLs, steganographically retrieving configuration for its Telegram Bot API-based command-and-control, enabling command execution, file exfiltration, and persistence.

📰 The Hacker News | https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html

Agentic AI: The Next Big Attack Surface 🤖

- A Dark Reading poll indicates that agentic AI is widely expected to become the top attack vector by the end of 2026, due to the expanded attack surface from agents' high access and autonomy, especially with insecure code and "shadow AI."
- Experts highlight that the primary vulnerability lies in what compromised AI agents can access, stressing that authentication and access control, rather than AI safety features, are the critical battleground for securing autonomous systems.
- Deepfakes are also rising as a major social engineering vector for high-value targets, while the adoption of phishing-resistant passkeys is lagging, leaving organisations vulnerable as agentic systems proliferate.

🕶️ Dark Reading | https://www.darkreading.com/threat-intelligence/2026-agentic-ai-attack-surface-poster-child

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ZeroDay #RCE #Ivanti #NationState #APT #CriticalInfrastructure #Poland #Russia #Wiper #ShinyHunters #Vishing #MFA #SaaS #Extortion #Iran #RedKitten #LLM #AI #Deepfakes #ThreatLandscape #InfoSec #CyberAttack #Malware #IncidentResponse

Raften – Hệ thống lõi quan trọng offline đã vận hành 240+ giờ liên tục không cần mạng, tự khôi phục sau mất điện <15 s. Dựa trên NixOS + systemd, lưu trữ USB 1 TB, tiêu thụ <50 W. Ứng dụng: quốc phòng, an ninh, hạ tầng trọng yếu, homelab cá nhân. Yêu cầu: 32 GB RAM (ECC), SSD 2 TB+, GPU RTX 3060 (tùy chọn). #OfflineSystem #Raften #CriticalInfrastructure #HệThốngOffline #CôngNghệ

https://www.reddit.com/r/LocalLLaMA/comments/1qr6xrl/offline_critical_core_system/

Excellent bedtime read 📘 @cert_polska has just published a detailed report on attacks targeting critical infrastructure at the end of 2025. A must-read for anyone tracking cyber threats.
#CyberSecurity #ThreatIntelligence #CERT #CriticalInfrastructure
https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf

> These antennas are used for both #civilian and #military communications. ​#Eutelsat is #Starlink's ‌only #European competitor. It is clearly a #strategic asset.

https://finance.yahoo.com/news/france-prevented-eutelsat-selling-ground-070410243.html?guccounter=1

#satcom #eupol #criticalinfrastructure

German #CER directive implementation #KritisDG just passed the parliament. Only 3 years after the directive passed the European Law making process.. #criticalinfrastructure

Exciting to attend “Digital Warfare – Who Defends Denmark in Cyberspace?” in Copenhagen,
arranged by IT-Branchen, PROSA, and DIT Akademi.
Important discussions on cyber threats, digital defense, critical infrastructure, and Denmark’s role in an increasingly contested cyberspace.

#CyberSecurity #CyberDefense #DigitalWarfare #Denmark #CyberResilience #CriticalInfrastructure

Sandworm-linked wiper attacks hit Poland’s power grid — destructive cyber ops crossing from disruption to sabotage. When malware turns lights off, resilience is national security. ⚡️🛑 #CriticalInfrastructure #CyberSabotage

https://www.darkreading.com/threat-intelligence/sandworm-wiper-attack-poland-power-grid

Dragos reports a cyberattack affecting OT control and communications at ~30 distributed energy facilities tied to Poland’s power grid.

No transmission impact or outages occurred, but adversaries reportedly accessed operational systems and disabled some equipment. The case highlights growing risk across decentralized energy assets that depend heavily on remote access and often receive limited OT security investment.

Source: https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-affected

What controls matter most for distributed grid resilience?

Share insights and follow @technadu

#OTSecurity #ICS #CriticalInfrastructure #EnergyCyber #ThreatActors #GridSecurity #CyberDefense

Wednesday, January 28, 2026

https://activitypub.writeworks.uk/2026/01/wednesday-january-28-2026/

SE MSB Swedish Civil Defence and Resilience Agency, Publication, January 2026

Preparedness for businesses : In case of crisis or war

Strengthen the #resilience of businesses

Site:
• https://www.mcf.se/en/the-brochure-preparedness-for-businesses/
• https://www.mcf.se/en/news/2026/new-brochure-to-strengthen-the-role-of-businesses-in-total-defence/

Pdf: https://rib.msb.se/filer/pdf/31178.pdf
#criticalinfrastructure #Preparedness #BusinessContinuity #CrisisPreparedness #InfrastructuresCritiques

@msb

I don't always post to Mastodon, but when I do, I have some nice news to share about my PhD journey 🤩!

This March, I am traveling to Thessaloniki, Greece for the 41st ACM/SIGAPP Symposium On Applied Computing conference 🇬🇷. I will be presenting my first published paper, which explores the developments in cyber and hybrid threats to water utilities.

In this research, I have examined how the discourse in most recent peer-reviewed academic publications has evolved from 2020 to 2025. It was very interesting to examine how major global events, such as the COVID-19 pandemic and Russia’s 2022 full scale attack on Ukraine, have shifted the discourse regarding the security of critical infrastructure.

If you are attending SAC 26, it would be very nice to see you there!

#cybersecurity #hybridthreats #criticalinfrastructure

Monday, January 26, 2026

https://activitypub.writeworks.uk/2026/01/monday-january-26-2026/

It's been a bit light on news over the last 24 hours, but we've got a couple of noteworthy updates: a failed nation-state attack on critical infrastructure and a new feature from a popular password manager to help combat phishing. Let's dive in:

Sandworm's Failed Wiper Attack on Poland's Energy Grid ⚠️

- The Russian state-sponsored group Sandworm (also known as APT44, UAC-0113, or Seashell Blizzard) has been linked to a failed cyberattack on Poland's energy infrastructure in late December 2025.
- The group attempted to deploy a new destructive data-wiping malware, dubbed DynoWiper (detected as Win32/KillFiles.NMO), targeting combined heat and power plants and renewable energy management systems.
- Polish officials confirmed the attacks were stopped, highlighting the ongoing threat from nation-state actors to critical infrastructure and the importance of robust defensive measures.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/sandworm-hackers-linked-to-failed-wiper-attack-on-polands-energy-systems/

1Password Boosts Phishing Protection 🔒

- 1Password has rolled out new pop-up warnings for suspected phishing sites, aiming to prevent users from manually entering credentials on malicious or typosquatted domains.
- This feature adds an extra layer of defence beyond the existing URL matching, which prevents auto-filling, by explicitly alerting users who might otherwise overlook subtle domain discrepancies.
- Available automatically for individual and family plans, and configurable for enterprise admins, this update addresses the growing threat of sophisticated, AI-enhanced phishing scams.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/1password-adds-pop-pup-warnings-for-suspected-phishing-sites/

#CyberSecurity #ThreatIntelligence #NationState #Sandworm #CriticalInfrastructure #Wiper #Phishing #PasswordManager #InfoSec #CyberAttack #IncidentResponse