The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State ISAC (MS-ISAC), both WaterISAC partners, have joined with the National Governors Association and the National Association of State Chief Information Officers in releasing a statement recommending state and local governments take immediate action to safeguard against ransomware attacks.
Business email compromise (BEC) scammers are now targeting company customers using a new indirect attack method designed to collect information on future scam targets by asking for aging reports from collections personnel. Aging reports, also known as a schedule of accounts receivable, are sets of outstanding invoices which allow a company's financial department to keep track of customers who haven't yet paid services or goods.
The National Cyber Security Alliance (NCSA) has announced the theme for this year’s National Cybersecurity Awareness Month (NCSAM), which is recognized every October. With the overarching theme of “Own IT. Secure IT. Protect IT.,” the NCSA says NCSAM 2019 will focus on encouraging personal accountability and proactive behavior in security best practices and digital privacy and draw attention to careers in cybersecurity. As it has in past years, WaterISAC will distribute its own messaging using the NCSAM theme.
The NCCIC has published an advisory on improper restriction of XML external entity reference and uncontrolled resource consumption vulnerabilities in Mitsubishi Electric FR Configurator2. Versions 1.16S and prior are affected. Successful exploitation of these vulnerabilities may enable arbitrary files to be read or cause a denial-of-service condition. Mitsubishi Electric has released Version 1.17T for the reported vulnerabilities. The NCCIC also advises of a series of measures for mitigating the vulnerabilities.
The NCCIC has published an advisory on a stack-based buffer overflow vulnerability in National Renewable Energy Laboratory (NREL) Energy Plus. Version 8.6.0 and prior versions (potentially) are affected. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code or cause a denial-of-service condition. It is recommended that users update the application to the latest available release, v9.0.1, or later. The NCCIC also advises of a series of measures for mitigating the vulnerabilities.
The U.S. State Department’s Overseas Security Advisory Council (OSAC) has published a one page report on tips and best practices for maximizing personal security when using public WiFi networks. The OSAC product references a Norton report in which it was noted that 71% of consumers consider a strong WiFi signal a deciding factor when traveling rather than security considerations.
The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has published a series of documents as part of its efforts to address and build resilience to foreign interference, particularly information activities (e.g., disinformation and misinformation). The first document, The War on Pineapple: Understanding Foreign Interference in 5 Steps, is intended to illustrate how information operations have been carried out in the past to sow divisions in the U.S.
The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published an infographic providing an overview of the risk factors associated with the deployment of 5G technology, the next generation of wireless networks. 5G is expected to bring security improvements and a better user experience, but supply chain, deployment, network security, and competition and choice vulnerabilities may affect the security and resilience of networks.
The Canadian Centre for Cyber Security (CCCS) has released an advisory on an Astaroth fileless malware campaign affecting Microsoft Windows. Astaroth resides solely in memory, and an attacker can use it and other fileless malware to steal information, such as credentials and keystrokes, and obtain other sensitive data. The U.S.
The NCCIC has published an advisory on an unquoted search path or element vulnerability in Johnson Controls exacqVision Server. This vulnerability impacts exacqVision server versions 9.6 and 9.8. Successful exploitation of this vulnerability could allow an unauthenticated user to elevate their privileges. Johnson Controls recommends users upgrade to the latest product, version 19.03. The NCCIC also advises of a series of measures for mitigating the vulnerability. Read the advisory at CISA.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
