The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:
ICS Vulnerability Advisories:
Alerts, Updates, and Bulletins:
The Chromium Project has posted a blog announcing the removal of the lock symbol used to represent whether a page is utilizing HTTPS in Chrome. The project’s reasoning behind this change is that HTTPS has become such a ubiquitous protocol that the purpose of the lock to signify whether a page is secure has become redundant.
Security Week has written an article covering the Superior Court of New Jersey Appellate Division’s ruling in favor of Merck in the company’s $1.4 billion claim against insurers for the fallout of the NotPetya attack it suffered in 2017. Insurers argued that the property insurance offered to Merck had a war exclusion clause that was “clear and unambiguous, and it plainly applies to the NotPetya attack.”
- by Jennifer Lyn Walker
Despite all the hype, many organizations implementing multifactor authentication (MFA) and complex passwords can still fall victim to cyber attacks. Multiple threat actor types are increasingly bypassing MFA controls, typically through MFA push notification fatigue or exploiting weaknesses in self-enrollment configurations, to gain access to a victim’s network.
Organizations large and small are adopting endpoint detection and response (EDR) solutions to provide visibility into their networks. However, according to security researchers, many organizations’ percentage of EDR coverage on endpoints is in the range of 60-70 percent, leaving 30-40 percent of devices out of their control, greatly increasing an organization’s cyber risk.
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:
ICS Vulnerability Advisories:
Alerts, Updates, and Bulletins:
The Federal Communications Commission (FCC) maintains a Covered List of communications equipment and services that have been determined by the U.S. government to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons to national security pursuant to the Secure and Trusted Communications Networks Act of 2019.
Security Week has written an article discussing a spike in attacks exploiting CVE-2018-9995, a 5 year old critical authentication bypass vulnerability in TBK Vision devices, and CVE-2016-20016, a 7 year old vulnerability in MVPower devices.
Threat actors are increasingly capable of compromising enterprise networks by utilizing legitimate tools and social engineering techniques, instead of relying on malware, making it harder for network defenders to detect malicious activity.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
