Information Security News – 11/3/2025

CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange

Article Link: https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html

  • CISA, the NSA, and partners from Australia and Canada issued urgent guidance after active exploitation of CVE-2025-59287 against WSUS and Exchange servers.
  • The WSUS flaw lets attackers run remote PowerShell commands; researchers say the issue “goes deeper than expected” after finding an alternate chain that uses mmc[.]exe to spawn cmd[.]exe when an admin opens the WSUS Admin Console or hits “Reset Server Node.”
  • The path can trigger a 7053 Event Log crash and has been linked to compromises at over 50 organizations across education, manufacturing, and healthcare.
  • The agencies recommend applying Microsoft’s out-of-band update, isolating Exchange, restricting admin access, disabling unnecessary PowerShell, and hunting for 7053 events or mmc[.]exe > cmd[.]exe activity.
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59287
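
A minimal hunt for the two indicators named above, as an added example that is not from the agencies' guidance or the linked article: it scans process-creation and event-log records for an mmc.exe parent spawning cmd.exe and for event ID 7053, then lists hosts that show both close together. The record layout, field names, host names and the five-minute window are assumptions, and the sample records are constructed.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Field names are assumptions;
# map them from your own process-creation and event-log exports.
SAMPLE = [
    {"host": "wsus01", "time": "2025-10-24T09:12:01Z", "kind": "eventlog", "event_id": 7053},
    {"host": "wsus01", "time": "2025-10-24T09:12:03Z", "kind": "process",
     "parent_image": r"C:\Windows\System32\mmc.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "wsus02", "time": "2025-10-24T11:40:10Z", "kind": "process",
     "parent_image": r"C:\WINDOWS\system32\MMC.EXE", "image": r"c:\windows\system32\CMD.EXE"},
    {"host": "ws-042", "time": "2025-10-24T08:00:00Z", "kind": "process",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "file02", "time": "2025-10-24T08:05:00Z", "kind": "eventlog", "event_id": 7036},
]

def _name(path):
    # ntpath parses Windows paths on any OS; compare names case-insensitively.
    return ntpath.basename(path or "").lower()

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def hunt(records):
    """Return (host, time, signal) for each record matching either indicator."""
    hits = []
    for r in records:
        if r.get("kind") == "process":
            if _name(r.get("parent_image")) == "mmc.exe" and _name(r.get("image")) == "cmd.exe":
                hits.append((r["host"], r["time"], "mmc>cmd"))
        elif r.get("kind") == "eventlog" and str(r.get("event_id")) == "7053":
            hits.append((r["host"], r["time"], "event-7053"))
    return sorted(hits)

def correlated_hosts(hits, window=timedelta(minutes=5)):
    """Hosts showing both signals within `window` (the window size is an assumption)."""
    hosts = set()
    for host, t1, s1 in hits:
        for other, t2, s2 in hits:
            if host == other and s1 != s2 and abs(_ts(t1) - _ts(t2)) <= window:
                hosts.add(host)
    return sorted(hosts)

if __name__ == "__main__":
    found = hunt(SAMPLE)
    for hit in found:
        print(*hit)
    print("review first:", correlated_hosts(found))
```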

U.S. Stands Out in Refusal to Sign UN Cybercrime Treaty

Article Link: https://www.darkreading.com/cybersecurity-operations/us-refuses-sign-un-cybercrime-treaty

  • The United States declined to sign the United Nations Convention Against Cybercrime while more than 70 nations approved it. Washington D.C. officials cited privacy and human-rights concerns.
  • The treaty permits surveillance, asset seizures, and remote control of corporate systems without prior notice, while failing to shield journalists, whistleblowers, or ethical hackers.
  • Critics argue the pact, which is driven by Russia and China, could criminalize dissent and legitimate research under the label of “serious ICT-enabled offenses.” ICT stands for Information and Communication Technology (internet, computers, smartphones, etc.). Paradoxically, the large tech firms and human-rights advocacy groups share that concern.
  • Human-rights organizations want real guardrails added, such as tight rules on surveillance, solid free-speech protection, and a crystal-clear line between policing crime and policing curiosity.

Canada Warns of Cyberattacks Targeting Industrial Control Systems

Article Link: https://www.esecurityplanet.com/news/canada-critical-infrastructure-attacks/

  • Canadian authorities issued a national alert after hackers breached water, energy, and agricultural control systems, manipulating programmable logic controllers and automated devices.
  • Attackers exploited internet-exposed industrial control systems with weak credentials and no network separation, triggering false alarms, altered readings, and disrupted community services.
  • Officials attribute the intrusions to hacktivist groups seeking visibility rather than espionage. Even so, the tampering revealed how small changes in connected systems can ripple across industries and public safety.
  • The alert outlines steps to map and separate OT networks from IT, as well as public systems, restrict remote access, apply zero-trust principles, patch vulnerabilities, and test readiness through tabletop exercises.

Why Vendors Are Not the Only Problem with Third-Party Risk Management

Article Link: https://www.forbes.com/councils/forbestechcouncil/2025/10/15/why-vendors-are-not-the-only-problem-with-third-party-risk-management/

  • A Forbes analysis warns that third-party risk is no longer a compliance checkbox but a systemic weak point, leaving organizations exposed through both vendor flaws and internal gaps.
  • Traditional, and lately lengthier, questionnaires and surface audits tend to overlook weaknesses such as missing multifactor authentication and unmanaged service accounts, allowing preventable breaches.
  • Recent incidents show that visibility without accountability is meaningless. Shared responsibility between buyers and suppliers is now essential to avoid cascading failures across supply chains.
  • The article stresses tailoring reviews to real business use cases, classifying vendors by data sensitivity, writing clear contract expectations, maintaining active monitoring, and reconciling questionnaires against the organization’s defined risk posture.

Everything We Know About the Massive New Data Center in Minnesota

Article Link: https://kxrb.com/minnesota-ai-data-centers/

  • The AI boom has hit Minnesota, and it’s not slowing down. With over 60 data centers already running, Meta’s new Rosemount project is set to be the next big bet on digital horsepower.
  • These facilities train and run the algorithms behind your Facebook feed, chatbots, and virtual worlds, gulping electricity and water like they’re going out of style.
  • Neighbors worry about higher bills, water use, and noise, while city leaders see jobs, taxes, and shiny new infrastructure.
  • The Rosemount build will show whether high-tech promise and hometown reality can share the same grid, or if this “AI gold rush” ends up costing more than it gives back.

Cybersecurity Risks in Connected Vehicles

Article Link: https://fastlaneonly.com/cybersecurity-risks-in-connected-vehicles/

  • A new review serves as a reminder that vehicle hacking is far from a thing of the past, as connected cars remain exposed to digital tampering, data theft, and safety risks. It’s no longer about horsepower, it’s about hack-power.
  • These dirty-rotten attackers continue to manipulate vehicle software flaws to control steering or braking, steal driver data, or disrupt systems, as seen in incidents involving Tesla, Honda, and Jeep.
  • Despite years of warnings, vehicles keep melding convenience with exposure: as they become rolling computers, both consumers and manufacturers are left vulnerable, with consequences for safety, privacy, and trust in the tech that we have come to rely on every day.
  • Automakers such as Ford, GM, and Tesla, together with regulators like UNECE and NHTSA, are pushing for encryption, stronger authentication, prompt updates, coordinated standards, and better driver awareness to reinforce “smart car” security.

EPA Deepens Work with Water Sector Amid Rising Cyber Concerns

Article Link: https://federalnewsnetwork.com/cybersecurity/2025/10/epa-deepens-work-with-water-sector-amid-rising-cyber-concerns/

  • The Environmental Protection Agency (EPA) is deepening its collaboration with water and wastewater utilities to uncover exposed devices and improve digital safety across the nation’s 68,000 systems.
  • A year of detective work, turning up exposures that many were unaware of, revealed countless internet-exposed controllers and human-machine interfaces, and resulted in a new procurement checklist and guidance to help utilities ask sensible questions of vendors.
  • Small, rural utilities seem to face the greatest challenge due to limited resources and outsourced system management. Past audits found major vulnerabilities in water networks serving over 26 million people.
  • The EPA is offering grants, running tabletop exercises, and gathering success stories to guide utilities toward better asset awareness, vendor oversight, and stronger control system protection.

The 10 Biggest Issues CISOs and Cyber Teams Face Today

Article Link: https://www.csoonline.com/article/4077442/the-10-biggest-issues-cisos-and-cyber-teams-face-today-2.html

  • A new ISACA report shows two-thirds of CISOs say the job feels tougher than ever as AI-fueled attacks, thin budgets, and nonstop pressure keep the stakes high.
  • Security heads are scrambling to manage AI systems, faster intrusions, and looming quantum risks while stretching every resource they have.
  • Deepfakes, data leaks, and automated threats have turned their work into a VIP high-stakes table where one wrong move can cost millions.
  • Industry leaders emphasize a layered defense strategy with stronger AI oversight, targeted training, realistic funding, and closer ties with business priorities to keep operations steady and the cards in their favor.
  • ISACA Report: https://www.isaca.org/about-us/newsroom/press-releases/2025/state-of-cybersecurity-2025-global-press-release
  • Thales Report: https://cpl.thalesgroup.com/data-threat-report

U.S. Teen Indicted in 764 Network Case Involving Exploitation Crimes

Article Link: https://hackread.com/us-teen-indicted-764-network-case-crimes/

  • Some crimes stop you in your tracks. A 19-year-old from California has been charged with crimes so vile they read like a manual for cruelty, accused of unspeakable abuse involving children, animals, and cyberstalking.
  • Investigators say Tony Christopher Long, who hid behind the screen name “Inactive,” specifically targeted kids and animals while spreading threats meant to shock and destroy.
  • “764” isn’t just another dark web hangout. It’s an extremist cult that feeds on misery, twisting abuse into some warped idea of rebellion.
  • The FBI and local police are still hunting others in this network, and each arrest chips away at a movement that deserves nothing but exposure and justice.

