Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Firewall Daily

Australian insurance provider Prosura is investigating a cyber incident after detecting unauthorized access to parts of its internal systems, which has resulted in fraudulent emails being sent to some customers. The intrusion, identified in early January, led the insurer to temporarily shut down key online services while it works to secure its systems and determine the full extent of the breach.

Prosura confirmed that it first identified the attack on January 3, 2026. In a media statement, the company said it discovered “unauthorized access to parts of our systems” and acted immediately to limit further risk.

“As a precaution, we have temporarily disabled the ability to purchase a policy, submit or manage a claim, or administer an existing policy via our self-service portal while we investigate and secure our environment,” Prosura said.

A subsequent Security Incident Update issued on Thursday, 8 January, provided additional clarity. According to the insurer, an unknown third party gained unauthorized access to a portion of its internal IT systems. Prosura also acknowledged that it was aware of online activity related to the incident and was prioritizing efforts to verify those claims.

While services remain offline, Prosura said it is conducting an urgent review of its systems and deploying additional security measures to prevent a recurrence.

Fraudulent Emails Linked to the Prosura Cyberattack

Alongside the system intrusion, Prosura reported that some customers received fraudulent emails referencing their existing or completed policies. These messages may mention the attack and instruct recipients to contact a third-party email address. The insurer urged customers not to respond to these emails, not to contact any external addresses they mention, and not to click links or open attachments in unexpected messages. Customers were also advised to remain alert to phishing attempts by email, phone call, or text message that use personal information to appear legitimate. Because the intruder appears to hold policy details, such messages can cite real travel dates and invoicing details, so accurate personal information alone is not evidence that a message is genuine.

Customer Information Potentially Impacted

Based on its investigation so far, Prosura believes some customer data may have been accessed during the attack. The information potentially affected includes names, email addresses, phone numbers, country of residence, travel destinations, invoicing and pricing details, and policy start and end dates.

For customers who have previously made claims, the breach may also have exposed additional claim-related information, including driver’s licenses and associated images submitted as supporting documentation.

Prosura noted that there is no evidence that payment data was compromised. “Importantly, there is no indication that payment information (including credit card details) have been accessed,” the company stated, adding that it does not store credit card details within its systems.

Regulatory Notifications and Ongoing Response

The insurer confirmed it has notified both the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, and will alert other regulatory bodies as required. Prosura is also working with external cybersecurity specialists to investigate what happened, strengthen system security, and monitor for further developments.

“We are taking this incident extremely seriously. We will work with specialist cybersecurity experts to investigate what happened, secure our systems, and restore services safely,” the company said.

Despite the disruption, Prosura reassured customers that active policies remain valid. Policyholders with upcoming travel were advised that they can proceed as planned, as policy validity has not been affected by the incident. Customers needing claim support were instructed to contact Prosura directly via its official support email with “Claim” included in the subject line.

Company Apology and Next Steps

In a statement signed by Managing Director Mike Boyd, Prosura acknowledged the concern caused by the incident. “We know this is concerning, and we are sorry this has happened,” Boyd said. “Our focus is on protecting our customers, supporting those affected, and restoring services safely.”

Prosura said it will contact impacted parties directly once it confirms what information was involved and will provide further guidance and support as required. The company added that it will continue to issue updates as new facts emerge, noting that premature disclosures could lead to misinformation.

As the investigation continues, the insurer has reiterated its advice for customers to stay vigilant, avoid suspicious communications, and rely only on official updates published through Prosura’s website and direct customer communications.


 Cyber News

The UK government has unveiled the Government Cyber Action Plan (GCAP) as a renewed effort to close the growing gap between escalating cyber threats and the public sector’s ability to respond effectively. The move comes amid a series of cyberattacks on UK retail and manufacturing firms, incidents that have underscored broader vulnerabilities affecting critical services and government operations. Designed to strengthen UK cyber resilience, the plan marks a shift from fragmented initiatives to a coordinated, accountable, and outcomes-driven approach across government departments.

A Growing Gap Between Threats and Defences

Recent cyber incidents have highlighted a persistent challenge: while threats to public services continue to grow in scale and sophistication, defensive capabilities have not kept pace. Reviews conducted by the Department for Science, Innovation and Technology (DSIT) found that cyber and digital resilience across the public sector was significantly lower than previously assessed. This assessment was reinforced by the National Audit Office’s report on government cyber resilience, which warned that without urgent improvements the government risks serious incidents and operational disruption. The report concluded that the public sector must “catch up with the acute cyber threat it faces” to protect services and ensure value for money.

Building on Existing Foundations

GCAP builds on earlier collaborative efforts between DSIT, the National Cyber Security Centre (NCSC), and the Cabinet Office. Notable achievements to date include the establishment of the Government Cyber Coordination Centre (GC3), created to manage cross-government incident response, and the rollout of GovAssure, a scheme that assesses the security of government-critical systems. Despite these initiatives, officials acknowledged that structural issues, inconsistent governance, and limited accountability continued to hinder effective cyber risk management. GCAP is intended to address these gaps directly.

Five Delivery Strands of the Government Cyber Action Plan

At the core of GCAP are five delivery strands aimed at strengthening accountability and improving operational resilience across departments.

The first strand, accountability, places clearer responsibility for cyber risk management on accounting officers, senior leaders, Chief Digital and Information Officers (CDIOs), and Chief Information Security Officers (CISOs).

The second strand, support, gives departments access to shared cyber expertise and the rapid deployment of technical teams during high-risk situations.

Under the services strand, GCAP promotes secure digital solutions that can be built once and used across multiple departments. This is intended to reduce duplication, improve consistency, and address capability gaps through innovation, including initiatives such as the NCSC’s ACD 2.0 programme.

Response is the fourth strand, with the introduction of the Government Cyber Incident Response Plan (G-CIRP). This framework formalises how departments report and respond to cyber incidents, improving coordination during national-level events.

The final strand, skills, aims to attract, develop, and retain cyber professionals across government. Central to this effort is the creation of a Government Cyber Security Profession, the first dedicated government profession focused specifically on cyber security and resilience.

Role of the NCSC and Long-Term Impact

The NCSC will play a central role across all five strands, from supporting departments during incidents to helping design services that improve resilience. This aligns with the NCSC’s existing work with critical national infrastructure and public sector organisations, offering technical guidance, assurance, and incident response support. While GCAP’s implementation will be phased through to 2029 and beyond, officials say the framework is expected to deliver measurable improvements even in its first year, including stronger risk management practices and faster coordination during cyber incidents.
According to Johnny McManus, Deputy Director for Government Cyber Resilience at the NCSC, the combination of DSIT’s delivery leadership and the NCSC’s technical authority provides a foundation for transforming UK cyber resilience across the public sector.


 Governance

President Donald Trump has ordered the immediate withdrawal of the United States from several premier international bodies dedicated to cybersecurity, digital human rights, and countering hybrid warfare, as part of a major restructuring of American defense and diplomatic posture. The directive is part of a memorandum issued on Monday targeting 66 international organizations deemed "contrary to the interests of the United States."

While the memorandum’s cuts to climate and development programs have grabbed headlines, national security experts will be wary of the targeted dismantling of U.S. participation in key security alliances in the digital realm. The President has explicitly directed withdrawal from the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE), the Global Forum on Cyber Expertise (GFCE), and the Freedom Online Coalition (FOC).

"I have considered the Secretary of State’s report... and have determined that it is contrary to the interests of the United States to remain a member," President Trump said. The move signals a pivot toward a unilateral approach to digital sovereignty, rejecting the multilateral frameworks that have defined Western cyber strategy for the last decade.

Dismantling the Hybrid Defense Shield

Perhaps the most significant strategic loss is the U.S. exit from the Hybrid CoE. Based in Helsinki, the Centre is unique as the primary operational bridge between NATO and the European Union. It was established to analyze and counter "hybrid" threats: ambiguous, non-military attacks such as election interference, disinformation campaigns, and economic coercion, tactics frequently attributed to state actors like Russia and China. By withdrawing, the U.S. is effectively blinding the shared intelligence and coordinated response mechanisms that European allies rely on to detect these sub-threshold attacks. U.S. participation was seen as a key deterrent; without it, the trans-Atlantic unified front against hybrid warfare could be severely fractured.

Abandoning Global Cyber Capacity Building

The administration is also pulling out of the GFCE. Unlike a military alliance, the GFCE is a pragmatic, multi-stakeholder platform that brings together governments, private tech companies, and NGOs to build cyber capacity in developing nations. Its mission is to strengthen global cyber defenses by helping nations develop their own incident response teams, cybercrime laws, and critical infrastructure protection. A U.S. exit opens a power vacuum: as the U.S. retreats from funding and guiding these capacity-building efforts, rival powers may step in with their own support, potentially embedding authoritarian standards in the digital infrastructure of the Global South.

A Blow to Internet Freedom

Finally, the withdrawal from the FOC marks an ideological shift. The FOC is a partnership of 42 governments committed to advancing human rights online, specifically fighting internet shutdowns, censorship, and digital authoritarianism. The U.S. has historically been a leading voice in the coalition, using it to pressure regimes that restrict internet access or persecute digital dissidents. Leaving the FOC suggests the administration is deprioritizing the promotion of digital human rights as a foreign policy objective, which could embolden authoritarian regimes to tighten control over their domestic internets without fear of a coordinated diplomatic backlash from the West.

The "America First" Cyber Doctrine

The administration argues these withdrawals are necessary to stop funding globalist bureaucracies that constrain U.S. action. By exiting, the White House aims to reallocate resources to bilateral partnerships where the U.S. can exert more direct leverage. Critics counter that in the interconnected domain of cyberspace, isolation is itself a vulnerability: by ceding its chair at these tables, the United States may find itself writing the rules of the next digital conflict alone, while the rest of the world, friend and foe alike, organizes without it.


 Firewall Daily

Cybersecurity researchers have disclosed a new critical flaw in the popular workflow automation platform n8n that could allow unauthenticated attackers to fully compromise vulnerable systems. The issue, tracked as CVE-2026-21858 and assigned the maximum CVSS score of 10.0, is being described as one of the most severe n8n vulnerabilities reported to date.

The vulnerability was discovered and responsibly disclosed by security researcher Dor Attias on November 9, 2025. n8n later confirmed the issue in a security advisory, warning that attackers could access files on the underlying server through certain form-based workflows.

According to n8n, “A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker.” The company noted that the flaw could expose sensitive data and potentially enable further compromise depending on configuration and usage.

CVE-2026-21858 is a Content-Type confusion bug in how the n8n webhook processes incoming HTTP requests. The webhook parses request bodies differently depending on the Content-Type header, and a later file-handling step does not check which parser actually ran.

How the n8n Webhook Content-Type Confusion Is Exploited

The vulnerability stems from how n8n handles form submissions. When a request arrives, the platform’s parseRequestBody() decides, based on the Content-Type header, whether to invoke the file upload parser or a regular body parser. If multipart/form-data is specified, uploaded files are parsed and stored in req.body.files, each entry recording where the parser saved the file on disk.

However, the researchers found that the file-handling code downstream runs without verifying that the Content-Type was multipart/form-data. A request with a different Content-Type (a JSON body, for example) goes through the regular body parser, which places a client-supplied “files” object into req.body.files unchanged. The downstream code then treats those attacker-supplied entries, including their file paths, as if the upload parser had written them.

“Since this function is called without verifying the content type is ‘multipart/form-data,’ we control the entire req.body.files object,” Attias explained. Because the path in each entry is attacker-controlled, the workflow copies an arbitrary local file from the server instead of an uploaded one, exposing its contents to downstream workflow nodes.

n8n Vulnerability Enables Admin Bypass and Remote Code Execution

The impact of CVE-2026-21858 extends beyond arbitrary file reads. Researchers demonstrated how the flaw can be escalated into full system compromise. A threat actor could read the internal SQLite database at /home/node/.n8n/database.sqlite, extract administrator credentials, and then retrieve encryption secrets from /home/node/.n8n/config.

Using this information, attackers could forge a valid admin session cookie, bypass authentication, and gain full administrative access. From there, they could create a malicious workflow containing an “Execute Command” node, achieving remote code execution on the host.

Security firm Cyera warned that the centralized nature of n8n significantly amplifies the risk. “A compromised n8n instance doesn’t just mean losing one system; it means handing attackers the keys to everything,” the company said, citing stored API credentials, OAuth tokens, and database connections as high-value targets.

Patch Status and Mitigations for CVE-2026-21858

According to the report, the vulnerability affects all versions up to and including 1.65.0 and was patched in version 1.121.0, released on November 18, 2025; administrators should confirm the exact affected range against n8n’s own advisory. Users are strongly urged to upgrade to a fixed or newer release, such as 1.123.10, 2.1.5, 2.2.4, or 2.3.0.

As additional mitigations, administrators are advised not to expose n8n instances to the internet, to enforce authentication for all forms, and to restrict or disable publicly accessible webhook and form endpoints until patches can be applied. Because a compromised instance yields every credential it stores, any instance that was reachable while unpatched should also have its API keys, OAuth tokens, and database credentials rotated.

The disclosure of CVE-2026-21858 follows several other critical issues in n8n, including CVE-2025-68668 and CVE-2025-68613, highlighting the need for rigorous security controls around automation platforms that manage sensitive integrations and credentials.


 Cyber News

A 16-year-old Microsoft PowerPoint flaw and a new maximum-severity HPE vulnerability are the latest additions to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-37164 is a 10.0-rated code injection vulnerability in Hewlett Packard Enterprise’s OneView IT infrastructure management software, while CVE-2009-0556 is a 9.3-severity code injection vulnerability in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac.

Per standard practice, CISA did not provide details on how the PowerPoint and HPE vulnerabilities are being exploited, but it is not unusual for the agency to add older vulnerabilities to the KEV catalog. CISA added a 2007 Microsoft Excel vulnerability to the catalog last year, while the oldest entry remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that is known to have been used by ransomware groups. The PowerPoint and HPE vulnerabilities are the first additions to the KEV catalog in 2026, following 245 vulnerabilities added in 2025.

CISA KEV Addition Follows CVE-2025-37164 PoC

CISA’s addition of CVE-2025-37164 follows a proof-of-concept (PoC) exploit published by Rapid7 on Dec. 19. HPE notes that CVE-2025-37164 could allow a remote unauthenticated user to perform remote code execution. The company acknowledged Nguyen Quoc Khanh for reporting the issue. HPE has released a security hotfix for any version of HPE OneView from 5.20 through 10.20, which must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage.

While the HPE advisory says all versions through v10.20 are affected, the Rapid7 PoC notes that “Based on our analysis, we suspect that only ‘HPE OneView for VMs’ version 6.x is vulnerable to CVE-2025-37164, whereas all unpatched versions of ‘HPE OneView for HPE Synergy’ are vulnerable to CVE-2025-37164. More clarification is needed from the vendor to confirm or deny this hypothesis.” Rapid7 also released a Metasploit module for CVE-2025-37164, so administrators should treat every unpatched OneView deployment as exposed until the vendor narrows the affected range.

CVE-2009-0556 PowerPoint Flaw First Attacked in 2009

The Microsoft PowerPoint flaw could allow remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value, which triggers memory corruption when PowerPoint reads the file. The National Vulnerability Database (NVD) notes that CVE-2009-0556 was initially exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen. Microsoft’s May 2009 security bulletin notes that an attacker who successfully exploited the vulnerability “could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” Microsoft adds that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

 Cybercrime

Although the list does not include what are perceived to be the more consequential multilateral bodies shaping global cyber governance and state behaviour in cyberspace, some of the organizations play a role in shaping international law broadly.

 Government

Datamasters bought and resold the names, addresses, phone numbers and email addresses of millions of people with Alzheimer’s disease, drug addiction, bladder incontinence and other medical conditions for targeted advertising, according to the CPPA.

 Feed

Artificial intelligence (AI) company OpenAI on Wednesday announced the launch of ChatGPT Health, a dedicated space that allows users to have conversations with the chatbot about their health. To that end, the sandboxed experience offers users the optional ability to securely connect medical records and wellness apps, including Apple Health, Function, MyFitnessPal, Weight Watchers, AllTrails,

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities are listed below - CVE-2009-0556 (CVSS score: 8.8) - A code injection vulnerability in Microsoft Office

 Feed

Chainguard, the trusted source for open source, has a unique view into how modern organizations actually consume open source software and where they run into risk and operational burdens. Across a growing customer base and an extensive catalog of over 1800 container image projects, 148,000 versions, 290,000 images, and 100,000 language libraries, and almost half a billion builds, they can see

 Feed

Cisco has released updates to address a medium-severity security flaw in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) with a public proof-of-concept (PoC) exploit. The vulnerability, tracked as CVE-2026-20029 (CVSS score: 4.9), resides in the licensing feature and could allow an authenticated, remote attacker with administrative privileges to gain access to

 Feed

Cybersecurity researchers have discovered three malicious npm packages that are designed to deliver a previously undocumented malware called NodeCordRAT. The names of the packages, all of which were taken down as of November 2025, are listed below. They were uploaded by a user named "wenmoonx." bitcoin-main-lib (2,300 Downloads) bitcoin-lib-js (193 Downloads) bip40 (970 Downloads) "The

 Feed

Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source, self-hosting platform, that could result in authentication bypass and remote code execution. The list of vulnerabilities is as follows - CVE-2025-66209 (CVSS score: 10.0) - A command injection vulnerability in the database backup functionality allows any authenticated

 Feed

Cybersecurity researchers have disclosed details of a new campaign that uses WhatsApp as a distribution vector for a Windows banking trojan called Astaroth in attacks targeting Brazil. The campaign has been codenamed Boto Cor-de-Rosa by Acronis Threat Research Unit. "The malware retrieves the victim's WhatsApp contact list and automatically sends malicious messages to each contact to further

 Feed

A China-nexus threat actor known as UAT-7290 has been attributed to espionage-focused intrusions against entities in South Asia and Southeastern Europe. The activity cluster, which has been active since at least 2022, primarily focuses on extensive technical reconnaissance of target organizations before initiating attacks, ultimately leading to the deployment of malware families such as RushDrop

 Podcast

Romance scammers have apparently discovered astrology... and Taurus is their secret weapon. In episode 449 of "Smashing Security", we take a look inside an actual romance-fraud handbook, complete with scripts, personality “types”, corporate jargon, and a seven-day plan to get victims from hello to handing over the crypto. Then Lesley "hacks4pancakes" Carhart delivers a reality check on the dire cybersecurity jobs market for juniors: why entry-level roles are evaporating, how automated CV screening is chewing candidates up, and what hopeful newcomers (and weary veterans) can do about it. Plus, Graham talks to ThreatLocker CEO Danny Jenkins about why misconfigurations are behind an uncomfortable number of breaches, how default-deny security actually works in practice, and why detecting attacks after they’ve started is already too late.

2026-01
Aggregator history
Thursday, January 08