Red Lion's Sixnet RTUs provide advanced automation, control, and data acquisition capabilities in industrial automation and control systems, primarily across energy, water, and wastewater treatment, transportation, utilities, and manufacturing sectors. These industrial devices are configured using a Windows utility called Sixnet IO Tool Kit, with a proprietary Sixnet "Universal" protocol used to interface and enable communication between the kit and the RTUs.
The NCSC also reported that hostile states are using artificial intelligence (AI) to increase the efficiency and frequency of their existing attack methods, but are not yet using the technology for novel attacks. Actors linked to China, Russia, Iran and North Korea are starting to use large language models to evade detection, exfiltrate data, research security vulnerabilities and devise social engineering to gain access to systems.
Passkeys are credentials stored in an authenticator. Some are device-bound, others are synced across devices through consumer cloud services like iCloud and Google Cloud. Sync improves usability and recovery in low-security, consumer-facing scenarios, but shifts the trust boundary to cloud accounts and recovery workflows. The FIDO Alliance and Yubico have both issued important advisories for enterprises to evaluate this split and to prefer device-bound options for higher assurance.
The nmap command (short for network mapper) is a network exploration/security auditing tool that can rapidly scan networks to help you find out what hosts are available. With nmap, you can discover open ports and services, and even find out what operating systems are on your network. I've used nmap to find out what machines are on a network and what ports/services are open. If I find a port that shouldn't be open, I can close it to avoid security issues.
Government data is highly segmented by design, often separated by security classification levels to protect sensitive data and operations. While this segmentation is essential for national security, it also presents data-sharing obstacles that must be overcome. Fortunately, Cross-Domain Solutions (CDS) can help overcome obstacles such as safely training AI models with untrusted data, sharing classified AI capabilities with partners and connecting users or systems to AI tools across classification boundaries.
Before an attacker ever sends a payload, they've already done the work of understanding how your environment is built. They look at your login flows, your JavaScript files, your error messages, your API documentation, your GitHub repos. These are all clues that help them understand how your systems behave. AI is significantly accelerating reconnaissance and enabling attackers to map your environment with greater speed and precision.
According to the U.S. government, it's assessed to be a publicly-traded, Beijing-based company known as Integrity Technology Group. "The group cleverly modified a geo-mapping application's Java server object extension (SOE) into a functioning web shell," the cybersecurity company said in a report shared with The Hacker News. "By gating access with a hardcoded key for exclusive control and embedding it in system backups, they achieved deep, long-term persistence that could survive a full system recovery."
A critical security flaw has been identified in Happy DOM, a widely used JavaScript library primarily employed for server-side rendering and testing frameworks. The vulnerability, cataloged as CVE-2025-61927, allows attackers to escape the library's virtual machine (VM) context, leading to potential remote code execution on vulnerable systems. This flaw threatens millions of applications that depend on Happy DOM. The root of this vulnerability lies in the improper isolation of the Node.js VM context within Happy DOM versions 19 and earlier.
The newly disclosed flaw, tracked as CVE-2025-61884 and slapped with a CVSS score of 7.5, affects the Runtime UI component in EBS, and Oracle's advisory warns that the flaw can be exploited remotely without authentication and "may allow access to sensitive resources." In other words, it's another wide-open door into one of Oracle's most business-critical systems, and the kind of bug that cybercrims love to chain with others for data theft, extortion, or to delve deeper into enterprise networks.
Researchers at ReliaQuest say that the espionage outfit, which Microsoft tracks as a China-based state-sponsored actor, modified a legitimate ArcGIS server object extension (SOE) to act as a web shell, giving them long-term, near-invisible access. By exploiting ArcGIS' extensibility features while avoiding traditional, signature-based malware, Flax Typhoon embedded itself so deeply that even restoring systems from backups simply reinstalled the implant.
Webhooks on Discord are a way to post messages to channels in the platform without requiring a bot user or authentication, making them an attractive mechanism for attackers to exfiltrate data to a channel under their control. "Importantly, webhook URLs are effectively write-only," Socket researcher Olivia Brown said in an analysis. "They do not expose channel history, and defenders cannot read back prior posts just by knowing the URL."
Dozens of Orgs Impacted by Exploitation of Oracle EBS Flaw - Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025, according to Google Threat Intelligence Group (GTIG) and Mandiant. The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have chained together multiple distinct vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to breach target networks and exfiltrate sensitive data.
The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work.
Windows 10 was launched in July 2015. It was supposed to be the last major operating system (OS) upgrade, but Microsoft released Windows 11 in October 2021, and now Windows 10 has reached end of life, which means it will no longer be updated. Consumers who register for extended support and back up their PCs in the Microsoft cloud will be able to get free security updates until October 2026. Corporate PCs and devices connected to Active Directory will only receive Windows 10 security updates if they are covered by an Extended Security Updates (ESU) subscription.
"Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations," McAfee Labs researchers Harshil Patel and Prabudh Chakravorty said in a report. "When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running."
The Qantas data, which was stolen from a Salesforce database in a major cyber-attack in June, included customers' email addresses, phone numbers, birth dates and frequent flyer numbers. It did not contain credit card details, financial information or passport details. On Saturday the group marked the data as leaked, writing: "Don't be the next headline, should have paid the ransom."
The threat actor's use of the security utility was documented by Sophos last month. It's assessed that the attackers weaponized the on-premises SharePoint vulnerabilities known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor (version 0.73.4.0) that's susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover, per Cisco Talos.