Tag: NCSC

  • The SaaS Killer? UK Cyber Sentinels Warn “Vibe Coding” is Creating a Security Time Bomb

The United Kingdom’s top cybersecurity authority has issued a stark warning: a new model of AI-driven software creation could permanently reshape the cloud computing market. The phenomenon is “vibe coding”, in which digital services and applications are built with little or no human involvement. While this approach dramatically accelerates development, it also raises the cost of mistakes, especially where undetected weaknesses turn into lucrative entry points for attackers.

    The UK’s National Cyber Security Centre (NCSC) has stated that the spread of vibe coding could shake the entire Software-as-a-Service (SaaS) sector in the coming years. According to the agency, businesses increasingly see AI tools as a way to build bespoke systems quickly and cheaply, avoiding the recurring cost of conventional, off-the-shelf cloud subscriptions. The debate was intensified by the sharp February sell-off in software and cloud company shares, when investors began to voice serious concern about mounting pressure on the traditional SaaS model.

    Speaking at the RSA conference in San Francisco, NCSC chief Richard Horne urged those responsible for protecting data to engage with this shift without delay, so that AI-driven development tools deliver real benefit rather than harm. Horne said plainly that the internet is already straining under a flood of attacks that exploit old, easily fixable flaws. Against that backdrop, mass generation of insecure software by AI threatens to magnify the problem many times over.

    The agency notes that the appeal to business is strong. Rather than paying high subscription fees and accepting rigid functional limits, developers are already trying to build faithful replicas of established SaaS products within hours. Such a shift would echo the early days of the cloud market, when enterprises, drawn by the promise of easy access and large savings, moved their workloads en masse to the new platforms.

    At the same time, the NCSC warns that AI-generated code is frequently insecure, hard to maintain, and prone to serious security vulnerabilities. If businesses simply accept those risks, insecure systems will reach live production environments at alarming speed. The agency strongly recommends adopting “secure by default” code generation practices from the outset, along with rigorous auditing of model integrity and widespread use of automated scanning and verification.

    In the NCSC’s assessment, the transformation of the SaaS landscape will unfold gradually, at a pace set by the complexity of the systems involved and companies’ appetite for risk. Ultimately, the providers that survive will be those whose offerings are hard to replicate: protected by complex regulatory requirements, by their indispensability to core operations, or by the sheer volume of customer data they have accumulated.

  • The Rogue Peer Threat: CISA Issues Emergency Directive to Thwart Global Cisco SD-WAN Hijacking

    The offensives targeting Cisco networking infrastructure have reached such a critical magnitude that United States authorities have invoked an extraordinary regulatory protocol. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive, mandating immediate compliance from all civilian federal agencies.

    This mandate is predicated upon American statutory provisions that empower the Department of Homeland Security to demand instantaneous remedial action from agencies in the face of an imminent threat. This executive authority is delegated to the Director of CISA, and federal entities are legally compelled to execute such prescriptions, with the exception of national security systems and the clandestine networks of military and intelligence organs.

    In the directive, CISA explicitly delineates the persistent exploitation of vulnerabilities within Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller. Specifically, the agency highlights CVE-2026-20127, which facilitates the remote circumvention of authentication to secure administrative privileges, and CVE-2022-20775, enabling adversaries to escalate privileges to root status and execute arbitrary commands.

    The agency has dictated a rigorous, sequential protocol: identify all afflicted systems, harvest technical artifacts and logs, audit them for indicators of compromise, and implement requisite patches by February 27, 2026. Agencies must furnish progress reports in multiple stages through mid-March. Should a root-level account compromise be detected, the directive ordains immediate notification to CISA and the deployment of fresh management instances from fortified, sanitized images.

    Concurrently, the National Cyber Security Centre (NCSC) of the United Kingdom has disseminated a warning. A collaborative communique—authored alongside partners from Canada, New Zealand, and the United States—reveals that global adversaries are infiltrating Cisco Catalyst SD-WAN environments by introducing a spurious node into the infrastructure. This “imposter” participant gains the capacity to perform trusted operations, attain root access, and maintain long-term persistence within the system.

    The Australian Signals Directorate has also joined this unified front, publishing a technical manual to assist organizations in discerning whether their infrastructure has been breached. The documentation suggests that at least one sophisticated actor has been exploiting a zero-day vulnerability within Cisco SD-WAN environments since 2023. This defect remained clandestine until its discovery in late 2025 and has since been remediated.

    Authorities urge organizations to meticulously inspect their networks for signs of intrusion, install the latest software iterations, and adhere to fortified security recommendations. The communique emphasizes that SD-WAN management interfaces must remain sequestered from the public internet, as such exposed configurations reside within the zone of maximum peril. While the specific syndicates orchestrating these strikes remain unnamed, the gravity of the threat is undeniable.

  • New Security Default: CERT-FR Urges Users to Fully Disable Wi-Fi When Not Active

    If it already felt as though smartphone security advice had devolved into an endless catalogue of prohibitions, here is a new, officially endorsed level of paranoia: turn Wi-Fi off completely whenever you are not actively using it. Not merely “disconnect” from a network, but disable the interface altogether so the phone does not attempt to communicate with anything at all.

    This recommendation was issued by France’s CERT-FR, the national cyber incident response authority, in coordination with its British counterpart. In recent weeks, users have already been reminded of basic digital hygiene: use secure messaging apps, move away from SMS-based codes where possible, install updates as soon as they are released, be cautious with commercial VPNs, and avoid untrustworthy services. The call to “fully deactivate Wi-Fi,” however, goes far beyond the familiar advice of “don’t connect to open networks.”

    CERT-FR explains this stance by pointing to the ever-expanding “attack surface” of modern smartphones. Vulnerabilities may lurk not only in applications and the operating system, but also in wireless chips and even hardware components. In practical terms, this means that risk does not stem solely from phishing links or poorly written apps, but from the surrounding infrastructure itself—especially where wireless connectivity is involved.

    The agency also reiterates the dangers of public networks, including the classic “evil twin” scenario, in which an attacker sets up a fake access point with a plausible name. Victims can then be quietly redirected to counterfeit login pages designed to harvest credentials, or exposed to attempts at malware injection through traffic manipulation. For this reason, beyond disabling automatic connections to unknown networks, French authorities propose a more radical step: switch Wi-Fi off entirely so the device cannot latch onto rogue access points, even accidentally.

    For iPhone users, there is an important caveat. CERT-FR notes that disabling Wi-Fi via Control Center does not always shut the interface down completely; it often only severs the current connection. To truly turn Wi-Fi off, users are advised to do so through iOS Settings. They are also encouraged to disable automatic reconnection even to saved networks, including private ones, and to avoid public Wi-Fi whenever possible. If connectivity is unavoidable, traffic should be encrypted using a VPN.

    The guidance also revisits other long-standing yet still relevant risks: the insecurity of legacy 2G networks with weak encryption, classic man-in-the-middle attacks, and “juice jacking” when charging devices from public USB ports. In the latter case, users are advised to rely only on trusted power sources or to use USB data blockers, and to power down unattended devices altogether.

    How much inconvenience one is willing to endure in the name of security is a personal choice. Yet the very fact that national incident response centers are now recommending that Wi-Fi be disabled by default speaks volumes about the current threat landscape: convenience is no longer considered a safe default.

  • UK Sanctions 2 Chinese Firms: i-Soon & Integrity Tech Targeted for Cyberattacks on Allies

    The United Kingdom has announced sanctions against two Chinese technology companies, accusing them of reckless and indiscriminate cyberattacks targeting the UK and its allies. The measures apply to Sichuan Anxun Information Technology Co. Ltd—better known as i-Soon—and Integrity Technology Group Incorporated, referred to in Britain as Integrity Tech.

    According to London, i-Soon targeted more than 80 IT systems belonging to government bodies and private organizations worldwide and allegedly supported other actors planning malicious cyber activities. Integrity Tech, in turn, is accused of controlling and operating a covert cyber network and of providing technical assistance to third-party groups conducting cyberattacks; among the alleged targets were IT systems within the UK public sector.

    British authorities link these cases to a broader “cyber industry” in China, encompassing information security firms, data brokers that collect and sell personal information, and so-called hackers-for-hire. London maintains that some of these actors provide services to Chinese intelligence bodies, while the UK’s National Cyber Security Centre (NCSC) assesses it as “almost certain” that an ecosystem of private entities exists to support operations connected to the Chinese state.

    The statement also recalled that in August 2025, the UK, together with international partners, exposed three Chinese companies tied to the Salt Typhoon cyber-espionage campaign. London emphasizes that, taken together, these episodes illustrate the scale of attacks by China-based companies against governments, telecommunications providers, military institutions, and public services worldwide. Britain argues that such actions run counter to agreed United Nations principles governing cyberspace, and that the current measures are intended to reduce risks to UK security and international stability.

    The government further stressed that safeguarding security remains a “non-negotiable” responsibility of the state, while acknowledging China as a source of multiple national security threats. At the same time, the UK describes the PRC as a permanent member of the UN Security Council, the world’s second-largest economy, and a nuclear power with which it is prepared to cooperate where interests align, while responding firmly to threats. Against this backdrop, Britain noted that, together with France, it continues to advance the Pall Mall Process—an international initiative aimed at establishing frameworks for responsible behavior in the commercial cyber intrusion market—and reiterated its commitment to UN norms and to the principles guiding the country’s National Cyber Force.

  • London Cyber Crisis: Attack Forces Multiple Borough Councils to Shut Down Services

    Several London boroughs have been hit by a serious digital incident that has rendered parts of their online services and telephone lines inaccessible. Local authorities are shutting down individual systems and shifting to temporary operating modes in an effort to reduce risk.

    The Royal Borough of Kensington and Chelsea, Westminster City Council, and the London Borough of Hammersmith and Fulham have all reported a cyberattack. The first signs of trouble in Kensington and Chelsea emerged on the afternoon of 24 November, when a message appeared on social media warning of disruptions affecting access to online services. By the morning of 25 November, the council was already speaking of a significant problem with its IT infrastructure, one that continued to impede the delivery of municipal services.

    At the same time, Westminster City Council reported issues within its information systems. Staff at both councils received internal notices explaining that the shutdown of certain services was a defensive measure in response to the cyber incident. The Borough of Hackney was also alerted to a potential threat. Following emergency meetings, its internal cyber-threat level was raised to critical, and personnel were instructed to exercise heightened caution when working with systems and data.

    Employees of the Hammersmith and Fulham council likewise received a notification about a serious information-security incident. The municipality stresses that no confirmed evidence of a successful breach has been found so far, but a state of elevated readiness remains in effect.

    National bodies have intervened. Kensington and Chelsea notified the UK Information Commissioner’s Office and established coordination with the National Cyber Security Centre, part of the intelligence agency GCHQ. Information-security teams worked through the night, strengthening defensive mechanisms and maintaining the operation of key public services.

    Council representatives apologised to residents for delays and warned of potential disruptions in processing requests in the coming days. The boroughs intend to continue coordinating efforts with cybersecurity specialists and relevant agencies to restore their systems as swiftly as possible.

    The National Cyber Security Centre has also confirmed its involvement, assessing the impact on local authorities. Meanwhile, the Metropolitan Police stated that its cybercrime unit has opened an investigation following a report submitted via the Action Fraud service.

    The inquiry remains in its early stages and no arrests have been made. Residents of the affected boroughs may continue to experience difficulties accessing online services, telephone lines, and other council functions while restoration work continues and potential data exposure is assessed.

  • 48,000 Cisco Firewalls Remain Exposed to Active Zero-Day Attacks, Shadowserver Finds

    More than 48,000 Cisco ASA and Firepower Threat Defense (FTD) firewalls remain unprotected against two critical vulnerabilities that are already being actively exploited. Tracked as CVE-2025-20333 and CVE-2025-20362, these flaws allow remote code execution and unauthorized access to restricted VPN-related URL endpoints. Exploitation can be carried out remotely and requires no authentication.

    On September 25, Cisco disclosed that attacks had begun even before patches were released. There are no viable workarounds to mitigate the risks; the only temporary measures involve restricting access to the VPN web interface and closely monitoring suspicious logins or specially crafted HTTP requests.

    According to a Shadowserver Foundation scan on September 29, nearly 49,000 vulnerable devices remain exposed online. The United States accounts for the largest share, with over 19,000 instances. Other heavily impacted regions include the United Kingdom (2,800), Japan (2,300), Germany (2,200), Russia (2,100), Canada (1,500), and Denmark (1,200). These numbers underscore that many administrators have yet to respond to the warnings despite ongoing exploitation attempts.

    Evidence suggests the attacks were being prepared weeks in advance. Data from Greynoise revealed suspicious scans targeting Cisco ASA on September 4, with activity traced back to late August. Historically, 80% of such scanning behavior precedes the exploitation of newly discovered vulnerabilities.

    The severity of the situation was further confirmed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which issued an emergency directive requiring all federal agencies to audit their Cisco ASA and FTD appliances within 24 hours and apply patches to any devices intended for continued use. Systems that have reached end-of-life must be disconnected from government networks by the end of September.

    The UK National Cyber Security Centre (NCSC) also released its analysis, reporting that attackers deploy the Line Viper shellcode loader onto compromised devices, followed by the RayInitiator bootkit, which launches through GRUB. This indicates a highly sophisticated threat campaign with potentially severe consequences for affected networks.

    Given that exploitation of CVE-2025-20333 and CVE-2025-20362 has already persisted for over a week, Cisco urges administrators to immediately apply the available patches and thoroughly investigate their infrastructure for signs of compromise.

  • The Aftermath of the Attack: How a Cyberattack Crippled Jaguar Land Rover

    The cyberattack on Jaguar Land Rover, which has brought the company’s operations to a standstill, has escalated into one of the most severe crises ever faced by the British automaker. The company was forced to shut down its IT systems and halt production at its plants in Solihull, Halewood, and Wolverhampton. Assembly lines have been idle for nearly two weeks and will not restart until at least midweek. Losses are estimated in the tens of millions of pounds, with repercussions extending far beyond the company itself to its vast network of suppliers.

    Experts estimate JLR’s daily losses at between £5 and £10 million ($6.8 to $13.6 million), with cumulative damages already exceeding £50 million. The company retains some resilience: its annual pre-tax profits reached £2.5 billion ($3.4 billion), enough to weather the crisis if it does not drag on for months. The greater burden, however, falls on its suppliers, many of them small and medium-sized businesses. Their heavy reliance on JLR contracts leaves them vulnerable to bankruptcy from prolonged shutdowns. Former Aston Martin CEO Andy Palmer has warned that some of these firms will not survive the pause and will be forced into mass layoffs.

    Several businesses have already sent employees home under agreements to “work back” accumulated hours later, while others have begun cutting staff. One small supplier reported losing nearly half its workforce. Larger companies are striving to retain skilled employees, but if the shutdown continues, even they may have no choice but to downsize. In total, some 250,000 jobs in related sectors are at risk, with the ripple effect threatening the entire industry.

    The UK government is facing mounting pressure from unions and lawmakers to implement a wage subsidy scheme. Unite has called for an emergency job retention program to safeguard workers’ incomes during the disruption and to prevent the loss of vital manufacturing expertise. Union leader Sharon Graham stressed that thousands of supply chain employees are under immediate threat because of the incident, warning that delays could result in long-term economic damage.

    JLR admits that restoring its IT systems has proven far more complex than initially anticipated. With production processes and supply chains deeply entwined with automation, the shutdown of networks inevitably triggered the stoppage of assembly lines. Sales operations have also been affected, though temporary solutions have been put in place for dealers. The company has confirmed that some data may have been compromised and is working alongside the National Cyber Security Centre (NCSC) to investigate and mitigate the fallout.

    Authorities insist they remain in daily contact with JLR’s leadership and cybersecurity experts. Business and Trade Secretary Chris Bryant acknowledged the profound impact of the attack and stated that discussions are ongoing with the company about pathways out of the crisis. Yet for hundreds of suppliers and their employees, the decisive factor is time: the longer production remains idle, the greater the risk that a temporary shock evolves into long-term structural damage for the industry.

    Bryant also highlighted measures already in place to promote a Secure by Design ethos. These include mandatory protections for connected devices, codes of practice for software and AI developers, a cyber governance code for executives, and the Cyber Essentials certification, which government data suggests reduces the likelihood of an insurance claim following an attack by 92%. Free NCSC services — including training, security assessment tools, and early-warning systems — have also been made available. JLR has notified the ICO, not due to a confirmed breach but as a precautionary step “to set the record straight.” Meanwhile, the government reiterated its warning against ransom payments, noting that they fuel the criminal business model without guaranteeing recovery.

    Next on the agenda is the Cybersecurity and Resilience Bill, aimed at raising mandatory standards in critical sectors such as energy, water, and healthcare. Debate continues over extending these requirements to major private brands, with some MPs pushing for stricter obligations and mandatory incident reporting. Broader systemic issues have also surfaced — from revisiting the outdated Computer Misuse Act to expanding cyber insurance coverage. The need for end-to-end encryption in threat intelligence sharing between businesses, the NCSC, the Home Office, and new cyber units within the Ministry of Defence was also underscored.

    The minister reminded Parliament that last year 40% of UK companies admitted to experiencing cyberattacks, and that attackers’ arsenals continue to expand — from social engineering in call centers to AI-generated voice impersonations. The government’s strategy emphasizes relentless monitoring, the prosecution and imprisonment of offenders, and the modernization of outdated IT infrastructure. In the immediate term, attention is focused on keeping JLR staff and suppliers informed about the recovery timeline and reducing anxiety around pay and job security. In the medium term, the priority is strengthening baseline cyber hygiene across the spectrum — from multinational corporations to NGOs and small enterprises.

  • UK Data Breach: Hackers Exploit SharePoint Flaws, Leaking Confidential Data

    Hackers successfully exploited recently discovered vulnerabilities in local Microsoft SharePoint servers, resulting in the leakage of personal data in the United Kingdom. Within days of the flaws being disclosed, three British organizations reported breaches of confidential information to the Information Commissioner’s Office (ICO). The names of the affected entities remain undisclosed, yet experts note that SharePoint is extensively used across government agencies, universities, and corporations, where vast amounts of sensitive data are stored.

    On July 19, Microsoft issued what specialists described as an unprecedentedly severe warning. Clients were urged to immediately reconfigure their systems or disable SharePoint servers entirely until a patch became available. The urgency of the situation was heightened by the fact that exploits were weaponized almost immediately after discovery. The initial wave of attacks, dubbed ToolShell, was attributed by investigators to at least two state-sponsored Chinese groups. Shortly thereafter, another group — likely motivated by financial gain — joined the campaign. Whether these actors operated in coordination or independently remains unclear.

    On July 22, the UK’s National Cyber Security Centre (NCSC) announced that, in collaboration with Microsoft, it was monitoring a limited number of active attacks in the country. However, it did not specify which sectors had been targeted. Given that on-premises SharePoint servers remain prevalent within government institutions and organizations, the prospect of widespread repercussions has raised grave concern. At that point, exploitation of the zero-day vulnerability CVE-2025-53770 had already impacted at least 100 organizations, including multinational corporations and government agencies.

    According to an ICO response to a Freedom of Information request, as of July 28 the agency had received no fewer than three official breach notifications directly tied to the SharePoint vulnerability. The true number, however, may be higher. The ICO’s internal reporting system lacks a dedicated field for identifying specific cyberattacks behind incidents, and organizations filing notifications are not required to disclose such details.

    Some reports were manually linked to the SharePoint vulnerability based on information provided, while officials acknowledged that other submissions could also be related to this campaign, though definitive confirmation has yet to be established. Upon further analysis, some of these cases may ultimately be attributed to different causes.

  • NCSC Launches Initiative to Boost UK Cyber Defenses with External Experts

    The United Kingdom’s National Cyber Security Centre (NCSC) has unveiled a new program titled the Vulnerability Research Initiative (VRI), aimed at deepening collaboration with independent experts in vulnerability discovery. This initiative seeks to bolster the nation’s capabilities in identifying and analyzing security flaws across digital systems and critical infrastructure.

    Until now, the Centre’s internal specialists conducted extensive research across a broad array of technologies. However, the new initiative establishes a parallel framework designed to foster targeted engagement with external professionals whose expertise can enrich the process of uncovering and examining vulnerabilities. The overarching objective is to facilitate more timely and effective dissemination of insights within the cybersecurity community.

    The VRI framework is not merely about joint vulnerability discovery—it also seeks to cultivate enduring channels of cooperation with outside contributors. Selected researchers will be assigned specific tasks such as assessing the security of individual products, evaluating protection mechanisms, and transmitting their findings through a purpose-built procedure known as the Equities Process. This mechanism governs the responsible disclosure of vulnerabilities, ensuring a delicate balance between safeguarding public security and informing vendors and users.

    Participants in the program will also be required to disclose the tools and methodologies they employ, enabling the NCSC to catalog and refine best practices. A particular emphasis is placed on advancing the use of artificial intelligence in automated vulnerability discovery, positioning VRI as a pivotal step in aligning the nation’s cybersecurity posture with emerging technological paradigms.

    Professionals interested in contributing may submit a brief overview of their expertise, skillset, and areas of interest to the designated email address. It is important to note, however, that this channel is not intended for submitting detailed vulnerability reports—for such submissions, a dedicated portal exists.

    The creation of VRI underscores the NCSC’s strategic commitment to strengthening the United Kingdom’s position in global cybersecurity. By accelerating the pace, expanding the scope, and enhancing the quality of vulnerability research, this initiative becomes an integral component of the Centre’s broader mission: to protect government systems, critical infrastructure, businesses, and citizens from the ever-evolving spectrum of cyber threats.

  • Radix Ransomware Attack: Swiss Health Foundation Breach Exposes Federal Government Data on Dark Web

    The Swiss foundation Radix, engaged in healthcare-related initiatives, has fallen victim to a ransomware attack. As a result of the cyber intrusion, the perpetrators exfiltrated and encrypted data, which was later disseminated on the dark web. Among Radix’s clientele are various departments of the Federal Administration, prompting significant concern within government circles.

    The incident was swiftly detected, and following an initial assessment, Radix’s leadership notified the National Cyber Security Centre (NCSC). Experts from the center have since launched an investigation and are actively working to uncover the circumstances surrounding the breach.

Since Radix does not possess direct access to the internal systems of the Federal Administration, the attackers were unable to infiltrate those government networks. Nevertheless, the ongoing investigation seeks to identify which specific departments and datasets were compromised. The National Cyber Security Centre is coordinating subsequent actions in close collaboration with Radix leadership, law enforcement authorities, and all affected federal entities. Additional details will be disclosed to the public as they emerge.

    Ransomware remains one of the most prevalent threats in the cybersecurity domain. Criminal actors typically gain unauthorized access to an organization’s systems, exfiltrate sensitive data, and then encrypt it—demanding a ransom for its return. If the demands go unmet, they threaten to release the stolen information. Continued refusal to comply often results in the gradual publication of the data, thereby intensifying pressure on the victim.

    In Radix’s case, this well-established extortion model was executed in full: the stolen data has surfaced on illicit platforms, and the analysis of the disclosed content is only just beginning. Specialists are now examining the scope of the breach to assess the extent of the damage and the potential repercussions for both governmental institutions and the public.