Good Morning Security Gang,
Today’s episode is one of those that reminds us cybersecurity isn’t just about alerts and dashboards, it’s about heating plants, hospitals, industrial systems, and the very infrastructure that keeps society running.
What we’re seeing today is not loud ransomware headlines, it’s something far more dangerous: low-visibility, high-impact activity targeting the systems people rarely think about but depend on every day.
“You’re not waiting to be attacked, you’re already on someone’s scan list.”
Coffee cup cheers, let’s dive in.
Sweden Blames Russia for Energy Infrastructure Attack
We begin in Sweden, where officials have attributed a cyberattack on a heating plant to a pro-Russian group linked to intelligence services.
The attack itself failed, but that’s not the story. The story is intent.
This fits a broader European pattern: probing civilian infrastructure (heating, power, utilities), not necessarily to destroy, but to create instability and psychological pressure.
These aren’t battlefield operations. These are societal pressure campaigns.
The risk is clear: disruption of everyday life systems without triggering full-scale conflict. And that’s exactly the kind of gray-zone warfare we’re seeing more of.
AgingFly Malware Targets Ukrainian Government and Hospitals
Next, we move to Ukraine, where a new malware strain—AgingFly—is actively targeting government organizations and healthcare systems.
This is not opportunistic cybercrime. This is deliberate targeting of public service continuity.
Hospitals and government agencies are being hit because they represent stability. Disrupt them, and you disrupt society. This is cyber warfare in its purest form, pressure without kinetic escalation.
The takeaway here is that resilience in healthcare and public sector systems is no longer optional, it’s strategic.
12,000 Systems Scanned in Iranian-Style Recon Campaign
In the Middle East, more than 12,000 systems have been scanned in what mirrors Iranian reconnaissance tactics.
And this number matters, because scanning is the beginning, not the end.
This is patient threat actor behavior: map the environment, identify weaknesses, and come back later with precision. This aligns with everything we’ve been saying about pre-positioning. Attackers aren’t rushing, they’re preparing.
The risk is that today’s scan becomes tomorrow’s disruption.
"If we treated our power plants the way pilots treat an airplane, we would likely have less of these events on the engineering side. But that's just it, it doesn't have the same due care. It should, but it doesn't. As security practitioners, we ought to be planning for the day after. That day after is network obfuscation. That day after is inline data encryption even within your air-gapped networks." James Azar
CISA Flags Windows Task Host Flaw Under Active Exploitation
CISA has flagged a Windows Task Host vulnerability as actively exploited, allowing attackers to escalate privileges to SYSTEM.
This is a classic move. Initial access is just step one. Privilege escalation is where the real control begins.
Once attackers reach SYSTEM-level access, they own the box, and often the network. This is a reminder that even “local” vulnerabilities matter, especially in shared or high-value environments.
NGINX UI Zero-Day Under Active Exploitation
We also have active exploitation of a critical NGINX UI vulnerability.
And this one is painfully familiar. Management interfaces exposed to the internet. Admin panels left accessible. These are some of the easiest entry points for attackers, and they keep working.
Why? Because convenience keeps winning over security.
The risk is full server compromise through exposed administrative tooling.
Ivanti Vulnerabilities Continue to Surface
Ivanti is back again with two new vulnerabilities, including an RCE and an authentication bypass. At this point, this isn’t surprising, it’s expected.
Platforms that broker access and manage systems sit directly in the flow of trust. That makes them prime targets. And attackers know it.
The risk is control of the control plane: visibility, automation, and access, all in one place.
ICS Patch Tuesday: Industrial Giants Face Ongoing Risk
Eight major industrial vendors, including Siemens, Schneider Electric, and Rockwell, released new advisories in ICS Patch Tuesday.
This highlights a persistent issue: OT environments are long-lived, hard to patch, and often ignored. Unlike IT systems, these environments accumulate risk over time.
“If it runs the physical world, attackers are already looking at it.”
And when vulnerabilities are finally exploited, the impact isn’t just data—it’s physical operations.
Privacy Research: Tracking Persists Despite Opt-Outs
New research suggests that major tech companies can still track users even after opt-out mechanisms are used. This isn’t just a privacy issue, it’s a trust issue.
If controls don’t behave as expected, then assumptions about compliance and protection break down. For defenders, this means we can’t just trust vendor claims, we have to validate them.
FCC Grants Netgear Exemption in Router Certification Rules
Finally, the FCC granted Netgear an exemption related to router certification rules tied to foreign-owned test labs. This may seem administrative, but it’s not.
It sits at the intersection of cybersecurity, geopolitics, and supply chain. Policy decisions now directly impact how secure, or insecure, our infrastructure becomes.
Action Items for Security Leaders
Eliminate internet exposure for OT and industrial control systems
Implement network obfuscation and segmentation for critical infrastructure
Isolate healthcare and government systems from public-facing networks
Prioritize patching of privilege escalation vulnerabilities on key systems
Remove or restrict access to exposed management interfaces
Segment ITSM and administrative platforms from broader environments
Establish dedicated OT vulnerability management processes
Validate privacy and tracking controls independently of vendor claims
Monitor large-scale scanning activity as early indicators of future attacks
Plan for resilience—not just prevention—in critical infrastructure environments
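The recon story above and the action item on monitoring large-scale scanning both come down to the same detection question: which sources are touching many hosts or many ports in a short window? The script below is an added example, not code from the podcast or from any vendor. It assumes a hypothetical firewall/flow log format of "timestamp src dst dport action" (the sample lines are constructed for this example), and the window and thresholds are illustrative starting points to tune against your own baseline.

```python
"""Flag likely reconnaissance scanning in firewall/flow logs.

A source that touches many distinct destination hosts (horizontal scan) or many
distinct ports on one host (vertical scan) inside a short window is reported.
Log format is hypothetical: "<ISO timestamp> <src> <dst> <dport> <action>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). 198.51.100.7 sweeps ports on
# 10.0.0.5 and then SSH across the subnet; 203.0.113.4 is ordinary HTTPS use.
SAMPLE_LOGS = """\
2024-01-10T08:00:01 198.51.100.7 10.0.0.5 22 DENY
2024-01-10T08:00:02 198.51.100.7 10.0.0.5 23 DENY
2024-01-10T08:00:02 198.51.100.7 10.0.0.5 80 ALLOW
2024-01-10T08:00:03 198.51.100.7 10.0.0.5 443 ALLOW
2024-01-10T08:00:03 198.51.100.7 10.0.0.5 502 DENY
2024-01-10T08:00:04 198.51.100.7 10.0.0.5 8080 DENY
2024-01-10T08:00:05 198.51.100.7 10.0.0.6 22 DENY
2024-01-10T08:00:05 198.51.100.7 10.0.0.7 22 DENY
2024-01-10T08:00:06 198.51.100.7 10.0.0.8 22 DENY
2024-01-10T08:00:06 198.51.100.7 10.0.0.9 22 DENY
2024-01-10T08:00:07 198.51.100.7 10.0.0.10 22 DENY
2024-01-10T08:00:07 198.51.100.7 10.0.0.11 22 DENY
2024-01-10T08:05:00 203.0.113.4 10.0.0.5 443 ALLOW
2024-01-10T08:05:30 203.0.113.4 10.0.0.5 443 ALLOW
2024-01-10T08:06:00 203.0.113.4 10.0.0.5 443 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_scanners(log_text, window=timedelta(seconds=60),
                    host_threshold=5, port_threshold=5):
    """Return {src: summary} for sources whose activity in any window of
    length `window` reaches host_threshold distinct hosts or port_threshold
    distinct ports on a single host. Thresholds are illustrative defaults."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, _action = parse_line(line)
            events[src].append((ts, dst, dport))

    findings = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so each window is a contiguous slice
        for i, (start, _, _) in enumerate(evs):
            hosts = set()
            ports_per_host = defaultdict(set)
            for ts, dst, dport in evs[i:]:
                if ts - start > window:
                    break
                hosts.add(dst)
                ports_per_host[dst].add(dport)
            max_ports = max(len(p) for p in ports_per_host.values())
            horizontal = len(hosts) >= host_threshold
            vertical = max_ports >= port_threshold
            if horizontal or vertical:
                findings[src] = {
                    "window_start": start.isoformat(),
                    "distinct_hosts": len(hosts),
                    "max_ports_on_one_host": max_ports,
                    "horizontal": horizontal,
                    "vertical": vertical,
                }
                break  # first offending window is enough to raise the alert
    return findings


if __name__ == "__main__":
    for src, summary in detect_scanners(SAMPLE_LOGS).items():
        print(f"possible scan from {src}: {summary}")
```

Denied and allowed connections are both counted on purpose: a scanner learns as much from an ALLOW as from a DENY, and pre-positioning is exactly the case where nothing "bad" has happened yet. The output is a triage list, so feed it to an allowlist of known scanners (your own vulnerability management, monitoring probes) before alerting on it.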
James Azar's CISO's Take
What stands out to me today is how much of the risk we face sits below the surface. These aren’t flashy ransomware attacks or headline-grabbing breaches. These are quiet, methodical campaigns targeting the systems that keep society functioning. And that’s what makes them dangerous, because they often go unnoticed until it’s too late.
The second takeaway is that we have to stop thinking about cybersecurity as purely digital. When attacks impact heating plants, hospitals, and industrial systems, the consequences are physical, human, and immediate. Our job as practitioners isn’t just to prevent compromise, it’s to ensure continuity. Because in today’s world, cyber resilience is societal resilience.
Stay Cyber Safe.