Register Now! NCCoE Manufacturing Cybersecurity Response and Recovery Project Update Webinar

Reserve Your Virtual Seat: NCCoE Manufacturing Project Update

The NIST NCCoE will host a virtual event on June 4, 2026, to provide an overview of upcoming guidelines on improving cybersecurity incident response and recovery capabilities for organizations operating industrial control systems (ICS) and operational technology (OT) environments. This event will highlight approaches organizations can use to strengthen operational resilience.

Background

Operational Technology (OT) systems, such as ICS systems, are increasingly being targeted by cyber threats that can impact production, safety, and business continuity. Organizations operating these systems, such as those in the manufacturing sector, need to have plans and technical capabilities in place to respond to cyber incidents and restore operations to improve overall resilience.

To help organizations implement effective response and recovery and improve operational resilience, the NCCoE worked with 11 industry collaborators to develop reference architectures, describe response and recovery scenarios, and demonstrate relevant approaches and capabilities.

Event Details

During this webinar, the project team will share an overview of the guidelines, which will be released in the coming weeks with the initial public draft of NIST Special Publication (SP) 1800-41, Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector.

Additionally, the team will preview a forthcoming NCCoE project focused on Asset Management for OT systems, which is a critical foundation to support risk assessments, incident response, vulnerability management, and the implementation of modern security controls.

Register Now!

We encourage you to register for this webinar to learn more about this project and participate in the live Q&A. Attendance for this event is limited to 500 virtual participants.


NIST Releases SP 800-172r3 and SP 800-172Ar3: Enhanced Security Requirements and Assessment Procedures for Protecting CUI

As part of ongoing efforts to strengthen protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released the following final publications:

In addition to these documents, NIST is also releasing both the enhanced security requirements and assessment procedures in the Cybersecurity and Privacy Reference Tool (CPRT) and in Open Security Controls Assessment Language (OSCAL) data formats, available through the publication details pages for both SP 800-172r3 and SP 800-172Ar3.

Learn More about the Protecting CUI Project.


Uptick in Compromised Airline Accounts and Loyalty Fraud

Airline accounts contain a wealth of sensitive data, including passenger names, contact information, passport numbers, and financial information. These accounts may be linked to loyalty programs that allow passengers to earn miles or points that serve as a form of currency. These accumulated miles or points can be redeemed for free or discounted flights, seat upgrades, hotel stays, rental cars, airport lounge access, merchandise, gift cards, and other benefits. As the peak travel season approaches with increased reservations and high-value transactions, threat actors are intensifying their efforts to target the aviation industry and its major brands—such as American Airlines, Delta, and United—potentially resulting in disrupted travel, identity theft, monetary losses, and loyalty fraud.
The NJCCIC observed an uptick in reported compromised airline accounts in the past month. Threat actors obtain credentials through phishing campaigns, infostealers, data breaches, or data sold on darknet forums. Once they take over accounts, they engage in loyalty fraud by converting the miles or points into travel or rewards. They seek redemption options that yield the quickest and largest face value. The reports indicate that the threat actors made one or more redemptions, primarily for gift card purchases, as a one-time transaction or separate transactions over multiple days. Stolen redemptions ranged from 12,000 to 500,000 miles, valued at approximately $120 to $5,000 across popular gift card brands like Google Play, Sephora, and DoorDash. Threat actors target loyalty programs because they are less frequently monitored. They may plan their malicious activity for the weekend, when customer service or fraud departments may be closed or have limited hours or staff.

Multiple Vulnerabilities in NGINX Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in NGINX. NGINX is software used for web serving, reverse proxying, caching, and load balancing. Successful exploitation of the most severe of these vulnerabilities may allow an unauthenticated threat actor to crash vulnerable NGINX worker processes by sending crafted HTTP requests. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, exploitation may result in remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
A proof-of-concept exploit has been published by DepthFirst. In addition, an individual at VulnCheck has reported that CVE-2026-42945 has been exploited in the wild.
Systems Affected
  • NGINX Open Source 0.6.27 through 1.30.0
  • NGINX Plus R32 through R36
  • NGINX Instance Manager 2.16.0 through 2.21.1
  • F5 WAF for NGINX 5.9.0 through 5.12.1
  • NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0
  • F5 DoS for NGINX 4.8.0
  • NGINX App Protect DoS 4.3.0 through 4.7.0
  • NGINX Gateway Fabric 1.3.0 through 1.6.2 and 2.0.0 through 2.5.1
  • NGINX Ingress Controller 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.1
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
  • Apply appropriate updates provided by F5 or other vendors which use this software to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
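
The following host triage is an added example, not part of the advisory or any vendor tooling. It checks the three conditions the advisory ties to impact: an NGINX Open Source version inside the listed range, ASLR disabled, and worker processes configured to run as root. It assumes the inputs are the output of `nginx -v`, the contents of /proc/sys/kernel/randomize_va_space, and the text of nginx.conf; host names and sample values are constructed.

```python
import re

# NGINX Open Source range from "Systems Affected" above (other products not covered).
AFFECTED_MIN, AFFECTED_MAX = (0, 6, 27), (1, 30, 0)

def parse_nginx_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output, or None."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def worker_user(conf_text):
    """Account named by the top-level `user` directive, or None if unset."""
    depth = 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if depth == 0:
            m = re.match(r"user\s+([^\s;]+)", line)
            if m:
                return m.group(1)
        depth += line.count("{") - line.count("}")
    return None

def triage(banner, aslr_value, conf_text):
    """Return the advisory conditions that apply to one host."""
    findings = []
    version = parse_nginx_version(banner)
    if version is None:
        findings.append("version-unknown")
    elif AFFECTED_MIN <= version <= AFFECTED_MAX:
        findings.append("affected-version")
    # /proc/sys/kernel/randomize_va_space: 0 means ASLR is off
    if aslr_value.strip() == "0":
        findings.append("aslr-disabled")
    if worker_user(conf_text) == "root":
        findings.append("workers-run-as-root")
    return findings

# Constructed sample hosts: (nginx -v output, randomize_va_space, nginx.conf)
SAMPLE_HOSTS = {
    "edge-1": ("nginx version: nginx/1.24.0 (Ubuntu)", "0\n",
               "user root;\nworker_processes auto;\nevents { }\n"),
    "edge-2": ("nginx version: nginx/1.30.1", "2\n",
               "# user root;\nuser www-data;\nhttp { server { listen 80; } }\n"),
}

if __name__ == "__main__":
    for host, facts in SAMPLE_HOSTS.items():
        print(host, triage(*facts) or "no advisory conditions matched")
```

A version outside the listed range only means the host does not match this advisory's Open Source entry; confirm patch status against the F5 article in the references.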
References
F5:
https://my.f5.com/manage/s/article/K000161019

DepthFirst:
https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability

VulnCheck:
https://docs.vulncheck.com/initial-access/2026-05-15#cve-2026-42945-nginx-ngx_http_rewrite_module-heap-based-buffer-overflow-queries-and-signatures-only
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40701

New NIST Draft Publication: Responding to and Recovering from a Cyber Attack

Now Available for Public Comment!
NIST SP 1800-41, Responding to and Recovering from a Cyber Attack

The NIST National Cybersecurity Center of Excellence (NCCoE) has released the initial public draft of NIST Special Publication 1800-41, Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector, which provides guidelines on response and recovery activities in an industrial control system (ICS) environment and recommendations to improve operational resilience. The comment period for this publication is open through July 8, 2026.

Background

As Operational Technology (OT) systems like ICS become more interconnected with IT networks, they are increasingly being targeted by cyber threats, putting factory operations, safety, and property at risk. Organizations operating these systems, such as those in the manufacturing sector, need to have plans and capabilities in place to respond to cyber incidents and restore operations to improve overall resilience.

The NCCoE worked with 11 industry collaborators to develop reference architectures, describe response and recovery scenarios, and demonstrate relevant approaches and capabilities.

This draft publication provides actionable guidelines on responding to and recovering from cyber attacks in manufacturing environments. Discover how to:

  • Understand the risks and potential impact of cyber incidents on your operations
  • Develop a comprehensive response and recovery plan
  • Implement best practices to minimize downtime and restore operations quickly

Comment Now!

Review the publication and share your feedback by July 8, 2026. If you’re interested in staying up-to-date on this project, we encourage you to join the NCCoE Manufacturing Community of Interest (COI).

Upcoming Webinar

Join us for a webinar on June 4th, 2026, for an overview of these guidelines. Visit the event page to register and learn more about this event.


Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens

The Federal Bureau of Investigation (FBI) issued this Public Service Announcement (PSA) to warn the public about an emerging Phishing-as-a-Service (PhaaS) platform called Kali365, first seen in April 2026. Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials.
Through the Kali365 platform subscription, cyber threat actors can capture “OAuth” tokens and gain persistent access to targeted individuals/entities’ Microsoft 365 environments. Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.
This PSA contains an overview of how the scam works and tips to protect yourself, and is being provided to assist agencies, organizations, and individuals in guarding against the persistent malicious actions of cybercriminals.

First VPN Service Used by Ransomware Actors to Compromise Systems

The Federal Bureau of Investigation (FBI) released this FBI Liaison Alert System (FLASH) to disseminate indicators of compromise (IOCs) and identified tactics, techniques, and procedures (TTPs) associated with the First VPN Service. The service has been active since approximately 2014 and currently provides 32 exit node servers in 27 countries. At least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions. First VPN Service IP addresses have been used for scanning activity, botnets, denial of service attacks, scams, and hacking. First VPN Service was almost exclusively advertised in known criminal dark web forums such as Exploit[.]in and XSS[.]is, two of the most prominent Russian-language online forums which provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband.
This reporting applies solely to the First VPN Service and does not extend to other VPN providers with similar naming.
The release of this FLASH follows the coordinated takedown of the First VPN Service through a joint law enforcement operation supported by the FBI. This operation was conducted by France’s Direction Régionale de la Police Judiciaire Brigade de Lutte Contre la Cybercriminalité (BL2C), and the Dutch National Police, National High Tech Crime Unit (NHTC), with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg.
This FBI FLASH contains technical details, indicators, MITRE ATT&CK mapping, and recommended mitigations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
Administrative Note
The information in this document is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors. The FBI does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI.

Deadline Two Days Away: New Funding to Fuel Your Cybersecurity Workforce Development Efforts

On April 14, 2026, NIST announced a new Notice of Funding Opportunity (NOFO) to support Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. The funding expands the existing RAMPS program and anticipates awarding up to sixteen (16) new awards of up to $200,000 through cooperative agreements. The authorized period of performance for awards issued pursuant to this NOFO is no more than two (2) years.  

Applicants must demonstrate through letters of commitment that, in addition to the applicant, at least one of each of the following types of organizations is committed to being part of the proposed regional alliance:

  • at least one local employer or owner or operator of critical infrastructure (that is not the applicant), and
  • at least one of the following (that is not the applicant):
    • K12 School,
    • Local State Agency,
    • Local Educational Agency,
    • Institution of Higher Education,
    • Non-Profit Organization, or
    • Training Organization.

The deadline to apply is Thursday, May 28, 2026, by 11:59 p.m. Eastern Time. 

More information about the RAMPS NOFO may be found in the recording of the webinar for interested applicants and an FAQ.

Deadline to apply: May 28, 2026

Register Now: NIST Workshop on Hardware CPE and CVSS Updates – June 22, 2026

NIST will host a workshop on proposed updates to Common Platform Enumeration (CPE) and the Common Vulnerability Scoring System (CVSS) for hardware. The workshop gathers community feedback on draft revisions to how hardware is identified and how hardware vulnerabilities are scored, and that feedback will shape the next draft cycle.

Date: June 22, 2026

Time: 10:00 AM – 5:00 PM Eastern Daylight Time (EDT)
(morning coffee and snacks at 9:30 AM)


Format: Hybrid (attend in person or virtually)

Registration fee: $96 in person / $46 virtual

Registration deadlines: June 15, 2026 at 6:00 PM EDT (in person); June 22, 2026 at 9:00 AM EDT (virtual)

For more information on the event, or to register, click on the button below.

Questions? Contact cpe-workshop@nist.gov

Stay involved beyond the workshop. CPE development and public comments continue on the cpe-dev mailing list. To follow or take part in ongoing CPE specification work, join here.

Threat Actors Spoofing FIFA Websites in Advance of the 2026 World Cup

The Federal Bureau of Investigation (FBI) issued this Public Service Announcement (PSA) to warn the public that cyber threat actors are conducting spoofing attacks against the Fédération Internationale de Football Association (FIFA) website in advance of the 2026 FIFA World Cup. A spoofed website is designed to pose as a legitimate website, with branding, product listings, etc., and malicious actors use such sites to further illegal activity such as stealing personal information and facilitating monetary scams.
Threat actors often create spoofed websites by slightly altering characteristics of legitimate website domains, with the purpose of gathering personally identifiable information (PII) entered by a user into the site, including name, home address, phone number, email address, and banking information. For example, spoofed website domains may feature alternate spellings of words or use an alternative top-level domain to impersonate a legitimate website. Members of the public could unknowingly visit spoofed websites while attempting to access FIFA’s website.
This PSA contains an overview of how the scam works and tips to protect yourself, and is being provided to assist agencies, organizations, and individuals in guarding against the persistent malicious actions of cybercriminals.
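
The two domain alterations described above (alternate spellings and alternative top-level domains) can be screened for in proxy or DNS logs; the following is an added example, not part of the FBI PSA. The legitimate domain fifa.com, the distance threshold of 1, and the function names are assumptions, and the lookalike host names are constructed samples under reserved TLDs.

```python
def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # adjacent transposition, e.g. "fiaf" vs "fifa"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def split_domain(host):
    """Return (name, tld) from the last two labels. Naive: multi-label
    public suffixes such as co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]

def classify(candidate, legit="fifa.com", max_distance=1):
    """Label a host name seen in logs relative to the legitimate domain."""
    name, tld = split_domain(candidate)
    legit_name, legit_tld = split_domain(legit)
    if name == legit_name:
        return "legitimate" if tld == legit_tld else "alternate-tld"
    if edit_distance(name, legit_name) <= max_distance:
        return "alternate-spelling"
    return "unrelated"

# Constructed host names, as they might appear in a proxy log
SAMPLE_HOSTS = ["www.fifa.com", "fifa.example", "fiifa.example",
                "fiaf.test", "weather.example"]

def screen(hosts, legit="fifa.com"):
    """Return only the hosts that look like impersonations of `legit`."""
    flagged = {}
    for host in hosts:
        label = classify(host, legit)
        if label in ("alternate-tld", "alternate-spelling"):
            flagged[host] = label
    return flagged

if __name__ == "__main__":
    for host, label in screen(SAMPLE_HOSTS).items():
        print(f"{host}: {label}")
```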