New NIST Draft Publication: Responding to and Recovering from a Cyber Attack

Now Available for Public Comment!
NIST SP 1800-41, Responding to and Recovering from a Cyber Attack

The NIST National Cybersecurity Center of Excellence (NCCoE) has released the initial public draft of NIST Special Publication 1800-41, Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector, which provides guidelines on response and recovery activities in an industrial control system (ICS) environment and recommendations to improve operational resilience. The comment period for this publication is open through July 8, 2026.

Background

As Operational Technology (OT) systems like ICS become more interconnected with IT networks, they are increasingly being targeted by cyber threats, putting factory operations, safety, and property at risk. Organizations operating these systems, such as those in the manufacturing sector, need to have plans and capabilities in place to respond to cyber incidents and restore operations to improve overall resilience.

The NCCoE worked with 11 industry collaborators to develop reference architectures, describe response and recovery scenarios, and demonstrate relevant approaches and capabilities.

This draft publication provides actionable guidelines on responding to and recovering from cyber attacks in manufacturing environments. Discover how to:

  • Understand the risks and potential impact of cyber incidents on your operations
  • Develop a comprehensive response and recovery plan
  • Implement best practices to minimize downtime and restore operations quickly

Comment Now!

Review the publication and share your feedback by July 8, 2026. If you’re interested in staying up-to-date on this project, we encourage you to join the NCCoE Manufacturing Community of Interest (COI).

Upcoming Webinar

Join us for a webinar on June 4th, 2026, for an overview of these guidelines. Visit the event page to register and learn more about this event.


Kali365 Phishing-as-a-Service Kit Hijacks Microsoft 365 Access Tokens

The Federal Bureau of Investigation (FBI) issued this Public Service Announcement (PSA) to warn the public about an emerging Phishing-as-a-Service (PhaaS) platform called Kali365, first seen in April 2026. Kali365 has primarily been distributed via Telegram, enabling cyber threat actors to obtain Microsoft 365 access tokens and bypass multi-factor authentication (MFA) protocols without intercepting the user’s credentials.
Through the Kali365 platform subscription, cyber threat actors can capture “OAuth” tokens and gain persistent access to targeted individuals/entities’ Microsoft 365 environments. Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities.
This PSA contains an overview of how the scam works, tips to protect yourself, and is being provided to assist agencies, organizations, and individuals in guarding against the persistent malicious actions of cybercriminals.

First VPN Service Used by Ransomware Actors to Compromise Systems

The Federal Bureau of Investigation (FBI) released this FBI Liaison Alert System (FLASH) to disseminate indicators of compromise (IOCs) and identified tactics, techniques, and procedures (TTPs) associated with the First VPN Service. The service has been active since approximately 2014 and currently provides 32 exit node servers in 27 countries. At least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions. First VPN Service IP addresses have been used for scanning activity, botnets, denial of service attacks, scams, and hacking. First VPN Service was almost exclusively advertised in known criminal dark web forums such as Exploit[.]in and XSS[.]is, two of the most prominent Russian-language online forums which provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband.
This reporting applies solely to the First VPN Service and does not extend to other VPN providers with similar naming.
The release of this FLASH follows the coordinated takedown of the First VPN Service through a joint law enforcement operation supported by the FBI. This operation was conducted by France’s Direction Régionale de la Police Judiciaire Brigade de Lutte Contre la Cybercriminalité (BL2C), and the Dutch National Police, National High Tech Crime Unit (NHTC), with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg.
This FBI FLASH contains technical details, indicators, MITRE ATT&CK mapping, and recommended mitigations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
Administrative Note: The information in this document is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors. The FBI does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI.

Deadline Two Days Away: New Funding to Fuel Your Cybersecurity Workforce Development Efforts

On April 14, 2026, NIST announced a new Notice of Funding Opportunity (NOFO) to support Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. The funding expands the existing RAMPS program and anticipates awarding up to sixteen (16) new awards of up to $200,000 through cooperative agreements. The authorized period of performance for awards issued pursuant to this NOFO is no more than two (2) years.  

Applicants must demonstrate through letters of commitment that, in addition to the applicant, at least one of each of the following types of organizations is committed to being part of the proposed regional alliance:

  • at least one local employer or owner or operator of critical infrastructure (that is not the applicant), and
  • at least one of the following (that is not the applicant):
    • K12 School,
    • Local State Agency,
    • Local Educational Agency,
    • Institution of Higher Education,
    • Non-Profit Organization, or
    • Training Organization.

The deadline to apply is Thursday, May 28, 2026, by 11:59 p.m. Eastern Time. 

More information about the RAMPS NOFO may be found in the recording of the webinar for interested applicants and an FAQ.

Deadline to apply: May 28, 2026

Register Now: NIST Workshop on Hardware CPE and CVSS Updates – June 22, 2026

NIST will host a workshop on proposed updates to Common Platform Enumeration (CPE) and the Common Vulnerability Scoring System (CVSS) for hardware. The workshop gathers community feedback on draft revisions to how hardware is identified and how hardware vulnerabilities are scored, and that feedback will shape the next draft cycle.

Date: June 22, 2026

Time: 10:00 AM – 5:00 PM Eastern Daylight Time (EDT)
(morning coffee and snacks at 9:30 AM)

Format: Hybrid (attend in person or virtually)

Registration fee: $96 in person / $46 virtual

Registration deadlines: June 15, 2026 at 6:00 PM EDT (in person); June 22, 2026 at 9:00 AM EDT (virtual)

For more information on the event, or to register, click on the button below.

Register Now

Questions? Contact cpe-workshop@nist.gov.

Stay involved beyond the workshop. CPE development and public comments continue on the cpe-dev mailing list. To follow or take part in ongoing CPE specification work, join here.

Threat Actors Spoofing FIFA Websites in Advance of the 2026 World Cup

The Federal Bureau of Investigation (FBI) issued this Public Service Announcement (PSA) to warn the public that cyber threat actors are conducting spoofing attacks against the Fédération Internationale de Football Association (FIFA) website in advance of the 2026 FIFA World Cup. A spoofed website is designed to pose as a legitimate website, with branding, product listings, etc., and malicious actors use them to further illegal activity like personal information theft and facilitating monetary scams.
Threat actors often create spoofed websites by slightly altering characteristics of legitimate website domains, with the purpose of gathering personally identifiable information (PII) entered by a user into the site, including name, home address, phone number, email address, and banking information. For example, spoofed website domains may feature alternate spellings of words or use an alternative top-level domain to impersonate a legitimate website. Members of the public could unknowingly visit spoofed websites while attempting to access FIFA’s website.
This PSA contains an overview of how the scam works, tips to protect yourself, and is being provided to assist agencies, organizations, and individuals in guarding against the persistent malicious actions of cybercriminals.
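
One way a defender could triage domains seen in proxy or DNS logs for the two patterns described above, alternate spellings and alternate top-level domains. This is an added example, not part of the FBI PSA: the protected domain `fifa.com` is passed as a parameter, the sample domains are constructed for illustration and are not reported indicators, and the look-alike character map and the "last label is the TLD" split are simplifying assumptions.

```python
from typing import Optional

# Small illustrative map of characters often swapped for look-alike letters.
CONFUSABLES = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "5": "s"})


def split_domain(domain: str) -> tuple[str, str, str]:
    """Return (subdomains, name, tld). Naive: the last label is the TLD."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified domain: {domain!r}")
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, legit: str, max_edits: int = 1) -> Optional[str]:
    """Return why `domain` resembles `legit`, or None if it does not."""
    _, name, tld = split_domain(domain)
    _, legit_name, legit_tld = split_domain(legit)
    if (name, tld) == (legit_name, legit_tld):
        return None  # the real site or one of its subdomains
    if name == legit_name:
        return "alternate-tld"
    if name.translate(CONFUSABLES) == legit_name.translate(CONFUSABLES):
        return "alternate-spelling (look-alike characters)"
    if edit_distance(name, legit_name) <= max_edits:
        return "alternate-spelling"
    return None


def scan(observed: list[str], legit: str) -> dict[str, str]:
    """Map each suspicious observed domain to the reason it was flagged."""
    flagged = {}
    for domain in observed:
        reason = classify(domain, legit)
        if reason:
            flagged[domain] = reason
    return flagged


# Constructed sample input (not real indicators).
SAMPLE = ["www.fifa.com", "tickets.fifa.com", "fifa.example",
          "f1fa.com", "fiifa.com", "nist.gov"]

if __name__ == "__main__":
    for domain, reason in scan(SAMPLE, "fifa.com").items():
        print(f"{domain}: {reason}")
```

With a label as short as four characters, an edit distance of one also matches unrelated legitimate names, so treat hits as candidates for review rather than verdicts.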

Realize the value of AI with Microsoft 365

AI moves quickly, and IT leaders are looking for ways to keep pace. As you go from experimentation to adoption, expand your AI capabilities while prioritizing security and governance.

In the e-book, Powering Frontier Transformation with Intelligence and Trust, you’ll explore how to bring AI, agents, and enterprise-grade security into everyday work.

Get the e-book to gain insight on:

  • Why leaders are shifting from using AI as a tool to reengineering AI into daily workflows.
  • How frontier firms accelerate productivity while maintaining visibility with human-led agent teams.

Operate AI and agents within existing identity, security, and compliance foundations to mitigate risk as you scale with Microsoft 365 E7

Get the e-book 

Interesting Read: Copy Fail: 732 Bytes to Root on Every Major Linux Distribution

Xint Code disclosed CVE-2026-31431, an authencesn scratch-write bug chaining AF_ALG + splice() into a 4-byte page cache write. A 732-byte PoC gets root on Ubuntu, Amazon Linux, RHEL, SUSE.

Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel’s authencesn cryptographic template. It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.

The kernel never marks the corrupted page dirty for writeback, so the file on disk remains unchanged and ordinary on-disk checksum comparisons miss the modification. However, the page cache is what actually gets read when accessing the file, so the corrupted in-memory version is immediately visible system-wide. A local unprivileged user can turn this into root by corrupting the page cache of a setuid binary. The same primitive also crosses container boundaries because the page cache is shared across the host.

This finding was AI-assisted, but began with an insight from Theori researcher Taeyang Lee, who was studying how the Linux crypto subsystem interacts with page-cache-backed data. He used Xint Code to scale his research across the entire crypto subsystem, and Copy Fail was the most critical finding in the report.

Read the full article here

Careful Adoption of Agentic Artificial Intelligence Services

The Cybersecurity and Infrastructure Security Agency (CISA) along with Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), National Security Agency (NSA), Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre (NCSC-NZ), and United Kingdom National Cyber Security Centre (NCSC-UK) released this Joint Guidance which discusses key cybersecurity challenges and risks associated with the introduction of agentic artificial intelligence (AI) into information technology environments, as well as best practices for securing agentic AI systems. The Joint Guidance also provides actionable recommendations to help organizations anticipate, assess, and mitigate agentic AI-specific risks.
Agentic AI systems increasingly operate across critical infrastructure and defense sectors and support mission-critical capabilities. As agentic AI systems play a growing operational role, it is crucial for defenders to implement security controls to protect national security and critical infrastructure from agentic AI-specific risks. Agentic AI can automate repetitive, well-defined and low-risk tasks. However, these additional opportunities come with additional risks. Like other AI services, agentic AI can be misused or misappropriated, leading to productivity losses, service disruption, privacy breaches or cybersecurity incidents. Organizations must therefore anticipate what could go wrong, assess how agentic AI risk scenarios might affect operations and establish ongoing visibility and assurance to maintain confidence in their agentic AI investments. Where possible, organizations should also consider a full spectrum of solutions for repetitive tasks, including reducing or eliminating low-value processes, which may be lower risk compared to agentic AI solutions.
The authoring agencies strongly recommend aligning agentic AI risks and mitigation strategies with your organization’s existing security model and risk posture. The authoring agencies further recommend adopting agentic AI with security in mind, assessing its use and never granting it broad or unrestricted access, especially to sensitive data or critical systems. Additionally, organizations should only use agentic AI for low-risk and non-sensitive tasks.

These As-A-Service Models Are Getting Out of Hand

There has been a massive increase in the availability, variety, and adoption of Cybercrime-as-a-Service (CaaS) tools. These services offer potential bad actors a low-cost, low-barrier entry into cybercrime by providing rentable, user-friendly tools and infrastructure for launching cyberattacks. Customer support is often included, allowing affiliates (cybercriminals) who rent these services to reach out to the developers for assistance.
No longer standalone operations, these services are often run by teams of threat actors, each with a distinct role to keep operations running smoothly and maintain the backend while still receiving regular payouts from affiliate-driven attacks. Originally a niche underground market, CaaS has transformed into a multi-billion-dollar global industry, making hacking accessible to potential criminals through subscription plans that start at $50.

Ransomware-as-a-Service (RaaS)

While many new players are making names for themselves in the RaaS market, older, more established ransomware developers have also created their own rentable ransomware infrastructure. These kits handle key aspects of a ransomware attack, including ransom notes, payment portals, data encryption, and malware maintenance.
RansomHub, though still newer to the scene, has quickly made a name for itself with its double-extortion tactics – stealing data before encrypting victims’ systems. These aggressive tactics, along with the affiliate’s larger-than-average share of the ransom payment, help this RaaS model continue to dominate the landscape. Some of the older, more well-known groups include Akira, known for targeting small-to-medium enterprises (SMEs) and critical infrastructure; Qilin, whose highly customizable platform frequently targets the healthcare and manufacturing sectors; and LockBit, which created a RaaS model that enabled faster, more automated attacks.

Phishing-as-a-Service (PhaaS)

Over time, the phishing landscape has become increasingly dominated by PhaaS kit providers. These providers offer services such as email templates, fake websites used to harvest credentials, and Adversary-in-the-Middle (AitM) technologies that not only capture credentials in real time but also steal session tokens, allowing threat actors to bypass multi-factor authentication prompts.
Some of the major players include EvilProxy, known for its session token-stealing capabilities that can grant access to accounts without the victim’s knowledge. Using AI to scrape targeted companies for signature styles, tone, and branding, Greatness aims to create lures that mirror legitimate brand messages and alerts. New kits, such as Kratos and Venom Stealer, specialize in ClickFix social engineering, which tricks users into pasting malicious commands directly into their terminals, often by posing as OS Update or CAPTCHA errors.

Malware-as-a-Service (MaaS)

MaaS encompasses a broader range of attacks. Some providers specialize in infostealer malware that steals data such as browser cookies, autofill data, clipboard information, cryptocurrency wallets, and credentials. Lumma Stealer is a popular infostealer that is regularly updated to evade endpoint detection and response (EDR) systems. Other providers, such as SocGholish, are known as initial access brokers (IABs). IABs gain access to networks and sell that access through criminal forums, auctions, or directly to other cybercriminals. These initial access attacks can also leave behind loaders, which, when installed on a device, can download, install, and execute additional malware, including infostealers, ransomware, and cryptominers.
Other types of MaaS include Distributed Denial-of-Service (DDoS) as a Service, which lets affiliates rent a botnet to overwhelm a website with traffic and take it offline. Deepfakes as a Service offers rentable AI tools that can clone an executive’s voice or face in real time for voice or video calls, often used to target high-value wire transfers.

Recommendations

Exercise caution with communications from known senders or legitimate platforms. Confirm requests from senders using contact information obtained from verified, official sources before taking action, such as clicking links or opening attachments.

Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.

Enable multi-factor authentication (MFA) and keep systems and browsers up to date. If victimized, disconnect from the internet and run anti-virus/anti-malware scans.

Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools.

If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes.

Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.

Report malicious cyber activity to the NJCCIC and the FBI’s IC3.

Glossary

Adversary-in-the-Middle – The attacker secretly relays and possibly alters communications between two parties who believe they are communicating directly with each other.
Deepfake – Images, videos, or audio that have been edited or generated using artificial intelligence, AI-based tools, or audio-video editing software.
Distributed Denial-of-Service (DDoS) – A cyberattack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network.
Malware – Software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of an information system.
Phishing – The use of convincing emails or other messages to trick us into opening harmful links or downloading malicious software. 
Ransomware – A type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.
Session Token – A temporary digital key used to verify a user’s identity after login, enabling secure and continuous access to Web Applications.