cybersecurity

cross-posted from: https://lemmy.sdf.org/post/35125971

Archived

Danish firms have found “suspicious” components added to east Asian circuit boards that were supposed to be built into the country’s green energy infrastructure, according to an industry body.

It has raised concerns about the potential for remote disruption of the power supply or digital espionage, coming a week after the US claimed to have identified “kill switches” in a consignment of solar panels and batteries from China.

[...]

Green Power Denmark, an umbrella group for 1,500 Danish renewable technology companies, said the components from “the East” had been found during routine checks on a “development project” that had at no point been connected to the grid.

“It’s a clear warning: threats to energy security can hide in plain sight,” the organisation said. “The real danger isn’t always sabotage. It can also be unlisted components. Hidden functions. That’s why Danish energy companies dismantle and inspect before anything goes live.”

Jorgen Christensen, Green Power Denmark’s technical director, said there was no proof of foul play and it was possible that the mysterious electronics had been included to add some kind of innocent function to the circuit boards.

“It’s possible the supplier had no malicious intent,” he told Reuters. “We can’t say at this point. But that doesn’t change the fact that these components shouldn’t be there.”

Walburga Hemetsberger, head of the lobby group SolarPower Europe, said the discovery was highly concerning and called for an investigation.

[...]

In recent years experts have issued increasingly strident warnings about the security risk posed by China’s stranglehold over the supply of many categories of renewable energy components in Europe, such as batteries, turbines and the inverters used to smooth the voltage of power as it is fed into the grid.

The large-scale blackout that occurred a fortnight ago across much of Spain and Portugal, both of which depend heavily on Chinese-made solar energy infrastructure, has further concentrated minds on the issue.

[...]

This project implements a FastAPI-based local server designed to load one or more pre-trained NLP models during startup and expose them through a clean, RESTful API for inference.

For example, it leverages the Hugging Face transformers library to load the CIRCL/vulnerability-severity-classification-distilbert-base-uncased model, which specializes in classifying vulnerability descriptions according to their severity level. The server initializes this model once at startup, ensuring minimal latency during inference requests.

Clients interact with the server via dedicated HTTP endpoints corresponding to each loaded model. Additionally, the server automatically generates comprehensive OpenAPI documentation that details the available endpoints, their expected input formats, and sample responses—making it easy to explore and integrate the services.

The ultimate goal is to enrich vulnerability data descriptions through the application of a suite of NLP models, providing direct benefits to Vulnerability-Lookup and supporting other related projects.

cross-posted from: https://lemmy.sdf.org/post/35141215

Archived

Here is the German Federal Office for Information Security's original press release (and a link to download the paper, both in German)

[...]

The German Federal Office for Information Security said has for years ranked energy sector at a "high" risk of hacking. Recent shifts including new technologies such as internet-connected solar power inverters and a tense geopolitical situation should nonetheless spark increased concern, the agency said.

[...]

The growth of decentralized energy sector operations make the grid more complex to secure since thousands of smaller players with photovoltaic systems become part of the grid. Solar inverters and grid control technology is additionally at risk of supply chain attacks, the German agency [better known as the BSI for its German acronym] said.

"A successful disturbance of energy supply in Germany or Europe is a horror scenario for citizens, the German economy and the state bodies. Social life would come to a standstill, the economic damage would be enormous," said BSI President Claudia Plattner.

[...]

The agency last year identified a slew of nation-state groups targeting German critical infrastructure, including China's Nylon Typhoon and Russian groups Fancy Bear and Midnight Blizzard.

[...]

cross-posted from: https://lemmy.sdf.org/post/35083943

Archived

Advanced persistent threat (APT) groups with ties to China have become persistent players in the cyber espionage landscape, with a special emphasis on European governmental and industrial entities, according to a thorough disclosure from ESET’s APT Activity Report for Q4 2024 to Q1 2025.

The report, covering activities from October 2024 to March 2025, highlights the sophisticated tactics and tools employed by these threat actors to infiltrate sensitive networks.

[...]

These diverse and innovative techniques illustrate the persistent dedication of China-aligned APTs to espionage, often prioritizing long-term access over immediate financial returns.

The ESET report emphasizes that the highlighted operations are merely a snapshot of the broader threat landscape, with intelligence derived from proprietary telemetry data and verified by expert researchers.

The sustained focus on European targets by these APT groups signals a strategic intent to gather sensitive political and industrial intelligence, potentially influencing geopolitical dynamics.

[...]

This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

• AI media generation is a significant trend in how we use the Internet in 2025. Kling AI is a widely used platform, with 6 million users since its launch in June 2024.
• A threat actor mimicked Kling AI and drove traffic to a convincing fake website via counterfeit Facebook pages and paid ads.
• User submissions of a text prompt or image on this fake site produce a seemingly innocent media file whose filename uses Hangul Filler characters to conceal an executable.
• In some cases, the executable’s loader used .NET Native AOT compilation for stealth. Executing it installs an infostealer with monitoring capabilities.
• This campaign has a global reach, with victims reported across multiple regions, most notably in Asia.

A brief look at all things infostealers for the week 20, 2025 (12.05.2025–18.05.2025). This week observed updates from LummaC2, MonsterV2 and KatzStealer infostealers. Grabbed some numbers from marketplaces and some interesting news/articles.

cross-posted from: https://lemmy.sdf.org/post/34853591

Archived

The world is in a cyberwar in every sense except a legal one because no side has declared war, said Mart Noorma, director of the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) in Tallinn. Russian hackers' goal is to sow chaos and steal money, he said.

[...]

The avalanche of attacks from Russia is very intense. "The bad actors think they can attack as much as they can, limited only by how well countries can defend themselves and hold the criminals accountable," he told the show.

"The West constantly feels how hacker groups supported by the Russian authorities are carrying out attacks against us. By supporting hacker groups, the state can more easily create confusion. Then the state is not directly connected. Creating chaos has been a constant for Russia — their goal is to achieve geopolitical and cognitive effects so that people in democratic countries begin to doubt their values and governments. Even influencing presidential elections is of interest to the hackers," he explained.

"Quite often, Russian hackers also have financial motives — the proceeds are divided among state agencies," Noorma explained.

[...]

Archived

• In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page.
• In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
• For MDaemon, Sednit used a zero-day XSS vulnerability. We reported the vulnerability to the developers on November 1st, 2024 and it was patched in version 24.5.1.
• Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.
• The report provides an analysis of the JavaScript payloads SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.
• These payloads are able to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox. Additionally, SpyPress.MDAEMON is able to set up a bypass for two-factor authentication.

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)