Location data crackdown

The Federal Trade Commission (FTC) and location data broker Kochava said they agreed to a settlement in which the company and its subsidiary Collective Data Solutions would be blocked from selling, sharing, or disclosing sensitive location data without consumers' explicit consent. The company was found to be illegally obtaining and selling consumers' yearly incomes, mobile device IDs, app usage, and nearly real-time geolocation data within 10 meters without their consent or awareness. While the proposed order does not impose a fine on Kochava, the company is required to establish a data retention schedule that will mandate consumers' data be deleted in a predetermined time frame.

Supply chain hardening

pnpm 11 has been released with new supply chain protections in place, including defaulting the minimum release age to 24 hours to reduce the risk of installing compromised packages and blocking exotic sub-dependencies that resolve from non-standard sources, such as Git repositories or direct tarball URLs. "Newly published package versions are not resolved until they are at least one day old. Teams can opt out by setting minimumReleaseAge: 0, but pnpm's default posture now favors a built-in waiting period before fresh package releases enter installs," Socket said. With most package compromise campaigns relying on automated installs to expand their reach, the new effort aims to reduce the risk of packages getting installed immediately after publication.
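The following is an added example, not pnpm's own code: it models the minimumReleaseAge check described above against a constructed registry packument (pnpm states the setting in minutes, so 1440 is the 24-hour default) and flags the kind of non-registry specifiers the release blocks; the specifier patterns are an assumption, not pnpm's exact rule.

```python
"""Added example, not pnpm's own code: models the minimumReleaseAge check that
pnpm 11 now applies by default, using a constructed npm registry packument,
and flags the non-registry ("exotic") specifiers the release blocks by default."""
import re
from datetime import datetime, timedelta
from typing import Optional

ISO_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"   # timestamp format used in registry "time" maps

# Constructed packument excerpt: the registry's "time" map records when each
# version was published (real packuments also carry "created"/"modified" keys).
PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "1.4.1"},
    "time": {
        "created": "2026-05-10T09:00:00.000Z",
        "1.3.0": "2026-05-10T09:00:00.000Z",
        "1.4.0": "2026-05-12T14:30:00.000Z",
        "modified": "2026-05-14T23:10:00.000Z",
        "1.4.1": "2026-05-14T23:10:00.000Z",
    },
}

_VERSION = re.compile(r"\d+\.\d+\.\d+")


def resolve_with_release_age(packument: dict, minimum_release_age: int, now: str) -> Optional[str]:
    """Newest version published at least `minimum_release_age` minutes before `now`.
    pnpm expresses the setting in minutes (1440 = the 24-hour default); 0 disables it."""
    cutoff = datetime.strptime(now, ISO_FMT) - timedelta(minutes=minimum_release_age)
    eligible = []
    for version, published in packument["time"].items():
        if not _VERSION.fullmatch(version):
            continue  # skip the non-version bookkeeping entries
        if minimum_release_age == 0 or datetime.strptime(published, ISO_FMT) <= cutoff:
            eligible.append(version)
    return max(eligible, key=lambda v: tuple(int(p) for p in v.split(".")), default=None)


# Assumed shapes for specifiers that resolve outside the registry (git hosts,
# git+ URLs, direct tarball URLs); pnpm's exact matching rule is not on the page.
_EXOTIC = re.compile(r"^(?:git\+|github:|gitlab:|bitbucket:|https?://\S+\.(?:tgz|tar\.gz)$)")


def is_exotic_specifier(spec: str) -> bool:
    """True when a dependency specifier would be fetched from a non-registry source."""
    return bool(_EXOTIC.match(spec))
```

With the default 24-hour window the day-old 1.4.1 is skipped and 1.4.0 is installed instead; setting the age to 0 restores the pre-pnpm-11 behaviour.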

AI age verification push

Meta said it's deploying artificial intelligence (AI) tools to bolster its underage enforcement measures and remove people under 13 from its services like Facebook and Instagram. Acknowledging that "knowing someone’s age online is a complex, industry-wide challenge," the company said it's using AI to analyze profiles for contextual clues, as well as scan photos and videos for physical cues to assess whether a user is under 13 on Instagram and Facebook. "We want to be clear: this is not facial recognition. Our AI looks at general themes and visual cues, for example, height or bone structure, to estimate someone’s general age; it does not identify the specific person in the image," Meta said. "By combining these visual insights with our analysis of text and interactions, we can significantly increase the number of underage accounts we identify and remove."

North Korea-linked cybercrime case

South Korea's highest court has upheld the one-year prison term for a man, identified as Oh Dae-hyun, who hired an unnamed North Korean cybercriminal to conduct attacks against rival game servers in exchange for a payment of more than $16,300 between October 2014 and March 2015. Per details revealed by NK News last November, the defendant operated an illegal online game server for Lineage and sought access to a file that would allow him to bypass the game's security system and enable users to play the game at a lower cost. To obtain the file, the defendant is said to have communicated with a North Korean cyber actor via the Chinese messaging app QQ. The court also found that Oh recruited the same North Korean national to conduct distributed denial-of-service (DDoS) attacks on rival gaming servers. Per court documents, the North Korean national heads the development team at a trading company under the Workers’ Party of Korea. The company is also believed to have been involved in the creation and sale of DDoS attack programs and cyberterrorism tools to generate revenue for Pyongyang.

Critical ICS security flaws

Two security vulnerabilities have been disclosed in Eclipse BaSyx V2 that pose a severe risk to industrial environments. The vulnerabilities in question are CVE-2026-7411 (CVSS score: 10.0), an unauthenticated path traversal flaw that could be exploited to write arbitrary files, leading to code execution, and CVE-2026-7412 (CVSS score: 8.6), a blind SSRF flaw that forces the BaSyx server to act as a proxy and execute HTTP POST requests to arbitrary internal or external targets. The issues have been patched in version 2.0.0-milestone-10. "By chaining or utilizing these flaws, an external attacker can completely bypass network segmentation," Mohamed Lemine Ahmed Jidou, security researcher and founder of AegisSec, told The Hacker News. "The compromised Digital Twin server can be weaponized to pivot internally and send unauthorized commands directly to isolated Programmable Logic Controllers (PLCs) and industrial sensors, posing a direct threat to physical manufacturing lines."

Broken ransomware encryption

A new analysis of VECT 2.0 ransomware binaries has uncovered multiple critical flaws in both full and intermittent encryption modes, making data recovery impossible even if a ransom payment is made. "VECT's FULL encryptor contains an insufficient memory allocation flaw that restricts successful encryption to files 32 KB or smaller," Halcyon said. "VECT's intermittent mode discards the nonces for all encrypted segments except the final one, retaining only the last 12-byte nonce in the file footer. The decryption algorithm requires the unique nonce for each segment; all segments preceding the final block are cryptographically unrecoverable by the victim and the attacker alike." What's more, a race condition vulnerability exists in the multi-threaded encryption implementation that causes files to be renamed with the .vect extension without their contents being encrypted. In some cases, the contents of one file are saved under a different file name, or two different files are encrypted and saved with the same name, potentially resulting in the loss of one file. "These issues collectively undermine the reliability and repeatability of the Vect2.0 encryption and renaming logic," Halcyon said.
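To make the nonce problem concrete, here is an added illustration (not Halcyon's analysis code and not the ransomware's) of why a footer that retains only the final segment's 12-byte nonce leaves every earlier segment unrecoverable even with the key in hand; the SHA-256 keystream is a toy stand-in for the real cipher and the segment size is a constructed value.

```python
"""Added illustration, not Halcyon's analysis code or the ransomware's: models
why an intermittent-mode file whose footer keeps only the final segment's
12-byte nonce cannot be fully decrypted. The SHA-256 keystream is a toy
stand-in for the real cipher; the segment size is constructed for brevity."""
import hashlib
import os

SEGMENT_SIZE = 16   # constructed value; the real encryptor's segment size is not on the page
NONCE_LEN = 12      # the footer nonce length reported by Halcyon


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_segments(data: bytes) -> list:
    return [data[i:i + SEGMENT_SIZE] for i in range(0, len(data), SEGMENT_SIZE)]


def encrypt_flawed_intermittent(plaintext: bytes, key: bytes) -> bytes:
    """Each segment gets a fresh nonce, but only the LAST nonce survives in the footer."""
    body = b""
    last_nonce = b""
    for seg in split_segments(plaintext):
        last_nonce = os.urandom(NONCE_LEN)   # the previous nonce is overwritten, i.e. discarded
        body += xor_bytes(seg, keystream(key, last_nonce, len(seg)))
    return body + last_nonce


def decrypt_with_footer(ciphertext: bytes, key: bytes) -> list:
    """Best effort with key plus footer: every segment must reuse the one retained nonce."""
    body, nonce = ciphertext[:-NONCE_LEN], ciphertext[-NONCE_LEN:]
    return [xor_bytes(seg, keystream(key, nonce, len(seg))) for seg in split_segments(body)]


def recoverable_segments(plaintext: bytes, key: bytes) -> list:
    """Per-segment verdict for a round trip through the flawed format: only the last is True."""
    recovered = decrypt_with_footer(encrypt_flawed_intermittent(plaintext, key), key)
    return [r == o for r, o in zip(recovered, split_segments(plaintext))]
```

For a three-segment input the verdict is [False, False, True]: the footer nonce decrypts the last segment only, and the other nonces exist nowhere on disk.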

Oracle accelerates patching

Oracle said it will supplement the quarterly Critical Patch Update (CPU) fixes with monthly security releases focused on high-priority vulnerabilities, citing the increased pace of AI-assisted vulnerability disclosures stemming from the adoption of AI models like Anthropic Mythos to aid with code analysis, security testing, and vulnerability detection. Several vendors like Microsoft, SAP, Adobe, and Google (for Android) already release patches on a monthly cadence, most of which occur on the second Tuesday of each month. Oracle's release cycle, however, will be on the third Tuesday of each month. The first monthly Critical Security Patch Updates (CSPUs) will arrive on May 28, 2026. "CSPUs provide targeted fixes for critical vulnerabilities in a smaller, more focused format, allowing customers to address high-priority issues without waiting for the quarterly release," Oracle said. "Security depends on identifying vulnerabilities quickly and applying fixes just as quickly."

Global smishing surge

Scammers are sending tens of thousands of fraudulent text messages to mobile users across 12 countries, impersonating transport authorities, toll operators, and parking services, as part of a new mass smishing campaign, per Bitdefender Labs. The campaign, dubbed Operation Road Trap, has been active since December 2025. More than 79,000 fraudulent messages have already been detected in 40 distinct SMS scam campaigns. Countries targeted include the U.S., Canada, Australia, New Zealand, France, Spain, Colombia, Brazil, India, the U.K., Ireland, and Luxembourg. "All messages share a common goal: to persuade recipients to pay a fake fine, hand over sensitive information, or install spyware," the company said. "At this stage, there’s no confirmed link tying these campaigns together, beyond a shared theme of messages about unpaid tolls, parking violations, or traffic fines." The activity has not been attributed to a specific threat actor or group.

Encrypted backup hardening

Meta has updated its infrastructure used for protecting end-to-end encrypted backups for WhatsApp and Messenger using a hardware security module (HSM)-based Backup Key Va