Norwegian Dam’s OT Breached via Weak Password; OpenVSX was Critically Vulnerable to Supply Chain Attack; Scam Texts Arrive After Glasgow City Council Takes Services Offline

Hackers breached Norway's Lake Risevatnet dam control system in April, opening the facility's valve and increasing the water flow for four hours before the incident was detected. The increase in volume did not pose an immediate danger. Officials think the intruders exploited a weak password for the dam's web-based control panel and accessed the dam's operational technology (OT) environment. The dam's owner discovered the incident on April 7 and alerted authorities on April 10. The facility "primarily serves a fish farm and is not connected to Norway’s power grid."

Researchers at Koi Security write that they have found a critical vulnerability in OpenVSX that could be exploited to gain "full control over the entire extensions marketplace, and in turn, full control over millions of developer machines." Hosted by the Eclipse Foundation, OpenVSX is an open-source extension marketplace alternative to Microsoft’s Visual Studio Code marketplace. Koi researchers write, "By exploiting a CI issue a malicious actor could publish malicious updates to every extension on Open VSX." Koi found the vulnerability, which lies in the publish-extensions repository, in May 2025; the flaw was patched on June 25, 2025.

Scotland's Glasgow City Council has posted an update on a cyber incident discovered on June 19, 2025, warning citizens of counterfeit parking fine collection text messages reported in the days following the incident, noting that online parking penalty payment systems are among the systems still offline after the attack. The council stresses that disruptions to a wide range of web-based services were caused by the council's protective "isolation of the affected servers," not by malicious activity. The council's Information and Communication Technology supplier, CGI, observed "malicious activity on servers managed by a third-party supplier," and ongoing investigation will involve law enforcement as well as the Scottish Cyber Coordination Centre (SC3) and the National Cyber Security Centre; specialists have currently ruled out email as the attack vector. Online services that have been disrupted or whose calendars or forms are unavailable include planning applications, penalty charge notices, pensions, registrars, revenues and benefits, permits, complaints, certificates, comments and compliments, FOI requests, applications for footway crossings, elections, planning enforcement and statutory enforcement, public and future processions, the Sign Language Interpreter Service (SILS), the Glasgow Film Office's location library, pupil absence forms, the bin calendar, taxi complaints, and the council diary. While the council and its partners do not believe data were stolen and state that no financial information was accessed or compromised, they have contacted the Information Commissioner's Office (ICO) as a precaution. The notice urges caution with communications, emphasizing that the Council will never ask for sensitive information via email, and encouraging that any suspicious contact and fraud be reported to law enforcement and to Scotland's Cyber and Fraud Hub.

The US Food and Drug Administration (FDA) has published an updated version of its final guidance for medical device cybersecurity, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The FDA writes, "this document provides FDA’s recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk." FDA was granted increased authority over medical device cybersecurity in late 2022, giving it the authority to automatically reject submissions that are not accompanied by specified cybersecurity information. The first version of the document was published in September 2023. The updated document includes clarification regarding the definition of a cyber device and premarket submission recommendations.

A UK man has been sentenced to more than seven months in jail after he sabotaged his former employer's IT system. In July 2022, Mohammed Umar Taj was suspended from his position as an IT worker at an as-yet undisclosed company. Within hours of his suspension, Taj "physically accessed the premises and corporate computer systems in order to change logins and multifactor authentication (MFA). This enabled him to disrupt business operations, and those of customers in the UK, Germany and Bahrain, the police force said." His activity caused the firm monetary losses estimated at £200,000 (US$274,000) as well as damage to the firm's reputation. Taj admitted to one charge of committing unauthorized acts with intent to impair the operation of or hindering access to a computer, a violation of the Computer Misuse Act.

Ahold Delhaize, a Dutch-Belgian multinational holding company, now says that a November 2024 ransomware attack compromised information belonging to 2.2 million people. The attack itself disrupted the company's IT systems, preventing customers from ordering groceries online. The threat actors accessed internal employment records; the compromised information includes Social Security numbers, passports, financial account information including bank numbers, health information, and other sensitive employment data. Ahold Delhaize owns several grocery store chains in the US, including Stop & Shop, Hannaford, and Giant Food.

The US Federal Bureau of Investigation's (FBI's) Internet Crime Complaint Center (IC3) has published an alert warning that criminals are impersonating health insurers and employees to send phishing emails and text messages in an attempt to trick recipients into disclosing protected health information (PHI) and other sensitive personal data. IC3 reminds consumers of basic cyber hygiene practices: be suspicious of unsolicited messages; never click on unsolicited links; use multifactor authentication (MFA); keep software and antivirus products updated; and contact health insurance companies directly to verify communication. The alert comes soon after a series of recent cyberattacks targeting US insurance companies. Health-ISAC CISO Errol Weiss also reports increased phishing and social engineering attacks targeting healthcare organizations.

In November 2024, Microsoft launched its Windows Resiliency Initiative (WRI), which "prioritizes preventing, managing and recovering from security and reliability incidents, mitigating issues swiftly and providing seamless recovery across the Windows platform." As part of WRI, Microsoft will preview their new Windows endpoint security platform to some Microsoft Virus Initiative (MVI) customers in July 2025. "The new Windows capabilities will allow them to start building their solutions to run outside the Windows kernel." This change is an effort to decrease the likelihood of another event like last summer's CrowdStrike outage. Other WRI offerings include a WRI e-book and product innovations like improving recovery time following unexpected restarts.

On June 26, 2025, Let's Encrypt, the Internet Security Research Group's (ISRG's) non-profit certificate authority (CA) and one of the largest CAs in the world, published a blog post summarizing their decision to cease sending notification emails to subscribers via the Automatic Certificate Management Environment (ACME) API when certificates expire. This policy has now been in effect for nearly a month, since June 4, 2025, and Let's Encrypt lists four factors in the change: certificate renewal is increasingly reliably automated; in the interest of data privacy, Let's Encrypt no longer wishes to retain "millions of email addresses connected to issuance records"; the large amount of funding needed to operate the expiration notification service is better used elsewhere; and the notification system represents an infrastructural complication whose value no longer justifies its maintenance. Let's Encrypt has deleted all email addresses associated with issuance data, and an unassociated system retains email addresses for mailing lists and other services. The CA notes that third-party monitoring services are available for users who still need expiration notifications.

On June 26, 2025, Hawaiian Airlines posted a press release disclosing a cybersecurity event affecting some of their IT systems, stating that they began investigation and remediation with "appropriate authorities and experts" immediately upon learning of the incident. All flights continue to operate "safely and as scheduled," and a second update almost six hours later states that "guest travel is not impacted." The following day the airline filed form 8-K with the US Securities and Exchange Commission (SEC) as a subsidiary of Alaska Air Group, Inc., stating the same information and noting that the company "has not yet determined" the potential for material impact on finances and operations. A US Federal Aviation Administration (FAA) spokesperson states "There has been no impact on safety, and the airline continues to operate safely." The company has not disclosed the nature nor the scope of the attack. This incident follows a similar disclosure from Canadian airline WestJet on June 13, and nearly coincides with June 27 warnings from the FBI, Mandiant, and Palo Alto Networks that Scattered Spider may be targeting the aviation and transportation sectors.