Poland’s Internal Security Agency (ABW) has published a detailed account of a sustained campaign targeting the country’s water plants, documenting security breaches at five water treatment facilities in 2025. The incidents mark one of the clearest documented cases in Europe of state-linked hackers gaining direct access to industrial control systems managing public water supplies.
The affected facilities were located in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. In several cases, attackers didn’t just observe, they obtained the ability to modify operational parameters of equipment in real time, creating a direct and concrete risk to the continuity of public water services. A breach of this kind isn’t a data theft. It is the digital equivalent of sabotage.
“In some cases, the attackers gained access to industrial control systems and obtained the capability to modify device operating parameters.” reads the report published by ABW. “This created a direct threat to the continuity of water supply processes and the proper functioning of municipal infrastructure.”
The attack vectors ABW identified are as unglamorous as they are alarming: weak password policies and systems left directly exposed to the internet. These are not sophisticated zero-day exploits. They are basic security failures that the OT and ICS security community has been warning about for years.
“The incidents were made possible by inadequate security measures, including weak password policies and the exposure of management interfaces directly to the public internet.” continues the report. “In several cases, systems responsible for operational technology were accessible without sufficient protection mechanisms.”
The attribution points firmly eastward. ABW identified Russian APT groups APT28 and APT29, the same actors linked to election interference across Europe and the SolarWinds supply chain attack, as well as UNC1151, a Belarusian-aligned group previously connected to the Ghostwriter operation targeting NATO countries.
“APT28, APT29 and UNC1151 are among the most active state-linked cyber espionage groups operating against European targets.” concludes the report. “Their activities combine intelligence collection, disruptive cyber operations and coordinated information warfare campaigns.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Water Plants)
A new open-source cybersecurity platform called DarkMoon has emerged as a significant advancement in autonomous penetration testing.
It provides security teams and DevSecOps professionals with a fully AI-powered vulnerability assessment system. DarkMoon integrates over 50 specialized offensive security tools, all managed through a controlled execution interface.
DarkMoon is an automated penetration testing platform that uses artificial intelligence to orchestrate complete security assessments without manual intervention.
Unlike traditional vulnerability scanners, DarkMoon deploys a multi-agent AI architecture where specialized sub-agents reason, plan, and execute real offensive security operations through a controlled Model Context Protocol (MCP) interface, a gatekeeper layer that ensures the AI never directly touches the underlying system.
The platform aligns with recognized security frameworks, including ISO 27001, NIST SP 800-115, and the MITRE ATT&CK methodology, making it a standards-compliant option for organizations seeking repeatable, evidence-based assessments.
When a target is provided via the command line, DarkMoon automatically progresses through a multi-phase assessment: discovering open ports and services, fingerprinting the technology stack, modeling the attack surface, and then deploying specialized sub-agents based on what it detects.
The platform dynamically triggers agents tailored to discovered technologies:
Multiple agents can execute in parallel across a hybrid infrastructure, significantly accelerating assessment timelines compared to sequential manual testing.
DarkMoon ships with a purpose-built Docker image housing over 50 compiled security tools organized by category.
Port scanning is handled by Naabu and Masscan; web application testing leverages Nuclei, ffuf, sqlmap, Arjun, and wafw00f; reconnaissance uses Subfinder, Katana, Waybackurls, and httpx; CMS testing relies on WPScan and CMSeeK; and network enumeration employs Hydra, dig, and SNMP tooling.
All tools are accessible inside the Docker toolbox without path configuration — the AI reasons and plans, the MCP controls execution, and the Docker container runs the tools in isolation.
DarkMoon is designed for security teams running continuous automated testing, DevSecOps engineers integrating security into CI/CD pipelines, bug bounty hunters accelerating target analysis, and security researchers exploring adaptive attack surfaces in real time.
The platform supports bug bounty mode natively, with command-line flags such as FOCUS, EXCLUDE, SEVERITY, and FORMAT=h1 interpreted directly by the AI agent.
DarkMoon is available on GitHub at github.com/ASCIT31/Dark-Moon and requires only Docker, Docker Compose, and an LLM API key from providers such as Anthropic, OpenAI, or OpenRouter with local model support via Ollama and llama.cpp also available.
The platform represents a broader industry trend toward autonomous AI-driven penetration testing that scales beyond the limits of human-only security teams.
Cybercriminals now enter through your suppliers instead of your front door – Free Webinar
The post DarkMoon AI-Powered Autonomous Penetration Testing Platform With 50+ Tools appeared first on Cyber Security News.
According to an official statement, UIDAI and NFSU have established a structured collaboration designed to address emerging challenges in cybersecurity and digital forensics.
Meta patched two WhatsApp flaws affecting iOS, Android, and Windows users, including bugs tied to risky files, links, and Reels previews.
The post New WhatsApp Flaws Could Affect Billions of Users After Meta Security Patch appeared first on TechRepublic.
Hackers abused Google AppSheet to send Meta phishing emails, compromising 30,000 Facebook business accounts across 50 countries.
The post Google AppSheet Abuse Helped Phish 30,000 Facebook Accounts appeared first on TechRepublic.
A new open-source project called CVE MCP Server is redefining how security teams triage vulnerabilities, transforming Anthropic’s Claude AI into a fully capable security analyst by giving it direct, correlated access to 27 intelligence tools spanning 21 external APIs all through a single natural-language query.
Every security analyst knows the painful reality: triaging even a single CVE can mean opening a dozen browser tabs simultaneously, NVD for CVSS scores, EPSS for exploitation probability, CISA’s Known Exploited Vulnerabilities (KEV) catalog, GitHub for patch status, VirusTotal for malware associations, Shodan for exposed hosts, and more.
Industry data confirms this bottleneck is severe, with EPSS v4 research showing that 96% of CVE alerts that fall below an exploitation threshold go completely uninvestigated due to manual workload alone.
For teams managing 50 or more CVEs simultaneously, that fragmented workflow can consume an entire workday.
Released on GitHub by developer Mahipal (mukul975), CVE MCP Server is a production-grade implementation of Anthropic’s Model Context Protocol (MCP) an open standard that enables seamless integration between LLM applications and external data sources and tools.
The server integrates Claude with 27 security tools organized into five categories: Core Vulnerability Intelligence, Exploit & Attack Intelligence, Advanced Risk & Reporting, Network Intelligence, and Threat Intelligence.
Built with Python, FastMCP, httpx, aiosqlite, Pydantic v2, and defusedxml, the entire stack operates via outbound HTTPS only, no inbound ports, no telemetry, no API keys ever logged.
The tool catalog is extensive and immediately production-ready. Core vulnerability tools include lookup_cve (NVD), get_epss_score (FIRST), check_kev_status (CISA), and bulk_cve_lookup for batch-fetching up to 20 CVEs in parallel.
Exploit intelligence tools map CVEs to MITRE ATT&CK techniques, check PoC availability across GitHub and Exploit-DB, and retrieve CAPEC attack patterns.
Network intelligence layers in AbuseIPDB reputation scoring, GreyNoise scan activity, Shodan host profiling, and CIRCL Passive DNS. Threat intelligence tools connect to VirusTotal, MalwareBazaar, ThreatFox for IOC lookups, and Ransomwhere for ransomware Bitcoin address tracking.
At the heart of the project is a weighted risk scoring formula that moves beyond CVSS-only prioritization, a methodology aligned with the industry shift toward multi-signal triage.
The formula weights EPSS probability at 35%, CISA KEV status at 30%, CVSS at 20%, and PoC availability at 15%, with boost multipliers applied for active KEV+PoC combinations, CVSS ≥ 9.0 with high EPSS, and recently published CVEs.
A score of 76–100 triggers a CRITICAL label requiring patching within 24–48 hours under an emergency change window.
One notable design decision is accessibility: eight tools require zero API keys to function, including EPSS, CISA KEV, OSV.dev, MITRE ATT&CK, CWE lookups, CVSS parsing, Ransomwhere, and NVD at a reduced rate.
Teams can deploy and begin querying immediately, then progressively add Tier 1 keys (NVD, GitHub) for 10× throughput and Tier 2 keys (AbuseIPDB, VirusTotal, GreyNoise, Shodan) for full multi-domain intelligence.
The server also addresses the software supply chain angle with three DevSecOps tools: scan_dependencies queries OSV.dev for vulnerable package versions, scan_github_advisories searches GitHub Security Advisories by ecosystem, and urlscan_check analyzes suspicious URLs.
In a single Claude prompt, a developer can scan an entire requirements.txt and receive prioritized upgrade recommendations.
The CVE MCP Server is available now at github.com/mukul975/cve-mcp-server under an open-source license, with Claude Desktop and Claude Code configuration supported out of the box.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post CVE MCP Server Turns Claude Into a Fully Capable Security Analyst With 27 Tools Across 21 APIs appeared first on Cyber Security News.
A new wave of cyber operations targeting European political leadership is once again highlighting how modern espionage increasingly relies on deception rather than technical exploits. Recent investigations by German authorities point to a large-scale phishing campaign conducted via the Signal messaging platform, with strong suspicions of Russian involvement.
According to multiple reports [1, 2, 3], the campaign targeted high-profile individuals, including German politicians, ministers, military personnel, diplomats, and journalists. German prosecutors have launched an investigation into what they believe may be a coordinated espionage effort, with early evidence suggesting a state-sponsored actor.
The attack did not rely on malware or vulnerabilities in Signal itself. Instead, it exploited human trust—arguably the weakest link in cybersecurity. Victims were approached through messages impersonating official Signal support or trusted contacts, prompting them to share authentication codes, scan malicious QR codes, or click on crafted links. Once compromised, attackers gained access to private chats, contact lists, and potentially sensitive political discussions.
One of the most notable targets was Julia Klöckner, whose account was reportedly compromised through a phishing attempt embedded in what appeared to be a legitimate group chat linked to her political party. The operation also attempted to target German Chancellor Friedrich Merz, although no compromise was confirmed in that case.
Authorities estimate that hundreds of accounts may have been affected. While Berlin has not formally attributed the campaign, intelligence sources increasingly point toward Russian involvement, consistent with a broader pattern of cyber activities aimed at European democracies.
“The German government suspects Russia is behind a series of phishing attacks on Signal targeting high-ranking politicians, including two government ministers, military personnel and journalists, a government spokesperson said.
“Federal prosecutors have been conducting a preliminary investigation since mid-February 2026 into alleged cyberattacks on Signal accounts, a spokesperson for the federal prosecutors confirmed on Saturday. Among other things, the investigation involves an initial suspicion of espionage, she added, without specifying which country might be involved.” reads the report published by the Associated Press.
“The German government has still not officially attributed the attacks to Russia.”
This incident is not isolated. Over the past decade, Western intelligence agencies have repeatedly linked Russian state-backed groups to cyber espionage and influence operations targeting political institutions. These activities are part of a broader strategy often described as “hybrid warfare,” where cyber operations, disinformation, and psychological tactics are combined to achieve geopolitical objectives without direct military confrontation.
Security experts stress that what makes this campaign particularly concerning is its simplicity and effectiveness. Instead of exploiting software flaws, attackers leveraged legitimate platform features and social engineering techniques. This approach allows them to bypass many traditional security controls and remain largely undetected.
We are witnessing a new phase of hybrid warfare, where attackers don’t need to break encryption—they just trick the user. The human factor has become the primary attack surface.”
Targeting secure messaging platforms like Signal demonstrates how threat actors adapt quickly to changing communication habits. When politicians and officials move to more secure platforms, adversaries follow them. The battlefield is no longer the infrastructure, but the user.”
Another critical aspect is the potential impact. Access to private conversations between political leaders, policymakers, and diplomats can provide strategic intelligence, enable blackmail, or support disinformation campaigns. Even limited breaches can undermine trust in secure communication tools and institutions.
German authorities, including the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI), have already issued warnings about similar tactics earlier this year. They highlighted that such campaigns are likely ongoing and could expand to other platforms like WhatsApp or Telegram.
The broader implication is clear: cybersecurity is no longer just a technical issue but a geopolitical one. As digital communication becomes central to governance, diplomacy, and decision-making, it also becomes a primary target for intelligence operations.
This campaign serves as a reminder that even the most secure technologies cannot protect against deception if users are not adequately trained and aware. In today’s threat landscape, resilience depends not only on encryption and infrastructure but also on human vigilance.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – German officials, Bundestag)
Entrar