<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Advisories &#8211; Tisalabs</title>
	<atom:link href="https://www.tisalabs.com/advisories/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.tisalabs.com</link>
	<description>Securing the Space Frontier</description>
	<lastBuildDate>Wed, 25 Feb 2026 00:00:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://www.tisalabs.com/wp-content/uploads/2024/12/cropped-favicon-32x32.png</url>
	<title>Advisories &#8211; Tisalabs</title>
	<link>https://www.tisalabs.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Exploitation of Cisco Catalyst SD-WAN</title>
		<link>https://www.tisalabs.com/advisories/exploitation-of-cisco-catalyst-sd-wan/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Wed, 25 Feb 2026 00:00:00 +0000</pubDate>
				<guid isPermaLink="false">https://www.tisalabs.com/advisories/exploitation-of-cisco-catalyst-sd-wan/</guid>

					<description><![CDATA[<p>Malicious cyber threat actors are targeting Cisco Catalyst Software Defined Wide Area Networks (SD-WAN) used by organisations globally. These actors are compromising SD-WANs to add a malicious rogue peer and then conduct a range of follow-on actions to achieve root access and maintain persistent access to the SD-WAN. This cluster of cyber threat activity has targeted organisations using Cisco Catalyst SD-WANs globally.</p>
<p>A Hunt Guide has been prepared based on observations from various investigations which details tactics, techniques, and procedures (TTPs) leveraged by these malicious actors. The Hunt Guide aims to support network defenders to conduct detection and threat hunting activities and provides mitigation guidance to reduce the risk from the observed TTPs.</p>
<p>The Hunt Guide is being released by the following authoring and co-sealing agencies:</p>
<ul>
<li>Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)</li>
<li>Canadian Centre for Cyber Security (Cyber Centre)</li>
<li>New Zealand National Cyber Security Centre (NCSC-NZ)</li>
<li>United Kingdom National Cyber Security Centre (NCSC-UK)</li>
<li>United States Cybersecurity and Infrastructure Security Agency (CISA)</li>
<li>United States National Security Agency (NSA)</li>
</ul>
<p>Cisco has released software updates for Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller. Organisations employing Cisco Catalyst SD-WAN should follow the priority actions detailed below. Cisco Catalyst SD-WANs that have management interfaces exposed to the internet are at most risk of compromise. Management interfaces must never be exposed to the internet.</p>
<p>The authoring agencies strongly urge network defenders to follow these priority actions:</p>
<ul>
<li>Perform threat hunting for evidence of compromise detailed in the Hunt Guide. If you believe you have been compromised, collect artefacts from the device and, if you are in the UK, report it to the NCSC.</li>
<li>Update to the appropriate fixed latest version of Cisco Catalyst SD-WAN Manager and Cisco Catalyst SD-WAN Controller as detailed in their respective advisories.</li>
<li>Apply the Cisco Catalyst SD-WAN Hardening Guide.</li>
<li>Perform continuous threat hunting activities.</li>
</ul>
<p>To reduce the risks to your networks, review the Cisco Catalyst SD-WAN Hardening Guide in full and take appropriate action, including but not limited to the following:</p>
<ul>
<li>Network perimeter controls
<ul>
<li>ensure control components are behind a firewall</li>
<li>isolate VPN 512 interfaces</li>
<li>use IP blocks for manually provisioned edge IPs</li>
</ul>
</li>
<li>SD-WAN manager access
<ul>
<li>replace the self-signed certificate for the web user interface</li>
</ul>
</li>
<li>Control and data plane security
<ul>
<li>use pairwise keying</li>
</ul>
</li>
<li>Session timeout
<ul>
<li>limit to the shortest period possible</li>
</ul>
</li>
<li>Logging
<ul>
<li>forward to a remote syslog server</li>
</ul>
</li>
</ul>
<p>Any mitigation or eviction measures listed within are subject to change as new information becomes available and ongoing coordinated operations dictate. Network defenders should ensure any actions taken in response to the Hunt Guide are compliant with local laws and regulations within the jurisdictions within which they operate.</p>
<ul>
<li>Cisco Catalyst SD-WAN hardening guide</li>
<li>ASD’s ACSC’s Cisco SD-WAN Threat Hunt Guide co-sealed by NSA, CISA, CCCS, NCSC-NZ and NCSC-UK</li>
</ul>
<p>NCSC resources to help secure systems:</p>
<ul>
<li>Follow NCSC guidance including vulnerability management and preventing lateral movement.</li>
<li>If your organisation is in the UK, you can sign up to the free NCSC Early Warning service to receive notifications of potential cyber threats on your network. If you are already an Early Warning user, please check your MyNCSC portal.</li>
<li>The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.</li>
</ul>
<p>The post <a rel="nofollow" href="https://www.tisalabs.com/advisories/exploitation-of-cisco-catalyst-sd-wan/">Exploitation of Cisco Catalyst SD-WAN</a> appeared first on <a rel="nofollow" href="https://www.tisalabs.com">Tisalabs</a>.</p>
]]></description>
		
		
		
			</item>
		<item>
		<title>CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems</title>
		<link>https://www.tisalabs.com/advisories/cisa-and-partners-release-guidance-for-ongoing-global-exploitation-of-cisco-sd-wan-systems/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Wed, 25 Feb 2026 00:00:00 +0000</pubDate>
				<guid isPermaLink="false">https://www.tisalabs.com/advisories/cisa-and-partners-release-guidance-for-ongoing-global-exploitation-of-cisco-sd-wan-systems/</guid>

					<description><![CDATA[<p>The purpose of this Alert is to provide resources for organizations with Cisco Software-Defined Wide-Area Networking (SD-WAN) systems, including Federal Civilian Executive Branch (FCEB) agencies, to address ongoing exploitation of multiple vulnerabilities. Notably, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20127 and CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 25, 2026. As a result of the malicious cyber activity and vulnerabilities involving Cisco SD-WAN systems, CISA has outlined requirements for FCEB agencies in Emergency Directive (ED) 26-03 to inventory Cisco SD-WAN systems, update them, and assess compromise.</p>
<p>CISA and partners have observed malicious cyber actors targeting and compromising Cisco SD-WAN systems of organizations, globally. These actors have been observed exploiting a previously undisclosed authentication bypass vulnerability, CVE-2026-20127, for initial access before escalating privileges using CVE-2022-20775 and establishing long-term persistence in Cisco SD-WAN systems.</p>
<p>CISA, National Security Agency (NSA), and international partners Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (Cyber Centre), New Zealand National Cyber Security Centre (NCSC-NZ), and United Kingdom National Cyber Security Centre (NCSC-UK), hereafter the “authoring organizations,” strongly urge network defenders to immediately 1) inventory all in-scope Cisco SD-WAN systems, 2) collect artifacts, including virtual snapshots and logs off of SD-WAN systems to support threat hunt activities, 3) fully patch Cisco SD-WAN systems with available updates, 4) hunt for evidence of compromise, and 5) concurrently review Cisco’s latest security advisories, Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability and Cisco Catalyst SD-WAN Vulnerabilities, and implement Cisco’s SD-WAN Hardening Guidance.<sup>1</sup></p>
<p>To address malicious activity involving vulnerable Cisco SD-WAN systems, CISA issued Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems, which outlines requirements for FCEB agencies to inventory Cisco SD-WAN systems, update them, and assess compromise. Further, CISA released Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems to provide prescriptive actions for FCEB agencies.</p>
<p>Cisco’s Catalyst SD-WAN Hardening Guide recommends that network defenders address:</p>
<ul>
<li>Network perimeter controls: Ensure control components are behind a firewall, isolate virtual private network (VPN) 512 interfaces, and use internet protocol (IP) blocks for manually provisioned edge IPs.</li>
<li>SD-WAN manager access: Replace the self-signed certificate for the web user interface.</li>
<li>Control and data plane security: Use pairwise keys.</li>
<li>Session timeout: Limit to the shortest period possible.</li>
<li>Logging: Forward to a remote syslog server.</li>
</ul>
<p>CISA and the authoring organizations are providing the following resources:</p>
<ul>
<li>CISA: Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems</li>
<li>CISA: Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems</li>
<li>Cisco: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability</li>
<li>Cisco: Cisco Catalyst SD-WAN Vulnerabilities</li>
<li>Cisco: Cisco Catalyst SD-WAN Hardening Guide</li>
<li>ASD’s ACSC: Cisco SD-WAN Threat Hunt Guide, co-sealed by CISA, NSA, Cyber Centre, NCSC-NZ, and NCSC-UK. This guide, based on investigative data, supports network defenders’ detection of and response to the malicious actors’ threat activity.</li>
</ul>
<p><strong>Acknowledgements</strong></p>
<p>NSA, ASD’s ACSC, Cyber Centre, NCSC-NZ, and NCSC-UK contributed to this alert.</p>
<p><strong>Disclaimer</strong></p>
<p>The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.</p>
<p><strong>Notes</strong></p>
<ol>
<li>Cisco Security, “Cisco Catalyst SD-WAN Hardening Guide,” last modified February 9, 2026, https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide</li>
</ol>
]]></description>
		
		
		
			</item>
		<item>
		<title>Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps</title>
		<link>https://www.tisalabs.com/advisories/poland-energy-sector-cyber-incident-highlights-ot-and-ics-security-gaps/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Tue, 10 Feb 2026 00:00:00 +0000</pubDate>
				<guid isPermaLink="false">https://www.tisalabs.com/advisories/poland-energy-sector-cyber-incident-highlights-ot-and-ics-security-gaps/</guid>

					<description><![CDATA[<p>The purpose of this Alert is to amplify Poland’s Computer Emergency Response Team (CERT Polska’s) Energy Sector Incident Report published on Jan. 30, 2026, and highlight key mitigations for Energy Sector stakeholders.</p>
<p>In December 2025, a malicious cyber actor(s) targeted and compromised operational technology (OT) and industrial control systems (ICS) in Poland’s Energy Sector—specifically renewable energy plants, a combined heat and power plant, and a manufacturing sector company—in a cyber incident. The malicious cyber activity highlights the need for critical infrastructure entities with vulnerable edge devices to act now to strengthen their cybersecurity posture against cyber threat activities targeting OT and ICS.</p>
<p>A malicious cyber actor(s) gained initial access in this incident through vulnerable internet-facing edge devices, subsequently deploying wiper malware and causing damage to remote terminal units (RTUs). The malicious cyber activity caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices. While the affected renewable energy systems continued production, the system operator could not control or monitor them by their intended design.<sup>1</sup></p>
<p>CERT Polska’s incident report highlights:</p>
<ul>
<li>Vulnerable edge devices remain a prime target for threat actors. As indicated by CISA’s Binding Operational Directive (BOD) 26-02: Mitigating Risk From End-of-Support Edge Devices, end-of-support edge devices pose significant risks.</li>
<li>OT devices without firmware verification can be permanently damaged. Operators should prioritize updates that allow firmware verification when available; if updates are not immediately feasible, ensure that cyber incident response plans account for inoperative OT devices to mitigate prolonged outages.</li>
<li>Threat actors leveraged default credentials, a vulnerability not limited to specific vendors, to pivot onto the HMI and RTUs. Operators should immediately change default passwords and establish requirements for integrators or OT suppliers to enforce password changes in the future.</li>
</ul>
<p>CISA and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (DOE CESER) urge OT asset owners and operators to review the following resources for more information about the malicious activity and mitigations:</p>
<ul>
<li>CERT Polska’s Energy Sector Incident Report &#8211; 29 December 2025.</li>
<li>CISA’s joint fact sheet with FBI, EPA, and DOE Primary Mitigations to Reduce Cyber Threats to Operational Technology.</li>
<li>DOE’s Energy Threat Analysis Center’s threat advisories.</li>
</ul>
<p><strong>Acknowledgements</strong></p>
<p>DOE CESER and CERT Polska contributed to this Alert.</p>
<p><strong>Disclaimer</strong></p>
<p>The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.</p>
<p><strong>Notes</strong></p>
<ol>
<li>CERT Polska, “Energy Sector Incident Report &#8211; 29 December 2025,” Naukowa i Akademicka Sieć Komputerowa Poland, last modified January 30, 2026, https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/.</li>
</ol>
]]></description>
		
		
		
			</item>
		<item>
		<title>Barriers to Secure OT Communication: Why Johnny Can’t Authenticate</title>
		<link>https://www.tisalabs.com/advisories/barriers-to-secure-ot-communication-why-johnny-cant-authenticate/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Tue, 10 Feb 2026 00:00:00 +0000</pubDate>
				<guid isPermaLink="false">https://www.tisalabs.com/advisories/barriers-to-secure-ot-communication-why-johnny-cant-authenticate/</guid>

					<description><![CDATA[<p>CISA released the guidance, Barriers to Secure OT Communication: Why Johnny Can’t Authenticate, which highlights the known issues with insecure-by-design legacy industrial protocols and seeks to understand why the technology to secure these protocols is not widely adopted. CISA developed this guidance in partnership with operational technology (OT) equipment manufacturers and standard development organizations, by interviewing OT asset owners and operators to understand:</p>
<ul>
<li>What motivates owners and operators to secure communication, and</li>
<li>What barriers prevent successful adoption from design through deployment and operations.</li>
</ul>
<p>Legacy OT protocols lack strong protections against data alteration, device impersonation, and unauthorized access, making critical infrastructure vulnerable to cyber threats. Securing these protocols requires solutions that are practical for current operators as well as cyber experts. Based on the research conducted, CISA provides recommendations for how owners and operators can avoid the negative experiences of their peers, as well as recommendations to OT manufacturers to drive sustainable, more usable capabilities.</p>
<p>Barriers to Secure Communication: Why Johnny Can&#8217;t Authenticate (PDF, 915.41 KB)</p>
]]></description>
		
		
		
			</item>
		<item>
		<title>Reducing the Attack Surface for End-of-Support Edge Devices</title>
		<link>https://www.tisalabs.com/advisories/reducing-the-attack-surface-for-end-of-support-edge-devices/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Thu, 05 Feb 2026 00:00:00 +0000</pubDate>
				<guid isPermaLink="false">https://www.tisalabs.com/advisories/reducing-the-attack-surface-for-end-of-support-edge-devices/</guid>

					<description><![CDATA[<p><strong>Introduction</strong></p>
<p>The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.K.’s National Cyber Security Centre (NCSC) are releasing this fact sheet to urge defensive action against malicious cyber activity by nation-state threat actors. Nation-state threat actors exploit end-of-support (EOS) edge devices—including, but not limited to, load balancers, firewalls, routers, and virtual private network (VPN) gateways—to gain network access, maintain presence, and compromise sensitive data. Organizations using EOS devices are particularly vulnerable to compromise, especially if they are using EOS devices exposed to the public internet or external systems at the network’s “edge.”</p>
<p>CISA’s Binding Operational Directive (BOD) 26-02: Mitigating Risk From End-of-Support Edge Devices requires U.S. Federal Civilian Executive Branch (FCEB) agencies to manage the lifecycle of edge devices to defend against malicious cyber activity. Although the BOD 26-02 requirement only applies to FCEB agencies, CISA, FBI, and NCSC strongly encourage organizations to follow the guidance in the BOD and this fact sheet to safeguard systems, data, and operations from nation-state threat actors.</p>
<p><strong>What Are EOS Edge Devices?</strong></p>
<p>Edge devices include technology that resides on the boundary of an organization’s network and is accessible from the public internet and other external environments. An edge device becomes an “end-of-support” or “unsupported” device when its manufacturer no longer:</p>
<ul>
<li>Monitors it for defects in its software and/or firmware, and</li>
<li>Updates it with patches for common vulnerabilities and exposures (CVEs), security updates, and software fixes (hotfixes).</li>
</ul>
<p>EOS edge devices pose significant risks for organizations because threat actors can exploit unresolved security gaps. Nation-state threat actors can exploit these devices as entry points to access modern, supported environments, placing organizations’ data, services, and overall security at serious risk. EOS devices may also cause compatibility issues that disrupt productivity.</p>
<p><strong>Mitigations</strong></p>
<p>Organizations should be prepared to respond to malicious cyber activity. As the nation’s cyber defense agency, CISA and its partners stand ready to help prepare organizations to respond to and mitigate the impact of malicious cyber activity. CISA and its partners strongly urge all organizations to review BOD 26-02 and implement the following mitigations.</p>
<p><strong>Maintain Asset Inventory and Audits</strong></p>
<p>Keeping track of all devices within a network will equip network defenders with the awareness necessary to protect vulnerable assets.</p>
<ul>
<li>Actively scan networks for undocumented and outdated edge devices.</li>
<li>Maintain an inventory of all edge devices and their respective support timelines.</li>
<li>Regularly review inventory and EOS dates.</li>
<li>Critical infrastructure owners and operators, see Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators.</li>
</ul>
<p><strong>Replace EOS Edge Devices and Software</strong></p>
<p>Network defenders should proactively monitor for and replace unsupported edge devices to reduce a network perimeter’s vulnerability.</p>
<ul>
<li>Take prompt action to replace EOS edge devices; as these devices age, managing their risks becomes increasingly challenging and costly.</li>
</ul>
<p><strong>Install Updates and Patch Known CVEs</strong></p>
<p>Software updates will patch known CVEs; if automatic updates are not enabled, network defenders should proactively monitor for these updates.</p>
<ul>
<li>Ensure EOS devices operate on the latest supported software version when immediate replacement is not possible. By using the latest software update, organizations can address CVEs and other known vulnerabilities identified up to the time of the update.</li>
<li>Enable automatic updates on all devices to install timely patches.</li>
</ul>
<p><strong>Resources</strong></p>
<p>The following resources provide further guidance on protecting systems from cyber threats linked to EOS software or devices:</p>
<ul>
<li>CISA: Edge Device Security webpage provides edge device best practices to help organizations secure their network perimeters against modern cyber threats.</li>
<li>CISA: Guidance and Strategies to Protect Network Edge Devices offers practical advice and recommendations for protecting edge devices, focusing on minimizing vulnerabilities and improving network resilience.</li>
<li>CISA: Known Exploited Vulnerabilities Catalog provides a regularly updated list of vulnerabilities actively exploited by threat actors, allowing organizations to prioritize remediation efforts effectively.</li>
<li>ASD’s ACSC: Managing the risks of legacy IT: Executive guidance provides strategies and high-level guidance for executives to mitigate risks stemming from outdated and legacy IT systems.</li>
<li>ASD’s ACSC: Mitigation strategies for edge devices: Practitioner guidance offers detailed technical advice and actionable steps for IT practitioners to enhance the security of edge devices in their networks.</li>
<li>CISA: No-Cost Cybersecurity Services and Tools lists no-cost services and tools provided by CISA, as well as private and public sector organizations across the cyber community, to strengthen security postures and address cyber risks.</li>
<li>CISA: Technical Approaches to Uncovering and Remediating Malicious Activity presents detailed technical methodologies and best practices for detecting, analyzing, and addressing malicious activity within networks.</li>
<li>OASIS: OpenEoX provides robust guidance on the secure lifecycle management and handling of EOS software and associated tools to reduce security vulnerabilities.</li>
<li>NCSC: Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances delivers best practices and recommendations for conducting digital forensic investigations and implementing protective monitoring to safeguard network devices against cyber threats.</li>
</ul>
]]></description>
		
		
		
			</item>
		<item>
		<title>Fortinet Releases Guidance to Address Ongoing Exploitation of Authentication Bypass Vulnerability CVE-2026-24858</title>
		<link>https://www.tisalabs.com/advisories/fortinet-releases-guidance-to-address-ongoing-exploitation-of-authentication-bypass-vulnerability-cve-2026-24858/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Wed, 28 Jan 2026 00:00:00 +0000</pubDate>
				<guid isPermaLink="false">https://www.tisalabs.com/advisories/fortinet-releases-guidance-to-address-ongoing-exploitation-of-authentication-bypass-vulnerability-cve-2026-24858/</guid>

					<description><![CDATA[<p>Newly disclosed vulnerability Common Vulnerabilities and Exposures (CVE)-2026-24858 [Common Weakness Enumeration (CWE)-288: Authentication Bypass Using an Alternate Path or Channel] allows malicious actors with a FortiCloud account and a registered device to log in to separate devices registered to other users in FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer, if FortiCloud single sign on (SSO) is enabled on devices.<sup>1</sup></p>
<p>Users are vulnerable to CVE-2026-24858 even if they updated Fortinet devices to address previously disclosed FortiCloud SSO bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 [CWE-347: Improper Verification of Cryptographic Signature].<sup>2</sup> CVE-2025-59718 and CVE-2025-59719 affect FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager, and allow malicious actors to bypass the SSO login authentication via a crafted Security Assertion Markup Language (SAML) message.<sup>3</sup></p>
<p>On Fortinet devices that had been fully upgraded to the latest release addressing CVE-2025-59718 and CVE-2025-59719 at the time of CVE-2026-24858 exploitation, Fortinet observed the following malicious activity:</p>
<ul>
<li>Unauthorized firewall configuration changes on FortiGate devices.</li>
<li>Unauthorized creation of accounts.</li>
<li>Unauthorized configuration changes of virtual private networks (VPNs) to grant access to new accounts.<sup>4</sup></li>
</ul>
<p>According to Fortinet, on Jan. 26, 2026, Fortinet disabled all FortiCloud SSO authentication to mitigate CVE-2026-24858, then reinstated the service on Jan. 27, 2026, with changes to prevent exploitation of vulnerable devices.</p>
<p>CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) Catalog on Jan. 27, 2026.</p>
<p>CISA urges users to check for indicators of compromise on all internet-accessible Fortinet products affected by this vulnerability and immediately apply updates as soon as they are available using Fortinet’s instructions:</p>
<ul>
<li>Administrative FortiCloud SSO authentication bypass</li>
<li>Analysis of Single Sign-On Abuse on FortiOS</li>
</ul>
<p><strong>Disclaimer</strong></p>
<p>The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.</p>
<p><strong>Notes</strong></p>
<ol>
<li>Fortinet, “Administrative FortiCloud SSO Authentication Bypass,” FortiGuard Labs, last modified January 27, 2026, https://fortiguard.fortinet.com/psirt/FG-IR-26-060.</li>
<li>Fortinet, “Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypass,” FortiGuard Labs, last modified December 9, 2025, https://fortiguard.fortinet.com/psirt/FG-IR-25-647.</li>
<li>Carl Windsor, “Analysis of Single Sign-On Abuse on FortiOS,” PSIRT Blogs (blog), Fortinet, last modified January 22, 2026, https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios.</li>
<li>Arctic Wolf Labs, “Arctic Wolf Observes Malicious Configuration Changes on Fortinet FortiGate Devices via SSO Accounts,” Arctic Wolf Blog (blog), Arctic Wolf, last modified January 21, 2026, https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/.</li>
</ol>
]]></description>
		
		
		
			</item>
		<item>
		<title>Product Categories for Technologies That Use Post-Quantum Cryptography Standards</title>
		<link>https://www.tisalabs.com/advisories/product-categories-for-technologies-that-use-post-quantum-cryptography-standards/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Fri, 23 Jan 2026 00:00:00 +0000</pubDate>
				<guid isPermaLink="false">https://www.tisalabs.com/advisories/product-categories-for-technologies-that-use-post-quantum-cryptography-standards/</guid>

					<description><![CDATA[<p>Executive Summary In response to the June 6, 2025, Executive Order (EO) 14306, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144,” the Cybersecurity and Infrastructure Security Agency (CISA) is providing and regularly updating the below lists to aid in post-quantum cryptography (PQC) adoption. The lists include hardware and software categories with example types of widely available products that use PQC standards to protect sensitive information.1 The lists focus on categories of available products, typically acquired by the federal government, that utilize cryptographic algorithms. Because PQC-capable products are widely available in the listed categories, organizations should acquire only PQC-capable products when planning acquisitions and procuring products in these categories.   Introduction Purpose The lists below are CISA’s response to Executive Order (EO) 14306, which instructed: By December 1, 2025, the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and in consultation with the Director of the National Security Agency, shall release and thereafter regularly update a list of product categories in which products that support post-quantum cryptography (PQC) are widely available. When a particular category offers widely available PQC-capable products, organizations should plan acquisitions to procure only PQC-capable products from that category. Scope and Definitions The scope of the lists below includes categories of hardware and software products that are—or are anticipated to be—widely available and use PQC standards.  Note: “Widely available” describes products that are generally available in the marketplace, and agencies can acquire them in accordance with their typical procurement policies and procedures. 
The categories cover hardware and software products that apply PQC standards for encryption and authentication through the following cryptographic functions: Key establishment:2 A function in the lifecycle of keying material; the process by which cryptographic keys are securely established among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key-transport and/or key-agreement protocols), or a combination of automated and manual methods (consisting of key transport plus key agreement). Digital signatures:3 The result of a cryptographic transformation of data that, when properly implemented, provides the services of 1. origin authentication, 2. data integrity, and 3. signer non-repudiation.  Key establishment is often essential for establishing confidential communication using encryption among two or more parties. Digital signatures are often essential for authenticating the parties participating in a communication and for establishing the authenticity of data, products, and services. Automated cryptographic discovery and inventory products are out of scope of these lists. Considerations for Products That Use PQC Standards PQC Transition of Information Technology (IT) Infrastructure Recognizing the global need to support PQC algorithms, product manufacturers are developing new products and updating existing products to incorporate post-quantum cryptographic standards.  National Institute of Standards and Technology In 2016, the National Institute of Standards and Technology (NIST) initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms. The ongoing PQC standardization process has produced PQC standards and will likely standardize additional algorithms in the coming years. 
The NIST Internal Report (IR) 8547, Transition to Post-Quantum Cryptography Standards, describes NIST’s expected approach to transitioning from quantum-vulnerable cryptographic algorithms to post-quantum digital signature algorithms and key-establishment schemes. The report identifies existing quantum-vulnerable cryptographic standards and the current quantum-resistant standards that organizations will use in the transition. The report informs the efforts and timelines of federal agencies, industry, and standards organizations for transitioning products, services, and infrastructure to PQC. NIST will revise this report and feed into other algorithms- and application-specific guidance for the transition to PQC as necessary to support transition timelines. Table 1 shows three NIST PQC standards along with a recommendation for stateful hash-based signature algorithms that support quantum-resistant standards.</p>
<p>Table 1: NIST Standard PQC Algorithms</p>
<table>
<tr><th>Cryptographic Function</th><th>Algorithm</th><th>Standard</th></tr>
<tr><td>Key Establishment</td><td>Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)</td><td>Federal Information Processing Standards (FIPS) 203</td></tr>
<tr><td>Digital Signature</td><td>Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</td><td>Federal Information Processing Standards (FIPS) 204</td></tr>
<tr><td>Digital Signature</td><td>Stateless Hash-Based Digital Signature Algorithm (SLH-DSA)</td><td>Federal Information Processing Standards (FIPS) 205</td></tr>
<tr><td>Digital Signature</td><td>Stateful Hash-Based Digital Signature Algorithms: Leighton-Micali Signature Scheme (LMS), Hierarchical Merkle Signature Scheme (HMS), eXtended Merkle Signature Scheme (XMSS), eXtended Merkle Signature Scheme with Multi-Tree (XMSSMT)</td><td>NIST SP 800-208</td></tr>
</table>
<p>Product Lists</p>
<p>Table 2 details widely available categories with respective types of hardware and software products that use PQC standards to protect sensitive information well into the foreseeable future, including after the advent of a cryptographically relevant quantum computer (CRQC). 
Organizations building PQC migration plans can use these categories as a guide to assess future technological needs. Once a category is listed as having PQC-capable products widely available, organizations should plan acquisitions to procure only PQC-capable products in that category.<sup>4</sup></p>
<p>Table 3 does not list categories of PQC-capable products that are currently widely available; instead, it lists product categories where manufacturer implementation and testing of PQC capabilities are encouraged. It is important that the products listed in Table 3 implement PQC for core features and for all secondary functionality, such as for software updates. As the Table 3 product categories mature their capabilities and transition to PQC, CISA will move them from Table 3 to the list in Table 2. Tables 2 and 3 consider efforts within the General Services Administration (GSA),<sup>5,6</sup> CISA,<sup>7</sup> NIST,<sup>8</sup> and the National Security Agency (NSA)<sup>9</sup>.</p>
<p>Note: Tables 2 and 3 are not exhaustive lists; CISA will periodically update these tables as needed to cover new examples of widely available products that use PQC standards.</p>
<p>Table 2: Widely Available Hardware and Software Product Categories That Use PQC Standards</p>
<table>
<tr><th>Product Category*</th><th>Example Product Type</th></tr>
<tr><td>Cloud Services</td><td>Platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS)</td></tr>
<tr><td>Collaboration Software</td><td>Chat/messaging</td></tr>
<tr><td>Web Software</td><td>Web browsers, web servers</td></tr>
<tr><td>Endpoint Security<sup>10</sup></td><td>Data at rest (DAR) security, full disk encryption</td></tr>
</table>
<p>* Most of these categories have implemented PQC for key encapsulation and key agreement but have not yet widely implemented PQC for digital signatures and authentication. As a result, these categories are not considered to be fully quantum resistant; CISA includes them on this list because one of their main security services is quantum resistant and Federal </p>
]]></description>
		
		
		
			</item>
		<item>
		<title>NCSC issues warning over hacktivist groups disrupting UK organisations and online services</title>
		<link>https://www.tisalabs.com/advisories/ncsc-issues-warning-over-hacktivist-groups-disrupting-uk-organisations-and-online-services/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Mon, 19 Jan 2026 00:00:00 +0000</pubDate>
				<guid isPermaLink="false">https://www.tisalabs.com/advisories/ncsc-issues-warning-over-hacktivist-groups-disrupting-uk-organisations-and-online-services/</guid>

					<description><![CDATA[<p>New alert warns of state-aligned hacktivists targeting UK organisations, looking to cripple services and disable websites.</p>
<p>Russian groups continue to target organisations in the UK, particularly local government and operators of critical infrastructure.</p>
<p>Organisations are encouraged to review defences and prepare resilience against attacks.</p>
<p>Today, 19th January 2026, the National Cyber Security Centre (NCSC) – a part of GCHQ – has issued an alert highlighting the persistent targeting of UK organisations by Russian state-aligned hacktivist groups aiming to disrupt networks.</p>
<p>Organisations, particularly local government authorities and operators of critical national infrastructure, are being encouraged to review their defences and improve their cyber resilience by preparing and being able to respond to denial of service (DoS) attacks.</p>
<p>Although DoS attacks are typically low in sophistication, a successful attack can disrupt entire systems, costing organisations significant time, money, and operational resilience by having to analyse, defend against, and recover from them.</p>
<p>The alert notes that the ongoing attacks by Russian-aligned hacktivist groups are driven by ideology, over perceived Western support for Ukraine, rather than financial gain, and they operate outside the direct control of the state.</p>
<p>In December 2025, alongside international partners, the NCSC co-sealed an advisory which called out pro-Russian hacktivist groups for targeting government and private sector entities in NATO member states and other European countries that are seen as standing in opposition to Russia’s geopolitical ambitions.</p>
<p>NCSC Director of National Resilience, Jonathon Ellison said: “We continue to see Russian-aligned hacktivist groups targeting UK organisations and although denial-of-service attacks may be technically simple, their impact can be significant. 
</p>
<p>“By overwhelming important websites and online systems, these attacks can prevent people from accessing the essential services they depend on every day.</p>
<p>“All organisations, especially those identified in today’s alert, are urged to act now by reviewing and implementing the NCSC’s freely available guidance to protect against DoS attacks and other cyber threats.”</p>
<p>The NCSC has persistently called out malicious cyber activity from Russia and its supporters. In 2023, the NCSC alerted organisations to the emergent risk posed by state-aligned adversaries following the Russian invasion of Ukraine.</p>
<p>Organisations are also encouraged to engage with the NCSC’s heightened cyber threat collection.</p>
]]></description>
		
		
		
			</item>
		<item>
		<title>Pro-Russia hacktivist activity continues to target UK organisations</title>
		<link>https://www.tisalabs.com/advisories/pro-russia-hacktivist-activity-continues-to-target-uk-organisations/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Mon, 19 Jan 2026 00:00:00 +0000</pubDate>
				<guid isPermaLink="false">https://www.tisalabs.com/advisories/pro-russia-hacktivist-activity-continues-to-target-uk-organisations/</guid>

					<description><![CDATA[<p>Russian-aligned hacktivist groups continue to target the UK and global organisations by attempting to disrupt operations, take websites offline and disable services.</p>
<p>In December 2025, the NCSC co-sealed an advisory highlighting that pro-Russian hacktivist groups have been conducting worldwide cyber operations against numerous organisations and critical infrastructure sectors. In particular, the group NoName057(16) has been active since March 2022, and has been conducting attacks against government and private sector entities in NATO member states and other European countries that are perceived as hostile to Russian geopolitical interests. These attacks have included frequent DDoS attempts against UK local government. The group operates primarily through Telegram channels and used GitHub (and other websites and repositories) to host the proprietary tool DDoSia, and to share tactics, techniques, and procedures (TTPs) with their followers.</p>
<p>This is not the first time that the NCSC has called out activity from Russian-aligned groups targeting UK organisations. In 2023, the NCSC published an alert on the risk posed by state-aligned adversaries following the Russian invasion of Ukraine.</p>
<p>These attacks are ideologically (rather than financially) motivated, and reflect an evolution in the threat, which now targets UK operational technologies. As a result, the NCSC encourages all OT owners to follow recommended mitigation advice to harden their cyber defences.</p>
<p>Understand and mitigate denial of service (DoS) attacks</p>
<p>The NCSC is advising all organisations to review their defences, and to improve resilience against attacks from Russian-aligned groups. In particular, we’re encouraging all organisations to review their DoS protections, which includes:</p>
<p>Understanding your service</p>
<p>There are probably many points in your service where an attacker can attempt to overload or exhaust available resources, thereby preventing you from serving legitimate users. 
You should understand where these points are, and in each case, determine whether you, or a supplier, are responsible.</p>
<p>Upstream defences</p>
<p>Ensure your service providers are ready to deal with resource exhaustion in places where they are uniquely placed to help. We recommend you:</p>
<ul>
<li>understand the denial of service mitigations that your ISP has in place on your account</li>
<li>look into third-party DDoS mitigation services that can be used to protect against network traffic based attacks</li>
<li>consider deploying a content delivery network, for web-based services</li>
<li>understand when and how your service provider might limit your network access in order to protect their other customers</li>
<li>consider using multiple service providers for some functionality</li>
</ul>
<p>Building to allow scaling</p>
<p>To deal with attacks which can’t be handled upstream (or only once detected and blocked), make sure your service can rapidly scale. Ideally, you should be able to scale all aspects of your application and infrastructure. Cloud-native applications can be automatically scaled using the cloud providers’ APIs. In private data centres, automated scaling is possible using modern virtualisation, but this will require spare hardware capacity to deal with the additional load.</p>
<p>Defining your response plan</p>
<p>Design your service and plan your response to an attack so that it can continue to operate (albeit in a degraded fashion). We recommend your plan includes:</p>
<ul>
<li>graceful degradation</li>
<li>dealing with changing tactics</li>
<li>retaining administrative access during an attack</li>
<li>having a scalable fall-back plan for essential services</li>
</ul>
<p>Testing and monitoring your service</p>
<p>Gain confidence in your defences by testing them, and ensure you can spot when attacks start by having the right tools in place. Test your defences so you know the types (and volume) of attacks you are able to defend. System monitoring will help you spot attacks when they begin, and analyse your response while it’s underway. 
</p>
<p>For more information, please refer to the NCSC’s core Denial of Service (DoS) guidance. In addition, the NCSC encourages all organisations to review our heightened cyber threat guidance collection, in particular the guidance on actions to take when the cyber threat is heightened.</p>
]]></description>
		
		
		
			</item>
		<item>
		<title>Secure Connectivity Principles for Operational Technology (OT)</title>
		<link>https://www.tisalabs.com/advisories/secure-connectivity-principles-for-operational-technology-ot/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Wed, 14 Jan 2026 00:00:00 +0000</pubDate>
				<guid isPermaLink="false">https://www.tisalabs.com/advisories/secure-connectivity-principles-for-operational-technology-ot/</guid>

					<description><![CDATA[<p>CISA and the UK National Cyber Security Centre (NCSC-UK), in collaboration with federal and international partners, have released Secure Connectivity Principles for Operational Technology (OT) guidance to help asset owners address increasing business and regulatory pressures for connectivity into operational technology (OT) networks. This guidance outlines eight principles to use as a framework to design, secure, and manage connectivity into OT environments. These principles are particularly critical for operators of essential services.</p>
]]></description>
		
		
		
			</item>
	</channel>
</rss>
