The IT Nerd

The CISA, the NSA, and Canadian Centre for Cyber Security are warning that the People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems.  

You can get more details here: https://www.cisa.gov/news-events/analysis-reports/ar25-338a

Ensar Seker, CISO at threat intel company SOCRadar, provided the following comments:

“The recent advisory from CISA, NSA and the Canadian Centre for Cyber Security (Cyber Centre) confirms that a China‑linked actor is using BRICKSTORM to compromise virtual‑infrastructure environments, creating hidden virtual machines, harvesting credentials via cloned VM snapshots, and maintaining long dwell times of up to 393 days. 

What’s especially alarming about this campaign is that it targets the virtualization layer itself, not the OS or applications, which historically receives less attention. Once the hypervisor or management console (vCenter) is compromised, attackers gain broad visibility over the virtual infrastructure and can bypass many traditional endpoint defenses (like EDR), because these often don’t monitor hypervisor behavior or VM snapshot manipulation. 

For defenders, the implications are stark: if you run VMware vSphere or ESXi, particularly with vCenter exposed internally or weakly segmented, you are directly in scope. This means organizations must treat virtualization infrastructure as a critical attack surface with the same urgency as public‑facing apps or legacy enterprise systems.

Immediate steps: apply detection signatures/YARA and Sigma rules from the joint CISA/NSA report to hunt for BRICKSTORM indicators; audit VM snapshot creation and export logs; restrict vCenter access tightly; segment management consoles from general workloads; block unauthorized DNS‑over‑HTTPS (DoH) traffic from servers; and ensure build‑in and third‑party monitoring includes hypervisor‑level telemetry. 

In short, this isn’t just another malware campaign. It’s a wake‑up call showing that adversaries are shifting upward in the stack, targeting the foundations of virtualization rather than individual VMs. For many organizations, exposure will only be obvious after they start actively hunting for hypervisor‑layer compromise. Let me know if you’d like a short quote or deeper technical breakdown to include.”

Everyone needs to pay attention to this as it is clear from this alert that the bad guys are changing the tactics that they use to get a bigger payoff at the end of the day. Which is bad for all of us and requires immeidate attention from defenders.

The CISA has warned of an flaw called the ‘OpenPLC ScadaBR’ flaw, tracked as CVE-2021-26829, that was recently leveraged by hackers to deface an industrial control system (ICS). Meaning that it is related to critical infrastructure.

More details here: https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog

Martin Jartelius, AI Product Director at Outpost24, provided the following comments:

“This vulnerability is four years old, and while the project is still in use, it has largely been replaced by other solutions for many users. Both existing vulnerabilities in the platform require authentication, and the observed intrusion occurred in a honeypot, meaning it must have been configured with an intentionally weak or default password. The group then opted for “defacement,” meaning they changed the appearance of the application rather than abusing the known file-upload issue to achieve code execution on the system.

“As it is an ICS system, the incident is serious, but the key lesson is not to fear this outdated, unpatched system itself. Instead, we should recognize that there are attackers driven by hacktivism or simple cyber-vandalism actively looking for these types of exposed systems. These systems should never be exposed to the internet; organizations must adhere to ICS-CERT guidelines for proper isolation. We must also remember that this incident was visible. If someone had simply logged in and changed settings, there would have been no visual indication.

Over the years, we have seen small power plants with currents and frequency controls exposed directly to the internet — these systems are not toys, and to repeat myself, they should never be accessible without strict isolation and must not have direct internet exposure.”

This should highlight the need to protect critical infrastructure at all costs. Hopefully it doesn’t take a significant incident to get that message through.

The CISA issued an urgent warning that federal agencies must immediately patch two actively exploited Cisco ASA and Firepower vulnerabilities, CVE-2025-20362 and CVE-2025-20333. The flaws allow unauthenticated access to restricted endpoints and remote code execution, and when chained, give attackers full control of affected devices. Although Cisco patched the bugs in September after observing zero-day exploitation tied to the ArcaneDoor campaign, after many agencies incorrectly believed they had updated to safe versions. 

Gunter Ollmann, CTO, Cobalt had this to say:

“The ongoing exploitation of these Cisco flaws highlights how attackers increasingly rely on chaining weaknesses to gain rapid, unauthenticated control over perimeter devices. These types of edge-network compromises are particularly attractive because they create a launch point that bypasses many downstream defenses. The challenge is that organizations still struggle to validate their exposure in real-world terms, even when patches exist. Offensive testing helps reveal whether the environment behaves as expected after updates and whether an attacker could still traverse overlooked paths. Mature programs treat patching as the starting point, not the finish line, and use adversarial validation to catch residual gaps before threat actors do.”

Wade Ellery, Chief Evangelist and IAM Strategy Officer, Radiant Logic follows with this:

“When firewalls or VPN gateways are compromised, attackers often pivot quickly into identity systems because credentials remain one of the most reliable pathways to deeper access. Incidents like this reveal how perimeter flaws can cascade into identity-based risks when agencies lack unified visibility across accounts, entitlements, and authentication patterns. The limitation is that many organizations still operate with fragmented identity data, making it hard to detect suspicious changes that follow network intrusions. Strengthening identity observability provides the context needed to spot anomalies early and contain lateral movement before privileges accumulate. Agencies that unify and observe identity data will be better positioned to absorb these infrastructure-level shocks and maintain Zero Trust resilience.”

Once again it’s time to patch all the things because of an actively exploited threat. The “fun” never ends in this business.

The CISA has added three newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: one in Windows SMB Client and two in Kentico Xperience CMS. The Windows flaw (CVE-2025-33073, CVSS 8.8) allows privilege escalation via improper access control and has been exploitable since June, when proof-of-concept code was released. The Kentico vulnerabilities (CVE-2025-2746 and CVE-2025-2747, CVSS 9.6) are authentication bypass issues that could enable full administrative takeover when chained with remote code execution. CISA also confirmed exploitation of a 2022 Apple arbitrary code execution bug (CVE-2022-48503). Federal agencies now have three weeks to patch affected systems under Binding Operational Directive 22-01.

Will Baxter, Field CISO, Team Cymru had this to say:

     “The inclusion of both recent and legacy vulnerabilities in CISA’s KEV catalog underscores how threat actors mix newly developed exploits with long-lived flaws to sustain access and expand operational reach. Even when patches are available, adversaries rely on delayed remediation and incomplete asset visibility — the very gaps KEV aims to close. Active monitoring of external infrastructure and intelligence sharing across organizations remain essential to identify when known vulnerabilities are being re-weaponized in the wild.”

Andrew Obadiaru, CISO, Cobalt follows with this:

     “This is a reminder that patching and vulnerability scanning aren’t the same as true resilience. The lag between disclosure and exploitation is shrinking, and adversaries are quick to capitalize on unpatched systems even within well-defended networks. Continuous offensive testing—validating exploitability in real-world conditions—remains one of the most effective ways to ensure critical exposures are prioritized and remediated before attackers strike.

This is why I recommend that people patch all the things when patches appear or soon after they appear. The bad guys will not waste any time in terms of reverse engineering the flaws that these patches fix and using those to launch attacks.

The CISA has warned that a local privilege escalation vulnerability in Sudo (CVE-2025-32463, CVSS 9.3) is being actively exploited in the wild. The flaw, introduced in Sudo version 1.9.14 in 2023, allows any local user to execute commands with root privileges, even without being in the sudoers file. Exploitation requires tricking Sudo into loading a malicious /etc/nsswitch.conf file via the chroot feature, which has since been deprecated. The issue was patched in June with Sudo version 1.9.17p1, but proof-of-concept exploits have circulated since July, and CISA has mandated remediation within three weeks for federal agencies under BOD 22-01. 

John McShane, Principal Product Manager for AI & Data Science, Cobalt:

     “Privilege escalation flaws like this sudo chroot issue reinforce a recurring pattern in security: when high privilege software accepts untrusted input or environmental control without guardrails, the downstream impact can be massive. Remember last year’s CrowdStrike Falcon outage (CVE-2025-1146)? A malformed update triggered system crashes at scale across airlines, hospitals, and critical infrastructure. In both cases the root failure was trusted high privilege logic failing in edge scenarios, which is exactly why testing must include more than happy-path unit tests. Fuzzing that targets config and path resolution logic, focused penetration testing that simulates hostile environments, and unit and integration tests all could have caught this earlier.”

Wade Ellery, Chief Evangelist and IAM Strategy Officer, Radiant Logic:

     “Security and defense from attack needs to be a multilayered operation.  Compromising the network perimeter and in this case local access to a server and then taking over a benign local account dramatically increases the threat to the organization.  When a vulnerability then allows any compromised local account to be escalated to root privileges the threat becomes catastrophic.  In most organizations there are no further walls between the attacker and his targets.  Layering in an additional line of defense is critical to stopping such an attack.  Adding continuous observability into who is accessing what resources, and how privilege is being escalated shines the light into the dark corners of today’s vulnerabilities.  Leveraging near real-time controls and remediation can prevent the escalated account from operating outside their original limited access.  Strong identity governance combined with timely patching ensures that when privilege escalation attempts occur, they are detected, prevented, and contained before causing lasting harm.”

“This vulnerability illustrates how access and identity intersect with system-level controls. Even without being in the sudoers file, an attacker could gain full privileges, bypassing established access policies. That underlines the importance of continuous observability into who is accessing what resources, and how privilege is being escalated. Without that visibility, organizations are blind to the subtle shifts that transform a minor intrusion into a full compromise. Strong identity governance combined with timely patching ensures that when privilege escalation attempts occur, they are detected, prevented, and contained before causing lasting harm.”

This is another one of those today problems that affected organizations need to deal with. And it needs to be dealt with ASAP. So it’s once again it’s time to patch all the things.

The CISA yesterday warned critical infrastructure organizations of “unsophisticated” threat actors actively targeting the U.S. oil and natural gas sectors.

CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage

Ensar Seker, CISO at SOCRadar had this comment:

“CISA’s warning about unsophisticated actors targeting ICS and OT systems in the oil and natural gas sectors should not be underestimated. The level of technical sophistication doesn’t always correlate with the level of impact, especially when it comes to operational technology. In many cases, even basic scanning tools, default credentials, or exposed interfaces can lead to catastrophic outcomes when ICS and SCADA environments are not properly segmented or monitored.”

“What makes this alarming is the growing accessibility of industrial-specific exploits and open-source ICS scanning tools, which are now circulating not only in underground forums, but even in open GitHub repositories. This lowers the barrier to entry for less capable threat actors including ideologically driven groups or lone wolves with potentially disproportionate physical effects, such as fuel distribution disruptions or pipeline shutdowns.”

“The real issue here isn’t just threat actor sophistication, it’s systemic exposure. Many ICS environments were designed decades ago, without cybersecurity in mind, and continue to rely on legacy protocols like Modbus and DNP3 with little to no authentication, encryption, or tamper detection.”

“This isn’t just about defending against advanced persistent threats. It’s about recognizing that even a simple script, when aimed at an unprotected valve, sensor, or controller, can have very real-world consequences.”

“CISA’s alert is yet another signal that the line between cyber and physical security has dissolved. It’s time for energy and transportation operators to treat every node on their ICS networks as a critical attack surface regardless of how sophisticated the attacker may seem.”

James McQuiggan, Security Awareness Advocate at KnowBe4:

“Critical infrastructure must move from “if” to “when” thinking. Eight years after NotPetya disrupted global operations, we’re still seeing attackers rely on tactics that should no longer be effective, yet they are. That clearly indicates that many critical infrastructure organizations haven’t hardened their defenses fast enough.”

“These attacks aren’t carried out by sophisticated state actors. They’re using well-known techniques like stolen credentials, unpatched vulnerabilities, and remote access misconfigurations, all items blue teams should be able to stop. Too many organizations operate under the assumption that they won’t be targeted, or that their OT environments are “isolated enough.” That’s the same logic as leaving your front door unlocked because no one’s robbed your neighbors yet.”

“If you can’t see your attack surface, you can’t secure it. Organizations should run tabletop exercises specific to OT scenarios. Include ransomware in your simulations and work to identify single points of failure before attackers do.”

“Leaders, including boards and the C-suite, must stop treating cybersecurity as an IT line item, as this is an operational risk. And in many cases, it’s a matter of national security. We’re not in the “what if” phase anymore. We’re in the “how bad will it be when it happens” phase.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech: 

“Cybercriminals are always looking for low-hanging fruit, and that includes ill-prepared critical infrastructure. These threats are easy to spot but persistent, so vigilance is key. An organization can avoid it 1,000 times but only needs to slip up once to allow cybercriminals into their network. Once inside, they can steal data and deploy ransomware, among other attacks.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy:

“Unfortunately, the infrastructure in the U.S. is an attractive target for the bad actors of the world. The rise of malware-as-a-service allows unsophisticated hackers to wreak havoc with little effort, often causing unintended consequences in some cases. U.S. oil and gas companies need to modernize and harden their systems. While this won’t be cheap, it will still be more economical than trying to clean up the mess left behind by the bad guys.”

This illustrates that the amount of threat actors looking to launch attacks are only increasing. Thus it’s incumbent on defenders to make sure that potential attacks are mitigated or stopped before they happen.