The IT Nerd

The CISA has warned of an flaw called the ‘OpenPLC ScadaBR’ flaw, tracked as CVE-2021-26829, that was recently leveraged by hackers to deface an industrial control system (ICS). Meaning that it is related to critical infrastructure.

More details here: https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog

Martin Jartelius, AI Product Director at Outpost24, provided the following comments:

“This vulnerability is four years old, and while the project is still in use, it has largely been replaced by other solutions for many users. Both existing vulnerabilities in the platform require authentication, and the observed intrusion occurred in a honeypot, meaning it must have been configured with an intentionally weak or default password. The group then opted for “defacement,” meaning they changed the appearance of the application rather than abusing the known file-upload issue to achieve code execution on the system.

“As it is an ICS system, the incident is serious, but the key lesson is not to fear this outdated, unpatched system itself. Instead, we should recognize that there are attackers driven by hacktivism or simple cyber-vandalism actively looking for these types of exposed systems. These systems should never be exposed to the internet; organizations must adhere to ICS-CERT guidelines for proper isolation. We must also remember that this incident was visible. If someone had simply logged in and changed settings, there would have been no visual indication.

Over the years, we have seen small power plants with currents and frequency controls exposed directly to the internet — these systems are not toys, and to repeat myself, they should never be accessible without strict isolation and must not have direct internet exposure.”

This should highlight the need to protect critical infrastructure at all costs. Hopefully it doesn’t take a significant incident to get that message through.

The CISA issued an urgent warning that federal agencies must immediately patch two actively exploited Cisco ASA and Firepower vulnerabilities, CVE-2025-20362 and CVE-2025-20333. The flaws allow unauthenticated access to restricted endpoints and remote code execution, and when chained, give attackers full control of affected devices. Although Cisco patched the bugs in September after observing zero-day exploitation tied to the ArcaneDoor campaign, after many agencies incorrectly believed they had updated to safe versions. 

Gunter Ollmann, CTO, Cobalt had this to say:

“The ongoing exploitation of these Cisco flaws highlights how attackers increasingly rely on chaining weaknesses to gain rapid, unauthenticated control over perimeter devices. These types of edge-network compromises are particularly attractive because they create a launch point that bypasses many downstream defenses. The challenge is that organizations still struggle to validate their exposure in real-world terms, even when patches exist. Offensive testing helps reveal whether the environment behaves as expected after updates and whether an attacker could still traverse overlooked paths. Mature programs treat patching as the starting point, not the finish line, and use adversarial validation to catch residual gaps before threat actors do.”

Wade Ellery, Chief Evangelist and IAM Strategy Officer, Radiant Logic follows with this:

“When firewalls or VPN gateways are compromised, attackers often pivot quickly into identity systems because credentials remain one of the most reliable pathways to deeper access. Incidents like this reveal how perimeter flaws can cascade into identity-based risks when agencies lack unified visibility across accounts, entitlements, and authentication patterns. The limitation is that many organizations still operate with fragmented identity data, making it hard to detect suspicious changes that follow network intrusions. Strengthening identity observability provides the context needed to spot anomalies early and contain lateral movement before privileges accumulate. Agencies that unify and observe identity data will be better positioned to absorb these infrastructure-level shocks and maintain Zero Trust resilience.”

Once again it’s time to patch all the things because of an actively exploited threat. The “fun” never ends in this business.

The CISA has added three newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: one in Windows SMB Client and two in Kentico Xperience CMS. The Windows flaw (CVE-2025-33073, CVSS 8.8) allows privilege escalation via improper access control and has been exploitable since June, when proof-of-concept code was released. The Kentico vulnerabilities (CVE-2025-2746 and CVE-2025-2747, CVSS 9.6) are authentication bypass issues that could enable full administrative takeover when chained with remote code execution. CISA also confirmed exploitation of a 2022 Apple arbitrary code execution bug (CVE-2022-48503). Federal agencies now have three weeks to patch affected systems under Binding Operational Directive 22-01.

Will Baxter, Field CISO, Team Cymru had this to say:

     “The inclusion of both recent and legacy vulnerabilities in CISA’s KEV catalog underscores how threat actors mix newly developed exploits with long-lived flaws to sustain access and expand operational reach. Even when patches are available, adversaries rely on delayed remediation and incomplete asset visibility — the very gaps KEV aims to close. Active monitoring of external infrastructure and intelligence sharing across organizations remain essential to identify when known vulnerabilities are being re-weaponized in the wild.”

Andrew Obadiaru, CISO, Cobalt follows with this:

     “This is a reminder that patching and vulnerability scanning aren’t the same as true resilience. The lag between disclosure and exploitation is shrinking, and adversaries are quick to capitalize on unpatched systems even within well-defended networks. Continuous offensive testing—validating exploitability in real-world conditions—remains one of the most effective ways to ensure critical exposures are prioritized and remediated before attackers strike.

This is why I recommend that people patch all the things when patches appear or soon after they appear. The bad guys will not waste any time in terms of reverse engineering the flaws that these patches fix and using those to launch attacks.

The CISA has warned that a local privilege escalation vulnerability in Sudo (CVE-2025-32463, CVSS 9.3) is being actively exploited in the wild. The flaw, introduced in Sudo version 1.9.14 in 2023, allows any local user to execute commands with root privileges, even without being in the sudoers file. Exploitation requires tricking Sudo into loading a malicious /etc/nsswitch.conf file via the chroot feature, which has since been deprecated. The issue was patched in June with Sudo version 1.9.17p1, but proof-of-concept exploits have circulated since July, and CISA has mandated remediation within three weeks for federal agencies under BOD 22-01. 

John McShane, Principal Product Manager for AI & Data Science, Cobalt:

     “Privilege escalation flaws like this sudo chroot issue reinforce a recurring pattern in security: when high privilege software accepts untrusted input or environmental control without guardrails, the downstream impact can be massive. Remember last year’s CrowdStrike Falcon outage (CVE-2025-1146)? A malformed update triggered system crashes at scale across airlines, hospitals, and critical infrastructure. In both cases the root failure was trusted high privilege logic failing in edge scenarios, which is exactly why testing must include more than happy-path unit tests. Fuzzing that targets config and path resolution logic, focused penetration testing that simulates hostile environments, and unit and integration tests all could have caught this earlier.”

Wade Ellery, Chief Evangelist and IAM Strategy Officer, Radiant Logic:

     “Security and defense from attack needs to be a multilayered operation.  Compromising the network perimeter and in this case local access to a server and then taking over a benign local account dramatically increases the threat to the organization.  When a vulnerability then allows any compromised local account to be escalated to root privileges the threat becomes catastrophic.  In most organizations there are no further walls between the attacker and his targets.  Layering in an additional line of defense is critical to stopping such an attack.  Adding continuous observability into who is accessing what resources, and how privilege is being escalated shines the light into the dark corners of today’s vulnerabilities.  Leveraging near real-time controls and remediation can prevent the escalated account from operating outside their original limited access.  Strong identity governance combined with timely patching ensures that when privilege escalation attempts occur, they are detected, prevented, and contained before causing lasting harm.”

“This vulnerability illustrates how access and identity intersect with system-level controls. Even without being in the sudoers file, an attacker could gain full privileges, bypassing established access policies. That underlines the importance of continuous observability into who is accessing what resources, and how privilege is being escalated. Without that visibility, organizations are blind to the subtle shifts that transform a minor intrusion into a full compromise. Strong identity governance combined with timely patching ensures that when privilege escalation attempts occur, they are detected, prevented, and contained before causing lasting harm.”

This is another one of those today problems that affected organizations need to deal with. And it needs to be dealt with ASAP. So it’s once again it’s time to patch all the things.

The CISA yesterday warned critical infrastructure organizations of “unsophisticated” threat actors actively targeting the U.S. oil and natural gas sectors.

CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage

Ensar Seker, CISO at SOCRadar had this comment:

“CISA’s warning about unsophisticated actors targeting ICS and OT systems in the oil and natural gas sectors should not be underestimated. The level of technical sophistication doesn’t always correlate with the level of impact, especially when it comes to operational technology. In many cases, even basic scanning tools, default credentials, or exposed interfaces can lead to catastrophic outcomes when ICS and SCADA environments are not properly segmented or monitored.”

“What makes this alarming is the growing accessibility of industrial-specific exploits and open-source ICS scanning tools, which are now circulating not only in underground forums, but even in open GitHub repositories. This lowers the barrier to entry for less capable threat actors including ideologically driven groups or lone wolves with potentially disproportionate physical effects, such as fuel distribution disruptions or pipeline shutdowns.”

“The real issue here isn’t just threat actor sophistication, it’s systemic exposure. Many ICS environments were designed decades ago, without cybersecurity in mind, and continue to rely on legacy protocols like Modbus and DNP3 with little to no authentication, encryption, or tamper detection.”

“This isn’t just about defending against advanced persistent threats. It’s about recognizing that even a simple script, when aimed at an unprotected valve, sensor, or controller, can have very real-world consequences.”

“CISA’s alert is yet another signal that the line between cyber and physical security has dissolved. It’s time for energy and transportation operators to treat every node on their ICS networks as a critical attack surface regardless of how sophisticated the attacker may seem.”

James McQuiggan, Security Awareness Advocate at KnowBe4:

“Critical infrastructure must move from “if” to “when” thinking. Eight years after NotPetya disrupted global operations, we’re still seeing attackers rely on tactics that should no longer be effective, yet they are. That clearly indicates that many critical infrastructure organizations haven’t hardened their defenses fast enough.”

“These attacks aren’t carried out by sophisticated state actors. They’re using well-known techniques like stolen credentials, unpatched vulnerabilities, and remote access misconfigurations, all items blue teams should be able to stop. Too many organizations operate under the assumption that they won’t be targeted, or that their OT environments are “isolated enough.” That’s the same logic as leaving your front door unlocked because no one’s robbed your neighbors yet.”

“If you can’t see your attack surface, you can’t secure it. Organizations should run tabletop exercises specific to OT scenarios. Include ransomware in your simulations and work to identify single points of failure before attackers do.”

“Leaders, including boards and the C-suite, must stop treating cybersecurity as an IT line item, as this is an operational risk. And in many cases, it’s a matter of national security. We’re not in the “what if” phase anymore. We’re in the “how bad will it be when it happens” phase.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech: 

“Cybercriminals are always looking for low-hanging fruit, and that includes ill-prepared critical infrastructure. These threats are easy to spot but persistent, so vigilance is key. An organization can avoid it 1,000 times but only needs to slip up once to allow cybercriminals into their network. Once inside, they can steal data and deploy ransomware, among other attacks.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy:

“Unfortunately, the infrastructure in the U.S. is an attractive target for the bad actors of the world. The rise of malware-as-a-service allows unsophisticated hackers to wreak havoc with little effort, often causing unintended consequences in some cases. U.S. oil and gas companies need to modernize and harden their systems. While this won’t be cheap, it will still be more economical than trying to clean up the mess left behind by the bad guys.”

This illustrates that the amount of threat actors looking to launch attacks are only increasing. Thus it’s incumbent on defenders to make sure that potential attacks are mitigated or stopped before they happen.

Yesterday, CISA released a joint advisory on the Medusa Ransomware that provided tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with the ransomware group. As of February 2025, Medusa has impacted over 300 victims across critical infrastructure sectors, including medical, education, law, insurance, technology, and manufacturing.

You can read the advisory here.

 James Winebrenner, CEO at Elisity had this to say:

“The CISA recent advisory on Medusa ransomware really reflects how threat actors are getting smarter and adapting. What particularly concerns me is Medusa’s exploitation of legitimate remote management tools like AnyDesk, ConnectWise, and Splashtop, which are the tools many OT environments rely on for maintenance and support.

Medusa’s attack pattern through the lens of IEC 62443 is a classic example of why proper zone boundary protection (CR 5.2) and network segmentation (CR 5.1) are foundational to industrial control system security. The attackers first perform reconnaissance and then leverage legitimate tools for lateral movement before payload deployment, a pattern that traditional detection methods struggle to identify.

Organizations should implement three technical controls aligned with IEC 62443:

1. Implement proper zones and conduits architecture as specified in IEC 62443-3-2, ensuring critical control systems are isolated and protected from IT networks where initial compromise typically occurs.
2. Apply least privilege principles (CR 7.7) for all network communications. Define granular policies based on asset function and operational context rather than just network location to limit lateral movement.
3. Deploy solutions that can detect anomalous behavior in legitimate tools and enforce zone boundary protection (CR 5.2), focusing on monitoring behavioral patterns rather than just the presence of these tools.

The triple extortion scheme mentioned in the advisory indicates that Medusa actors understand the unique pressures facing critical infrastructure operators. Organizations must treat ransomware as a business risk requiring defense-in-depth strategies across people, process, and technology controls.

With Medusa attacks up 42% according to Symantec, OT security teams should reassess their segmentation strategies and ensure alignment with IEC 62443 standards.”

What this advisory highlights is the fact that this is a today problem and every organization needs to treat it as such. Because an advisory like this would not exist if this ransomware were not a clear and present danger.