< ciso
brief />
Tag Banner

All news with #critical infrastructure tag

400 articles · page 13 of 20

CISA Releases Nine ICS Advisories Covering Multiple Vendors

🔔 CISA published nine Industrial Control Systems (ICS) advisories on 2025-12-18 that detail current security issues, vulnerabilities, and known exploits affecting a range of vendors and products. The advisories cover Inductive Automation Ignition, Schneider Electric EcoStruxure Foxboro DCS Advisor, National Instruments LabView, Mitsubishi Electric components, Siemens IP-Stack, Advantech WebAccess/SCADA, Rockwell Automation Micro controllers, Axis Communications Camera Station offerings, and an updated notice for Mitsubishi Electric CNC Series (Update C). Each advisory provides technical details, impact assessments, and recommended mitigations for administrators and asset owners. CISA urges users to review the advisories promptly and implement the suggested mitigations to reduce operational risk.
read more →

Raspberry Pi Attack Exposes Gaps in Physical Security

🔌 A Raspberry Pi with a cellular modem was discovered plugged into a French ferry's internal network as it prepared to sail from Sète to Algeria; investigators told Bloomberg that network segmentation and the absence of remote access to critical controls prevented lateral movement and possible sabotage. Security experts warn such rogue devices can create a new internal perimeter that bypasses monitored gateways and render SOCs blind if traffic exits over cellular. Recommended mitigations include 802.1X authentication, disabling unused switch ports by default, physical port locks and tamper-evident measures, deployment of advanced NACs and physical-layer fingerprinting tools like Sepio, and capturing a device's network traffic for forensic analysis before physical removal.
read more →

Raspberry Pi on Ferry Prompts CISO Wake-Up on Security

🔒 In mid-December, a Raspberry Pi paired with a cellular modem was found attached to a ferry owned by the Mediterranean Shipping Company, apparently intended to give remote access to the vessel’s internal network. Robust segmentation and disabled remote access to critical control systems prevented lateral movement and a potential sabotage scenario. Analysts warn many organizations remain vulnerable because physical security and port-level controls are often overlooked, and they recommend stronger NAC, 802.1X enforcement, port locks, and continuous external infrastructure monitoring.
read more →

Deliberate Internet Shutdowns: Rising Global Trend

🌐 The Taliban ordered a two‑day nationwide internet blackout in Afghanistan in September, cutting emergency communications, grounding flights, and interrupting banking. That incident is part of a global surge: Access Now and the #KeepItOn coalition documented 296 deliberate shutdowns in 2024 and at least 244 more in 2025 so far. Shutdowns range from full national cuts to targeted platform blocks and throttling, and are increasingly used for political, military, and social control. Workarounds like VPNs, mesh networks, and satellite terminals help some, but for most people loss of connectivity means loss of essential services and civil liberties.
read more →

CISA Guide Helps Stadiums Mitigate Lifeline Disruptions

🏟 CISA released the Venue Guide for Mitigating Dependency Disruptions to help stadium and arena owners reduce operational risk from outages in Energy, Water and Wastewater, Communications, and Transportation. Developed with government and industry partners, the concise, actionable resource offers baseline strategies, assessment steps, and partnership guidance tailored for major events including FIFA World Cup 2026 and the 2028 Summer Olympics. It encourages venues to assess lifeline dependencies, integrate contingency plans, and coordinate with local service providers and CISA Security Advisors to strengthen operational resilience.
read more →

Russian APT Targets Energy and Critical Infrastructure

🔎 Amazon Threat Intelligence reports a Russian state-sponsored cyber espionage team has increasingly targeted energy providers and other critical infrastructure, operating since at least 2021. The actors have shifted toward exploiting device misconfigurations while continuing to leverage known vulnerabilities such as CVE-2022-26318, CVE-2021-26084, CVE-2023-22518 and CVE-2023-2753. Observed tradecraft includes compromise of network-edge devices hosted on AWS EC2, passive credential capture and credential-replay attacks to move laterally across victim environments. Amazon provides indicators of compromise and specific mitigation guidance, including configuration audits, isolation of management interfaces and deployment of multi-factor authentication.
read more →

Russian APT Shifts to Network Edge Device Misconfigurations

🔍 A Russian state-sponsored cyberespionage group has shifted to exploiting misconfigurations in network-edge devices to target energy companies and critical infrastructure. Amazon Threat Intelligence found the actor, active since at least 2021, pivoted from known CVEs to passive credential harvesting via compromised routers, VPN concentrators and management appliances. Telemetry shows overlaps with GRU-linked Sandworm and Bitdefender’s Curly COMrades, with attackers intercepting traffic to replay credentials. Amazon urges audits of edge devices, isolation of management interfaces, enforcement of MFA and monitoring for anomalous authentication.
read more →

Amazon Disrupts GRU Hackers Targeting Edge Devices

🔒 Amazon Threat Intelligence disrupted active operations attributed to GRU-linked hackers who targeted customer cloud infrastructure by abusing misconfigured edge devices. The multi-year campaign, observed since 2021 and focused on Western critical infrastructure and the energy sector, shifted in 2025 from zero-day exploitation to targeting exposed management interfaces on routers, VPN gateways, and network management appliances. Amazon isolated compromised EC2 instances, shared indicators, and advised audits, credential monitoring, and AWS controls like isolating management interfaces, restricting security groups, and enabling CloudTrail, GuardDuty, and VPC Flow Logs.
read more →

Cyberattack disrupts Venezuelan oil giant PDVSA's operations

🛢️ Petróleos de Venezuela (PDVSA) reported a weekend cyberattack it says was restricted to administrative systems and did not affect operational areas, asserting continuity via secure protocols. Despite that assertion, internal memos and multiple sources cited by Bloomberg and Reuters indicate staff were ordered to disconnect and that systems managing the main crude terminal remained offline. PDVSA publicly blamed the United States and domestic conspirators for the incident.
read more →

Amazon Reveals Years-Long GRU Campaign Targeting Energy

🛡️ Amazon's threat intelligence team disclosed a years-long campaign tied with high confidence to the GRU-affiliated APT44 (also tracked as FROZENBARENTS/Sandworm), which targeted Western critical infrastructure from 2021–2025. The actor shifted from zero-day exploitation to abusing misconfigured customer network edge devices and exposed management interfaces on AWS-hosted instances, enabling packet capture, credential harvesting, and credential replay against energy, telecom, and cloud providers. Amazon observed exploitation of WatchGuard (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532), notified affected customers, disrupted active operations, and recommended audits, stronger authentication, and monitoring for unexpected access and credential replay.
read more →

Güralp Web Interface DoS Vulnerability (CVE-2025-14466)

⚠️ A vulnerability in the web interface of Güralp Systems Fortimus, Minimus, and Certimus Series (CVE-2025-14466) allows an unauthenticated network attacker to send specially crafted HTTP requests that cause the web service process to restart. The restart produces a brief denial-of-service condition with a CVSS v3.1 base score of 5.3 (Medium). Güralp recommends operating affected systems behind a NAT or VPN firewall and contacting the vendor for further guidance. CISA advises minimizing network exposure, isolating control networks, and using secure, up-to-date remote access methods.
read more →

Hitachi Energy RADIUS MD5 Vulnerability (CVE-2024-3596)

⚠️ A critical vulnerability (CVE-2024-3596, CVSS 9.0) in Hitachi Energy AFS/AFR/AFF series RADIUS implementations allows a local attacker to forge valid RADIUS responses by exploiting an MD5 chosen-prefix collision against the response authenticator. Successful exploitation can compromise product data integrity and disrupt availability. Hitachi Energy recommends immediately enabling the RADIUS message authenticator option; vendor-specific CLI commands and MIB objects vary by product family.
read more →

CISA Releases Seven ICS Advisories on Multiple Products

🛡️ CISA has published seven new Industrial Control Systems advisories detailing vulnerabilities and guidance for affected products. The advisories cover Güralp Systems, Johnson Controls, Hitachi Energy, Mitsubishi Electric, and Fuji Electric, including updates to previously released notices. Administrators are urged to review technical details, apply vendor mitigations, and implement compensating controls to reduce operational risk.
read more →

Johnson Controls PowerG Vulnerabilities and Mitigations

🔒 CISA warns that multiple vulnerabilities in Johnson Controls PowerG implementations could let attackers read, modify, or replay encrypted wireless traffic. Affected devices include IQPanel 4, legacy IQPanel 2/2+, and IQHub with referenced CVEs CVE-2025-61738, CVE-2025-61739, CVE-2025-26379, and CVE-2025-61740. Vendor fixes (IQPanel 4.6.1, PowerG v53.05+) and secure enrollment practices are recommended, and end-of-life hardware should be replaced.
read more →

Amazon: Russian GRU Group Targets Western Infrastructure

🔐 Amazon Threat Intelligence details a multi-year, state-sponsored Russian campaign—assessed as GRU-linked—that targeted Western critical infrastructure, especially the energy sector, from 2021 through 2025. The actor shifted from exploiting N-day/zero-day flaws to abusing misconfigured customer network edge devices (including EC2-hosted appliances) to intercept credentials and gain persistent access. Amazon observed packet-capture based credential harvesting and subsequent credential replay attempts, with infrastructure overlaps linked to clusters tracked as Curly COMrades and Sandworm. Recommended mitigations include auditing edge devices, enforcing strong authentication, monitoring for credential replay, and applying AWS-specific controls.
read more →

Maritime Cyber Crisis: US Ports at Systemic Risk Now

🛳️ A single vessel carrying orange juice concentrate illustrates systemic risk at US ports: one weekly ship supplies millions and a localized outage would ripple across supply chains. Recent policy gaps — a furlough of CISA/FEMA staff and the lapse of the Cybersecurity Information Sharing Act — increase exposure, while nation-state malware is reportedly pre-positioned. New Title 33 CFR mandates and scarce maritime cybersecurity talent create urgent operational shortfalls; facilities must prioritize practical resilience testing, penetration tests, and cross-sector collaboration.
read more →

Legacy BMS Exposure: Over 1,000 Buildings at Systemic Risk

⚠️ The Black Hat Europe 2025 talk by Gjoko Krstic of Zero Science Lab revealed that a widely deployed building management system, evolved through multiple acquisitions, now exposes over 1,000 buildings on public IPs and contains numerous long-standing vulnerabilities. Many issues trace back to an 18-year-old firmware codebase and to fixes that patched symptoms rather than root causes. The vendor recommends securing the platform behind a VPN; organizations should audit, patch and restrict access immediately.
read more →

Johnson Controls iSTAR Controllers: OS Command Injection

🔒 Johnson Controls disclosed two OS command injection vulnerabilities (CVE-2025-43873, CVE-2025-43874) affecting multiple iSTAR Ultra, iSTAR Ultra G2, and iSTAR Edge G2 door controller firmware versions. Successful exploitation could allow remote attackers to execute OS commands, modify firmware, and gain full device control. Both issues are rated high severity (CVSS v3.1 8.8; CVSS v4 8.7) and are exploitable with low attack complexity. Users are advised to apply vendor firmware updates and reduce network exposure immediately.
read more →

Siemens Energy Services G5 Authentication Bypass Advisory

🔒 Siemens Energy Services Elspec G5 devices (firmware up to 1.2.2.19) contain an authentication bypass that lets an attacker with physical access reset the Admin password by inserting a USB drive with a documented reset string. The flaw is tracked as CVE-2025-59392 (CVSS v4: 7.0; CVSS v3.1: 6.8) and is not remotely exploitable. Siemens recommends updating to V1.2.3.13 or later and following operational security guidance.
read more →

Johnson Controls iSTAR: Remote OS Command Flaws Discovery

🔒 Johnson Controls disclosed two command-injection vulnerabilities in its iSTAR series (CVE-2025-43875, CVE-2025-43876). Both are classified as CWE-78 and carry high severity (CVSS v3.1 8.8; CVSS v4 8.7), exploitable remotely with low complexity. Johnson Controls and CISA advise upgrading affected devices to the fixed firmware and applying network isolation and secure remote-access controls.
read more →