Cybersecurity

Lockbit Attack on Regional US Agency Comes After Months of Access

Sophos has posted a blog providing an insightful look into the activity of threat actors loitering on victim networks before finally executing a Lockbit ransomware attack. Researchers described how an unknown threat actor spent over five months exploring a “regional US government agency’s” networks after gaining access to them. Their activity was initially amateurish and lackadaisical, before turning professional in the weeks before the ransom, potentially indicating that a novice attacker had penetrated the network and eventually sold the access to a more sophisticated group.

Threat Awareness - Tarrask Malware

Security researchers at Microsoft have uncovered a new malware being employed by the Chinese state-sponsored Hafnium group, which maintains persistence on compromised Windows devices by creating and obfuscating scheduled tasks. The Hafnium group was linked to last year’s worldwide exploitation of the ProxyLogon zero-day flaws that impacted Microsoft Exchange Servers. These threat actors have targeted organizations in multiple critical infrastructure sectors.

ICS/SCADA Threat Advisory – Joint Cybersecurity Advisory Regarding Advanced Cyber Tools Targeting ICS/SCADA Devices

Summary: Given the current threat landscape and recent concerns about the potential for cyberattacks against critical infrastructure, members are highly encouraged to review the following Joint Cybersecurity Advisory regarding newly discovered custom attack tools designed to target ICS/SCADA devices and to address it accordingly. The current advisory warns of tools that have been created to cause damage to the following components:

Microsoft Advises to Patch Now to Address Critical Remote Code Execution Vulnerability for MS-RPC

Action Recommended: Members are strongly encouraged to advise their system administrators to address Microsoft security updates for April 2022. This month’s round of patches includes a critical remote code execution (RCE) vulnerability for an extremely important component of the operating system that allows for arbitrary code execution without authentication or user interaction.

Six Steps to Go Passwordless at Your Organization

While still the most popular method of authentication, passwords suffer significant drawbacks in terms of security and cost as we continue to struggle to create less crackable ones. Dark Reading has written a piece describing six steps organizations can take to transition to passwordless authentication methods, helping to reduce the reliance on humans to create passwords strong enough to limit the occurrence of information and data leaks. First, passwordless programs must start small, instead of attempting to switch the entire organization over at once.

Research Shows BEC Attacks Increased by 84% Between First and Second Half of 2021

Abnormal Security released a blog post on its research into BEC trends, which details the significant rise they’ve observed in BEC attacks between the first and second halves of 2021. Between July and December 2021, 84% more Abnormal customers’ inboxes were targeted by BEC lures, though the tactic itself stayed relatively uncommon, hitting less than one out of one thousand inboxes.

Threat Awareness – Qbot/Qakbot Changes Delivery Tactics

Security researchers have observed the Qbot/Qakbot botnet distributing malware payloads via a new delivery method. The technique involves sending a phishing email that includes a password-protected ZIP archive attachment containing malicious MSI Windows Installer packages. Qakbot, which WaterISAC has reported on numerous times, is a highly modular malware used for many malign activities such as credential harvesting and dropping ransomware.

Another One for the Good Guys – U.S. Government Disrupts Russian Cyclops Blink Botnet Prior to it Being Deployed

Yesterday, the Department of Justice (DOJ) announced the disruption of the Cyclops Blink botnet before it could be used for malicious activity. The malware, dubbed Cyclops Blink, targets WatchGuard Firebox firewall appliances and multiple ASUS router models and has reportedly been operated by the Russian-backed Sandworm group since at least June 2019. Cyclops Blink allows threat actors to establish persistence on a device via firmware updates, providing remote access to compromised networks. The malware is modular, allowing it to be easily upgraded to target new systems.