Cybersecurity

The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:

ICS Vulnerability Advisories:

• Hitachi Energy IEC 61850 MMS-Server - Product used in Energy Sector

Alerts, Updates, and Bulletins:

While public facing websites are vital for today’s commerce, they also create a security risk that requires on-going diligence. In today's threat landscape, website injection attacks are not as enduringly popular to discuss as ransomware or phishing attacks. However, OWASP lists them as the third most significant risk to web application security, after access control and cryptography.

WaterISAC is tracking open-source reports describing an ongoing supply chain attack against 3CX software and its customers. According to the reports, 3CXDesktopApp — a voice and video conferencing app — was trojanized, potentially leading to multi-staged attacks against users employing the vulnerable app.

The FBI has released a Public Service Announcement warning of the use of Business Email Compromise (BEC) tactics by criminal actors to acquire physical goods from the victim. Instead of impersonating requests for the transfer of money, these attacks spoof purchase orders requesting the distribution of goods to a false company. The goods that the report highlights include construction materials, agricultural supplies, computer technology hardware, and solar energy products. Additionally, some criminals abuse credit repayment to conduct this attack multiple times against a single business.