Yesterday, CISA and the FBI released a Secure by Design Alert, Eliminating OS Command Injection Vulnerabilities, in response to recent well-publicized threat actor campaigns that exploited OS command injection defects in network edge devices to target and compromise users.
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS security advisories, along with additional alerts, updates, and bulletins:
ICS Advisories:
Last week, CISA released a guidance document, “Guide to Operational Security for Election Officials,” which offers an overview of operational security, highlighting potential risks and offering practical mitigation measures. Although the product focuses on election infrastructure, the mitigation guidance is applicable to every critical infrastructure organization.
The following posts are useful for general awareness of current cyber threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.
Critical Infrastructure
The Office of the Director of National Intelligence (ODNI) recently published a graphic depicting the vulnerability to U.S. industrial control systems. The graphic includes top recommendations and guidance from CISA, the EPA, FBI, and WaterISAC. The dataset was provided by the Cyber Threat Intelligence Integration Center (CTIIC) that captures cyber attacks on industrial systems from November 23, 2023 through April 22, 2024.
As data breaches continue to impact organizations at an increasing rate, the importance of effective cyber incident response is more important than ever. WaterISAC is sharing resources and tools to help utilities prepare for and implement this crucial aspect of organizational resilience.
Cybersecurity researchers have recently reported that threat actors leaked a significant compilation of passwords on a popular hacking forum totaling 9.9 billion passwords. The compilation, known as “RockYou2024” was posted by a user named “ObamaCare” on July 4, and boasts the “largest password compilation of all time.” These kinds of sensational headlines are indeed notable. However, it’s important to note that this is not a new development, nor are these believed to all be newly leaked credentials.
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS security advisories, along with additional alerts, updates, and bulletins:
ICS Advisories:
In a notification published today, CISA has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) to release an advisory, People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action (AA24-190A) outlining a PRC state-sponsored cyber group’s activity.
WaterISAC has been made aware of a second phishing attempt against Maine water operators. This time the campaign also targeted well drillers. The campaign was reported to the Maine CDC Drinking Water Program on June 24, 2024, and was observed using a similar template as the prior attempt reported in January 2024 – Threat Advisory – Phishing Campaign Impersonates State CDC Drinking Water Program.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
