ICS cybersecurity firm Dragos is tracking a threat group they dub RASPITE, that is currently actively targeting U.S. electric organizations. RASPITE’s primary focus is on ICS-operating entities; however, the group has not yet demonstrated any capability to disrupt or destroy ICS-specific operations. The group’s primary tactics include strategic web compromise (a.k.a., watering hole) and Windows credential harvesting.
The NCCIC has released an advisory regarding a vulnerability of an improper restriction of operations within the bounds of a memory buffer in AVEVA Wonderware License Server. The vulnerability affects Wonderware License Server v4.0.13100 and prior using the vulnerable Flexara Imgrd (Versions 11.13.1.1 and prior); only users with the Counted Licenses feature with “ArchestrAServer.lic” are affected. Successful exploitation of this vulnerability may result in remote code execution with administrative privileges.
The NCCIC has released an advisory regarding a cross-site scripting (XSS) vulnerability in AVEVA InTouch Access Anywhere remote access software. The vulnerability affects AVEVA InTouch Access Anywhere, 2017 Update 2 and prior that use vulnerable jQuery libraries prior to version 3.0.0. Successful exploitation of this vulnerability may allow attackers to obtain sensitive information and/or execute Javascript or HTML code due to improper neutralization of input during web page generation.
The NCCIC has released an advisory regarding an information exposure through an error message vulnerability in Johnson Controls Metasys and BCPro products. The vulnerability affects Metasys System, Versions 8.0 and prior, and BCPro (BCM), all versions prior to 3.0.2. Successful exploitation of this vulnerability could allow an attacker to obtain technical information about the Metasys or BCPro server, allowing an attacker to target a system for attack.
The NCCIC has released an advisory regarding the use of a password hash with insufficient computational effort vulnerability in Davolink DVW-3200N network switches. All versions of DVW-3200N prior to version 1.00.06 are affected. Successful exploitation of this vulnerability may result in a remote attacker obtaining the password to the device, as the device generates a weak password hash that is easily cracked. Currently there are no known public exploits; however, this vulnerability is remotely exploitable, and could be successfully exploited by an attacker with a low skill level.
Critical infrastructure organizations face cyber threats of all kinds, from state-sponsored and cyber crime actors to traditional IT threats. However, observations have identified common attack methodology and tradecraft regardless of industry. Gary Williams, Senior Director of Cybersecurity Services Offer Management at Schneider Electric, discusses how, while the threats and methods are similar, the uniqueness of OT environments requires security leaders to adopt different defense strategies, including greater employee engagement.
There is no silver bullet in cybersecurity, but some strategies, like network segmentation, provide more bang for the cybersecurity buck. Effective network segmentation requires thorough knowledge about what is in the environment. This knowledge includes information beyond just the endpoints, such as regarding normal operational process workflows, as well as expected network communications. ICS cybersecurity expert Galina Antova discusses the priceless role network segmentation plays in protecting OT networks. Ms.
The Delaware Information & Analysis Center (DIAC) has released a Cyber Alert warning that several state, local, tribal, and territorial governments have reported receiving suspicious envelopes containing malware infected CDs originating from China. Key features of these envelopes include Chinese postmarks, confusingly-worded letters with occasional Chinese characters, and SOCKO brand CD-Rs. DIAC’s alert contains sample photos of a letter, envelope, and CD. Members are encouraged to notify WaterISAC if they receive one of these envelopes.
Demand for malware creation is three times greater than supply, according to research by Positive Technologies into more than 10,000 hack-for-hire and malware-related postings on Dark Web markets. Its analysis included 25 sites on the Dark Web in Russian and English, with a total registered user base of about three million people. The leading type of malware available was cryptocurrency miners (20%), followed by hacking utilities (19%), botnet malware (14%), remote access Trojans (RATs) (12%), and ransomware (12%).
ICS security technology firm, Applied Risk discusses the importance of asset identification in ICS environments. The post explains how to approach asset identification and the benefits of passive monitoring solutions, not only to discover assets, but also for maintaining an up-to-date inventory, highlighting anomalies, and pinpointing operational problems – all while avoiding disruption to critical processes.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
