Russian Hacktivists Increasingly Tamper with Energy and Water System Controls

Overview 

Two Russian hacktivist groups are increasingly targeting critical infrastructure in the U.S. and elsewhere, and their attacks go well beyond the DDoS attacks and website defacements that hacktivist groups typically engage in. 

The groups – the People’s Cyber Army and Z-Pentest – have posted videos to their Telegram channels allegedly showing members tampering with operational technology (OT) controls, most notably in the oil and gas and water system sectors.

Those claims, documented by Cyble dark web researchers, may largely be intended to establish credibility rather than inflict damage on targets, but within the last week Z-Pentest’s claims have escalated to include disrupting one U.S. oil well system. 

The groups have also accessed operational controls for critical infrastructure in other countries, notably Canada, Australia, France, South Korea, Taiwan, Italy, Romania, Germany and Poland, often claiming retaliation for a country’s support for Ukraine in its war with Russia. 

Some of the attacks have been publicly reported – most notably the People’s Cyber Army attacks on water facilities – but Z-Pentest’s claims of energy sector attacks have largely flown under the radar. 

It is not clear how much damage the Russian groups could do or are capable of, but given repeated warnings from U.S. cybersecurity and intelligence agencies about China’s deep penetration of U.S. critical infrastructure, these environments should be considered deeply vulnerable and strengthened accordingly. 

Z-Pentest’s Activities 

Z-Pentest appears to have been active only since October, but in those two months Cyble’s dark web research team has recorded 10 claims of attacks by the group, all involving accessing control panels in critical infrastructure environments. Their main Telegram channel was recently shut down but the group maintains a presence on X and claims to be based in Serbia. 

Z-Pentest’s most recent claim involved disrupting critical systems at an oil well site, including systems responsible for water pumping, petroleum gas flaring, and oil collection. A 6-minute screen recording shows detailed screenshots of the facility’s control systems, showing tank setpoints, vapor recovery metrics, and operational dashboards, allegedly accessed and changed during the breach. It is not clear where that oil facility is located, but the other two U.S. oil facility claims appear to correspond with known locations and companies. 

In one of the other two claimed attacks, the threat group released a 4-minute screen recording where they accessed a range of operational controls (identifying information removed from example below). 

While the hackers may well be accessing sensitive environments, it is not clear how much damage they could do. Programmable logic controllers (PLCs), for example, often include safety features that can prevent damaging actions from occurring, but the fact that such environments are accessible to threat actors is nonetheless concerning. 

Cyble has in general observed increased threat activity targeting the energy sector in recent months. Dark web claims and ransomware attacks have increased, and network access and zero-day vulnerabilities have been offered for sale on dark web marketplaces. Cyble has observed instances where credentials for energy network access were offered for sale on the dark web before larger breaches and attacks occurred, suggesting that monitoring for credential leaks may be an important defense for preventing larger breaches later.

People’s Cyber Army Activities 

The better-known People’s Cyber Army (PCA) – also known as the Cyber Army of Russia Reborn – has also been targeting critical infrastructure controls in the U.S. and elsewhere, and there have been some suggestions that PCA and Z-Pentest may be working together. While many of the group’s activities have involved DDoS attacks, recent claims have included access to the control panels of a U.S. environmental cleanup company and water systems in Texas and Delaware. 

Water and wastewater systems are considered particularly vulnerable by some OT security specialists, in part because communities are ill-equipped to go without them for any length of time.

The People’s Cyber Army struck twice in late August and September, releasing screen recordings showing the group tampering with system settings on control panels at the Stanton Water Treatment Plant in Stanton, Texas, and at water towers in New Castle, Delaware (images below).

Image above: Stanton Water Treatment Plant attack 

Image above: Delaware water tower attack 

In the Texas case, the hackers were able to open valves and release untreated water, but otherwise no damage is believed to have occurred. 

In all, Cyble has documented eight water system attacks by the People’s Cyber Army this year in the U.S. and elsewhere, including a January attack that caused water storage tanks to overflow in Abernathy and Muleshoe, Texas. The group has been targeting Ukraine’s allies since 2022, and was sanctioned by the U.S. government in July 2024.

Conclusion 

Security weaknesses in critical infrastructure organizations are by now a well-documented phenomenon, but the recent spate of attacks targeting energy and water facilities suggests a concerning escalation in the exploitation of these vulnerable environments. The emergence of Z-Pentest as a new threat actor in this space should be taken seriously, as the group has demonstrated an apparent ability to penetrate these environments and access – and tinker with – operational control panels. 

Critical infrastructure environments often cannot afford downtime, and end-of-life devices often remain in service long after support has ended. With those challenges in mind, below are some general recommendations for improving the security of critical environments: 

  1. Organizations should follow ICS/OT vulnerability announcements and apply patches as soon as they become available. Staying up to date with vendor updates and security advisories is critical to ensuring that vulnerabilities are addressed promptly.

  2. Segregating ICS/OT/SCADA networks from other parts of the IT infrastructure can help prevent lateral movement in case of a breach. Implementing a Zero-Trust Architecture is also advisable to limit the potential for exploitation. Devices that do not need to be exposed to the internet should not be, and those that require web exposure should be protected to the extent possible.

  3. Regular cybersecurity training for all personnel, particularly those with access to Operational Technology (OT) systems, can help prevent human error and reduce the risk of social engineering attacks.

  4. Ongoing vulnerability scanning and penetration testing can help identify and address weaknesses before attackers exploit them. Engaging threat intelligence services and staying updated with vulnerability intelligence reports is essential for proactive defense.

  5. Developing a robust incident response plan and conducting regular security drills ensures that organizations are prepared for a quick and coordinated response to any security incidents that may arise.

The post Russian Hacktivists Increasingly Tamper with Energy and Water System Controls appeared first on Cyble.

Blog – Cyble – Read More

Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware

The threat actor known as Gamaredon has been observed leveraging Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting a malware called GammaDrop.
The activity is part of an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024 that’s designed to drop the Visual Basic Script malware, Recorded Future’s Insikt Group said in a new analysis.

The Hacker News – Read More

CISA Updates Known Exploited Vulnerabilities Catalog, Adding 3 Critical Flaws

Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding three critical flaws that are currently being actively exploited. These vulnerabilities impact a range of products, from industrial control systems (ICS) to web-based applications. The newly added vulnerabilities include CVE-2023-45727, CVE-2024-11680, and CVE-2024-11667, each affecting high-profile systems in industries such as manufacturing, telecommunications, and energy. 

The first flaw added to the Known Exploited Vulnerabilities (KEV) catalog, CVE-2023-45727, affects North Grid’s Proself product suite, including versions prior to 5.62 of Proself Enterprise/Standard Edition, 1.65 of Proself Gateway Edition, and 1.08 of Proself Mail Sanitize Edition. The second vulnerability, CVE-2024-11680, affects ProjectSend, an open-source file management application.  

The last vulnerability, CVE-2024-11667, impacts several Zyxel firewall products, including the ATP series, USG FLEX series, USG FLEX 50(W), and USG20(W)-VPN series, with versions prior to 5.38 being affected. Organizations using these products are urged to apply patches promptly to mitigate the risks associated with these vulnerabilities. 

Technical Details of the Vulnerabilities 

CVE-2023-45727: Proself Vulnerability in North Grid Proself Systems 

One of the newly cataloged vulnerabilities, CVE-2023-45727, affects North Grid Corporation’s Proself product suite. Specifically, the vulnerability is found in versions prior to 5.62 of Proself Enterprise/Standard Edition, 1.65 of Proself Gateway Edition, and 1.08 of Proself Mail Sanitize Edition. The flaw is an improper restriction of XML External Entity (XXE) processing, which a remote, unauthenticated attacker can exploit.

By submitting specially crafted XML data, attackers can gain access to sensitive files, including those containing account information. This opens the door for data theft or manipulation. The CVSS score for CVE-2023-45727 is notably high, signaling the severity of this flaw. 

CVE-2024-11680: ProjectSend Authentication Vulnerability 

CVE-2024-11680 addresses an issue in ProjectSend, an open-source file management application. Versions prior to r1720 of ProjectSend are vulnerable to improper authentication, allowing attackers to send malicious HTTP requests to the application’s configuration files. 

Exploiting this flaw, attackers can bypass authentication mechanisms and gain unauthorized access to modify system configurations, create new accounts, and upload malicious content such as webshells and embedded JavaScript.

The critical nature of this vulnerability is highlighted by its CVSS score of 9.8, categorizing it as a high-risk flaw with the potential for extensive compromise if left unaddressed. Remote attackers do not require prior access or authentication to exploit this vulnerability, making it even more dangerous to organizations using ProjectSend versions below r1720. 

CVE-2024-11667: Zyxel Path Traversal in Multiple Firewalls 

The third vulnerability in CISA’s latest update is CVE-2024-11667, which affects several Zyxel firewall products. Specifically, the flaw resides in the web management interface of ATP series and USG FLEX series firewalls, as well as USG FLEX 50(W) and USG20(W)-VPN series devices. Versions of these products prior to 5.38 are susceptible to a path traversal vulnerability, which allows attackers to manipulate file paths and potentially download or upload arbitrary files. 

The flaw could allow attackers to access sensitive files or upload malicious software onto affected devices. With a CVSS score of 7.5, this vulnerability is deemed high-risk but not as critical as CVE-2024-11680. However, for organizations relying on Zyxel products to secure their networks, addressing this flaw is essential to prevent unauthorized access and maintain the integrity of their firewalls. 

Sector-Wide Impact of Known Exploited Vulnerabilities 

These newly cataloged vulnerabilities underscore the ongoing risks to industrial control systems (ICS) and critical infrastructure. For example, flaws in systems like Proself, ProjectSend, and Zyxel firewalls can expose vulnerable systems to a range of cyberattacks, including unauthorized access, data exfiltration, and service disruption. Such vulnerabilities are particularly concerning for sectors like energy, critical manufacturing, and telecommunications, where any disruption can have far-reaching consequences.

With CVE-2023-45727, CVE-2024-11680, and CVE-2024-11667 now added to the list of Known Exploited Vulnerabilities, organizations using these products must adopt upgraded cybersecurity measures to defend against attacks. Organizations are strongly encouraged to follow best practices in patch management, including regularly applying vendor-issued patches and updates.  

For example, users of Proself should upgrade to newer versions that address the XXE vulnerability, while ProjectSend users should ensure they are running r1720 or later. Additionally, Zyxel firewall users should promptly update firmware versions to mitigate the path traversal flaw. 
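To make the version thresholds above actionable, here is an added example (not Cyble’s or CISA’s code) that flags inventory entries running a version below the fixed releases named in this post; the product labels, the CSV inventory format and the numeric-comparison rule for version parts are assumptions.

```python
"""Flag inventory rows that fall below the fixed versions for the three KEV entries.

Added example, not code from Cyble or CISA. Inventory rows are constructed.
"""
import re

# First fixed version per product, as stated in the post; anything lower is affected.
# Product labels are assumptions used to key the constructed inventory.
KEV_FIXED = {
    ("CVE-2023-45727", "Proself Enterprise/Standard Edition"): "5.62",
    ("CVE-2023-45727", "Proself Gateway Edition"): "1.65",
    ("CVE-2023-45727", "Proself Mail Sanitize Edition"): "1.08",
    ("CVE-2024-11680", "ProjectSend"): "r1720",
    ("CVE-2024-11667", "Zyxel ATP/USG FLEX firmware"): "5.38",
}

def version_key(version):
    """Turn '5.62', '1.08' or 'r1720' into a tuple of ints for comparison.

    A leading 'r' (ProjectSend revisions) is dropped and each dotted part is
    compared numerically, so '5.8' sorts below '5.38' (plain string comparison
    would invert that). Numeric-part comparison is an assumption about the
    vendors' schemes, not something the post states.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))

def is_affected(product, version):
    """Return the CVE id when the product version is below the fixed version, else None."""
    for (cve, name), fixed in KEV_FIXED.items():
        if name == product and version_key(version) < version_key(fixed):
            return cve
    return None

def scan_inventory(rows):
    """rows: 'hostname,product,version' strings; returns (host, product, version, cve) hits."""
    findings = []
    for row in rows:
        host, product, version = [field.strip() for field in row.split(",")]
        cve = is_affected(product, version)
        if cve:
            findings.append((host, product, version, cve))
    return findings

SAMPLE_INVENTORY = [  # constructed rows, not real hosts
    "fw-edge-01, Zyxel ATP/USG FLEX firmware, 5.37",
    "fw-edge-02, Zyxel ATP/USG FLEX firmware, 5.38",
    "share-01, ProjectSend, r1605",
    "share-02, ProjectSend, r1720",
    "proself-gw-01, Proself Gateway Edition, 1.60",
]

if __name__ == "__main__":
    for host, product, version, cve in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version for {cve}")
```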

Mitigation and Recommendation Strategies 

To mitigate the risks associated with these vulnerabilities, organizations are advised to implement several key cybersecurity measures: 

  1. Ensure that all systems are regularly updated with the latest security patches to reduce the risk of exploitation from Known Exploited Vulnerabilities.

  2. Adopt a zero-trust model where all access requests are treated as potentially hostile, requiring stringent verification before granting access.

  3. Segment networks to contain potential breaches and prevent attackers from moving laterally through critical systems.

  4. Implement multi-factor authentication (MFA) to protect sensitive systems and reduce the likelihood of unauthorized access.

  5. Regularly conduct vulnerability scans, penetration testing, and security audits to identify and address weaknesses before they can be exploited.

Conclusion 

The recent updates to CISA’s Known Exploited Vulnerabilities catalog highlight the urgency to address critical security flaws in widely used products. The vulnerabilities in North Grid’s Proself, ProjectSend, and Zyxel firewall systems can expose businesses to a range of cyber threats, including unauthorized access, data theft, and system manipulation.  

As these vulnerabilities can be leveraged for cyberattacks, organizations must apply timely patches, follow best practices in patch management, and adopt cybersecurity strategies. Implementing security measures such as multi-factor authentication, network segmentation, and regular vulnerability assessments will help organizations protect against potential breaches and reduce the risk of exploitation. 

The post CISA Updates Known Exploited Vulnerabilities Catalog, Adding 3 Critical Flaws appeared first on Cyble.

Blog – Cyble – Read More

Critical Vulnerability Discovered in SailPoint IdentityIQ

A critical directory traversal vulnerability in the SailPoint IdentityIQ IAM platform exposes restricted files to attackers.

The post Critical Vulnerability Discovered in SailPoint IdentityIQ appeared first on SecurityWeek.

SecurityWeek – Read More

Russia’s ‘BlueAlpha’ APT Hides in Cloudflare Tunnels

Cloudflare Tunnels is just the latest legitimate cloud service that cybercriminals and state-sponsored threat actors are abusing to hide their tracks.

darkreading – Read More

Chinese Hackers Breach US Firm, Maintain Network Access for Months

A large U.S. company with operations in China fell victim to a large-scale cyberattack earlier this year,…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More

Library of Congress Offers AI Legal Guidance to Researchers

Researchers testing generative AI systems can use prompt injection, re-register after being banned, and bypass rate limits without running afoul of copyright law.

darkreading – Read More

Bypass Bug Revives Critical N-Day in Mitel MiCollab

A single barrier prevented attackers from exploiting a critical vulnerability in an enterprise collaboration platform. Now there’s a workaround.

darkreading – Read More

US org with ‘significant presence in China’ targeted by hackers, Symantec says

The cybersecurity firm did not name the company but said the attack was “likely carried out by a China-based threat actor, since some of the tools used in this attack have been previously associated with Chinese attackers.”

The Record from Recorded Future News – Read More

Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges

At least 17 affiliate groups have used the “DroidBot” Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn.

darkreading – Read More