Washington Attorney General Sues T-Mobile Over 2021 Data Breach

Washington State Attorney General Bob Ferguson has filed a lawsuit against T-Mobile over a 2021 data breach that impacted over 76 million consumers.

The post Washington Attorney General Sues T-Mobile Over 2021 Data Breach appeared first on SecurityWeek.

Dell, HPE, MediaTek Patch Vulnerabilities in Their Products

MediaTek, HPE and Dell release advisories to inform customers about potentially serious vulnerabilities found and patched in their products.

The post Dell, HPE, MediaTek Patch Vulnerabilities in Their Products appeared first on SecurityWeek.

MyCERT Advisory Recommends Cybersecurity Practices for Water Systems

Cyble | MyCERT advisory

Overview 

The water sector is experiencing a rise in cyber threats, with critical infrastructure, including both IT and operational technology (OT) systems, becoming primary targets for malicious actors. These attacks, which exploit vulnerabilities in internet-facing OT systems and industrial control systems (ICS), pose cybersecurity risks to public health, business continuity, and national security.  

MyCERT, the Malaysian Computer Emergency Response Team, has issued MA-1228.012025, an advisory aimed at raising awareness of cybersecurity risks in the water sector and providing recommended mitigation strategies. While no cyber incidents have been reported in Malaysia’s water systems, the MyCERT advisory stresses the importance of vigilance and proactive defense strategies. 

MyCERT Advisory Highlights the Growing Cybersecurity Threat to Water Systems 

Water systems control essential services such as pumping stations, chlorination processes, and valves, all of which are critical to public health and safety. However, older systems with outdated software and weak security measures are increasingly susceptible to cyber-attacks. Many of these attacks exploit simple security weaknesses, such as default passwords and unprotected access points, enabling attackers to gain unauthorized access to sensitive systems. 

Cyberattacks targeting water systems can take many forms, from ransomware attacks demanding payment to prevent data exposure, to more insidious breaches targeting programmable logic controllers (PLCs) and other ICS devices. While large utilities have strengthened their defenses, smaller systems remain especially vulnerable. 

The October 2024 cyber incident involving American Water in New Jersey is one such example. Although the attack did not result in operational disruptions at American Water’s facilities, it underscores the cybersecurity vulnerabilities in the sector. The attack primarily affected computer networks and administrative systems, underlining the necessity for water utilities worldwide, including those in Malaysia, to enhance their security measures. 

Potential Impacts of Cyberattacks on Water Systems 

Cybersecurity incidents in the water sector can have a wide range of destructive consequences, both direct and indirect. Among the most concerning impacts are: 

  • Cyberattacks can interfere with the normal functioning of water systems, leading to delays in water treatment, pumping, and distribution processes. 
  • If attackers gain control of critical water system functions, they could contaminate drinking water or improperly manage chemicals, posing serious risks to public health. 
  • Industries relying on water, such as agriculture and manufacturing, could face operational shutdowns, leading to economic losses. 
  • Attackers who gain access to sensitive water system data could compromise confidential information, resulting in reputational damage and erosion of public trust. 
  • Ransomware attacks exploit vulnerabilities in water systems to hold sensitive data hostage. If ransoms are not paid, attackers may leak confidential data, including trade secrets and personal information, leading to further harm. 
  • Recovering from a cyberattack often involves substantial costs, including expenses for system restoration, legal fees, and potential fines for data breaches. 

MyCERT Advisory for Securing Water Systems 

To mitigate the cybersecurity risks facing water systems, MyCERT has outlined a series of best practices aimed at improving resilience and reducing the likelihood of successful attacks. Water system administrators are encouraged to follow these guidelines to protect critical assets: 

  1. Immediately replace default passwords with strong, unique passwords. This is one of the most basic yet effective steps to secure systems. 
  2. Minimize the number of critical systems exposed to the public internet, thereby reducing the attack surface for potential threats. 
  3. Ensure that user accounts have access only to the data and systems necessary for their role. This can limit the damage caused by compromised accounts. 
  4. MFA provides an added layer of security by requiring additional verification steps before granting access to critical systems. 
  5. Apply network segmentation in water treatment facilities to isolate key systems from non-essential systems, preventing widespread damage in the event of an attack. 
  6. Ensure that all systems, both OT and IT, are updated with the latest security patches and antivirus definitions. This is crucial to defending against known vulnerabilities. 
  7. Perform daily backups of both OT and IT systems and store backup copies in remote locations. Regularly test backup processes to ensure they function correctly during a disaster recovery scenario. 
  8. Provide annual cybersecurity training for all staff members, ensuring they understand the latest threats and how to avoid common pitfalls like phishing or clicking on malicious links. 
  9. Regularly update disaster recovery and business continuity plans to account for emerging threats and vulnerabilities. Ensure these plans are well-practiced in the event of an actual breach. 

Conclusion  

The MyCERT advisory emphasizes the need to strengthen cybersecurity in Malaysia’s water systems, which are crucial for public health and the economy. As these systems become more digital and interconnected with sectors like agriculture and manufacturing, their exposure to cyber risks grows. 

By adopting best practices like updating passwords, using multi-factor authentication, and applying security patches, water utilities can improve defenses against cyber threats. MyCERT encourages staying updated on cybersecurity developments and conducting regular assessments. While Malaysia has not faced major cyber incidents in water systems, the rising threats require vigilance. Platforms like Cyble, with AI-driven threat intelligence, help protect these vital infrastructures. 

The post MyCERT Advisory Recommends Cybersecurity Practices for Water Systems appeared first on Cyble.

CISA: No Federal Agency Beyond Treasury Impacted by BeyondTrust Incident

CISA says no federal agencies other than Treasury were impacted by the recent compromise of a BeyondTrust cloud-based service.

The post CISA: No Federal Agency Beyond Treasury Impacted by BeyondTrust Incident appeared first on SecurityWeek.

US Telecom Breaches Widen as 9 Firms Hit by Chinese Salt Typhoon Hackers

The Wall Street Journal reports that Charter, Consolidated, and Windstream have been added to the growing list of…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News

University’s Critical Infrastructure Ransomware Attack Tracker Reaches 2,000 Incidents

Temple University’s Critical Infrastructure Ransomware Attacks (CIRA) database now contains over 2,000 entries.

The post University’s Critical Infrastructure Ransomware Attack Tracker Reaches 2,000 Incidents appeared first on SecurityWeek.

Tenable Nessus Bug and LDAP RCE: What You Need to Know

Cyble | JoCERT

Overview 

JoCERT has alerted the global cybersecurity community about two critical issues requiring urgent attention from IT professionals and system administrators. The first involves Tenable Nessus Agents, a widely used vulnerability scanning tool, while the second concerns a critical vulnerability in Windows Lightweight Directory Access Protocol (LDAP), potentially leading to remote code execution (RCE). Both incidents emphasize the need for prompt action and a proactive approach to cybersecurity. 

This blog will provide a detailed overview of the incidents, their impacts, and recommended resolution steps to help organizations mitigate potential risks. 

Incident 1: Tenable Nessus Agent Outage 

Incident Overview 

On December 31, 2024, Tenable Nessus Agent versions 10.8.0 and 10.8.1 encountered a critical issue due to a faulty differential plugin update. This bug disrupted systems across multiple regions, including the Americas, Europe, and Asia, leaving Nessus agents offline and unable to perform their core function—vulnerability scanning. The root cause was a rare race condition triggered during plugin updates, which led to the simultaneous compilation of interdependent libraries. 

Impact 

  • Nessus agents running versions 10.8.0 and 10.8.1 stopped functioning, rendering them incapable of conducting vulnerability scans. 

  • Tenable temporarily disabled plugin feed updates for these versions to prevent further issues. 

  • Organizations relying on these agents for vulnerability management faced significant disruptions. 

Resolution Steps 

To address the issue, Tenable provided the following guidance: 

  1. Upgrade or Downgrade Agents 

  • Upgrade to Nessus Agent version 10.8.2. 

  • Downgrade to version 10.7.3 if upgrading is not feasible. 

  2. Plugin Reset 

  • If using agent profiles for updates, a plugin reset is necessary to recover offline agents. This can be achieved using either of the following methods: 

  • Use a script provided in the Tenable release notes. 

  • Execute the nessuscli reset command. 

  3. Manual Upgrade Process 

  • Download the Tenable Nessus Agent 10.8.2 or 10.7.3 installation package. 

  • Manually upgrade or downgrade agents using the install package. 

  4. Recommendations for Long-Term Management 

  • Maintain rigorous change management processes to minimize risks associated with tool updates. 

  • Consider retaining older, stable software versions for quick rollback scenarios. 

Key Fixes in Nessus Agent Version 10.8.2 

  • Resolved issues causing agents to crash under specific error conditions. 

  • Addressed the race condition that caused agents to go offline following a plugin update. 

Additional Notes 

Organizations should review their network configurations to ensure uninterrupted communication between Nessus agents and Tenable’s infrastructure. For instance, domain allow lists must include *.cloud.tenable.com to ensure compatibility with Tenable’s new domains, reducing operational overhead. 

Incident 2: Windows LDAP Remote Code Execution Vulnerability (CVE-2024-49113) 

Incident Overview 

Microsoft disclosed a critical vulnerability, CVE-2024-49113, impacting the Lightweight Directory Access Protocol (LDAP). LDAP is integral to Microsoft’s Active Directory, facilitating the access and maintenance of directory services. The vulnerability could potentially allow Remote Code Execution (RCE), enabling attackers to exploit directory services and compromise sensitive systems. 

Impact 

An attacker could exploit the vulnerability to: 

  • Execute arbitrary code on the targeted system. 

  • Disrupt directory services, leading to a Denial of Service (DoS). 

  • Compromise sensitive organizational data stored in Active Directory. 

Mitigation Steps 

Microsoft has provided mitigations to reduce the risk associated with this vulnerability. Organizations are advised to: 

  1. Apply Patches Immediately 

  • Ensure the latest security patches are applied to all systems using LDAP services. 

  2. Enhance Security Configurations 

  • Limit access to LDAP servers to trusted entities. 

  • Implement mutual authentication to verify both the server and client identities. 

  3. Monitor for Malicious Activity 

  • Regularly audit LDAP logs for suspicious activity. 

  • Deploy intrusion detection/prevention systems (IDS/IPS) to monitor LDAP traffic. 

  4. Train Employees 

  • Educate users on identifying and avoiding phishing attempts that could lead to LDAP exploitation. 

Key Recommendations 

Applying these mitigations will reduce the likelihood of attackers successfully convincing victims to connect to malicious servers. Organizations should regularly review and update their security protocols to address evolving threats. 

Technical Analysis and Key Learnings 

Tenable Nessus Incident 

The Tenable Nessus outage points to the importance of thorough testing before deploying updates to critical systems. The race condition caused by simultaneous compilation of interdependent libraries could have been identified with more comprehensive testing under varied conditions. This incident highlights the need for: 

  • Strong QA Processes: Test updates across different environments before release. 

  • Fail-Safe Mechanisms: Implement automatic rollbacks or sandboxing for plugin updates to prevent widespread outages. 
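As an added illustration of the fail-safe and rollback points above (this is example code written for this page, not Tenable's own tooling), the following POSIX shell script stages a plugin release, activates it, runs a check against the live path an agent would load, and automatically restores the previously active release when that check fails. The directory layout (a releases/<version> tree and a current symlink under PLUGIN_ROOT), the plugin file name and the "status: ok" marker used by the check are all assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not Tenable's code: staged plugin update with a post-activation
# check and automatic rollback. The layout $PLUGIN_ROOT/releases/<version> plus
# a $PLUGIN_ROOT/current symlink is an assumption made for the demo.
set -eu

PLUGIN_ROOT="${PLUGIN_ROOT:-$(mktemp -d)}"

# Stage a release in its own directory. The plugin file content is constructed
# for the demo ("status: ok" stands in for a plugin set that loads cleanly).
stage_release() {
    mkdir -p "$PLUGIN_ROOT/releases/$1"
    printf '%s\n' "$2" > "$PLUGIN_ROOT/releases/$1/plugin.nasl"
}

# Pre-activation check: the staged release must at least be complete on disk.
staged_ok() {
    [ -f "$PLUGIN_ROOT/releases/$1/plugin.nasl" ]
}

# Post-activation check on the live path, i.e. what an agent would actually
# load; a failure here is the condition that should trigger a rollback.
live_ok() {
    grep -q '^status: ok$' "$PLUGIN_ROOT/current/plugin.nasl" 2>/dev/null
}

# Point "current" at a release by replacing the symlink in a single ln call.
activate() {
    ln -sfn "$PLUGIN_ROOT/releases/$1" "$PLUGIN_ROOT/current"
}

# Name of the release currently active, or "none".
current_release() {
    if [ -L "$PLUGIN_ROOT/current" ]; then
        basename "$(readlink "$PLUGIN_ROOT/current")"
    else
        echo none
    fi
}

# Activate a new release; on a failed live check, restore the previous one.
# Returns 0 when the new release stays active, 1 otherwise.
update_plugins() {
    new="$1"
    prev="$(current_release)"
    if ! staged_ok "$new"; then
        echo "release $new is not fully staged; keeping $prev" >&2
        return 1
    fi
    activate "$new"
    if ! live_ok; then
        echo "release $new failed the live check; rolling back to $prev" >&2
        if [ "$prev" != none ]; then
            activate "$prev"
        else
            rm -f "$PLUGIN_ROOT/current"
        fi
        return 1
    fi
    return 0
}

# Demo: a good baseline release, then a broken update that is rolled back.
demo() {
    stage_release 10.7.3 "status: ok"
    update_plugins 10.7.3
    stage_release 10.8.1 "status: broken"
    update_plugins 10.8.1 || true
    echo "active release: $(current_release)"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh rollback.sh demo` to see the broken 10.8.1 release rejected and 10.7.3 restored. The design point is that the check runs against the path the agent actually loads, after activation, so the kind of failure the page describes (agents going offline once the new plugin set is in use) is caught by the updater rather than discovered fleet-wide, and the previous release is kept on disk so the rollback is a link swap rather than a reinstall.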

Windows LDAP Vulnerability 

The Windows LDAP vulnerability illustrates the critical need for: 

  • Proactive Patch Management: Timely patching is essential to mitigate known vulnerabilities. 

  • Layered Defense Strategies: Relying solely on patching is insufficient. Organizations must adopt a multi-layered approach that includes firewalls, access controls, and continuous monitoring. 

Conclusion 

The Tenable Nessus Agent outage and the Windows LDAP vulnerability (CVE-2024-49113) emphasize the critical importance of proactive vulnerability management and swift response strategies. These incidents highlight the need for rigorous patch management, effective change controls, and the ability to quickly roll back in times of disruption. 

Staying ahead in today’s cybersecurity landscape requires vigilance, routine updates, and strategic planning to mitigate evolving threats. By learning from these events and prioritizing system resilience, organizations can strengthen their defenses and minimize risks. 

The post Tenable Nessus Bug and LDAP RCE: What You Need to Know appeared first on Cyble.

China Protests US Sanctions for Its Alleged Role in Hacking, Complains of Foreign Hacker Attacks

China has slammed a decision by the US Treasury to sanction a Beijing-based cybersecurity company for its alleged role in multiple hacking incidents targeting critical infrastructure.

The post China Protests US Sanctions for Its Alleged Role in Hacking, Complains of Foreign Hacker Attacks appeared first on SecurityWeek.

5 browser extension rules to keep your system safe in 2025

If you use browser extensions, you should be careful about which ones you install and use. Here’s how you can do that.

Latest stories for ZDNET in Security

Moxa Alerts Users to High-Severity Vulnerabilities in Cellular and Secure Routers

Taiwan-based Moxa has warned of two security vulnerabilities impacting its cellular routers, secure routers, and network security appliances that could allow privilege escalation and command execution.
The list of vulnerabilities is as follows –

CVE-2024-9138 (CVSS 4.0 score: 8.6) – A hard-coded credentials vulnerability that could allow an authenticated user to escalate privileges and gain

The Hacker News