Cisco’s Talos threat intelligence unit has disclosed details of five newly patched vulnerabilities in OpenPLC, an open-source programmable logic controller.
These vulnerabilities can be exploited to trigger a denial-of-service (DoS) condition or execute remote code. OpenPLC is an open-source programmable logic controller (PLC) designed to offer a low-cost solution for industrial automation. It is widely used for automating machines and processes in industries like manufacturing, energy, and utilities.
The most severe issue is a stack-based buffer overflow vulnerability, tracked as (CVSS score 9.0), that resides in the OpenPLC Runtime EtherNet/IP parser functionality of OpenPLC _v3 b4702061dc14d1024856f71b4543298d77007b88.
An attacker could trigger the vulnerability to achieve remote code execution.
“A specially crafted EtherNet/IP request can lead to remote code execution. An attacker can send a series of EtherNet/IP requests to trigger this vulnerability.” reads the advisory published by Talos.
The vulnerability was discovered by Jared Rittle of Cisco Talos, who reported the issue to the maintainers of the project on June 10, 2024. The issue was addressed on September 18, 2024.
The remaining DoS flaws discovered by Talos are tracked as , .
An attacker can exploit these high-severity vulnerabilities by sending specially crafted EtherNet/IP requests.
Users are recommended to update OpenPLC to the latest version that addresses the above vulnerabilities.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, RCE)
A high-severity security bypass vulnerability, tracked as CVE-2024-6242 (CVSS Base Score v4.0 of 7.3), impacts Rockwell Automation ControlLogix 1756 devices. An attacker can exploit the vulnerability to execute Common Industrial Protocol (CIP) programming and configuration commands.
“A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller.” reads the advisory published by the vendor. “If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.”
The vulnerability impacts the following versions of ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules:
The researcher Sharon Brizinov of Claroty Research – Team82 reported this vulnerability to Rockwell Automation.
An attacker needs network access to the device to exploit this vulnerability. If successful, the attacker could bypass security restrictions and send elevated commands to the PLC CPU.
“Team82 has discovered and disclosed a security bypass vulnerability in Rockwell Automation ControlLogix 1756 devices. Our technique allowed us to bypass the trusted slot feature implemented by Rockwell that enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis.” reads the report published by Claroty. “The vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards.”
Rockwell has addressed the flaw, and users are urged to apply the fix immediately; mitigation advice has also been published.
“This vulnerability had the potential to expose critical control systems to unauthorized access over the CIP protocol that originated from untrusted chassis slots.” concludes Claroty.
(SecurityAffairs – hacking, )
In April 2024, Dragos researchers discovered a new ICS malware named FrostyGoop that interacts with Industrial Control Systems using the Modbus protocol. FrostyGoop is the ninth ICS malware that was discovered and that a nation-state actor employed in attacks in the wild.
The experts reported that FrostyGoop was used in a January 2024 attack on a heating company in Lviv, Ukraine. Russia-linked threat actors exploited a vulnerability in a Mikrotik router and left 600 buildings without heat for nearly two days. Dragos started analyzing the FrostyGoop malware in April 2024 and initially thought it was for testing but later confirmed it was used for disruptive purposes. The lack of network segmentation facilitated the attacker’s access to other systems.
The Cyber Security Situation Center linked FrostyGoop to the attack on a Lviv energy company.
“The Cyber Security Situation Center (CSSC), a part of the Security Service of Ukraine (Служба безпеки України), shared details with Dragos of a cyber attack that took place in January 2024. During the late evening on 22 January 2024, through 23 January, adversaries conducted a disruption attack against a municipal district energy company in Lviv, Ukraine.” reads the report published by Dragos. “At the time of the attack, this facility fed over 600 apartment buildings in the Lviv metropolitan area, supplying customers with central heating.”
According to the Cyber Security Situation Center (CSSC) of Ukraine, the attackers initially gained access in April 2023 via a Mikrotik router vulnerability, then disrupted heating for 600 buildings for nearly two days.
The researchers reported that the attackers gained access to the district energy company’s network assets using L2TP (Layer Two Tunnelling Protocol) connections from Moscow-based IP addresses.
The threat actors downgraded the firmware on ENCO controllers, causing inaccurate readings and loss of heating. The attackers issued Modbus commands, facilitated by poor network segmentation and previously stolen credentials, and accessed the system primarily through Tor exit IP addresses. The attackers did not attempt to destroy the controllers; they only acted to disrupt their operation.
“The victim network assets, which consisted of a Mikrotik router, four management servers, and the district heating system controllers, were not adequately segmented within the network. A forensic examination during the investigation showed that the adversaries sent Modbus commands directly to the district heating system controllers from adversary hosts, facilitated by hardcoded network routes.” continues the report. “The affected heating system controllers were ENCO Controllers. The adversaries downgraded the firmware on the controllers from versions 51 and 52 to 50, which is a version that lacks monitoring capabilities employed at the victim facility, resulting in the Loss of View.”
“FrostyGoop’s ability to communicate with ICS devices via Modbus TCP threatens critical infrastructure across multiple sectors. Given the ubiquity of the Modbus protocol in industrial environments, this malware can potentially cause disruptions across all industrial sectors by interacting with legacy and modern systems.” concludes the report. “The Lviv, Ukraine, incident highlights the need for adequate security controls, including OT-native monitoring. Antivirus vendors’ lack of detection underscores the urgency of implementing continuous OT network security monitoring with ICS protocol-aware analytics to inform operations of potential risks.”
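The report's closing recommendation, ICS protocol-aware monitoring of Modbus traffic, as an added example that is not part of the Dragos report or of this article: a small Python monitor that parses Modbus/TCP frames, rejects frames whose MBAP length field disagrees with the bytes received, and raises an alert when a state-changing function code (coil or register writes) arrives from a host outside a write allowlist. The sample frames, IP addresses and allowlist below are constructed for illustration; on a real network the allowlist is the set of engineering workstations and HMIs that are supposed to write to the controllers.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change controller state. Reads are deliberately
# excluded: the risk discussed above is unauthorised writes to controllers.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse the 7-byte MBAP header plus PDU; return None for a malformed frame."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    # The MBAP 'length' covers unit id + PDU, so it must equal the number of
    # bytes after the first six. A mismatch means a truncated or padded frame.
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusFrame(tid, unit, fc, payload[8:])


def classify(src_ip: str, payload: bytes, allowed_writers: set) -> str:
    """Return 'malformed', 'alert' or 'info' for one Modbus/TCP request."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return "malformed"
    if frame.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
        return "alert"
    return "info"


def scan(flows, allowed_writers):
    """flows: iterable of (src_ip, dst_ip, payload). Returns human-readable alerts."""
    alerts = []
    for src, dst, payload in flows:
        verdict = classify(src, payload, allowed_writers)
        if verdict == "info":
            continue
        if verdict == "malformed":
            alerts.append(f"{src} -> {dst}: malformed Modbus/TCP frame ({payload.hex()})")
        else:
            frame = parse_modbus_tcp(payload)
            name = WRITE_FUNCTION_CODES[frame.function_code]
            alerts.append(f"{src} -> {dst} unit {frame.unit_id}: {name} from host not in write allowlist")
    return alerts


# Constructed sample traffic (not from the Dragos report): 10.0.0.100 stands in
# for the legitimate HMI, 10.0.0.5 for an unexpected host on the OT network.
ALLOWED_WRITERS = {"10.0.0.100"}
SAMPLE_FLOWS = [
    ("10.0.0.100", "10.0.1.20", bytes.fromhex("000100000006010600100032")),  # HMI writes register 0x10
    ("10.0.0.5",   "10.0.1.20", bytes.fromhex("000200000006010600100000")),  # unknown host writes same register
    ("10.0.0.5",   "10.0.1.20", bytes.fromhex("00030000000601030000000a")),  # unknown host reads 10 registers
    ("10.0.0.5",   "10.0.1.21", bytes.fromhex("0004000000060110")),          # declares 6 bytes, sends 2
]

if __name__ == "__main__":
    for line in scan(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(line)
```

Run against the constructed flows, the monitor produces two alerts: the write from the unlisted host and the frame whose declared length does not match its size. Reads from the unlisted host are only logged as informational, which keeps the rule focused on the behaviour that actually changed controller state in the Lviv incident.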
(SecurityAffairs – hacking, ICS malware)
Microsoft responsibly disclosed two vulnerabilities in Rockwell Automation PanelView Plus that remote, unauthenticated attackers can exploit to achieve remote code execution (RCE) and denial-of-service (DoS).
The RCE vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device. The DoS vulnerability uses the same custom class to send a crafted buffer that the device cannot properly manage, triggering a DoS condition.
PanelView Plus devices are human-machine interfaces (HMIs) used in industrial environments, so exploitation of the flaws can potentially disrupt operations, posing serious risks to organizations relying on these devices.
The two vulnerabilities are:
CVE ID | CVSS Score | Vulnerability
---|---|---
CVE-2023-2071 | 9.8 | Remote code execution (RCE)
CVE-2023-29464 | 8.2 | DoS via out-of-bounds read
CVE-2023-2071 (CVSS score: 9.8) is an improper input validation vulnerability that remote, unauthenticated attackers can exploit to achieve code execution via crafted malicious packets.
“FactoryTalk View Machine Edition on the PanelView Plus improperly verifies user’s input, which allows an unauthenticated attacker to achieve remote code execution via crafted malicious packets. The device has the functionality, through a CIP class, to execute exported functions from libraries. There is a routine that restricts it to execute specific functions from two dynamic link library files.” reads the advisory published by Rockwell Automation. “By using a CIP class, an attacker can upload a self-made library to the device which allows the attacker to bypass the security check and execute any code written in the function.”
The flaw impacts FactoryTalk View Machine Edition (versions 13.0, 12.0, and prior).
CVE-2023-29464 (CVSS score: 8.2) is an improper input validation vulnerability that an unauthenticated threat actor can exploit to read data from memory via crafted malicious packets, and to cause a DoS by sending a packet that declares a size larger than the buffer.
“FactoryTalk Linx, in the Rockwell Automation PanelView Plus, allows an unauthenticated threat actor to read data from memory via crafted malicious packets. Sending a size larger than the buffer size results in leakage of data from memory resulting in an information disclosure. If the size is large enough, it causes communications over the common industrial protocol to become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk® Linx over the common industrial protocol.” reads the advisory.
The vulnerability impacts FactoryTalk Linx (versions 6.30, 6.20, and prior).
Rockwell Automation published two separate advisories on the flaws respectively on , and . The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published alerts on the two flaws in and .
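Both the OpenPLC EtherNet/IP parser overflow above and the PanelView Plus out-of-bounds read share one root cause: the parser trusts a length field supplied by the sender instead of checking it against the bytes actually received and the buffer actually allocated. The following Python is an added example written for this article, not code from OpenPLC, Rockwell Automation or Microsoft. It parses the 24-byte EtherNet/IP encapsulation header (command, length, session handle, status, sender context, options, all little-endian) and rejects any request whose declared length is larger than the assumed receive buffer or different from the payload that followed the header. The `MAX_DATA_LEN` bound, the `build_request` helper and the test vectors are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# EtherNet/IP encapsulation header: command, length, session handle, status,
# sender context (8 bytes), options. Little-endian, 24 bytes in total.
ENIP_HEADER = struct.Struct("<HHIIQI")

# Encapsulation commands a CIP endpoint normally accepts.
KNOWN_COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

# Assumed size of the receive buffer. A real server must derive this from the
# buffer it allocates; the declared length may never exceed it.
MAX_DATA_LEN = 4096


class MalformedRequest(ValueError):
    """Raised when a request's declared length disagrees with what was received."""


@dataclass
class EncapRequest:
    command: int
    session: int
    data: bytes


def parse_encapsulation(buf: bytes) -> EncapRequest:
    if len(buf) < ENIP_HEADER.size:
        raise MalformedRequest(f"short header: {len(buf)} bytes")
    command, length, session, status, _ctx, options = ENIP_HEADER.unpack_from(buf)
    if command not in KNOWN_COMMANDS:
        raise MalformedRequest(f"unknown command 0x{command:04x}")
    if length > MAX_DATA_LEN:
        raise MalformedRequest(f"declared length {length} exceeds buffer {MAX_DATA_LEN}")
    actual = len(buf) - ENIP_HEADER.size
    # Copying or reading 'length' bytes on the sender's word alone is what turns
    # a crafted request into an over-read (data leak, crash) or an overflow.
    if length != actual:
        raise MalformedRequest(f"declared length {length} but {actual} bytes follow")
    return EncapRequest(command, session, buf[ENIP_HEADER.size:])


def check_request(buf: bytes) -> str:
    """Return 'ok:<command>' or 'reject:<reason>' for a single request buffer."""
    try:
        req = parse_encapsulation(buf)
    except MalformedRequest as exc:
        return f"reject:{exc}"
    return f"ok:{KNOWN_COMMANDS[req.command]}"


def build_request(command: int, data: bytes, session: int = 0, declared_len=None) -> bytes:
    """Build a request; 'declared_len' lets a test vector lie in the length field."""
    length = len(data) if declared_len is None else declared_len
    return ENIP_HEADER.pack(command, length, session, 0, 0, 0) + data


# Constructed test vectors, not captured traffic.
GOOD_REGISTER = build_request(0x0065, b"\x01\x00\x00\x00")               # RegisterSession, protocol version 1
LYING_LENGTH = build_request(0x006F, b"\x00" * 16, declared_len=3000)    # claims more bytes than it sends
OVERSIZED = build_request(0x0070, b"\x00" * 16, declared_len=65535)      # larger than any receive buffer
UNKNOWN_CMD = build_request(0x1234, b"")

if __name__ == "__main__":
    for name, vec in [("good", GOOD_REGISTER), ("lying", LYING_LENGTH),
                      ("oversized", OVERSIZED), ("unknown", UNKNOWN_CMD)]:
        print(name, check_request(vec))
```

The two rejected length cases map onto the two advisories: a declared length larger than the buffer is the condition the PanelView Plus advisory describes, and a declared length that does not match the bytes that arrived is the kind of inconsistency a parser has to refuse before it copies anything into a fixed-size stack buffer.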
(SecurityAffairs – hacking, OT)
Industrial and enterprise IoT cybersecurity firm Claroty reported that the Ukrainian Blackjack hacking group claims to have damaged emergency detection and response capabilities in Moscow and beyond the Russian capital using a destructive ICS malware dubbed Fuxnet.
The Blackjack group is believed to be affiliated with Ukrainian intelligence services and has carried out other attacks against Russian targets, including an and a . The group claims to have attacked Moscollector, a Moscow-based company responsible for the construction and monitoring of underground water, sewage and communications infrastructure.
The website provided detailed information about the attacks against Moscollector; the hackers also published screenshots of monitoring systems, servers, and databases they claim to have compromised.
The site also hosts password dumps allegedly stolen from the Russian company.
Below is the timeline of the attack published on ruexfil.com:
Initial access June 2023.
- Access to .
- 87,000 and controls have been disabled (including Airports, subways, gas-pipelines, ...).
- (stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment (by NAND/SSD exhaustion and introducing bad CRC into the firmware). (YouTube Video 1, YouTube Video 2).
- Fuxnet has now started to flood the RS485/MBus and is sending 'random' commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, ...and other civilian targets).
- All servers have been deleted. All routers have been reset to factory reset. Most workstations (including the admins workstations) have been .
- Access to the office building has been disabled (all key-cards have been invalidated).
- Moscollector has recently been for being 'secure & trusted' (picture included)
- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/)
The website reported that Blackjack destroyed about 1,700 sensor routers deployed at airports, subways and gas pipelines. The group also disrupted the central command-dispatcher and database. The attack brought all 87,000 sensors offline; the threat actors also wiped databases, backups, and email servers, a total of 30TB of data.
“Fuxnet has now started to flood the RS485/MBus and is sending ‘random’ commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, …and other civilian targets).” states the website.
Team82 and Claroty have been unable to verify the attackers’ claims; however, they conducted a detailed analysis of the Fuxnet malware relying on information provided by the attackers.
“For example, Blackjack claims to have damaged or destroyed 87,000 remote sensors and IoT collectors. However, our analysis of data leaked by Blackjack, including the Fuxnet malware, indicates that only a little more than 500 sensor gateways were bricked by the malware in the attack, and the remote sensors and controllers likely remain intact.” reads the report published by Claroty. “If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out geographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually reflashed.”
The attack chain sees the hackers working from a list of sensor gateway IPs. The threat actors distributed their malware to each target, likely either through remote-access protocols such as SSH or through the sensor protocol (SBK) over port 4321.
Upon running on the target device, the malware starts a new child process to lock out the device. The malicious code remounts the filesystem with write access, then deletes essential filesystem files and directories and disables remote access services such as SSH, HTTP, telnet, and SNMP. This prevents remote access for restoring operations even if the router remains functional.
Subsequently, the threat actors erase the router’s routing table, rendering its communication with other devices non-functional. Finally, the malware deletes the filesystem and rewrites the flash memory using the operating system’s mtdblock devices.
Once it has corrupted the file system and isolated the device, the malware attempts to destroy the NAND memory chip physically and rewrites the UBI volume to prevent rebooting.
“In order to ensure the sensor does not reboot again, the malware rewrites the UBI volume. First, the malware uses the IOCTL interface allowing it to interact with the management layer controlling the flash memory, which tells the kernel that the UBI volume will be rewritten, and that x-number of bytes will be written.” continues the report. “In its normal behavior, the kernel will know that the rewrite is finished only when x-number of bytes were written. However, the malware will not write x-number of bytes to the UBI, instead it will write fewer bytes than it declares, causing the device to wait for the rewrite to finish indefinitely.”
The malware then overwrites the UBI volume with junk data (0xFF), rendering the UBI volume useless and leaving the filesystem unstable.
The malware also tries to disrupt gateway-connected sensors by flooding serial channels with random data, overloading the serial bus and the sensors.
“The attackers developed and deployed malware that targeted the gateways and deleted filesystems, directories, disabled remote access services, routing services for each device, and rewrote flash memory, destroyed NAND memory chips, UBI volumes and other actions that further disrupted operation of these gateways.” concludes the report.
(SecurityAffairs – hacking, Fuxnet)
Threat actors hacked a small water utility in Ireland and interrupted the water supply for two days.
The victim of the attack is a private group water utility in the Erris area, the incident impacted 180 homeowners.
According to the Irish media, the residents of Binghamstown/Drum were without their water supply on Thursday and Friday. Personnel at the impacted utility worked to repair the water pumping system hit by the cyber attack.
“Our caretaker went down and when he got to the pumphouse, up on the screen was a sign ‘You have been hacked’. Down with Israel was written on it and the name of the company that hacked us,” Noel Walsh, a member of the group water scheme, said. “Eurotronics supply a lot of equipment to schemes across the country.”
Mr Walsh announced that the water facility is currently improving its security systems. He confirmed that the security breach caused a major inconvenience for the population.
“Irish Water would probably have far greater resources for firewalls to withstand this but they knocked ours off and we could not circumvent it. It took all day Friday to circumvent it so we could let the water flow manually,” he added.
The WesternPeople website reported that the attackers are politically motivated and targeted the equipment because it was made in Israel.
The threat actors defaced the user interface of the water pumping system, posting an anti-Israel message.
Recently Iranian threat actors (MWAA) and took control of one of their booster stations. The Authority pointed out that the attack did not impact the operations at the facility, the water supply, and the drinking water.
The pro-Hamas threat actors took over a Unitronics Vision system.
On its Telegram channel, Cyber Av3ngers announced that it had targeted several SCADA systems at Israel water facilities. The group added that “every Equipment ” Made In Israel ” Is Cyber Av3ngers Legal Target!”
(SecurityAffairs – hacking, Irish water utility)
Mandiant researchers reported that the Russia-linked APT group Sandworm employed new operational technology (OT) attacks that caused power outages while the Russian army was conducting mass missile strikes on critical infrastructure in Ukraine in October.
The Sandworm group (aka BlackEnergy, , , , and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017. In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including , , , , , , , , and ZeroWipe.
The nation-state actor first used OT-level living off the land (LotL) techniques to likely trip the victim’s substation circuit breakers, causing an unplanned power outage. Then the APT group deployed a new variant of the CADDYWIPER data wiper in the target’s IT environment to destroy its operations and remove forensic artifacts.
On October 10, the threat actors leveraged an optical disc (ISO) image named “a.iso” to execute a native MicroSCADA binary to issue commands to switch off substations.
Hitachi MicroSCADA is a Supervisory Control and Data Acquisition (SCADA) system developed by Hitachi Energy. It is a software platform that is used to monitor and control industrial and infrastructure systems. MicroSCADA is used in a wide range of industries, including power generation, transmission, and distribution, oil and gas, water and wastewater, and transportation.
The analysis of the timestamp of one of the artifacts (“lun.vbs”) suggests that the attack began two months earlier, when the threat actors gained initial access to the target SCADA system.
The researchers noticed that the wiper deployment only impacted the IT environment of the victim; it did not impact the hypervisor or the SCADA virtual machine. According to Mandiant, this is unusual, since the threat actor had removed other forensic artifacts from the SCADA system, an effort the wiper would have reinforced. A possible explanation for this behavior is a lack of coordination among components of the attack team.
“Sandworm’s substation attack reveals notable insights into Russia’s continued investment in OT-oriented offensive cyber capabilities and overall approach to attacking OT systems. This incident and last year’s incident both show efforts to streamline OT attack capabilities through simplified deployment features.” reads the report published by Mandiant.
“The techniques leveraged during the incident suggest a growing maturity of Russia’s offensive OT arsenal, including an ability to recognize novel OT threat vectors, develop new capabilities, and leverage different types of OT infrastructure to execute attacks. By using LotL techniques, the actor likely decreased the time and resources required to conduct its cyber physical attack.”
Mandiant has yet to determine how Sandworm gained initial access to the target environment. The APT group was first observed in the victim’s environment in June 2022, at the time the attackers deployed the webshell on an internet-facing server. A few weeks later, the nation-state actor deployed the Golang tool GOGETTER to establish a tunnel with the C2 infrastructure.
The experts were unable to identify the SCIL commands executed; however, they believe the attackers used commands to open circuit breakers.
“The SCIL commands would have caused the MicroSCADA server to relay the commands to the substation RTUs via either the IEC-60870-5-104 protocol for TCP/IP connections or the IEC-60870-5-101 protocol for serial connections.” continues the report.
The CADDYWIPER variant employed in the attack was compiled in October 2022; it features slight functional enhancements enabling the threat actors to dynamically resolve functions at runtime. Mandiant observed the deployment of the CADDYWIPER wiper across various sectors in Ukraine, including government and financial domains, particularly during Russia’s invasion of the country.
The report includes discovery and hardening guidance, Indicators of Compromise (IoCs) and YARA rules.
In October, it was reported that the APT group Sandworm had hacked eleven telecommunication service providers in Ukraine between May and September 2023.
(SecurityAffairs – hacking, Sandworm)
The Pro-Palestinian hackers group ‘Soldiers of Solomon’ announced that it had breached the infrastructure of the production plant of Flour Mills Ltd, a multinational company engaged in the processing and marketing of flour and related food products. The threat actors claim to have damaged the production cycle.
The group published on its Telegram channel a video showing several screenshots from systems used to control the processes at the plant.
This type of attack can have a significant impact on the company and the community, as the target is an important component of the food supply chain.
The Soldiers of Solomon group continues to target Israeli organizations; recently it claimed a successful cyber attack on the Ashalim Power Station located in the Negev desert. The threat actors said they had disconnected the station from the power distribution circuit.
In October, the hacktivists claimed to have taken full control of more than 50 servers, security cameras and a smart city management system in the Nevatim military area. They also claimed to have exfiltrated 25TB of data and to have ransomed it via their customized Crucio ransomware.
(SecurityAffairs – hacking, Israel)
The Russia-linked APT group Sandworm (UAC-0165) compromised eleven telecommunication service providers in Ukraine between May and September 2023, reported Ukraine’s Computer Emergency Response Team (CERT-UA).
According to public sources, the threat actors interfered with the information and communication systems (ICS, not industrial control systems in this context) of at least 11 Ukrainian telecommunications providers, leading to the disruption of their services.
“According to public sources, for the period from 11.05.2023 to 27.09.2023, an organized group of criminals tracked by the identifier UAC-0165 interfered with the information and communication systems (ICS) of no less than 11 telecommunications providers of Ukraine, which, among other things, led to interruptions in the provision of services to consumers.” reads the advisory published by the CERT-UA.
The Sandworm group (aka BlackEnergy, , , , and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017. In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including , , , , , , , , and ZeroWipe.
The attacks against the telecommunication service providers commence with reconnaissance activity through a “rough” scan of the provider’s subnets (autonomous system) using typical port-scanning tools, such as masscan.
Sandworm was observed targeting open ports and unprotected RDP or SSH interfaces to gain access to internet-facing systems. The attackers were also spotted attempting to exploit known vulnerabilities in the target systems.
The threat actors used various tools, including ‘ffuf’, ‘dirbuster’, ‘gowitness’, and ‘nmap.’ The CERT-UA also reported that the state-sponsored hackers used compromised VPN accounts that weren’t protected by multi-factor authentication.
“Note (!) that intelligence and exploitation activity is carried out from pre-compromised servers located, in particular, in the Ukrainian segment of the Internet. Dante, socks5 and other proxy servers are used to route traffic through such nodes.” reads the advisory.
Sandworm employed two backdoors, named Poemgate and Poseidon, in the attacks against the Ukrainian telecommunications providers.
POEMGATE is a malicious PAM module that lets the attackers authenticate with a statically defined password and that saves the logins and passwords entered during authentication to a file in XOR-encoded form. The authentication data collected by POEMGATE can be used for lateral movement and other malicious activities on the compromised networks.
Poseidon is a Linux backdoor that supports a full range of remote computer control tools. The malware maintains persistence through cron jobs.
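A PAM module such as POEMGATE has to be wired into a pam.d stack before it sees any passwords, so the configuration files are a natural place to look for it. The following Python is an added example written for this article, not a CERT-UA tool: it parses pam.d stanzas and flags modules that are loaded from outside the usual module directories, that are absent from a baseline of expected module files, or that sit in the `auth` stack without being in that baseline. The baseline, the trusted directories and the sample sshd configuration are constructed for illustration, and the suspicious module path is a placeholder, not POEMGATE's real file name.

```python
import re

# Constructed baseline of module files this host is expected to load. On a real
# system derive it from the package manager's file list for the PAM package.
BASELINE_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so",
    "pam_limits.so", "pam_motd.so", "pam_systemd.so", "pam_succeed_if.so", "pam_faildelay.so",
}

# Directories a distribution normally loads PAM modules from (assumption; adjust per distro).
TRUSTED_MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/", "/usr/lib64/security/")

# One pam.d stanza: type, control (a word or a bracketed list), module, optional args.
STANZA_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def scan_pam_file(lines, baseline=BASELINE_MODULES):
    """Return (line_no, module, reason) findings for the lines of one pam.d file."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue
        m = STANZA_RE.match(line)
        if not m:
            continue
        module = m.group("module")
        name = module.rsplit("/", 1)[-1]
        if "/" in module and not module.startswith(TRUSTED_MODULE_DIRS):
            findings.append((no, module, "loaded from a path outside the trusted module directories"))
        if name not in baseline:
            findings.append((no, module, "not in the package baseline"))
            if m.group("type").lstrip("-") == "auth":
                # An unknown module in the auth stack is handed every password typed
                # at login, which is exactly where a credential-logging backdoor sits.
                findings.append((no, module, "unknown module in the auth stack (sees cleartext passwords)"))
    return findings


# Constructed sample sshd stanza; the module path is a placeholder, not POEMGATE's real name.
SAMPLE_SSHD = """
# PAM configuration for the Secure Shell service (constructed sample)
auth       required     pam_env.so
auth       sufficient   /tmp/.x/pam_example_backdoor.so   # placeholder for an implanted module
auth       required     pam_unix.so nullok
account    required     pam_nologin.so
account    required     pam_unix.so
session    required     pam_limits.so
session    optional     pam_systemd.so
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, module, reason in scan_pam_file(SAMPLE_SSHD):
        print(f"sshd:{line_no}: {module}: {reason}")
```

On the constructed sshd file the scanner reports three findings, all on the line that loads the placeholder module: an untrusted path, a file not in the baseline, and an unknown module in the `auth` stack. A clean stack, including one using a bracketed control such as `[success=1 default=ignore]`, produces no findings. Comparing module files against package-manager checksums would catch a replaced `pam_unix.so` as well, which this configuration-only check does not.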
In order to avoid detection and remove tracks of unauthorized access, the attackers used the WHITECAT utility.
At the final stage of an attack, the attackers were able to interfere with network equipment, as well as data storage systems.
CERT-UA published Indicators of Compromise for these attacks and recommends reading the article “How to be responsible and hold the cyber front.”
In May, CERT-UA reported destructive cyberattacks conducted by the Russia-linked Sandworm APT group against the Ukrainian public sector.
(SecurityAffairs – hacking, Sandworm)
Both pro-Israeli and pro-Palestinian hacktivists have joined the fight in the cyber realm. Industrial control systems (ICS) seem to be one of the most lucrative targets for them, and there are hundreds exposed.
After Hamas gunmen killed hundreds of Israelis and took an unknown number of people hostage, Israel has now retaliated with airstrikes on Gaza.
Some people took to social media to, for example, show support for Israel by adding the country’s flag to their profile pictures. Thousands marched on the streets to express support for the Palestinian side.
Others turned to cyber weapons to voice their opinion and sow chaos. Hacktivists are already launching attacks on various systems amid a grave escalation of the Israeli-Palestinian conflict.
We’ve already reported on attacks, including distributed denial-of-service (DDoS), against Israel. Hacktivists have targeted the Israeli government and media, among other organizations.
Some threat actors, such as ThreatSec, haven’t claimed any allegiance and are boasting about attacking both sides alike.
“As you might know, we don’t like Israel, but… We also don’t like War! Soooo, as we have attacked Israel in the past, we now attack the Gaza region, where many of the Hamas fighters are located!” the gang wrote on Telegram, claiming that it had shut down nearly every server owned by Alfanet.ps – including Quintiez Alfa General Trading, which is one of the biggest ISPs (internet service providers) in the Gaza Strip.
ThreatSec is part of the “Five Families” – notorious and highly organized gangs (the others are GhostSec, Stormous, Blackforums, and SiegedSec) that collaborate on launching big cyberattacks.
Mantas Sasnauskas, head of the Cybernews research team, highlighted that many hacktivists go after various ICSs in an attempt to disrupt critical infrastructure and draw international attention.
Since a cyberattack on critical infrastructure can have serious repercussions, including operational disruptions, safety hazards, economic costs, and reputational damage, cybersecurity should be a top priority in the organizations that administer them.
Unfortunately, that’s not always the case. An analysis by the Cybernews research team reveals that many ICSs are exposed, and threat actors can easily take advantage of sloppy security practices.
An ICS is a computerized system used to monitor and manage machinery and processes in industries, ensuring that they work effectively and safely. SCADA, which stands for supervisory control and data acquisition, is a type of ICS capable of gathering data and applying operational controls over long distances.
As per Cybernews’ findings, some Israeli organizations are exposing Modbus, a SCADA communications protocol, to the internet.
More information on the exposed instances is available in the original post.
Original post at
About the author: , Chief Editor at Cybernews
(SecurityAffairs – hacking, hacktivists)