Red Hot Cyber, the Italian blog on information security

CISA Warns of OpenPLC ScadaBR Vulnerability Exploitation

Redazione RHC : 30 November 2025 11:27

The Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability affecting OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The flaw, tracked as CVE-2021-26829 with a CVSS score of 5.4, is a cross-site scripting (XSS) vulnerability in the system_settings.shtm page and affects both the Windows and Linux versions of the software.
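To illustrate the class of defect described above (a settings field rendered into a page without output encoding), here is an added Python example; it is not code from ScadaBR or from the article. The two renderers and the sample description are hypothetical: one concatenates the stored text straight into HTML, the other applies `html.escape`, and an HTML parser then lists the tags a browser would actually see in each case.

```python
import html
from html.parser import HTMLParser

# Constructed sample value for a free-text "description" setting, as an
# operator or an attacker with settings access might store it.
SAMPLE_DESCRIPTION = "Plant HMI <script>alert('defaced')</script>"


def render_description_unsafe(description: str) -> str:
    """Hypothetical reproduction of the vulnerable pattern: stored text is
    placed into the page as-is, so any markup it contains becomes live."""
    return f"<div class='description'>{description}</div>"


def render_description_safe(description: str) -> str:
    """Hardened variant: HTML-escape the value at the point of output, so the
    browser renders the angle brackets as text instead of as a tag."""
    return f"<div class='description'>{html.escape(description, quote=True)}</div>"


class TagCollector(HTMLParser):
    """Records every start tag the parser encounters, i.e. the elements a
    browser would create from the rendered HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_seen_by_browser(rendered_html: str) -> list[str]:
    """Parse rendered HTML and return the start tags it contains."""
    collector = TagCollector()
    collector.feed(rendered_html)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for name, render in (("unsafe", render_description_unsafe),
                         ("safe", render_description_safe)):
        out = render(SAMPLE_DESCRIPTION)
        print(f"{name:6} -> tags {tags_seen_by_browser(out)}\n         {out}")
```

The unsafe renderer yields a `script` element in addition to the wrapping `div`; the escaped renderer yields only the `div`, with the injected text shown literally. Escaping at output time is the fix for this bug class regardless of how the value got into the settings store.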

The flaw was added to the KEV catalog just over a month after Forescout reported that a pro-Russian hacktivist group known as TwoNet had targeted one of its honeypots in September 2025, mistaking it for a water treatment plant.

Affected versions include:

  • OpenPLC ScadaBR up to version 1.12.4 on Windows
  • OpenPLC ScadaBR up to version 0.9.1 on Linux

“The attacker did not attempt to escalate privileges or exploit the underlying host, focusing solely on the HMI web application layer,” Forescout said.

As researchers report, the TwoNet group began its operations on Telegram in early January, initially focusing on distributed denial of service (DDoS) attacks before moving on to a broader range of activities, including targeting industrial systems, doxxing, and commercial offerings such as ransomware-as-a-service (RaaS), hacking-for-hire, and initial access brokering.

The honeypot deployment revealed that the attacker took approximately 26 hours to progress from initial access to the disruptive phase. During this time, they used default credentials to gain initial access to the system, then conducted reconnaissance and established persistence, among other actions, by creating a new user account named “BARLATI.”

The attackers exploited CVE-2021-26829 to alter the description shown on the HMI login page and display a “Hacked by Barlati” pop-up message. They also modified system settings to disable logs and alarms, without realizing they were inside a honeypot.

The exploitation attempts were found to originate from US-based Google Cloud infrastructure, showing how attackers abuse legitimate internet services to evade detection and blend in with normal network traffic.

“We observed approximately 1,400 exploit attempts targeting more than 200 CVEs related to this infrastructure,” said Jacob Baines, CTO of VulnCheck. “While most of the activity resembled standard Nuclei templates, the attacker’s hosting choices, payloads, and regional targeting were not consistent with typical OAST usage.”

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.