CyberSecurity news

FlagThis - #ics

Anna Ribeiro@Industrial Cyber //
Fortinet's FortiGuard Labs has revealed a multi-year, state-sponsored cyber intrusion targeting critical infrastructure in the Middle East. The intrusion, attributed to an Iranian APT group, likely Lemon Sandstorm, began as early as May 2023, with potential traces back to May 2021, and went undetected for nearly two years. Attackers gained initial access through compromised VPN credentials, then deployed multiple web shells and custom backdoors throughout the infrastructure.

This Iranian APT exhibited significant operational discipline, constantly rotating tools, infrastructure, and access methods to maintain its foothold. After gaining access, the group installed backdoors such as HanifNet, HXLibrary, and NeoExpressRAT. It used in-memory loaders for Havoc and SystemBC, plus custom loaders that executed malware directly in memory, to evade disk-based detection.

Throughout the campaign, FortiGuard Labs identified at least five novel malware families, including HanifNet, NeoExpressRAT, HXLibrary, RemoteInjector, and CredInterceptor. The attackers also modified legitimate OWA JavaScript files to silently siphon credentials, disguising malicious scripts as legitimate traffic. The attackers used open-source proxy tools such as plink, Ngrok, Glider Proxy, and ReverseSocks5 to circumvent network segmentation.



References:
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
  • industrialcyber.co: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
  • Virus Bulletin: Fortinet's IR team investigate an Iranian-led long-term intrusion on critical infrastructure in the Middle East. Attackers used stolen VPN creds, in-memory loaders for Havoc/SystemBC, and backdoors like HanifNet, HXLibrary, and NeoExpressRAT.
Classification:
  • HashTags: #Cybersecurity #ICS #APT
  • Company: Fortinet
  • Target: Middle East Critical Infrastructure, NATO
  • Attacker: Nebulous Mantis
  • Feature: Cyber Espionage
  • Malware: RomCom RAT
  • Type: Espionage
  • Severity: High
@securityonline.info //
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning to organizations globally regarding severe vulnerabilities in Planet Technology's network management and industrial switch products. These products are commonly used in critical manufacturing and industrial environments worldwide. The vulnerabilities, discovered by security researcher Kev Breen of Immersive Labs, affect several widely deployed Planet Technology products, including UNI-NMS-Lite, NMS-500, NMS-1000V, WGS-804HPT-V2, and WGS-4215-8T2S.

These critical flaws could allow remote attackers to take full control of affected devices, manipulate sensitive data, and compromise industrial networks. CISA's advisory highlights five major vulnerabilities, each with a CVSS v4 base score of 9.3 or higher. These include OS Command Injection (CVE-2025-46271, CVE-2025-46272), Hard-Coded Credentials (CVE-2025-46273, CVE-2025-46274), and Missing Authentication for Critical Functions (CVE-2025-46275). Exploitation of these vulnerabilities could enable attackers to execute arbitrary commands, gain administrative privileges, manipulate sensitive data, create unauthorized administrator accounts, and corrupt managed databases.

Planet Technology has released patches for all affected products, and CISA strongly urges organizations to apply these updates immediately. It also recommends minimizing network exposure by keeping devices off the public internet and segregating control system networks from business networks. Security researchers warn that internet-exposed devices are particularly at risk, and tools like Shodan and Censys have already identified many potentially vulnerable systems online. CISA advises organizations to place critical devices behind firewalls, separate them from business networks, and use VPNs for remote access, keeping the VPNs themselves fully updated.



References:
  • Cyber Security News: CISA Issues Warning Over Planet Technology Network Product Flaws
  • hackread.com: Immersive security researchers discovered critical vulnerabilities in Planet Technology network management and switch products, allowing full device control.
  • securityonline.info: CISA warns of critical vulnerabilities in Planet Technology products
  • Talkback Resources: Critical vulnerabilities in industrial switches and network management products by Planet Technology, allowing remote attackers to gain admin privileges, have been disclosed by CISA and patched by the company.
  • cyberpress.org: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory warning organizations worldwide of severe vulnerabilities affecting a range of network management and industrial switch products from Taiwan-based Planet Technology.
  • hackread.com: Planet Technology Industrial Switch Flaws Risk Full Takeover - Patch Now
Classification:
  • HashTags: #PlanetTechnology #ICS #Vulnerability
  • Company: Planet Technology
  • Target: Industrial organizations
  • Product: UNI-NMS-Lite
  • Feature: Remote Admin Access
  • Type: Vulnerability
  • Severity: Critical