Anna Ribeiro@Industrial Cyber
Fortinet's FortiGuard Labs has revealed a multi-year, state-sponsored cyber intrusion targeting critical infrastructure in the Middle East. The intrusion, attributed to an Iranian APT group, likely Lemon Sandstorm, began as early as May 2023, with potential traces back to May 2021, and went undetected for nearly two years. The attackers gained initial access through compromised VPN credentials and deployed multiple web shells and custom backdoors throughout the infrastructure.
This Iranian APT exhibited significant operational discipline, constantly rotating tools, infrastructure, and access methods to maintain its foothold. After gaining access, the attackers installed backdoors such as HanifNet, HXLibrary, and NeoExpressRAT. They used in-memory loaders for Havoc and SystemBC, plus custom loaders that execute malware directly in memory, so that no payload touches disk and disk-based detection is bypassed. Throughout the campaign, FortiGuard Labs identified at least five novel malware families: HanifNet, NeoExpressRAT, HXLibrary, RemoteInjector, and CredInterceptor. The attackers also modified legitimate OWA JavaScript files to silently siphon credentials, disguising the malicious scripts as legitimate traffic. To circumvent network segmentation, they used open-source proxy tools such as plink, Ngrok, Glider Proxy, and ReverseSocks5.
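As an added example that is not part of the original report, the following defender-side check compares a web application's script directory against a trusted hash baseline, the kind of file-integrity comparison that would surface the OWA JavaScript tampering described above. The directory layout, file names and file contents are constructed for the demo and do not represent real OWA files.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large script bundles need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".js",)) -> dict:
    """Record a hash for every script under root, keyed by its root-relative path."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def compare_to_baseline(root: Path, baseline: dict, suffixes=(".js",)) -> dict:
    """Report scripts whose content drifted from the baseline: edited, dropped in, or removed."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed sample: a fake script tree, a baseline, then one edited file and one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scripts").mkdir()
        (root / "scripts" / "logon.js").write_text("function submitLogon(f){return true;}\n")
        (root / "scripts" / "utils.js").write_text("export const x = 1;\n")
        baseline = build_baseline(root)  # snapshot taken while the files are known-good
        # Simulate the tampering pattern from the report: code appended to a legitimate script
        (root / "scripts" / "logon.js").write_text(
            "function submitLogon(f){return true;}\n// [constructed] appended code\n")
        (root / "scripts" / "extra.js").write_text("// [constructed] file absent from baseline\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a freshly patched install and stored off the server, and any non-empty drift report is treated as an alert to investigate rather than something to auto-remediate.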
@securityonline.info
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning to organizations globally regarding severe vulnerabilities in Planet Technology's network management and industrial switch products. These products are commonly used in critical manufacturing and industrial environments worldwide. The vulnerabilities, discovered by security researcher Kev Breen of Immersive Labs, affect several widely deployed Planet Technology products, including UNI-NMS-Lite, NMS-500, NMS-1000V, WGS-804HPT-V2, and WGS-4215-8T2S.
These critical flaws could allow remote attackers to take full control of affected devices, manipulate sensitive data, and compromise industrial networks. CISA's advisory highlights five major vulnerabilities, each with a CVSS v4 base score of 9.3 or higher: OS Command Injection (CVE-2025-46271, CVE-2025-46272), Hard-Coded Credentials (CVE-2025-46273, CVE-2025-46274), and Missing Authentication for Critical Functions (CVE-2025-46275). Exploitation could enable attackers to execute arbitrary commands, gain administrative privileges, manipulate sensitive data, create unauthorized administrator accounts, and corrupt managed databases. Planet Technology has released patches for all affected products, and CISA strongly urges organizations to apply these updates immediately. It is also recommended to minimize network exposure by keeping devices off the public internet and to segregate control system networks from business networks. Security researchers warn that internet-exposed devices are particularly at risk, and tools like Shodan and Censys have already identified many potentially vulnerable systems online. CISA advises organizations to place critical devices behind firewalls, separate them from business networks, and use VPNs for remote access, ensuring they are fully updated.