CISA and partners have observed malicious cyber actors targeting and compromising Cisco SD-WAN systems at organizations globally. These actors have been observed exploiting a previously undisclosed authentication bypass vulnerability, CVE-2026-20127, for initial access, then escalating privileges using CVE-2022-20775 and establishing long-term persistence in Cisco SD-WAN systems.
Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure
The FBI, CISA, and NSA assess that pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities than advanced persistent threat (APT) groups do. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to gain access to OT control devices within critical infrastructure systems. Pro-Russia hacktivist groups, including Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector16, and affiliated groups, are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, with varying degrees of impact, including physical damage. Targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy.
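Because the advisory turns on VNC listeners that are reachable from the internet with little or no authentication, the following script shows how to check what a VNC (RFB) server actually offers: it performs the version handshake, reads the list of security types, and flags a listener that accepts sessions with no authentication or only the classic VNC password. This is an added example for auditing your own devices; it is not code from the FBI/CISA/NSA advisory. The hostname in the usage line and the sample server replies are constructed for the demonstration.

```python
"""Enumerate the security types an RFB (VNC) server offers.

Added example for auditing exposed VNC services; not part of the EPA or
FBI/CISA/NSA advisory text. The sample replies below are constructed, not
captured from any real device.
"""
from __future__ import annotations

import socket
import struct

# Security-type codes from the RFB 3.8 specification (RFC 6143) and the
# IANA RFB registry. The client, not the server, picks one of the offered
# types, so any weak type in the list is usable by an attacker.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None (no authentication)",
    2: "VNC Authentication (DES challenge, 8-char password, no encryption)",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "VeNCrypt (TLS/X.509)",
    19: "GTK-VNC SASL",
    20: "MD5 hash authentication",
}

RFB_3_8 = b"RFB 003.008\n"


def parse_security_types(version: bytes, payload: bytes) -> list[int]:
    """Return the security types offered after the version handshake.

    `version` is the 12-byte banner negotiated with the server, e.g.
    b"RFB 003.008\\n". RFB 3.3 servers send one big-endian u32 type;
    3.7/3.8 servers send a u8 count followed by that many u8 codes, where a
    count of 0 means the server refused and a reason string follows.
    """
    if len(version) != 12 or not version.startswith(b"RFB "):
        raise ValueError(f"not an RFB banner: {version!r}")
    major, minor = int(version[4:7]), int(version[8:11])
    if (major, minor) < (3, 7):
        (stype,) = struct.unpack("!I", payload[:4])
        return [stype]
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack("!I", payload[1:5])
        reason = payload[5:5 + reason_len].decode(errors="replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(payload[1:1 + count])


def classify(types: list[int]) -> str:
    """Summarise the weakest option a client (or attacker) could select."""
    if 1 in types:
        return "EXPOSED: server accepts unauthenticated sessions"
    if 2 in types:
        # Offering type 2 alongside stronger types does not help: the client
        # chooses, so an attacker simply selects the password-only method.
        return "WEAK: classic VNC password authentication is selectable"
    if 18 in types or 19 in types:
        return "OK: only encrypted/strong authentication offered"
    names = ", ".join(SECURITY_TYPES.get(t, f"unknown({t})") for t in types)
    return f"REVIEW: {names}"


def probe_vnc(host: str, port: int = 5900, timeout: float = 5.0) -> list[int]:
    """Connect to a live VNC server and return its offered security types.

    Only run this against systems you are authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(12)
        if len(banner) != 12:
            raise ValueError(f"short RFB banner: {banner!r}")
        # Reply with the lower of the server's version and 3.8 so we get a
        # handshake this parser understands (e.g. Apple servers send 3.889).
        negotiated = banner if banner < RFB_3_8 else RFB_3_8
        sock.sendall(negotiated)
        payload = sock.recv(260)  # u8 count + up to 255 codes, or one u32
        return parse_security_types(negotiated, payload)


# Constructed server replies (not real captures) for a stand-alone demo.
SAMPLES = {
    "no-auth listener":      (RFB_3_8, bytes([1, 1])),
    "password-only listener": (RFB_3_8, bytes([1, 2])),
    "old RFB 3.3 listener":  (b"RFB 003.003\n", struct.pack("!I", 2)),
    "VeNCrypt with fallback": (RFB_3_8, bytes([2, 18, 2])),
    "VeNCrypt only":         (RFB_3_8, bytes([1, 18])),
}

if __name__ == "__main__":
    for name, (version, payload) in SAMPLES.items():
        types = parse_security_types(version, payload)
        print(f"{name:24s} {types} -> {classify(types)}")
    # Live check against a host you own (hypothetical address):
    # print(classify(probe_vnc("192.0.2.10")))
```

The point the classifier makes is the one the advisory implies: an RFB server that lists type 1 ("None") is open to anyone who can reach the port, and listing the classic VNC password method alongside stronger options is no better than offering it alone, because the connecting client picks the method. Any OT device that returns EXPOSED or WEAK from the internet should be moved behind a VPN or jump host and have its VNC port closed at the perimeter.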
More information on this alert can be found here.
BRICKSTORM Backdoor CISA Alert
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess that People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA, NSA, and Cyber Centre are releasing this Malware Analysis Report to share indicators of compromise (IOCs) and detection signatures based on analysis of eight BRICKSTORM samples. CISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures to identify BRICKSTORM malware on their systems.
More information on the alert can be found on the CISA website here.
Cybersecurity Exercises and Technical Assistance Courses
EPA training material and courses that can help improve your water system's cybersecurity can be found here.
Cyber Incidents Involving Cityworks Software
EPA is issuing this alert to inform water and wastewater system owners and operators of cyber incidents involving Cityworks Software. The Cityworks (owned by Trimble) platform is used widely by State, Local, Tribal, and Territorial municipalities, including water and wastewater systems. Read more about this alert here.
Iran Conflict is Increasing the Likelihood of Low-Level Cyberattacks Against US Networks
The U.S. EPA is issuing this alert to inform water and wastewater system owners and operators of the need for increased vigilance for potential cyber activity in the United States due to the current geopolitical environment. More information can be found here.
Microsoft SharePoint Vulnerabilities
The U.S. EPA is issuing this alert to inform water and wastewater system owners and operators of the need for increased vigilance surrounding the use of Microsoft SharePoint. While the scope and impact continue to be assessed, the exploit chain, publicly reported as “ToolShell,” provides unauthenticated access to affected SharePoint servers (and, through network spoofing, authenticated access) and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network. See the full update on CISA’s webpage.