The fallout and potential exposure from Iran’s state-backed targeting of U.S. critical infrastructure extends to more than 5,200 internet-connected devices, researchers at Censys said in a threat intelligence brief Wednesday. 

 Of the programmable logic controllers manufactured by Rockwell Automation/Allen-Bradley that Censys identified as  potentially exposed to Iranian government attackers, nearly 3,900, or about 3 out of every 4, are based in the United States. 

The cybersecurity firm identified the devices based on details multiple federal agencies shared in a joint alert Tuesday, and published additional indicators of compromise, including operator IPs and other threat hunting queries.

Federal authorities earlier this week warned that Iranian government attackers have exploited devices that control industrial automation processes and disrupted multiple sectors during the past month. Some victims also experienced financial losses as a result of the attacks, officials said. 

The operational technology devices are deployed across the energy sector, water and wastewater systems, and U.S. government services and facilities. 

Censys scans spotted 5,219 internet-exposed Rockwell Automation/Allen-Bradley PLC hosts shortly after the joint alert was issued by the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and U.S. Cyber Command. 

Researchers at Censys determined most of the exposed devices are connected via cellular systems, posing a significant risk to remote field deployments. Nearly half of the devices globally are connected to Verizon’s wireless network and 13% are connected to AT&T’s infrastructure.

“These devices are almost certainly field-deployed in physical infrastructure (pump stations, substations, municipal facilities) with cellular modems as their sole internet path,” Censys researchers wrote in the report. 

The potential attack surface is also amplified by additional services exposed in other ports on these devices, a discovery that Censys warned could allow attackers to gain direct paths to operations beyond PLC exploitation. 

Researchers fingerprinted MicroLogix and CompactLogix models exposed to the latest threat campaign and published a list of the 15 most-exposed products. Many of the most prominent devices are running end-of-life software, a compounding risk that could allow attackers to prioritize unpatched devices upon scanning, according to Censys.

The attacks date back to at least March, following the U.S. and Israel’s war against Iran, and were underway as other Iranian government-backed attackers claimed other victims, including Stryker and local governments.

The post Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs appeared first on CyberScoop.

Deceptive-Auditing is a tool that deploys Active Directory honeypots and automatically enables auditing for those honeypots.

The post Deceptive-Auditing: An Active Directory Honeypots Tool appeared first on Black Hills Information Security, Inc..

This webcast was originally published on November 8, 2024. In this video, Hayden Covington discusses the detection engineering process and how to apply the scientific method to improve the quality […]

The post The Detection Engineering Process appeared first on Black Hills Information Security, Inc..

Hannah Cartier // Social engineering, especially phishing, is becoming increasingly prevalent in red team engagements as well as real-world attacks. As security awareness improves and systems become more locked down, […]

The post Phishing Made Easy(ish) appeared first on Black Hills Information Security, Inc..

Kent Ickler // A robot wearing boots… with straps…. Have you been tasked with automation in the Command and Control (C2) world? If so your goal is to shorten the […]

The post Empire Bootstrapping v2 – How to Pre-Automate All the Things! appeared first on Black Hills Information Security, Inc..