
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
CISA Flags Actively Exploited ScadaBR Vulnerability

CISA has added CVE-2021-26829, a cross-site scripting (XSS) flaw in OpenPLC ScadaBR, to the Known Exploited Vulnerabilities (KEV) catalog following confirmation of real-world exploitation. The decision comes amid evidence linking pro-Russian hacktivist group TwoNet to attacks against industrial-themed honeypots, demonstrating how low-complexity vulnerabilities and default credentials continue to expose operational technology (OT) environments to risk.
Context
OpenPLC ScadaBR is an open-source SCADA/HMI platform used for industrial monitoring and control. Although not as widely deployed as major commercial SCADA systems, it is popular in smaller facilities, research labs, and education environments—places where misconfigurations and legacy software often persist.
TwoNet, a hacktivist group with a growing portfolio of disruptive and criminal activity, was observed targeting a Forescout honeypot in September 2025. The attackers misidentified the decoy as a water treatment facility and attempted to move from reconnaissance to disruption within roughly 26 hours.
What Happened
Forescout reported that:
TwoNet accessed the honeypot using default credentials
They created a new high-privilege user named “BARLATI”
They conducted basic reconnaissance on the HMI environment
They exploited CVE-2021-26829 to deface the login page with “Hacked by Barlati”
They modified system settings to disable logs and alarms
They focused solely on the web-application layer, not the underlying host
The attackers were unaware the system was a controlled research environment.
CISA’s decision to list the flaw in the KEV catalog reflects the confirmation of active exploitation in the wild.
Technical Breakdown
Vulnerability Details
CVE-2021-26829 — Cross-Site Scripting (XSS)
CVSS Score: 5.4
Affected Versions:
ScadaBR through 1.12.4 on Windows
ScadaBR through 0.9.1 on Linux
The flaw resides in system_settings.shtm, where insufficient input sanitization allows an attacker to inject malicious JavaScript, enabling defacement, data manipulation, or execution of scripts in the victim’s browser.
Exploitation Flow Observed
Initial access using default credentials
Creation of a persistent user account
Exploitation of CVE-2021-26829 for UI defacement
Modification of settings to suppress alarms and logs
No privilege escalation attempts—focus on application-layer disruption
The intruder’s behavior reflects common hacktivist activity: fast, noisy, and oriented toward visibility rather than stealth.
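The observed flow lends itself to a simple correlation rule over application audit events. The Python below is an added example, not code from Forescout, CISA or the ScadaBR project. The event schema, the sample events, the "admin" default account name and the "alarms=disabled" / "logs=disabled" detail strings are constructed assumptions; only system_settings.shtm and the roughly 26-hour window come from the article.

```python
import re
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical normalized schema (not ScadaBR's own log format).
EVENTS = [
    {"ts": "2025-09-01T08:00:00", "src": "198.51.100.7", "user": "admin", "action": "login", "detail": ""},
    {"ts": "2025-09-01T08:05:00", "src": "198.51.100.7", "user": "admin", "action": "user_create", "detail": "name=NEWUSER admin=true"},
    {"ts": "2025-09-01T09:10:00", "src": "198.51.100.7", "user": "NEWUSER", "action": "settings_change", "detail": "page=system_settings.shtm value=<script>PLACEHOLDER</script>"},
    {"ts": "2025-09-02T09:40:00", "src": "198.51.100.7", "user": "NEWUSER", "action": "settings_change", "detail": "page=system_settings.shtm alarms=disabled logs=disabled"},
    {"ts": "2025-09-01T10:00:00", "src": "192.0.2.20", "user": "operator1", "action": "login", "detail": ""},
    {"ts": "2025-09-01T10:02:00", "src": "192.0.2.20", "user": "operator1", "action": "settings_change", "detail": "page=system_settings.shtm language=en"},
]

DEFAULT_ACCOUNTS = {"admin"}      # assumption: vendor-default account names still present
WINDOW = timedelta(hours=26)      # article: recon to disruption in roughly 26 hours
MARKUP = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)   # script markup in a setting value
SUPPRESS = re.compile(r"\b(alarms|logs)=disabled\b", re.I)         # alarm/log suppression

def stage(ev):
    """Map one event to a stage of the observed flow, or None if it is unremarkable."""
    if ev["action"] == "login" and ev["user"] in DEFAULT_ACCOUNTS:
        return "default_login"
    if ev["action"] == "user_create" and "admin=true" in ev["detail"]:
        return "admin_user_created"
    if ev["action"] == "settings_change" and "system_settings.shtm" in ev["detail"]:
        if MARKUP.search(ev["detail"]):
            return "markup_in_settings"
        if SUPPRESS.search(ev["detail"]):
            return "alarms_or_logs_disabled"
    return None

def detect(events):
    """Return {src: stages} for sources showing >= 3 distinct stages within WINDOW
    of their first matching event."""
    by_src = {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        s = stage(ev)
        if s:
            by_src.setdefault(ev["src"], []).append((datetime.fromisoformat(ev["ts"]), s))
    alerts = {}
    for src, hits in by_src.items():
        start = hits[0][0]
        seen = {s for t, s in hits if t - start <= WINDOW}
        if len(seen) >= 3:
            alerts[src] = sorted(seen)
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

Because the last stage in the flow is log suppression, the rule only works if events are shipped off the HMI host before that point.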
Impact Analysis
While the honeypot was not a real facility, the observed behavior demonstrates real-world risks:
Legacy OT systems remain vulnerable to both trivial misconfigurations and older XSS flaws.
Hacktivist groups are expanding beyond DDoS into OT-themed attacks.
Default credentials continue to enable initial access to industrial systems.
Web-layer attacks can disable alarms or distort operator visibility—potentially leading to safety implications in real environments.
Federal agencies using OpenPLC ScadaBR must apply patches by December 19, 2025, per CISA’s binding directive.
Why It Matters
This incident underscores a persistent reality in industrial cybersecurity:
Attackers no longer need zero-days to disrupt OT environments.
Publicly available SCADA software is frequently misconfigured or outdated.
Hacktivists increasingly use OT-labeled activity to amplify visibility, even when real operational impact is limited.
Adding the flaw to the KEV catalog ensures updated tracking and enforcement for vulnerable federal systems.
Expert Commentary
Researchers note that TwoNet is evolving rapidly, blending political messaging with opportunistic technical exploitation. Their operations now include:
DDoS
OT-themed defacements
Ransomware-as-a-service
Initial access brokerage
Hack-for-hire offerings
Forescout analysts emphasize that this “pseudo-OT focus” leverages branding over capability—yet still creates real risk for unpatched environments.
Key Takeaways
CISA added CVE-2021-26829 to the KEV catalog due to confirmed active exploitation.
TwoNet hacktivists exploited the flaw in a SCADA honeypot posing as a water plant.
The attackers used default credentials and JavaScript injection to deface the interface.
XSS in OT systems can disable logs and alarms, impacting operator insight.
Federal agencies must patch by December 19, 2025.
Misconfigurations remain a leading cause of OT exposure.

