Top Highlights
- CISA added an actively exploited cross-site scripting vulnerability (CVE-2021-26829) in OpenPLC ScadaBR to its KEV catalog; it affects the Windows and Linux versions and carries a CVSS score of 5.4.
- The exploitation was attributed to the pro-Russian hacktivist group TwoNet, which logged in with default credentials and used the flaw to deface a honeypot, showing a focus on web-layer attacks with no attempt at privilege escalation.
- TwoNet’s activities have expanded from DDoS to targeting industrial systems, doxxing, and RaaS, with operations increasingly blending legacy tactics with broader claims.
- Separately, a long-standing OAST infrastructure hosted on Google Cloud and focused on Brazil has driven over 1,400 exploit attempts across 200+ CVEs, illustrating how malicious actors weaponize legitimate services for sustained attacks.
The Core Issue
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a critical security flaw, CVE-2021-26829, affecting OpenPLC ScadaBR software to its Known Exploited Vulnerabilities catalog. This vulnerability, a cross-site scripting (XSS) flaw, has been actively exploited by cyberattackers—most notably a pro-Russian hacktivist group called TwoNet. According to reports from cybersecurity firm Forescout, TwoNet targeted a honeypot system resembling a water treatment plant, swiftly moving from initial access via default credentials to defacing the system and disabling logs, without attempting privilege escalation. Their activities, which began earlier this year, involved web application attacks on industrial control systems and expanded into DDoS campaigns and other malicious operations. Notably, the hackers used the vulnerability to modify system pages, revealing their presence with the message “Hacked by Barlati,” while remaining unaware they were targeting a decoy system. Governments and organizations are now required to apply urgent fixes by December 19, 2025, to mitigate further damage. Meanwhile, security researchers from VulnCheck uncovered a long-standing operation using Google Cloud infrastructure focused on Brazil, exploiting numerous vulnerabilities through sophisticated, sustained scanning efforts that blend legitimate services with malicious activities, further highlighting the evolving and persistent nature of cyber threats.
Critical Concerns
The addition of CVE-2021-26829 to the KEV catalog signals a critical risk that can directly affect your business. If the XSS flaw is exploited, attackers could inject malicious scripts into the web interface of your OT or ICS systems, leading to unauthorized data access or system disruption. Consequently, this can cause operational shutdowns, data theft, or even safety hazards for personnel. Moreover, such breaches may result in regulatory fines, damage to your reputation, or legal liabilities. As a result, any business running vulnerable systems such as OpenPLC or ScadaBR faces substantial threats that can impair productivity and trust. Therefore, it’s essential to prioritize timely patches and security measures to protect your critical infrastructure from these active exploit risks.
Possible Next Steps
In the realm of cybersecurity, swift remediation of vulnerabilities such as the recently added actively exploited XSS bug CVE-2021-26829 in OpenPLC ScadaBR is critical. Promptly addressing these issues helps prevent potential attacks, minimizes damage, and preserves system integrity, aligning with the NIST Cybersecurity Framework’s emphasis on rapid response to security threats.
Mitigation and Remediation Steps
- Patch Implementation: Apply the latest security patches provided by the vendor to eliminate the vulnerability.
- Input Validation: Implement strict input validation on all data fields to prevent malicious scripts from executing.
- Access Controls: Restrict access to the affected system components to authorized personnel only to reduce attack surface.
- Network Segmentation: Isolate critical systems from less secure networks to limit potential spread of exploitation.
- Vulnerability Scanning: Conduct regular scans to detect and identify the presence of vulnerabilities like CVE-2021-26829.
- Monitoring and Logging: Enhance monitoring and maintain logs to detect suspicious activities indicative of exploitation attempts.
- User Awareness Training: Educate staff about the nature of XSS attacks and proper security practices to prevent inadvertent vulnerabilities.
- Incident Response Planning: Prepare and regularly update incident response procedures to ensure rapid action if exploitation occurs.
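The two steps above that translate most directly into code are output handling on the HMI pages (the "Input Validation" item) and log review for injection attempts (the "Monitoring and Logging" item). The following is an added illustration written for this page; it is not code from OpenPLC, ScadaBR, Forescout or VulnCheck, and the exact ScadaBR parameter behind CVE-2021-26829 is not given on the page, so the `/ScadaBR/view.htm?title=` endpoint, the `render_*` page functions and the access-log lines are all constructed placeholders. It shows a vulnerable rendering beside its escaped form, and a small common-log-format scanner that decodes request targets (including double encoding) and flags the markup patterns an XSS attempt against a web-based SCADA front end would carry.

```python
import html
import re
from urllib.parse import unquote_plus

# --- Rendering side (hypothetical HMI page that echoes a user-supplied label) ---

def render_unsafe(label: str) -> str:
    """Vulnerable form: raw interpolation lets markup in `label` run in every viewer's browser."""
    return f"<h1>Plant status: {label}</h1>"

def render_safe(label: str) -> str:
    """Hardened form: HTML-escape before interpolation so `label` is always displayed as text."""
    return f"<h1>Plant status: {html.escape(label, quote=True)}</h1>"

# --- Detection side (scan web-server access logs for injection markers) ---

# Markers typical of script injection in a request parameter. Matching is case-insensitive
# and applied after URL decoding, so percent-encoded variants are caught as well.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|on(?:load|error|click|mouseover)\s*=|<\s*iframe|<\s*svg",
    re.IGNORECASE,
)

def is_xss_attempt(request_target: str) -> bool:
    """Decode percent/plus encoding twice (to expose double encoding) and look for markers."""
    decoded = unquote_plus(unquote_plus(request_target))
    return bool(XSS_MARKERS.search(decoded))

# Minimal parser for common-log-format lines: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_xss_attempts(log_lines):
    """Return (ip, timestamp, target) for every request whose target carries an XSS marker."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        if is_xss_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits

# Constructed sample log (documentation IP ranges, hypothetical ScadaBR paths and parameter).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2025:10:00:00 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Dec/2025:10:01:12 +0000] '
    '"GET /ScadaBR/view.htm?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Dec/2025:10:02:30 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Dec/2025:10:03:05 +0000] '
    '"GET /ScadaBR/view.htm?title=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(render_unsafe("<script>x</script>"))  # markup passes through untouched
    print(render_safe("<script>x</script>"))    # markup is neutralised as text
    for ip, ts, target in find_xss_attempts(SAMPLE_LOG):
        print(f"XSS marker from {ip} at {ts}: {target}")
```

Two practical notes. Marker matching like this is a triage aid, not a control: encodings vary and the list will miss some attempts, so patching remains the fix and the scanner only helps confirm whether exploitation was tried. And because the intrusion described above ended with the attackers disabling logs on the host, the access logs this scanner reads should be forwarded off the HMI (to a collector the web-application account cannot write to) so that a gap in the stream is itself visible.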
