
Rising Alarm in Industrial Cybersecurity
A quiet but deeply troubling shift is unfolding across the digital infrastructure that powers critical industries. The U.S. Cybersecurity and Infrastructure Security Agency has updated its Known Exploited Vulnerabilities catalog with a flaw tied to OpenPLC ScadaBR—an industrial control system used in water, energy, and automation environments. The update follows fresh evidence of real-world exploitation, including activity traced back to a pro-Russian hacktivist group.
The sections below trace the timeline and the threat actor's missteps; the headline point is that a single XSS flaw in an industrial panel interface shows just how easily attackers can reach the physical systems we rely on.
The Added Vulnerability
CISA formally added CVE-2021-26829 to its KEV catalog after observing active exploitation. The flaw affects both Windows and Linux releases of OpenPLC ScadaBR, allowing a cross-site scripting injection through the system_settings.shtm component. CISA’s notice covers software versions up to 1.12.4 on Windows and up to 0.9.1 on Linux.
A Flaw in the Human–Machine Interface
The vulnerability is neither a deep kernel issue nor a protocol failure. It lives strictly inside the web application layer of the system’s HMI, where exposed input fields can be manipulated to run malicious scripts. With a CVSS score of 5.4, it is not the highest-severity bug in the ecosystem—but recent events show that modest vulnerabilities can trigger high-impact consequences.
TwoNet’s Misguided Attack
CISA’s decision came shortly after analytics firm Forescout reported a notable breach attempt in September 2025. The threat actor behind the intrusion was TwoNet, a pro-Russian hacktivist group active on Telegram. The attackers mistook a honeypot for an actual water treatment plant. Within 26 hours, they progressed from initial access to disruptive actions.
Use of Default Credentials
TwoNet gained entry by abusing default login details—an all-too-common issue in industrial deployments with weak security maintenance. Once inside, they created a new administrative user under the name “BARLATI,” likely the operator’s alias.
The XSS Exploitation
TwoNet then weaponized CVE-2021-26829. They modified the system’s HMI login description to show a message: “Hacked by Barlati.” Alongside the defacement, they attempted to disable alarm mechanisms and logging, unaware that their victim was only a decoy environment.
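The defacement described above works because a stored setting (here the HMI login description) is written into the page without encoding. The following is an added illustration, not code from the article or from the OpenPLC/ScadaBR project: the field name, the page template and the defacement string are constructed stand-ins. It places the unescaped rendering beside the hardened one so the difference is visible in the output.

```python
# Added example (not from the article or the OpenPLC/ScadaBR code base): a
# stored HMI setting rendered into HTML, first verbatim and then HTML-escaped.
# TEMPLATE and the field name "login-description" are hypothetical stand-ins.
import html
import re

# Constructed input in the style of the defacement the article describes:
# a visible message plus markup that a browser would execute if left unescaped.
DEFACEMENT = 'Hacked by Barlati<script>document.title="pwned"</script>'

TEMPLATE = '<div id="login-description">{description}</div>'


def render_vulnerable(description: str) -> str:
    """Insert the stored setting as-is: any markup it carries becomes live DOM."""
    return TEMPLATE.format(description=description)


def render_hardened(description: str) -> str:
    """Escape <, >, &, and quotes before insertion: markup is shown as text."""
    return TEMPLATE.format(description=html.escape(description, quote=True))


# Naive detector used only to demonstrate the difference between the renderers;
# it is not a substitute for proper output encoding.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    """True when the rendered HTML still contains a real <script> opening tag."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(DEFACEMENT))
    print("hardened:  ", render_hardened(DEFACEMENT))
```

The hardened renderer is the mitigation that a patch for this class of flaw applies at the template layer; a restrictive Content-Security-Policy on the HMI pages is a reasonable second layer but does not remove the need to encode output.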
Limited Technical Ambition
Forescout noted that the attackers showed no interest in elevating privileges or breaching the host OS. Their efforts remained confined to the web application tier, reflecting a pattern seen in hacktivist groups that prioritize visibility over complexity.
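The intrusion sequence reported here (a successful login on a default account, creation of a new administrative user, then attempts to disable alarms and logging, all from one source within roughly a day) is a detectable pattern in HMI audit logs. The code below is an added example, not part of the article or of Forescout's tooling; the log line format, field names and event names are constructed assumptions, and the sample log is fabricated to mirror the reported sequence.

```python
# Added example (not from the article or any vendor's product): correlate HMI
# audit events per source address to flag the default-credential -> new admin
# -> alarm/logging suppression chain. The log format below is hypothetical.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log mirroring the sequence the article describes.
SAMPLE_LOG = """\
2025-09-10T08:02:11Z src=203.0.113.7 event=login user=admin result=success
2025-09-10T08:05:40Z src=203.0.113.7 event=user_create user=BARLATI role=admin
2025-09-10T09:14:02Z src=203.0.113.7 event=setting_change key=login_description
2025-09-11T07:31:55Z src=203.0.113.7 event=alarm_disable scope=all
2025-09-11T07:33:10Z src=203.0.113.7 event=logging_disable scope=events
2025-09-10T10:00:00Z src=198.51.100.4 event=login user=operator1 result=success
"""

DEFAULT_ACCOUNTS = {"admin"}                     # accounts that ship with the product
SUPPRESSION_EVENTS = {"alarm_disable", "logging_disable"}
WINDOW = timedelta(hours=48)                     # how far after the login to look


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_intrusion_chains(records: list, window: timedelta = WINDOW) -> list:
    """Return one finding per source that logged in on a default account and then
    created an admin user and/or suppressed alarms or logging within the window."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)

    findings = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if (rec.get("event") != "login" or rec.get("result") != "success"
                    or rec.get("user") not in DEFAULT_ACCOUNTS):
                continue
            later = [x for x in recs[i + 1:] if x["ts"] - rec["ts"] <= window]
            created_admin = any(x.get("event") == "user_create" and x.get("role") == "admin"
                                for x in later)
            suppressed = sorted({x["event"] for x in later
                                 if x.get("event") in SUPPRESSION_EVENTS})
            if created_admin or suppressed:
                last_ts = later[-1]["ts"] if later else rec["ts"]
                findings.append({
                    "src": src,
                    "default_account": rec["user"],
                    "created_admin": created_admin,
                    "suppressed": suppressed,
                    "elapsed_hours": (last_ts - rec["ts"]).total_seconds() / 3600,
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_intrusion_chains(parse_log(SAMPLE_LOG)):
        print(f)
```

The login on the default account alone is the signal worth alerting on in an OT environment; the later events only raise the priority. The second source in the sample log, an ordinary operator login, produces no finding.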
TwoNet’s Evolution
Originally associated with DDoS antics, TwoNet has gradually shifted toward more sophisticated activity: doxxing operations, commercialized RaaS offerings, hack-for-hire services, and the brokerage of initial access to compromised networks. The group also claims links with CyberTroops and OverFlame, though these alliances remain unverified.
Federal Deadlines
Due to confirmed exploitation, all Federal Civilian Executive Branch agencies must deploy patches or mitigations by December 19, 2025. This ensures protection across sensitive infrastructure regulated by federal cybersecurity directives.
The OAST Connection
Separately, VulnCheck documented a long-running Out-of-Band Application Security Testing infrastructure hosted on Google Cloud. The system has been observed facilitating approximately 1,400 exploit attempts across 200+ CVEs.
Regional Focus on Brazil
The activity is geographically targeted toward Brazilian networks and has persisted since at least November 2024. The attackers exploit flaws and route successful callbacks to OAST subdomains quietly embedded in cloud services.
Weaponized Cloud Legitimacy
By operating through U.S.-based Google Cloud servers, attackers blend seamlessly into normal network traffic. This tactic leverages trusted hosting environments to avoid detection, complicating attribution and defensive filtering.
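One defensive answer to callbacks that hide behind a trusted provider is to judge outbound lookups from the OT segment by who is asking and what the name looks like, rather than by the hosting provider. The block below is an added example, not code from the article or from VulnCheck: the DNS log format, the OT address range, the allowlist and the domain names are all constructed, and the random-label heuristic is a generic one, not a description of any specific OAST service.

```python
# Added example (not from the article or VulnCheck): flag DNS queries from OT
# hosts that are not on an allowlist, and raise severity when the leftmost label
# looks like a random token of the kind out-of-band callback services hand out.
# Log format, subnet, allowlist and names are all constructed assumptions.
import ipaddress
from collections import Counter
from math import log2

# Constructed resolver log: OT hosts live in 10.20.0.0/16 in this example.
SAMPLE_DNS_LOG = """\
2025-11-03T10:15:02Z client=10.20.0.15 qname=time.example-vendor.com qtype=A
2025-11-03T10:16:45Z client=10.20.0.15 qname=k3f9x2m7q1zp8w4r6t0yc5.oast-collector.example.net qtype=A
2025-11-03T10:17:01Z client=10.20.0.22 qname=updates.example-cloud.net qtype=A
2025-11-03T10:18:30Z client=10.50.1.9 qname=mail.example-corp.com qtype=A
"""

OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
ALLOWLIST = {"time.example-vendor.com"}   # names OT hosts are expected to resolve
RANDOM_MIN_LEN = 16                        # callback tokens are long ...
RANDOM_MIN_ENTROPY = 3.5                   # ... and have high per-character entropy


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, computed from the character frequencies."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def looks_random(label: str) -> bool:
    return len(label) >= RANDOM_MIN_LEN and shannon_entropy(label) >= RANDOM_MIN_ENTROPY


def parse_dns_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def flag_ot_egress(records: list) -> list:
    """Return findings for queries from the OT segment to names off the allowlist."""
    findings = []
    for rec in records:
        if ipaddress.ip_address(rec["client"]) not in OT_SEGMENT:
            continue                      # only the OT segment is policed here
        qname = rec["qname"].rstrip(".").lower()
        if qname in ALLOWLIST:
            continue
        leftmost = qname.split(".")[0]
        severity = "high" if looks_random(leftmost) else "low"
        findings.append({"client": rec["client"], "qname": qname, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in flag_ot_egress(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f)
```

The allowlist is the real control: an OT host should have a short, known list of external names it ever resolves, so every unlisted query is worth a ticket regardless of provider. The entropy check only decides which of those tickets to look at first.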
Discovery of a Java Exploit File
VulnCheck identified a Java class file—TouchFile.class—hosted on an IP linked to the OAST domain. The file expands on a public Fastjson RCE exploit, enabling remote command execution and outbound HTTP interactions controlled via attacker-supplied parameters.
A Sustained Scanning Operation
The OAST infrastructure does not resemble opportunistic scanning. Instead, it displays consistently maintained behavior, implying a long-term campaign aimed at automated reconnaissance and selective exploitation.
Broader Industrial Targeting
Across both cases—the ScadaBR exploitation and the OAST campaign—the recurring theme emerges: threat actors increasingly lean on lightweight, widely available tools like Nuclei, pairing them with default passwords and misconfigured industrial interfaces. The cost of executing such attacks remains low, but the potential impact in critical infrastructure environments is severe.
What Undercode Says:
A Subtle Flaw With Outsized Implications
CVE-2021-26829 might look unremarkable in severity scoring, yet industrial control systems rewrite the risk equation. XSS in a consumer web app leads to phishing pop-ups. In SCADA, it can alter operational screens or suppress warnings. The flaw becomes a gateway to manipulating the operator’s perception of real-time processes.
Why TwoNet’s Attack Matters
Despite targeting only a honeypot, TwoNet demonstrated a timeline that should concern industrial defenders. Twenty-six hours is a remarkably short window between initial access and disruptive intent in OT environments. Traditional industrial attacks—Stuxnet, Industroyer—took months of preparation. Hacktivists are now performing simplified versions overnight.
The Default Credential Crisis
The reliance on default usernames and passwords shows systemic weakness across operational technology deployments. Attackers did not need to breach cryptographic controls or exploit kernel vulnerabilities; they entered through a door that operators had simply forgotten to lock.
Industrial Misidentification
The attackers believed they were breaching a water facility—proof of a growing trend in which hacktivist groups seek symbolic industrial targets. Even if their technique was basic, their target selection was deliberate. That shift signals a dangerous convergence: politically motivated groups now view industrial panels as canvases for propaganda.
XSS as a Disruption Tool
In OT environments, modifying visual elements is far from harmless. A manipulated interface can delay operator reaction, obscure alarms, or create false confidence. For a water treatment system, those seconds or minutes matter.
An Ecosystem of Off-the-Shelf Exploits
The wider OAST campaign illustrates attackers’ dependence on ready-made toolkits. Nuclei templates, Fastjson RCE payloads, and public PoCs form the foundation of modern exploitation workflows. Attackers no longer need deep expertise; they only need persistence and a cloud server.
Cloud Infrastructure as a Shield
The use of legitimate providers like Google Cloud lets malicious traffic blend perfectly with everyday enterprise communications. Security teams hesitate to block entire ranges belonging to trusted providers, giving attackers a free layer of camouflage.
Regional Targeting Signals Intent
Brazil’s prominence in the OAST callbacks suggests more than random scanning. Brazil has expanding industrial automation initiatives, numerous municipal water systems online, and significant energy infrastructure exposed through legacy web interfaces. Its digital footprint makes it a prime testing ground.
Long-Term Campaign Behavior
A year-long scanning and exploitation operation indicates a well-resourced actor or a deeply automated framework. Threat groups with long horizons often build exploit infrastructure that operates in the background, accumulating intelligence until the right opportunity emerges.
Growing Intersection of Hacktivism and OT
TwoNet’s behavior sits at the intersection of political activism and opportunistic exploitation. Their actions lack the precision of state-backed groups, yet they demonstrate a desire to be perceived as capable and disruptive in the industrial domain.
The Real Story Behind the KEV Update
CISA’s KEV additions rarely appear without cause. When a flaw reaches this list, exploitation is confirmed and active. That alone elevates the vulnerability far beyond its CVSS score. Industrial operators must treat it as a priority.
The Industry’s Blind Spot
Organizations often overlook XSS because it does not deliver immediate remote code execution. But in industrial HMIs, it can manipulate the very environment operators depend on for situational awareness. This is no longer a mere “web problem.”
Automation of Exploit Delivery
The detection of Java payloads capable of executing arbitrary commands underscores a wave of semi-autonomous attack frameworks. Attackers are packaging exploits into drop-in modules that operate across vast address spaces with minimal human supervision.
Blending OT and IT Threat Strategies
OT threats increasingly resemble IT threats—broad scanning, exploit spraying, and credential stuffing. The industrial sector has not yet fully adapted to defend against these high-volume patterns.
When Hacktivists Reach Industrial Panels
The moment hacktivist groups begin touching HMI systems, defenders must reevaluate their assumptions. These actors are not driven purely by profit; they are driven by visibility. That makes them unpredictable and, in some cases, more reckless.
Fact Checker Results
CISA did officially add CVE-2021-26829 to the KEV list. ✅
TwoNet did target a honeypot believing it was a real facility. ✅
No evidence suggests privilege escalation beyond the HMI layer. ❌
Prediction
Industrial attacks will grow more symbolic as hacktivist groups chase attention rather than technical depth. ⚠️
Cloud-hosted exploit delivery platforms will become the norm, hiding malicious traffic in plain sight. 📡
More low-severity OT vulnerabilities will be added to KEV lists as attackers exploit overlooked weaknesses. 🔍
References:
Reported By: thehackernews.com