{"id":3295,"date":"2025-05-23T07:00:00","date_gmt":"2025-05-23T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3295"},"modified":"2025-05-23T07:00:00","modified_gmt":"2025-05-23T07:00:00","slug":"critical-infrastructure-under-attack-flaws-becoming-weapon-of-choice","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3295","title":{"rendered":"Critical infrastructure under attack: Flaws becoming weapon of choice"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Threat actors are increasingly exploiting vulnerabilities to attack critical infrastructure systems.<\/p>\n<p>Critical infrastructure organizations accounted for 70% of all attacks that IBM X-Force responded to last year, with more than one quarter of those attacks carried out using vulnerability exploitation.<\/p>\n<p>\u201cOver the past year, we observed a continued shift towards identity attacks across all sectors, including critical infrastructure,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/michellealvarez-cybersecurity\/\">Michelle Alvarez<\/a>, manager of IBM X-Force Strategic Threat Analysis, told CSO. 
\u201cWhile attackers increasingly log in with stolen credentials, vulnerability exploitation remains a preferred entry point for these sectors, given their reliance on legacy tech and slow patching cycles.\u201d<\/p>\n<p>Alvarez added: \u201cDefenders are overwhelmed by the patching backlog, and attackers will continue to take full advantage until that changes.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Under fire \u2014 and overexposing critical systems<\/h2>\n<p>Other cybersecurity vendors quizzed by CSO agreed that security vulnerabilities represent an increasing threat to the integrity of critical infrastructure systems such as power distribution, water treatment, transport, telecoms, and banking.<\/p>\n<p>\u201cAttackers have leaned more heavily on vulnerability exploitation to get in quickly and quietly,\u201d said <a href=\"https:\/\/www.huntress.com\/authors\/dray-agha\">Dray Agha<\/a>, senior manager of security operations at managed detection and response vendor Huntress. \u201cPhishing and stolen credentials play a huge role, however, and we\u2019re seeing more and more threat actors target identity first before they probe infrastructure.\u201d<\/p>\n<p>James Lei, chief operating officer at application security testing firm Sparrow, added: \u201cWe\u2019re seeing a shift in how attackers approach critical infrastructure in that they\u2019re not just going after the usual suspects like phishing or credential stuffing, but increasingly targeting vulnerabilities in exposed systems that were never meant to be public-facing.\u201d<\/p>\n<p>VPNs, firewalls, and legacy web servers are common entry points, especially when they haven\u2019t been patched properly or are running out-of-date firmware. 
Insecure IoT devices and operational technology (OT) systems offer further targets for potential exploitation.<\/p>\n<p>Ian McGowan, managing director at cybersecurity firm Barrier Networks, commented: \u201cThe majority of attacks on CNI [critical national infrastructure] are not zero-days or exotic hacks; they are straightforward exploits of the basics we struggle to manage operationally.\u201d<\/p>\n<p>Himaja Motheram, a security researcher at threat intelligence firm Censys, added: \u201cWhile attackers do exploit traditional software flaws, the bigger concern in critical infrastructure is the widespread availability of insecure, internet-facing systems that provide direct access to essential services without proper access controls.\u201d<\/p>\n<p>One of the most overlooked fundamental issues is the sheer number of critical systems, such as water treatment interfaces or medical imaging systems, that are exposed to the public internet with either no authentication or default\/weak credentials, according to Sparrow\u2019s Lei.<\/p>\n<p>\u201cIn these cases, attackers don\u2019t even need to leverage exploits; they can simply log in,\u201d Lei explained. 
\u201cThe core problem isn\u2019t just a particular class of vulnerability; it\u2019s the systemic exposure and accessibility of sensitive systems that should never be directly reachable in the first place.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Trade in exploit code<\/h2>\n<p>IBM\u2019s X-Force found four of the 10 most mentioned common vulnerabilities and exposures (CVEs) on the dark web were linked to sophisticated threat actor groups, including nation-state intelligence agencies.<\/p>\n<p>\u201cExploit codes for these CVEs were openly traded on numerous forums \u2014 fueling a growing market for attacks against power grids, health networks, and industrial systems,\u201d IBM\u2019s X-Force reports.<\/p>\n<p>IBM\u2019s threat intel arm adds: \u201cThis sharing of information between financially motivated and nation-state adversaries highlights the increasing need for dark web monitoring to help inform patch management strategies and detect potential threats before they are exploited.\u201d<\/p>\n<p>Of the 10 CVEs highlighted in IBM\u2019s X-Force 2025 Threat Report, five impacted edge devices, and each was also featured in the US Cybersecurity and Infrastructure Security Agency\u2019s (CISA) Known Exploited Vulnerabilities (KEV) catalog.<\/p>\n<p><a href=\"https:\/\/www.tenable.com\/profile\/scott-caveza\">Scott Caveza<\/a>, senior staff research engineer at Tenable, commented: \u201cBecause these devices are often mission-critical and downtime may require significant planning, it may be one of the reasons these devices are patched less frequently, even in the wake of critical vulnerabilities impacting them.\u201d<\/p>\n<p>Attackers targeting critical infrastructure also exploit unpatched vulnerabilities across legacy operating systems, as well as industrial control systems.<\/p>\n<p>\u201cThese systems often remain unpatched for longer periods of time given the downtime risks, making them attractive targets,\u201d IBM X-Force\u2019s Alvarez 
said. \u201cAs a result, attackers can leverage vulnerabilities to gain control over critical systems and disrupt essential services.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Appetite for disruption<\/h2>\n<p>The list of attacks against critical infrastructure organizations that relied, wholly or in part, on vulnerability exploitation is large and growing.<\/p>\n<p>US government security agencies warned in February 2024 that <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-038a\">Chinese state-sponsored hackers had penetrated multiple critical infrastructure networks<\/a>, spanning communications, energy, transportation, and water sectors, and were maintaining persistent access.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/1306501\/china-backed-volt-typhoon-preparing-wave-of-attacks.html\">Volt Typhoon group<\/a> typically gained initial access by exploiting vulnerabilities in public-facing network appliances from vendors such as Fortinet, Citrix, and Cisco.<\/p>\n<p>Intel agencies warned that the group was setting up the ability to disrupt or destroy services in the event of a major crisis or conflict between the US and China.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/1248857\/moveit-carnage-continues-with-over-2600-organizations-and-77m-people-impacted-so-far.html\">MOVEit Transfer hack<\/a> hit multiple healthcare and government organizations in June 2023 after a zero-day vulnerability in enterprise file transfer software was exploited by ransomware groups, a textbook example of a supply chain attack.<\/p>\n<p>Another example is the <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-335a\">CyberAv3ngers attacks on US water and wastewater systems<\/a> (2023-2024). 
This group, linked to Iran\u2019s Islamic Revolutionary Guard Corps (IRGC), targeted Unitronics programmable logic controllers (PLCs) used in many facilities.<\/p>\n<p>\u201cBy exploiting publicly exposed interfaces and weak security configurations, they defaced human-machine interfaces (HMIs) and, in at least one Texas incident, manipulated water pumps and alarms,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/bharat-mistry-952414\/?originalSubdomain=uk\">Bharat Mistry<\/a>, director of product management at cybersecurity software company Trend Micro, said. \u201cThese attacks highlight the ongoing risks posed by vulnerable industrial control systems.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/andythompsoninfosec\/\">Andy Thompson<\/a>, offensive cybersecurity research analyst at global identity security firm CyberArk, said that the biggest threat to critical infrastructure is the disruption of availability, as exemplified by the May 2021 <a href=\"https:\/\/www.csoonline.com\/article\/570705\/colonial-pipeline-shutdown-highlights-need-for-better-ot-cybersecurity-practices.html\">Colonial Pipeline ransomware attack<\/a>.<\/p>\n<p>The Colonial Pipeline breach started with a compromised VPN login, but it was the lack of multi-factor authentication and poor patching that allowed it to escalate so severely, according to Huntress\u2019s Agha.<\/p>\n<p>The attack disrupted fuel supplies and triggered panic buying and widespread gasoline shortages across the US East Coast.<\/p>\n<h2 class=\"wp-block-heading\">Countermeasures<\/h2>\n<p>The escalating threat to critical infrastructure systems, which shows little sign of abating, ought to prompt a rethink in how to defend critical systems.<\/p>\n<p>\u201cTraditional methods for defense are not resilient enough for today\u2019s evolving risk landscape,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/worlddomination\/?originalSubdomain=uk\">Andy Norton<\/a>, European cyber risk officer at cybersecurity 
vendor Armis. \u201cLegacy point products and siloed security solutions cannot adequately defend systems against modern threats, which increasingly incorporate AI. And yet, too few organizations are successfully adapting.\u201d<\/p>\n<p>Norton added: \u201cIt\u2019s vital that organizations stop reacting to cyber incidents once they\u2019ve occurred and instead shift to a proactive cybersecurity posture that allows them to eliminate vulnerabilities before they can be exploited.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/markhughesibm\/?originalSubdomain=uk\">Mark Hughes<\/a>, global managing partner of cybersecurity services at IBM, said: \u201cBusinesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes, and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Threat actors are increasingly exploiting vulnerabilities to attack critical infrastructure systems. Critical infrastructure organizations accounted for 70% of all attacks that IBM X-Force responded to last year, with more than one quarter of those attacks carried out using vulnerability exploitation. 
\u201cOver the past year, we observed a continued shift towards identity attacks across all sectors, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3296,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3295","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3295"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3295"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3295\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3296"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3295"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3295"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3295"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}