CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV
Briefly

"The addition of the security defect to the KEV catalog comes a little over a month after Forescout said it caught a pro-Russian hacktivist group known as TwoNet targeting its honeypot in September 2025, mistaking it for a water treatment facility. TwoNet began its operations on Telegram earlier this January, initially focusing on distributed denial-of-service (DDoS) attacks, before pivoting to a broader set of activities, including the targeting of industrial systems, doxxing, and commercial offerings like ransomware-as-a-service (RaaS), hack-for-hire, and initial access brokerage."
"The attackers then proceeded to exploit CVE-2021-26829 to deface the HMI login page description to display a pop-up message "Hacked by Barlati," and modify system settings to disable logs and alarms, unaware that they were breaching a honeypot system. "The attacker did not attempt privilege escalation or exploitation of the underlying host, focusing exclusively on the web application layer of the HMI," Forescout said."
CVE-2021-26829 (CVSS 5.4) is a stored cross-site scripting vulnerability in OpenPLC ScadaBR reachable via system_settings.shtm; it affects ScadaBR through 1.12.4 on Windows and through 0.9.1 on Linux. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. Forescout observed a pro-Russian hacktivist group called TwoNet targeting a honeypot that mimicked a water treatment facility and moving from initial access to disruptive actions in about 26 hours. The attackers logged in with default credentials, created a user named "BARLATI," used the XSS to plant a script in the HMI's login page description so that a "Hacked by Barlati" pop-up appeared on the login page, and changed system settings to disable logs and alarms. They stayed at the web application layer and made no attempt at privilege escalation or compromise of the underlying host. The practical takeaways are the same as for most ICS HMI exposures: the entry point was a default password, not the XSS, and the disabled logs and alarms are the part that would hurt in a real plant. TwoNet has expanded from DDoS to industrial targeting, doxxing, and commercialized services including RaaS and initial access brokerage.
Read at The Hacker News