Netizen: Monday Security Brief (12/1/2024)

Today’s Topics:

  • CISA Flags Active XSS Exploitation in OpenPLC ScadaBR
  • DPRK Group Seeds npm Registry with Another Set of Loader Packages
  • How can Netizen help?

CISA Flags Active XSS Exploitation in OpenPLC ScadaBR

CISA has added CVE-2021-26829 to the Known Exploited Vulnerabilities (KEV) catalog after investigators confirmed that the flaw has been used in real attacks. The weakness is a cross-site scripting issue in OpenPLC ScadaBR, present in Windows versions through 1.12.4 and Linux versions through 0.9.1. It is tied to the system_settings.shtm page and carries a CVSS score of 5.4. Although that score is only moderate, its presence in the KEV catalog means attackers are actively using it in operational environments.

Much of the renewed attention came from research into a September 2025 incident involving a Forescout honeypot. The system was built to resemble a small water treatment plant. TwoNet, a pro-Russian hacktivist group, accessed it through default credentials and created a new user account called BARLATI. They spent roughly a day moving from initial access to simple changes inside the web interface. They used the vulnerability to deface the HMI login page with a pop-up message that read “Hacked by Barlati” and then attempted to turn off logs and alarms, unaware that the environment was a decoy. Their activity stayed within the web layer and showed no attempt to escalate privileges or reach the underlying host. The action fit their pattern of blending older web exploitation with loud claims about industrial targets.

TwoNet has been shifting its tactics throughout the year. The group started on Telegram in January with uncomplicated DDoS attacks and has since moved into industrial systems, doxxing, paid access, ransomware services, and broad hack-for-hire activity. They have also tied their brand to other hacktivist groups such as CyberTroops and OverFlame. Their interest in industrial interfaces appears to be part of a strategy focused on visibility rather than deep technical control.

Federal Civilian Executive Branch agencies now have until December 19, 2025, to apply the required updates. Any organization running ScadaBR, including those outside government, should confirm that patches are installed, that interfaces are not exposed unnecessarily, and that default passwords have been removed.

Around the same period, VulnCheck uncovered a separate campaign built on an Out-of-Band Application Security Testing (OAST) endpoint hosted in Google Cloud. The infrastructure has been active for at least a year and shows a pattern of activity aimed at Brazil. Sensor data revealed more than 1,400 exploit attempts tied to over 200 CVEs. Many of the requests used familiar Nuclei-style signatures, although the payloads and geographic pattern pointed to a more focused operator. Successful exploitation triggered callbacks to subdomains under i-sh.detectors-testing[.]com. Activity has been traced to US-based Google Cloud systems, which allows the attacker to blend in with normal traffic.

VulnCheck also discovered a Java class file at 34.136.22[.]26 called TouchFile.class. The file expands on a public Fastjson remote code execution proof of concept, adding the ability to accept commands and URL parameters and to send outbound HTTP requests. The length of time the infrastructure has been active and the narrow geographic focus suggest a sustained scanning effort rather than a series of short, opportunistic sweeps.


DPRK Group Seeds npm Registry with Another Set of Loader Packages

North Korean operators tied to the Contagious Interview activity have pushed another 197 malicious packages into the npm registry, continuing a steady pattern that started late last month. Socket’s telemetry shows more than 31,000 downloads across these uploads. Each package acts as a loader for an updated build of OtterCookie that blends traits from BeaverTail with older OtterCookie versions, which mirrors what researchers have been documenting for several weeks.

Some of the loaders appeared under familiar names such as bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss. Once launched, the malware checks for sandboxes and virtual machines, collects basic system information, and opens a command channel. With that foothold, the operators gain a remote shell along with the ability to capture keystrokes, screenshots, clipboard data, browser credentials, documents, and cryptocurrency wallet information including seed phrases.
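Because a loader package can arrive as a transitive dependency rather than one a developer installed by name, the place to look for the names reported above is the lockfile. The following is an added example (not code from the brief, Socket, or the campaign) that walks an npm package-lock.json in both the nested v1 format and the flat v2/v3 format and reports any of the reported loader names along with the dependency path that pulled them in; the sample lockfiles and every package name other than the reported ones are constructed for illustration.

```javascript
// Added example: scan an npm lockfile object for the loader package names
// reported by Socket. Supports lockfileVersion 1 (nested "dependencies")
// and lockfileVersion 2/3 (flat "packages" keyed by node_modules path).
const REPORTED_LOADERS = new Set([
  'bcryptjs-node', 'cross-sessions', 'json-oauth', 'node-tailwind',
  'react-adparser', 'session-keeper', 'tailwind-magic',
  'tailwindcss-forms', 'webpack-loadcss',
]);

// Returns [{ name, version, path }] for every match; path is the node_modules
// key (v2/v3) or the "parent > child" chain (v1) that introduced the package.
function findReportedLoaders(lock) {
  const hits = [];
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry, not a dependency
      const name = key.slice(key.lastIndexOf(marker) + marker.length);
      if (REPORTED_LOADERS.has(name)) hits.push({ name, version: meta.version, path: key });
    }
  } else if (lock.dependencies) {
    const walk = (deps, chain) => {
      for (const [name, meta] of Object.entries(deps)) {
        const here = [...chain, name];
        if (REPORTED_LOADERS.has(name)) hits.push({ name, version: meta.version, path: here.join(' > ') });
        if (meta.dependencies) walk(meta.dependencies, here); // v1 nests sub-trees
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfiles: one reported loader hidden under a
// legitimate-looking (made-up) package in each format.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/ui-kit-demo': { version: '2.1.0' },
    'node_modules/ui-kit-demo/node_modules/tailwind-magic': { version: '1.0.3' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    express: { version: '4.19.2' },
    'ui-kit-demo': { version: '2.1.0', dependencies: { 'session-keeper': { version: '0.2.0' } } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findReportedLoaders(SAMPLE_LOCK_V3), findReportedLoaders(SAMPLE_LOCK_V1));
}
```

To run it against a real project, replace the sample objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result should be treated as an incident, not a cleanup task, since the loader executes on install.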

Researchers have been noting the shrinking gap between OtterCookie and BeaverTail. Cisco Talos described this overlap last month during an investigation into an infection that reached a system tied to an organization in Sri Lanka. In that case, the user had been tricked into running a Node.js application that formed part of a staged job interview.

Further review shows that these npm packages connect to a hard-coded Vercel address, tetrismic.vercel[.]app. That server fetches the cross-platform OtterCookie payload from a GitHub repository controlled by the actor. The GitHub profile behind the distribution, stardev0914, has since disappeared.

Kirill Boychenko at Socket noted that the pace of these uploads makes Contagious Interview one of the most active efforts abusing the npm ecosystem. The campaign fits a broader pattern where North Korean operators blend developer tooling with workflows tied to cryptocurrency projects, JavaScript development, and common open source utilities.

A related wing of this activity has shown up in a separate set of fake assessment websites. These sites walk victims through steps that mimic ClickFix troubleshooting. During the flow, the user is persuaded to download malware written in Go, often described as GolangGhost or FlexibleFerret. The operation goes by the name ClickFake Interview. After running, the malware contacts a built-in command server and waits for instructions. It can collect system data, run commands, move files, and gather information from Google Chrome. Persistence is handled through a macOS LaunchAgent that triggers a shell script at login. A decoy application also appears during this process, showing camera or microphone prompts that look like Chrome and later presenting a fake Chrome password window that stores the user’s input and sends it to a Dropbox account.

Despite some shared themes, analysts have stressed that this operation differs from the separate DPRK IT worker schemes where operators embed themselves into companies under borrowed identities. Contagious Interview instead targets individuals directly through job postings, coding tests, and staged hiring portals that act as delivery systems for malware.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering, which enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations, demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.