US Water Systems' HMIs Exposed; Salesforce Social Engineering Extortion Campaign; Cisco Fixes Hardcoded Credential in Identity Services Engine

In October 2024, researchers from Censys discovered hundreds of Internet-exposed human-machines interfaces (HMIs) at US water facilities. The vulnerable systems were "identified via TLS certificate analysis and confirmed through screenshot extraction." Censys found that all vulnerable water facilities were using the same HMI/SCADA software, and all were detected to be either authenticated (credentials required for access); read-only (systems viewable but not controllable); or unauthenticated (systems accessible with full access). Of the nearly 400 detectable systems, 40 were fully unauthenticated, which means they were controllable by any device with a browser. Censys shared their findings with the Environmental Protection Agency (EPA) and with the vendor. Twenty-four percent of vulnerable systems were secured within nine days; several weeks later, that figure had increased to 58 percent, and by May 2025, more than 94 percent of systems had been secured.

According to a report from the Google Threat Intelligence Group, a cybercriminal operation has been using social engineering tactics to trick organizations into granting them access to their Salesforce Data Loader tools; from there, the criminals are stealing data and gaining further access to the organizations' networks. The campaign, which uses voice-based phishing techniques, has targeted roughly 20 organizations to date. The threat actors have attempted to extort the organizations using the stolen data as leverage. In some of those cases, the extortion activity did not begin until several months after the initial attack. In March, Salesforce published guidance designed to help users protect their Salesforce environments from social engineering attacks.

On Wednesday, June 4, Cisco released updates to address a hard-coded password issue that affects Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE). According to Cisco's advisory, the flaw could be exploited to "allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems." The vulnerability affects Cisco ISE 3.1, 3.2, 3.3, and 3.4 deployed on AWS, Cisco 3.2, 3.3, and 3.4 deployed on Azure, and Cisco 3.2, 3.3, and 3.4 deployed on OCI.

ConnectWise published a security advisory on May 28, 2025, disclosing "suspicious activity" in the company's environment specifically affecting "a very small number of ScreenConnect customers." The software company is working with Mandiant to implement monitoring and hardening measures and to continue investigation; the advisory alleges the activity was tied to a nation state actor. Just over a month earlier, on April 24, 2025, ConnectWise issued a patched release of ScreenConnect (version 25.2.4) to "reduce the risk of ViewState abuse" in light of an exploited ASP.NET weakness found by Microsoft Threat Intelligence in December 2024. While the patch announcement does not specify the flaw, the company simultaneously released a separate security bulletin announcing a patch for CVE-2025-3935, NVD CVSS score 7.2, which allows an attacker to perform a code injection attack through ScreenConnect by using compromised machine keys and generating a malicious ViewState. The Cybersecurity and Infrastructure Security Agency added this flaw to its Known Exploited Vulnerabilities (KEV) catalog on June 2, 2025. ConnectWise's May 28 advisory states that no further suspicious activity in ScreenConnect cloud instances has been observed since the April 24 patch, but does not clarify the timeline of the attack, nor the timing of the flaw's known exploitation relative to the patch, and does not specifically mention CVE-2025-3935.

Schneider Electric has disclosed a critical vulnerability affecting the company's Wiser AvatarOn 6K Freelocate and Wiser Cuadro H 5P Socket Home Automation devices. The buffer overflow vulnerability lies in the Silicon Labs Gecko bootloader on ARM that was disclosed in 2023. Both affected products have reached end of life and will not be receiving patches. Schneider advises users to disable the firmware update function or to replace the products.

Major US media company Lee Enterprises has filed a report with the Office of the Maine Attorney General disclosing additional information about a ransomware attack the company suffered on February 3, 2025. Investigation concluding on May 28, 2025, determined that the first and last names and Social Security numbers of "certain individuals" may have been accessed and/or stolen during the attack. The report estimates 39,779 people may be impacted by this data breach. The letter to Maine residents notes that Lee Enterprises has not observed misuse nor attempted misuse of the information, but has notified the FBI, and is offering identity theft protection and credit monitoring services to those affected.

The US Federal Bureau of Investigation (FBI) has updated the December 2023 advisory about the Play ransomware group, a document published jointly with the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC). Information added to the advisory includes new tactics, techniques, and procedures (TTPs) the group is using and an edited list of indicators of compromise (IoCs). The advisory now also notes that "The Play ransomware binary is recompiled for every attack, resulting in unique hashes for each deployment, complicating anti-malware and anti-virus program detection of the ransomware." The agencies note that the number of entities affected by the Play ransomware group now exceeds 900, up from 300 in late 2023.

Microsoft has announced the launch of their European Security Program, which is an expansion of the company's existing Government Security Program. The new elements in the program include "increasing AI-based threat intelligence sharing with European governments; making additional investments to strengthen cybersecurity capacity and resilience; and expanding our partnerships to disrupt cyberattacks and dismantle the networks cybercriminals use." The program is available at no cost to European governments.

Committee that cybercriminals stole £47M (US$63M) from online accounts associated with about 100,000 taxpayers. HMRC is contacting affected individuals to let them know that their accounts have been secured and that they have not lost any money. The scammers appear to have used phishing attacks to gain access to the accounts and claim rebates. Members of Parliament criticized HMRC for not notifying them of the incident when it first occurred.