Security Boulevard

via the comic artistry and dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Electric Vehicles’ appeared first on Security Boulevard.

Flashpoint analysts, working with partner financial institutions, have observed a growing number of PhaaS operations operating with a level of coordination and specialization more commonly associated with legitimate software platforms. These ecosystems bring together phishing kit developers, infrastructure providers, spam delivery services, and financially motivated actors into a single, scalable pipeline for fraud.

The post The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks appeared first on Flashpoint.

The post The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks appeared first on Security Boulevard.

ClickFix campaigns have found a way around macOS Tahoe's warnings against pasting commands in the Terminal. They're using Script Editor instead.

The post ClickFix finds a new way to infect Macs appeared first on Security Boulevard.

Author, Creator & Presenter: Daniel Miessler, Founder, Unsupervised Learning

Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations' YouTube Channel.

Permalink

The post [un]prompted 2026 – Anatomy Of An Agentic Personal Al Infrastructure appeared first on Security Boulevard.

Explore how LLM proxies secure AI models by controlling prompts, traffic, and outputs across production environments and exposed APIs.

The post What Is an LLM Proxy and How Proxies Help Secure AI Models appeared first on Security Boulevard.

Why Product Teams Fail at Feature Prioritization Most product engineering teams don’t have a shortage of ideas. They have a shortage of impact. Roadmaps are...Read More

The post How to Prioritize Product Strategy Features Using Data Instead of Opinions appeared first on ISHIR | Custom AI Software Development Dallas Fort-Worth Texas.

The post How to Prioritize Product Strategy Features Using Data Instead of Opinions appeared first on Security Boulevard.

See how you can use Tenable Hexa AI to determine in minutes if you’re impacted by the Axios npm supply chain attack. Learn how easy it is to automate configuration of scans, identify impacted assets, prioritize remediation, and more using agentic AI from Tenable.

Key takeaways: 

1. Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform, can tell you in minutes if your organization is running compromised versions of the Axios npm package following a recent discovery of a supply chain attack.
    
2. Tenable Hexa AI configures and launches scans; tags affected assets by severity, owner, or business unit to scope the blast radius of the threat; and automates remediation scans to verify remediation effectiveness.
    
3. The workflow that Tenable Hexa AI automates (targeted scan, tag, remediate, verify) applies to any emerging threat, whether the discovery of a new CVE, zero-day vulnerability, or supply chain compromise.
    

When a highly utilized code package like the Axios npm package is compromised in a supply chain attack, news of the compromise often sets off a mad scramble for security teams. Responding to the discovery can take days, and typically involves manually configuring different assessments to identify if vulnerable versions of the software are present in your environment, and if so, which assets are affected by them. Then, of course, you have to implement recommended remediations, which in the case of the Axios npm supply chain attack include:

• Downgrade to safe versions: [email protected] or [email protected]
• Remove the phantom dependency: node_modules/plain-crypto-js/
• Block C2 traffic to sfrclak[.]com and 142.11.206.73
• Treat affected systems as fully compromised: rotate all secrets and credentials, rebuild from clean snapshots
• Audit CI/CD pipelines: ephemeral runners require secret rotation; self-hosted runners are treated as fully compromised
• Search for file artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux).

Even if you can respond and remediate within hours, it’s still not fast enough for AI-assisted threat actors. These days, we need to answer three critical questions in minutes: 

• Are we exposed?
• Where are we exposed?
• How quickly can we mitigate the threat? 

In the first of a series of blogs on use cases for the Tenable Hexa AI agentic engine, we show you how Tenable Hexa AI accelerates this exact workflow to reduce your window of risk.

Using Tenable Hexa AI to discover the Axios threat and answer “Are we exposed?”

When researchers discover a new zero-day or supply chain compromise, the first question on security teams’ minds isn’t “How do we fix it?” It’s “Are we affected?” Answering that question shouldn’t be difficult, and with Tenable Hexa AI, it couldn’t be simpler. 

Open Tenable Hexa AI and type something like, “Show me all assets in my environment vulnerable to the Axios Supply Chain vulnerability.”

Tenable Hexa AI then queries the Tenable One Exposure Data Fabric, the data already collected from your existing scans, agents, and integrations. Within seconds, Tenable Hexa AI produces a clear picture of which assets are running the compromised Axios versions, where they sit in your network, and how critical they are to your business. 

No query language. No console-hopping. No waiting for a new scan to finish. Just ask the question and get the answer. 

Using Tenable Hexa AI to scope the blast radius with asset tagging

Now you know which assets are affected, but a flat list isn’t a response plan; it’s a starting point. The next step is to scope the blast radius and organize it for action. With Tenable Hexa AI, this is as simple as telling Tenable Hexa AI to “Tag this with the category Supply Chain and value Axios.” 

Tenable Hexa AI then bulk-applies the tag across every asset in one action. And just like that, you’ve turned a raw discovery into a structured, queryable incident surface. 

This matters because tagging is the bridge between exposure discovery and remediation by the right team. Once assets are tagged, you can slice them by business unit or owner to route remediation work. You can feed tagged assets into dashboards for executive visibility, and critically, the tag preserves a snapshot of the blast radius as the environment changes. 

Why this capability matters beyond Axios

Supply chain attacks have seen a staggering increase in recent years, with the Sonatype 2024 State of the Software Supply Chain report showing a 156% year-over-year surge in attacks targeting upstream repositories like npm and PyPI. So the question isn’t if another package will be poisoned, but how much of your weekend it will consume when it happens.

What we’ve shown here with the Axios response (i.e., scope, discover, prioritize) is more than just a fix for one npm package. It represents a fundamental shift in how security teams handle emergency response. 

By using Tenable Hexa AI, you are building agentic and operational muscle memory. You can deploy the exact same conversational workflow you used to hunt for malicious versions of Axios the moment the next Log4j, XZ Utils, or MoveIt-style vulnerability hits the news.

Tenable Hexa AI transforms high-pressure fire drills like the discovery of the Axios npm supply chain attack into a structured, repeatable, and sane workflow. Instead of writing custom scripts or manually configuring policies under duress, you simply tell Tenable Hexa AI what to do, and the agentic engine handles the grunt work for you. 

Use cases for agentic AI: Additional ways to use Tenable Hexa AI 

Stay tuned for more use cases demonstrating the agentic power of Tenable Hexa AI. Here’s what’s coming next: 

• Using Tenable Hexa AI to target remediation scans at tagged assets, schedule post-patch verification, and compare before/after results to confirm the threat is neutralized
• Using Tenable Hexa AI to automate the creation of risk dashboards and report on security KPIs
• Using Tenable Hexa AI to map vulnerabilities to asset owners (via Okta, CMDB, or custom mappings) and automatically notify the right teams.
• Using Tenable Hexa AI to trigger patching workflows and network isolation for compromised assets

Tenable Hexa AI is currently in private preview for select Tenable One customers. Contact your Tenable Account Team to join the private preview program.

Want to learn more? Download the Tenable Hexa AI data sheet to get the full technical breakdown of our agentic capabilities.

The post Crushing the Axios supply chain threat with Tenable Hexa AI: Use cases for agentic AI appeared first on Security Boulevard.

Discover the best Sentry alternatives for error tracking and monitoring in 2026 to improve debugging, performance, and application reliability.

The post Best Sentry Alternatives for Error Tracking and Monitoring (2026) appeared first on Security Boulevard.

Modern authentication solutions help businesses prevent fraud, reduce login friction, and improve user experience. Learn key use cases, benefits, and how passwordless, OTP, and user verification systems enhance security.

The post Authentication Solutions for Businesses: Benefits, Use Cases, and More appeared first on Security Boulevard.

How modern age-verification laws, like the California Digital Age Assurance Act, dismantle the principle of data minimization by mandating the collection of sensitive personal data, effectively turning "don't know" into "must know" and knowledge into liability.

The post When Privacy Laws Force You to Know Too Much: The Perverse Incentives of Age Verification Regimes appeared first on Security Boulevard.

I spent most of one day this week trying to access a perfectly ordinary online service and felt like I was applying for witness protection. By the end of it, I’d supplied a password, a code, a backup code, a second email, and what felt like several pieces of emotional verification. We are constantly told … Continue reading Breach of Confidence: 10 April 2026 →

The post Breach of Confidence: 10 April 2026 appeared first on Security Boulevard.

Kasada will headline the 2026 RH-ISAC Cybersecurity Summit, addressing bot-driven fraud, AI-powered cybersecurity threats, and agentic commerce across retail and hospitality sectors.

The post Kasada Partners with the Retail and Hospitality ISAC as Title Sponsor of 2026 Cybersecurity Summit appeared first on Security Boulevard.

How Do Non-Human Identities Fit into Complex IT Architectures? Have you ever wondered how organizations maintain secure environments where complex IT architectures, especially when it comes to non-human identities (NHIs)? With machine identities become increasingly essential in automating processes and facilitating seamless communication between systems, their management is critical to maintaining robust cybersecurity frameworks. Understanding […]

The post How are NHIs supported in complex IT architectures appeared first on Entro.

The post How are NHIs supported in complex IT architectures appeared first on Security Boulevard.

What Role Do Non-Human Identities Play in Achieving Calm Operations? Managing operations is no small feat, especially when it comes to cybersecurity. But have you ever considered how non-human identities (NHIs) can significantly impact the operational stability of your organization? Where Agentic AI operations are becoming crucial, understanding NHIs can bring order and tranquility to […]

The post How can Agentic AI bring calm to hectic operations appeared first on Entro.

The post How can Agentic AI bring calm to hectic operations appeared first on Security Boulevard.

What Is the Role of Non-Human Identities in Cybersecurity? Where increasingly governed by technology, it’s crucial to examine the security of Non-Human Identities (NHIs). These machine identities play a pivotal role in cybersecurity but are often overlooked in favor of human-centric security measures. Understanding their importance can help bridge the gap between security teams and […]

The post Are Agentic AI systems truly scalable for large enterprises appeared first on Entro.

The post Are Agentic AI systems truly scalable for large enterprises appeared first on Security Boulevard.

An Iran-affiliated threat group has evolved from defacing water utility displays to deploying custom ICS malware and exploiting Rockwell Automation PLCs across multiple U.S. critical infrastructure sectors.

Key takeaways:

1. CyberAv3ngers is a state-directed threat group operating under Iran's IRGC Cyber-Electronic Command. The U.S. Treasury sanctioned six named officials in February 2024 and the State Department has offered a $10 million bounty for information on the group's activities.
    
2. The group has escalated from exploiting default credentials on Israeli-made PLCs (2023) to deploying a custom ICS malware platform called IOCONTROL (2024) to actively exploiting CVE-2021-22681, a critical authentication bypass in Rockwell Automation controllers, across U.S. water, energy, and government facilities (2026). There is no vendor patch for this vulnerability; only defense-in-depth mitigations are available.
    
3. A six-agency joint advisory (CISA AA26-097A) issued on April 7, 2026, confirmed operational disruption and financial loss at multiple U.S. organizations. CyberAv3ngers' ICS exploitation techniques have proliferated to an estimated 60+ affiliated groups, meaning the threat persists even if the core group is degraded. Defenders operating internet-exposed PLCs should take immediate action.

Background

On April 7, 2026, the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command jointly warned that Iranian-affiliated advanced persistent threat actors are actively exploiting internet-facing programmable logic controllers across U.S. critical infrastructure. The advisory, designated AA26-097A, confirmed operational disruption and financial loss at multiple victim organizations in the Government Services, Water and Wastewater Systems, and Energy sectors. The authoring agencies linked this activity to the same threat ecosystem behind CyberAv3ngers, a group the U.S. government has formally attributed to Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).

CyberAv3ngers is not a new actor, but its capabilities have matured significantly since it first drew international attention in late 2023. This FAQ provides defenders, vulnerability management teams, and security leadership with a comprehensive profile of the group: its history, technical capabilities, targeted sectors, and the specific steps organizations should take to reduce their exposure.

FAQ Who is CyberAv3ngers?

CyberAv3ngers is an Iranian state-directed cyber threat group operating as a persona for the IRGC-CEC. The group has been active since at least 2020 and is tracked by the security community under multiple designations, including Storm-0784 (Microsoft), Bauxite (Dragos), Hydro Kitten, UNC5691 (Mandiant), and MITRE ATT&CK ID G1027.

Despite initially presenting itself as a hacktivist collective motivated by anti-Israel ideology, subsequent investigations by CISA, the U.S. Treasury Department, and multiple cybersecurity research organizations established that the group's funding, tooling, and operational sophistication far exceeded typical hacktivist capabilities. The group is a state-sponsored actor, not an independent activist collective.

Who is behind the group?

In February 2024, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned six IRGC-CEC officials for directing CyberAv3ngers operations: Hamid Reza Lashgarian (head of IRGC-CEC and an IRGC-Qods Force commander), Hamid Homayunfal, Mahdi Lashgarian, Milad Mansuri, Mohammad Amin Saberian, and Mohammad Bagher Shirinkar. The State Department's Rewards for Justice program is currently offering up to $10 million for information on the "Mr. Soul" persona, which the State Department has linked to CyberAv3ngers and which is suspected to be an alias for one of the sanctioned officials.

In December 2025, leaked internal operational records exposed structured spreadsheets tracking domain registrations, European virtual private server hosting, and cryptocurrency payments routed through Bitcoin wallets. These records confirmed direct infrastructure and administrative overlap with the Moses Staff operation, formally connecting what had previously been treated as separate Iranian cyber personas into a single coordinated effort directed by the state.

The group has also demonstrated resilience through serial rebranding. When the "APT IRAN" Telegram channel, widely assessed as a CyberAv3ngers rebrand, was deleted, a new "Cyber4vengers" channel emerged in January 2026 to continue operations. Taking down individual channels and personas has not disrupted the underlying organizational capability.

Should CyberAv3ngers' public claims be taken at face value?

No. CyberAv3ngers operates a deliberate parallel influence campaign alongside its technical operations, and defenders should evaluate the group's public claims with skepticism.

DomainTools Investigations (DTI) characterized the group's strategy as "engineering beliefs" rather than merely breaching systems. CyberAv3ngers has refined its cyber activity into what DomainTools describes as a propaganda apparatus: each operation becomes a performance calibrated to sow fear and disrupt public trust, recycled data leaks are theatrically repackaged to simulate fresh compromises, and social media personas sustain the perception of threat even during operational pauses.

The October 2023 Dorad power station incident is the clearest example. CyberAv3ngers posted on Telegram claiming to have breached a major Israeli power plant, sharing what appeared to be screenshots of compromised control systems. DomainTools' forensic investigation demonstrated that the images were recycled from a 2022 Moses Staff data leak, cropped and rebranded with CyberAv3ngers logos. No indicators of compromise, malware samples, or valid forensic evidence were released. Despite this, the fabricated claim generated media coverage and threat intelligence discussion.

This dual-track strategy of blending genuine industrial control systems (ICS) operations with fabricated claims is not early-phase immaturity that the group outgrew. It is a standing operational doctrine that persists alongside the group's increasingly sophisticated technical campaigns. When CyberAv3ngers claim a new compromise, organizations should look for corroborating technical evidence before treating the claim as confirmed.

What does CyberAv3ngers target?

The group's primary focus is operational technology and ICS in critical infrastructure. Targeted sectors include:

• Water and wastewater systems, the group's most persistent target since 2023, with confirmed compromises at U.S. water utilities and a private water scheme in Ireland
• Energy, including fuel management systems (Orpak and Gasboy) and PLC-controlled energy infrastructure
• Government services and facilities, including local municipalities targeted in the current 2026 campaign
• Healthcare and food and beverage sectors, where Unitronics PLCs were deployed and compromised during the 2023 campaign

The targeting logic follows two principles: Israeli-manufactured technology, regardless of where it is deployed, and U.S. critical infrastructure as retaliatory targeting aligned with geopolitical hostilities between the United States and Iran.

Why do small utilities and municipal operators keep getting hit?

CyberAv3ngers has repeatedly compromised small water utilities, municipal facilities, and rural energy operators, and the reason is structural, not coincidental.

Many of these organizations manage their operational technology environments with consumer-grade remote access tools such as TeamViewer or AnyDesk, or by exposing PLC management interfaces directly to the public internet. These access methods bypass enterprise security controls entirely, creating an attack surface that is invisible to conventional security monitoring. The compromised Unitronics PLC at the Municipal Water Authority of Aliquippa, Pennsylvania was directly accessible from the internet with default credentials and no security gateway in between.

The problem is compounded by inadequate network segmentation between IT and OT environments. When a PLC is reachable from the same network as email servers and employee workstations, the blast radius of any compromise extends well beyond the initial point of entry. A 2024 CISA assessment found over 70% non-compliance with existing safety requirements at U.S. water utilities.

Organizations in these sectors typically lack dedicated OT security staff and operate under constrained budgets that make comprehensive security architecture difficult. The result is a persistent systemic exposure condition: the same type of misconfiguration that CyberAv3ngers exploited in 2023 remains available for the group and the 60+ affiliated hacktivist groups that have adopted its playbook to exploit today.

How has CyberAv3ngers evolved over time?

The group's operational history reveals a deliberate capability escalation across four distinct phases.

Phase 1: Propaganda (2020–2022): The "Cyber Avengers" persona first appeared in 2020, claiming responsibility for power outages and rail disruptions in Israel. These claims were dismissed by Israeli officials and no supporting evidence was identified. DomainTools Investigations later demonstrated that several of these claims reused imagery from a 2022 Moses Staff data leak, cropped and rebranded to simulate a fresh intrusion.

Phase 2: Default Credential Exploitation (October 2023 – January 2024): The group compromised at least 75 Unitronics Vision Series PLCs across the United States, Israel, the United Kingdom, and Ireland by exploiting default passwords on internet-exposed devices. The Municipal Water Authority of Aliquippa, Pennsylvania, was the highest-profile victim. In Ireland, an attack left residents without water for several days. CISA, the FBI, NSA, and other agencies issued joint advisory AA23-335A documenting the campaign.

Phase 3: Custom ICS Malware (Mid-2024): Claroty's Team82 identified and analyzed IOCONTROL, a custom-built Linux malware platform designed for IoT and OT environments. The malware targets routers, PLCs, HMIs, IP cameras, firewalls, and fuel management systems from multiple vendors. IOCONTROL uses the MQTT protocol over TLS for command-and-control communications, a standard IoT protocol that allows traffic to blend with legitimate network activity. Team82 characterized IOCONTROL as a cyberweapon used by a nation-state to attack civilian critical infrastructure. Separately, OpenAI disclosed in October 2024 that CyberAv3ngers had used ChatGPT to perform reconnaissance on targets and debug code, indicating the group incorporates commercially available AI tools into its operational workflow.

Phase 4: Authentication Bypass Exploitation (March 2026 – Present): The group pivoted to exploiting CVE-2021-22681, a critical authentication bypass vulnerability (CVSS 9.8) in Rockwell Automation Logix controllers. Actors used leased overseas infrastructure with Rockwell's Studio 5000 Logix Designer software to connect to internet-facing PLCs, bypassing authentication to manipulate project files and HMI/SCADA displays. This phase represents a platform shift from Israeli-made Unitronics devices to U.S.-made Rockwell Automation controllers, targeting a more widely deployed industrial platform.

This four-phase arc is not just a historical record, it is a capability escalation trajectory with a predictable direction. Dragos, which tracks the overlapping threat activity as BAUXITE, assessed in its 2026 OT/ICS Cybersecurity Year in Review that Iranian adversaries are moving beyond pre-positioning to actively mapping control loops and understanding how to manipulate physical processes. CyberAv3ngers' progression from default credentials to custom IoT malware to CVE exploitation against tier-1 ICS platforms tracks this maturation pattern. The group's next capability step is likely to involve additional ICS vendor platforms or deeper process manipulation, not a retreat to simpler techniques.

What is IOCONTROL?

IOCONTROL is a custom-built malware platform attributed to CyberAv3ngers by Claroty Team82. It is designed to run on a variety of Linux-based IoT and OT devices due to its modular architecture. Affected device types include IP cameras, routers, PLCs, HMIs, firewalls, and fuel management systems from vendors including D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.

Key technical characteristics include MQTT over TLS for C2 communications on port 8883, DNS-over-HTTPS to evade network monitoring when resolving C2 domains, AES-256-CBC encrypted configuration data, persistence through a systemd boot script, and capabilities including OS command execution, port scanning, and self-deletion. The malware was previously tracked under the names OrpraCab and QueueCat in 2023 before being identified under the IOCONTROL designation in 2024.

Has CyberAv3ngers used AI tools?

Yes. In October 2024, OpenAI published a threat intelligence report disclosing that CyberAv3ngers had used ChatGPT to assist with target reconnaissance and code debugging. The group used the platform to research ICS, explore exploitation techniques against specific device types, and troubleshoot code, incorporating a commercially available AI tool into the operational preparation phase of ICS-targeted campaigns.

This is consistent with a broader pattern across state-sponsored threat actors. AI tools lower the research and development overhead for operations that previously required more specialized expertise, and they are particularly useful for actors expanding into unfamiliar technology domains, such as CyberAv3ngers' pivot from Unitronics to Rockwell Automation controllers. The OpenAI disclosure does not suggest that AI fundamentally changed the group's capabilities, but it does indicate that AI-assisted reconnaissance is now part of the standard toolkit for state-directed ICS threat actors.

What is CVE-2021-22681 and why does it matter?

CVE-2021-22681 is a critical authentication bypass vulnerability (CVSS 9.8) in Rockwell Automation's Logix controller ecosystem. The flaw stems from an insufficiently protected cryptographic key used to verify communications between the Studio 5000 Logix Designer engineering software and Logix PLCs. A remote, unauthenticated attacker who obtains or intercepts this key can impersonate legitimate engineering software, bypass authentication, and establish a direct connection to affected controllers without valid credentials.

The vulnerability affects a wide range of Rockwell Automation products including RSLogix 5000 (versions 16–20), Studio 5000 Logix Designer (version 21 and later), and multiple Logix controller families: CompactLogix, ControlLogix, GuardLogix, DriveLogix, and SoftLogix. CVE-2021-22681 was originally disclosed in February 2021 and was added to the CISA Known Exploited Vulnerabilities catalog in March 2026 after active exploitation by Iranian-affiliated actors was confirmed.

A critical operational detail for vulnerability management teams: Rockwell Automation has stated that this vulnerability cannot be fully addressed with a patch. There is no software update to deploy and no patch cycle to wait for. Rockwell directs customers to apply defense-in-depth mitigations instead, including network segmentation, engineering workstation isolation, CIP Security enablement, and physical mode switch hardening. This means the exposure is permanent absent architectural controls, and organizations that rely on patch-based remediation workflows will not resolve this vulnerability through their standard processes.

How severe is the current threat?

The current threat level is critical. The convergence of three factors: a confirmed state-directed actor with demonstrated willingness to disrupt civilian infrastructure, a custom-built ICS malware capability alongside exploitation of a critical authentication bypass with no available patch, and active kinetic hostilities between the United States and Iran following Operation Epic Fury, creates the most acute Iranian cyber threat to U.S. critical infrastructure on record.

CISA Advisory AA26-097A confirmed that organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with PLC project files and manipulation of data displayed on HMI and SCADA systems, resulting in operational disruption and financial loss. The FBI assessed that the actors' intent is to cause disruptive effects within the United States.

The threat does not depend on CyberAv3ngers remaining intact as an organization. Unverified reports have circulated that individuals linked to the group may have been killed in the Operation Epic Fury strikes, but these reports remain unconfirmed, and the continued exploitation activity documented in the April 7 advisory demonstrates that the operational capability persists regardless. More importantly, CyberAv3ngers' ICS exploitation techniques have proliferated to an estimated 60+ pro-Iranian hacktivist groups. This "swarm effect" creates a distributed threat surface with no single point of disruption, lowers the capability threshold so less experienced actors can attempt ICS attacks using shared knowledge, and increases the risk of unintended physical consequences from operators who lack the discipline or understanding to control the effects of PLC manipulation. The threat may actually become less predictable as it becomes more diffuse.

Finally, the systemic exposure condition that enables this threat–internet-exposed PLCs with weak or default authentication–is structural, not transient. It has persisted across every phase of CyberAv3ngers' operations despite repeated federal advisories. Until the foundational attack surface is eliminated, the same class of attack will remain viable for any group that adopts the playbook.

What should organizations do right now?

Organizations operating internet-exposed PLCs, particularly Rockwell Automation and Unitronics devices, should take the following actions immediately:

• Disconnect PLCs from the public internet. Any internet-accessible Rockwell Logix controller is exploitable via CVE-2021-22681 without authentication. There is no patch for this vulnerability. If remote access is operationally necessary, deploy a secure gateway with multifactor authentication.
• Set physical mode switches to "Run." This prevents remote modification of PLC logic and configurations.
• Back up all PLC logic and configurations offline. Store backups on secured physical media and test restore procedures.
• Ingest IOCs from CISA Advisory AA26-097A. Download the STIX-formatted indicators of compromise and deploy them in SIEM, IDS, and firewall platforms. Monitor for traffic on ports 44818, 2222, 102, 22, and 502 from overseas hosting providers.
• Implement IT/OT network segmentation. Isolate engineering workstations running Studio 5000 Logix Designer from untrusted network segments. Deploy allowlisting so only authorized workstations can communicate with controllers.
• Audit remote access to OT environments. Identify and replace any consumer-grade remote access tools (TeamViewer, AnyDesk, or similar) with enterprise VPN solutions that enforce multifactor authentication and centralized logging. Ensure all remote OT access is monitored.
• Audit Unitronics devices. Verify that all Unitronics Vision Series PLCs have had default passwords changed per VisiLogic version 9.9.00.
• Deploy behavioral detection for IOCONTROL indicators. Alert on MQTT over TLS (port 8883) and DNS-over-HTTPS traffic originating from OT network segments.

Has Tenable released product coverage for the vulnerabilities discussed?

A Tenable plugin is available for CVE-2021-22681, which was updated in March 2026. Tenable OT Security detects this vulnerability in Rockwell Automation Logix controller environments.

Organizations using the Tenable One Exposure Management Platform can leverage vulnerability intelligence capabilities to identify affected Rockwell Automation assets in their environment. The platform's exposure assessment capabilities can help prioritize remediation based on the active exploitation context documented in this post.

A list of Tenable plugins for this vulnerability can be found on the CVE-2021-22681 plugins page. These plugins will be updated as additional detection coverage is developed.

For the latest information on Tenable detection coverage and ongoing updates, visit the Tenable CVE page for CVE-2021-22681.

Conclusion

CyberAv3ngers has evolved from a propagandistic hacktivist persona into one of the most consequential Iranian threats to U.S. operational technology infrastructure. The group's trajectory from default credential exploitation in 2023, to custom ICS malware deployment in 2024, to active exploitation of Rockwell Automation controllers in 2026, demonstrates a deliberate capability escalation that tracks the broader maturation pattern Dragos identified across Iranian ICS-targeting groups–adversaries moving beyond pre-positioning to actively understanding and manipulating physical processes.

Three factors make this threat durable. First, the systemic exposure condition: internet-exposed PLCs with weak or absent authentication has persisted across every phase of the group's operations despite repeated federal advisories. Until the foundational attack surface is eliminated, the same class of attack will remain viable. Second, the exploitation playbook has proliferated to dozens of semi-autonomous groups, meaning the threat persists regardless of CyberAv3ngers' own organizational status. Third, CVE-2021-22681 has no vendor patch. Affected organizations cannot resolve this vulnerability through standard patch management workflows and must implement architectural controls instead.

Organizations operating Rockwell Automation or Unitronics devices should treat the recommendations in this post and CISA Advisory AA26-097A as urgent action items, not longer-term roadmap items. The threat is accelerating.

Tenable Research Special Operations will continue to track CyberAv3ngers and the broader Iranian ICS threat ecosystem. We will update this post as new intelligence becomes available.

Get more information

• CISA Advisory AA26-097A: Iranian-Affiliated Cyber Actors Exploit PLCs Across US Critical Infrastructure (April 7, 2026)
• CISA Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors (Updated December 2024)
• Rewards for Justice — CyberAv3ngers
• Claroty Team82 — Inside a New OT/IoT Cyberweapon: IOCONTROL (December 2024)
• DomainTools — CyberAv3ngers Influence Operations Analysis (June 2025)
• Tenable CVE Page — CVE-2021-22681

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure appeared first on Security Boulevard.

AI is stress-testing database infrastructure. Teams using Liquibase Community face scaling challenges that only Liquibase Secure can solve.

The post Is Your Liquibase Community Project Ready for the AI Era? appeared first on Security Boulevard.

Author, Creator & Presenter: Rami McCarthy, Principal Security Researcher At Wiz

Our thanks to [un]prompted for publishing their Creators, Authors and Presenter’s outstanding [un]prompted 2026 AI Security Practitioner content on the Organizations' YouTube Channel.

Permalink

The post [un]prompted 2026 – Zeal Of The Convert: Taming Shai-Hulud With AI appeared first on Security Boulevard.

If you're running Sonatype Nexus Repository or Sonatype Nexus Repository Community Edition (formerly known as Nexus Repository OSS) on OrientDB, you're operating on a legacy database architecture that is no longer aligned with current security and platform requirements.

The post Modernizing Nexus Repository: Moving Beyond OrientDB appeared first on Security Boulevard.

 

The post Mythos: Just One Piece of the Cybersecurity Puzzle appeared first on Security Boulevard.