(tenable.com) CyberAv3ngers: IRGC-Linked Threat Group Escalates ICS Attacks Against U.S. Critical Infrastructure
CyberAv3ngers (IRGC-CEC) escalates ICS attacks on U.S. critical infrastructure, exploiting CVE-2021-22681 (CVSS 9.8) in Rockwell Automation controllers and deploying IOCONTROL malware. No patch available; mitigations require architectural controls.
In brief - Iranian state-directed threat group CyberAv3ngers, linked to IRGC-CEC, has intensified attacks on U.S. water, energy, and government sectors. The group exploits unpatched CVE-2021-22681 in Rockwell Automation controllers and deploys custom ICS malware, causing operational disruptions. Mitigations are critical as no vendor patch exists.
Technically - CyberAv3ngers evolved from exploiting default credentials on Unitronics PLCs to deploying IOCONTROL, a Linux-based ICS malware that uses MQTT over TLS (port 8883) and DNS-over-HTTPS for C2. They actively exploit CVE-2021-22681, an authentication bypass in Rockwell Logix controllers (RSLogix 5000 v16-20, Studio 5000 v21+) that leverages insufficiently protected cryptographic keys. Mitigations include network segmentation, CIP Security, and monitoring for connections to ports 44818, 2222, 102, 22, and 502 that originate from overseas hosting providers.
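The monitoring guidance above can be turned into a first-pass detector over flow records. The following is an added example, not Tenable's code or any tool from the advisory: it flags inbound traffic to the listed ICS and management ports from sources outside an OT allowlist, plus the two C2 patterns attributed to IOCONTROL (an OT host opening MQTT over TLS on 8883 to the outside, or HTTPS to a known DNS-over-HTTPS resolver). The network ranges, resolver list and flow records are constructed for illustration; attributing a source to an overseas hosting provider would need a GeoIP/ASN lookup that is not included here.

```python
"""Flag OT-relevant network flows for analyst review (added example, not from the advisory)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Ports the advisory says to monitor, with the protocol normally behind each.
ICS_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP I/O",
    102: "ISO-TSAP",
    22: "SSH",
    502: "Modbus/TCP",
}
MQTT_TLS_PORT = 8883   # IOCONTROL C2 transport per the advisory
HTTPS_PORT = 443       # DNS-over-HTTPS rides on ordinary HTTPS

# Constructed: the OT enclave and the one engineering subnet allowed to reach it.
OT_NETS = [ip_network("10.50.0.0/16")]
ALLOWED_SOURCES = OT_NETS + [ip_network("10.10.5.0/24")]

# Constructed: public resolvers known to offer DoH. In practice, source this from
# threat intel or your proxy's category feed rather than a hard-coded set.
DOH_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def classify(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow deserves review, otherwise None."""
    dst_is_ot = _in_any(flow.dst, OT_NETS)
    src_is_ot = _in_any(flow.src, OT_NETS)

    # 1. Inbound to an ICS/management port on an OT host from a source that is
    #    neither inside the enclave nor an allowlisted engineering station.
    if dst_is_ot and flow.dport in ICS_PORTS and not _in_any(flow.src, ALLOWED_SOURCES):
        return (f"inbound {ICS_PORTS[flow.dport]} (tcp/{flow.dport}) to {flow.dst} "
                f"from non-allowlisted {flow.src}")

    # 2. An OT host initiating MQTT over TLS to something outside the enclave:
    #    controllers rarely need an internet broker, and this is the IOCONTROL C2 channel.
    if src_is_ot and not dst_is_ot and flow.dport == MQTT_TLS_PORT:
        return f"outbound MQTT/TLS (tcp/{MQTT_TLS_PORT}) from OT host {flow.src} to {flow.dst}"

    # 3. An OT host talking HTTPS to a known DoH resolver: DNS that bypasses the
    #    enterprise resolver and its logging.
    if src_is_ot and flow.dport == HTTPS_PORT and flow.dst in DOH_RESOLVERS:
        return f"outbound DNS-over-HTTPS from OT host {flow.src} to resolver {flow.dst}"

    return None


def scan(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Run classify() over a batch and keep only the flagged flows."""
    hits = []
    for flow in flows:
        reason = classify(flow)
        if reason:
            hits.append((flow, reason))
    return hits


# Constructed sample flows (documentation ranges, not real observations).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.50.1.20", 44818),   # external host -> PLC EtherNet/IP: flag
    Flow("10.10.5.4", "10.50.1.20", 44818),     # allowlisted engineering station: ok
    Flow("10.50.1.20", "198.51.100.9", 8883),   # PLC -> internet MQTT/TLS broker: flag
    Flow("10.50.1.21", "1.1.1.1", 443),         # PLC -> DoH resolver: flag
    Flow("10.50.1.20", "10.50.2.1", 502),       # Modbus inside the enclave: ok
    Flow("198.51.100.5", "10.50.1.30", 502),    # external host -> Modbus: flag
]

if __name__ == "__main__":
    for flow, reason in scan(SAMPLE_FLOWS):
        print(f"REVIEW  {flow.src:>15} -> {flow.dst:>15}:{flow.dport:<5}  {reason}")
```

The allowlist check is deliberately the first rule: traffic to 44818 or 502 from an engineering station is normal, and the advisory's concern is the same ports reached from hosts that have no business in the enclave. Rules 2 and 3 look at the OT side as the initiator, which is what distinguishes C2 beaconing from the inbound scanning that rule 1 catches.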
