The Broadband Guide

Security Information

This page is dedicated to security. It includes local security information as well as a number of syndicated security feeds, alerts, tools and news from major security portals. It aims to provide a single access point for security information, helping you stay current with recent security threats. You can check the SG Security FAQ and visit the SG Security forum with any questions you might have.



SG Security Scan

The SG Security Scan is a great tool that tests a number of ports on your computer for the most common vulnerabilities.

SG Security Scanner
Vulnerable Ports
Commonly Open Ports
SG Ports - comprehensive database of known TCP/UDP ports

 

SG Security Articles

General Security Guide
How To Crack WEP and WPA Wireless Networks
How to Secure your Wireless Network
How to Stop Denial of Service (DoS) Attacks
IRDP Security Vulnerability in Windows 9x
Which VPN Protocol to use?
Why encrypt your online traffic with VPN?



Latest Security Advisories (US-CERT)


CISA Adds One Known Exploited Vulnerability to Catalog (2025.12.05)

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2025-55182 Meta React Server Components Remote Code Execution Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.  

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.



PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector and Information Technology Systems (2025.12.04)

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of ongoing intrusions by People's Republic of China (PRC) state-sponsored cyber actors using BRICKSTORM malware for long-term persistence on victim systems. BRICKSTORM is a sophisticated backdoor for VMware vSphere [1][2] and Windows environments [3]. Victim organizations are primarily in the Government Services and Facilities and Information Technology Sectors. BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command and control. The malware employs advanced functionality, including multiple layers of encryption (e.g., HTTPS, WebSockets, and nested TLS), DNS-over-HTTPS (DoH) to conceal communications, and a SOCKS proxy to facilitate lateral movement and tunneling within victim networks. BRICKSTORM also incorporates long-term persistence mechanisms, such as a self-monitoring function that automatically reinstalls or restarts the malware if disrupted, ensuring its continued operation.

The initial access vector varies. In one confirmed compromise, PRC state-sponsored cyber actors accessed a web server inside the organization's demilitarized zone (DMZ), moved laterally to an internal VMware vCenter server, then implanted BRICKSTORM malware. See CISA, the National Security Agency, and Canadian Cyber Security Centre's (Cyber Centre's) joint Malware Analysis Report (MAR) BRICKSTORM Backdoor for analysis of the BRICKSTORM sample CISA obtained during an incident response engagement for this victim. The MAR also discusses seven additional BRICKSTORM samples, which exhibit variations in functionality and capabilities, further highlighting the complexity and adaptability of this malware.

After obtaining access to victim systems, PRC state-sponsored cyber actors obtain and use legitimate credentials by performing system backups or capturing Active Directory database information to exfiltrate sensitive information. Cyber actors then target VMware vSphere platforms to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden rogue VMs to evade detection.

CISA recommends that network defenders hunt for existing intrusions and mitigate further compromise by taking the following actions:

  • Scan for BRICKSTORM using CISA-created YARA and Sigma rules; see joint MAR BRICKSTORM Backdoor.
  • Block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic to reduce unmonitored communications.
  • Take inventory of all network edge devices and monitor for any suspicious network connectivity originating from these devices.
  • Ensure proper network segmentation that restricts network traffic from the DMZ to the internal network.

See joint MAR BRICKSTORM Backdoor for additional detection resources. If BRICKSTORM, similar malware, or potentially related activity is detected, report the incident to CISA's 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

Disclaimer: The information in this report is being provided "as is" for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Notes

[1] Matt Lin et al., "Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies," Google Cloud Blog, April 4, 2024, https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement.

[2] Maxime, "NVISO analyzes BRICKSTORM espionage backdoor," NVISO, April 15, 2025, https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor.

[3] Sarah Yoder et al., "Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors," Google Cloud Blog, September 24, 2025, https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign.



CISA Releases Nine Industrial Control Systems Advisories (2025.12.04)

CISA released nine Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 


CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations. 



CISA Adds One Known Exploited Vulnerability to Catalog (2025.12.03)

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2021-26828 OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability 

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.  

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.



CISA, Australia, and Partners Author Joint Guidance on Securely Integrating Artificial Intelligence in Operational Technology (2025.12.03)

CISA and the Australian Signals Directorate's Australian Cyber Security Centre, in collaboration with federal and international partners, have released new cybersecurity guidance: Principles for the Secure Integration of Artificial Intelligence in Operational Technology.

This guidance aims to help critical infrastructure owners and operators integrate artificial intelligence (AI) into operational technology (OT) systems securely, balancing the benefits of AI (such as increased efficiency, enhanced decision-making, and cost savings) with the unique risks it poses to the safety, security, and reliability of OT environments.

The document focuses on machine learning (ML), large language models (LLMs), and AI agents due to their complex security challenges, but is also applicable to systems using traditional statistical modeling and logic-based automation.

Key Principles for Secure AI Integration:

  1. Understand AI: Educate personnel on AI risks, impacts, and secure development lifecycles.
  2. Assess AI Use in OT: Evaluate business cases, manage OT data security risks, and address immediate and long-term integration challenges.
  3. Establish AI Governance: Implement governance frameworks, test AI models continuously, and ensure regulatory compliance.
  4. Embed Safety and Security: Maintain oversight, ensure transparency, and integrate AI into incident response plans.

Critical infrastructure owners and operators are encouraged to adopt these principles to maximize AI benefits while mitigating risks. For further details, review the full guidance.

For more information on related resources, visit CISA's Artificial Intelligence and Industrial Control Systems webpages.



CISA Releases Five Industrial Control Systems Advisories (2025.12.02)

CISA released five Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 


CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations. 



CISA Adds Two Known Exploited Vulnerabilities to Catalog (2025.12.02)

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2025-48572 Android Framework Privilege Escalation Vulnerability  
  • CVE-2025-48633 Android Framework Information Disclosure Vulnerability 

These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise.   

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.



CISA Adds One Known Exploited Vulnerability to Catalog (2025.11.28)

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.



 
