From 287a610955d756389d2f109334ca7260f330e8fa Mon Sep 17 00:00:00 2001 From: JadonWill <117053393+JadonWill@users.noreply.github.com> Date: Mon, 4 Dec 2023 11:37:44 +0800 Subject: [PATCH] 20231204002 - CISA Joint CSA CyberAv3ngers (#426) * 20231122001 - Juniper * 20231122002 - GNU C Library + typo correction * 20231123002 + Table template * 20231129001 * 20231204002 - CyberAv3ngers --- ...xploitation-CISA-Cybersecurity-Advisory.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 docs/advisories/20231204002-PLC-Exploitation-CISA-Cybersecurity-Advisory.md diff --git a/docs/advisories/20231204002-PLC-Exploitation-CISA-Cybersecurity-Advisory.md b/docs/advisories/20231204002-PLC-Exploitation-CISA-Cybersecurity-Advisory.md new file mode 100644 index 00000000..d541a568 --- /dev/null +++ b/docs/advisories/20231204002-PLC-Exploitation-CISA-Cybersecurity-Advisory.md 
@@ -0,0 +1,34 @@ +# CISA Publish Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs - 20231204002 + +## Overview + +Since the publication of [Advisory #20231129001](https://soc.cyber.wa.gov.au//advisories/20231129001-CISA-OT-Advisories/), CISA have released a joint Cybersecurity Advisory (CSA) [IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a) in response to the **active exploitation** of Unitronics programmable logic controllers (PLCs) in multiple sectors, including U.S. Water and Wastewater Systems (WWS) facilities, by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated advanced persistent threat (APT) cyber actors using the persona “CyberAv3ngers”. + +## Cyber Actor Information + +CyberAv3ngers (also known as CyberAveng3rs, Cyber Avengers) is an Iranian IRGC cyber persona that has claimed responsibility for numerous attacks against critical infrastructure organizations. + +CyberAv3ngers are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other **industries including, but not limited to, energy, food and beverage manufacturing, and healthcare**. The PLCs may be rebranded and appear as different manufacturers and companies. + +Most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate **Unitronics PLCs**. The threat actors compromised Unitronics Vision Series PLCs with human machine interfaces (HMI). These compromised devices were publicly exposed to the internet with default passwords and by default are on TCP port 20256. These PLC and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities. 
+ + +## Indicators of Compromise (IOCs) + +| Indicator | Type | Fidelity | Description | +| --- | --- | --- | --- | +| BA284A4B508A7ABD8070A427386E93E0 | MD5 | Suspected | MD5 hash associated with Crucio Ransomware | +| 66AE21571FAEE1E258549078144325DC9DD60303 | SHA1 | Suspected | SHA1 hash associated with Crucio Ransomware | +| 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 | SHA256 | Suspected | SHA256 hash associated with Crucio Ransomware | +| 178.162.227[.]180 | IP address | | | +| 185.162.235[.]206 | IP address | | | + + +## Recommendations + +The WA SOC encourages OT/ICS organizations to review this guidance and implement its mitigations and recommendations. Additionally, it is highly recommended to perform validation of PLC configurations in recent backups. + + +## References + +- [**IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities**](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a) \ No newline at end of file
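Review bot: the IOC table in this hunk is missing context for every indicator it lists. The two IP address rows (`| 178.162.227[.]180 | IP address | | |` and `| 185.162.235[.]206 | IP address | | |`) have empty Fidelity and Description cells, so a reader cannot tell what the CSA associates them with or how much confidence to place in them, and the three hash rows are described as "associated with Crucio Ransomware" although nothing in the Overview or Cyber Actor Information sections mentions Crucio or ransomware at all; either fill the Fidelity and Description columns (and say in the prose how Crucio relates to the Unitronics PLC activity, pointing at the CSA section the indicators come from) or drop the rows that cannot be sourced. Smaller points in the same hunk: the title "CISA Publish Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs" should read "CISA Publishes ...", the Overview link `https://soc.cyber.wa.gov.au//advisories/20231129001-CISA-OT-Advisories/` carries a doubled slash, "These PLC and related controllers" should be "These PLCs and related controllers", the "validation of PLC configurations in recent backups" recommendation should say what is being validated against what (running configuration against a known-good backup), and the new file has no trailing newline ("\ No newline at end of file").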