- Neeve
- Posts
- 🚨 180,000 Industrial Systems Exposed on Public Internet
🚨 180,000 Industrial Systems Exposed on Public Internet
Fines, leaks, and hacks—key cyber updates
Alison Bridge
September 30, 2025
Welcome to your essential briefing on threats at the intersection of cybersecurity and critical infrastructure, brought to you by Neeve, the edge cloud security platform for smart buildings, making built spaces secure, intelligent, and sustainable.
This Week’s Cyber Insights
BitSight research reveals alarming reversal in operational technology security trends, with over 180,000 industrial control systems and OT devices exposed to public internet monthly in 2024, projected to reach 200,000 in 2025 as critical infrastructure becomes increasingly vulnerable to nation-state and criminal exploitation.
Global ICS/OT exposure jumped 12% across all monitored protocols including Modbus, KNX, BACnet, and EtherNet/IP, with new deployments showing minimal network segmentation or attack surface consideration
CISA's Known Exploited Vulnerabilities catalog shows steady rise in ICS/OT CVEs, many with CVSS 10.0 scores affecting fuel systems, building automation, water treatment, and manufacturing
Attribution challenges plague remediation as most exposed devices trace only to ISPs rather than operators, with mobile broadband and third-party integrators obscuring ownership
United States remains most exposed country in manufacturing utilities, building automation systems, and vulnerable fuel infrastructure through ATG systems
New ICS-specific malware including Fuxnet and FrostyGoop targets operational technology while only 45% of organizations continuously monitor asset exposure
🤔 The Bigger Picture:
The surge in internet-connected building automation and industrial systems creates direct pathways for attackers to compromise HVAC, lighting, fire safety, and power management systems. Facility managers must immediately audit all internet-facing OT devices, implement network segmentation between IT and operational systems, and establish continuous monitoring protocols to prevent catastrophic infrastructure compromises.
Arctic Wolf Labs detected surge in attacks targeting SonicWall firewall users since July 2025, with threat actors exploiting compromised SSL VPN credentials to bypass multi-factor authentication and deploy Akira ransomware within 55 minutes of initial access.
Attackers use harvested credentials from devices previously vulnerable to CVE-2024-40766, successfully bypassing SonicWall's One-Time Password MFA and gaining access from VPS hosting providers
Network scanning begins immediately after login targeting SMB, RPC, and SQL ports using Impacket tools, followed by rapid privilege escalation and creation of new administrator accounts
Remote access tools including AnyDesk, TeamViewer, and RustDesk provide persistent access while attackers disable Windows Defender and EDR solutions using kernel-level techniques
Data exfiltration occurs through WinRAR packaging and rclone/FileZilla transfer before final Akira ransomware deployment targeting network drives and demanding ransom payments
🤔 The Bigger Picture:
SonicWall firewall compromises directly threaten facility network security and building automation systems that rely on VPN access for remote management. Organizations must reset all SSL VPN credentials immediately and monitor for suspicious hosting provider logins to prevent rapid ransomware deployment.
Security researchers have revealed how attackers used simple prompt injection techniques and a $5 domain to exploit Salesforce's Agentforce system, demonstrating the alarming ease of targeting AI applications for sensitive data access.
Prompt injection vulnerability discovered in Salesforce Agentforce platform
Attackers able to access sensitive customer data using minimal resources
Exploitation required only a $5 domain registration
Salesforce has since patched the vulnerability
Incident classified as high infrastructure impact threat
🤔 The Bigger Picture:
This incident exposes how AI systems integrated into building management platforms could be similarly exploited. Facility operators using AI-powered systems must implement robust input validation and monitoring to prevent data leaks.
Further Alerts & Insights
🔥 CISA Issues Emergency Directive for Cisco Zero-Day Campaign
The Cybersecurity and Infrastructure Security Agency has issued an emergency directive following a widespread hacking campaign exploiting newly discovered zero-day vulnerabilities in Cisco firewall products. Organizations are urged to patch these vulnerabilities immediately to prevent potential breaches, highlighting the critical need for robust cybersecurity measures.
✈️ UK Arrests Suspect in Global Airport Ransomware Attack
The UK's National Crime Agency has made an arrest connected to a ransomware attack that significantly disrupted airports globally over the previous weekend. This incident has raised serious concerns about air travel security and the potential for organized crime to exploit vulnerabilities in critical infrastructure.
🤖 Agentic AI Transforms Security Operations Centers
Security operations centers are implementing agentic AI systems that can autonomously execute cybersecurity workflows, moving beyond simple automation to intelligent decision-making capabilities. The technology shows particular promise for infrastructure security teams managing building automation systems where 24/7 monitoring is essential, though proper guardrails and human oversight remain critical.
📊 Industrial Control System Exposure Increases Globally
Global exposure of industrial control systems rose 12% in 2024, with over 180,000 vulnerable devices visible on the internet each month. The exposure affects building automation systems, power management equipment, and manufacturing controls, creating entry points for attackers targeting operational technology environments.
🏭 New Botnet Targets IoT Infrastructure
A sophisticated Loader-as-a-Service botnet operation systematically exploits SOHO routers, IoT devices, and building automation systems through command injection vulnerabilities. The campaign deploys Mirai payloads across smart building infrastructure, posing significant risks to connected systems managing HVAC, lighting, and access controls.