Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Internet-facing Modbus OT devices with unauthenticated access remain exposed

Target Trend
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

Internet-facing Modbus OT devices remain exposed to unauthenticated access, with a scan finding at least 179 devices and highlighting a broader critical-infrastructure visibility gap. The exposed systems are reachable on port 502 without login controls. That creates a direct route into industrial controllers that can be read from or potentially written to by an attacker.

Related Happenings

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

Open Happening

Iranian-affiliated US CNI OT attack campaign

Campaign
First: 08.04.2026 11:15 Last: 08.04.2026 11:15 Sources 1

About this happening: An **Iranian-affiliated** campaign is actively targeting **US critical national infrastructure providers**, creating **operational disruption** and **financial loss** across multi...

Open Happening

CISA April 7 Rockwell Automation/Allen-Bradley PLC mitigation advisory

Advisory/Mitigation
First: 08.04.2026 11:15 Last: 08.04.2026 11:15 Sources 1

About this happening: **CISA** and authoring agencies issued **April 7** mitigation guidance for **internet-facing OT assets**, warning that **US critical infrastructure** operators using **Rockwell Au...

Open Happening

APT28 SOHO router DNS hijacking and credential theft campaign

Campaign
First: 07.04.2026 18:30 Last: 07.04.2026 18:30 Sources 1

About this happening: **APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...

Latest development: 08.04.2026 13:03

On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.

Open Happening

Poland's energy sector hit by network compromise

Incident
First: 17.02.2026 23:31 Last: 17.02.2026 23:31 Sources 1

About this happening: A **wiper attack** hit **Poland's energy sector** on **Dec. 29 and 30, 2025**, damaging OT visibility and firmware across **more than 30 renewable energy farms** and other facilit...

Open Happening

Timeline

  1. 10.04.2026 16:30 2 articles · 1mo ago

    Public scan finds unauthenticated Modbus OT devices

    Initial Disclosure

    A public scan of Internet-facing operational technology using Modbus found at least 179 devices on port 502 that allowed unauthenticated access after filtering out possible honeypots, including systems tied to a national railway and two national power grids.

    Show sources
    Open in new tab