Recent Posts

“What happens to Heroes?” EPISODE #7: The Unsung Heroes of the digital world

Sections: The Psychological Impacts of Cyberattacks; What I will call the “Heroes”; Excerpts from Interviews with Heroes; Things to Remember; About the Author.

Didier Annet is an Operational & Data Resilience Specialist and a Certified Professional Coach dedicated to empowering individuals and teams to navigate the

Cyber (In)Securities – Issue 156 – Snapshot Edition


Week 24 – Critical vulnerability in Windows is fixed on Patch Tuesday


09 – 15 June 2025

After our last CVE of the Week post exploring a critical vulnerability in the open source landscape, we are back again in the Microsoft ecosystem, as it’s just past Patch Tuesday, which keeps on giving (and more importantly, fixing) weaknesses in Windows.

Probably the most interesting on the long list of fixed security bugs is CVE-2025-33053, an unauthenticated Remote Code Execution, which exploits the fact that Windows does not properly validate the WorkingDirectory variable in Internet Shortcuts, or as most of us know them, .url files.

Unfortunately, the attack has been in the wild for many months now as a zero day, with the first malware sample identified by CheckPoint’s researchers back in March.

Without deep diving into the technical details, the kill chain begins with a phishing mail carrying a maliciously crafted .url file, which executes iediagcmd.exe, a legitimate Windows tool that collects diagnostic information for Internet Explorer. This diagnostic tool in turn calls other valid executables such as ipconfig.exe, netsh.exe and route.exe. However, there’s a twist: the tool’s working directory can be set in the .url file, and it is even allowed to point to a remote WebDAV share! This means an attacker can host their own malware on a network share, name it route.exe, and it will be executed once the targeted user clicks on the crafted shortcut.

The threat actors, who are associated with the Stealth Falcon APT group, did not stop at this point. They continued to deliver advanced payloads after the initial access, utilizing defense evasion, anti-debugging and obfuscation techniques. The final result is full control over the victim’s machine, allowing the attackers to exfiltrate data, send commands, inject shellcode into running processes and basically do whatever they want, all happening in the background while the victim is reading a bait PDF document.

For those interested in going down the rabbit hole, we are sharing a link to CheckPoint’s excellent writeup, which is definitely worth a read if you want to learn more about this sophisticated threat. It’s also a useful resource for blue teamers as it shares valuable IoCs to help defend your networks.

Furthermore, the usual security best practices apply as always: patch as soon as possible, investigate past emails with suspicious (especially .url) attachments and educate users to avoid clicking on attachments before verifying that they came from a trusted source.
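As an added example (not code from the post or from Check Point’s writeup), here is a small Python triage check for .url attachments pulled from a mailbox, flagging the two traits the post describes: a URL field that launches a local file instead of a web page, and a WorkingDirectory that points at a remote share. The sample shortcut contents are constructed, with placeholder host and file names.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample in the shape the post describes: the URL field launches a
# local executable instead of opening a web page, and WorkingDirectory points
# at a remote share (host and file names are placeholders, not real indicators).
SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file:///C:/placeholder/diag_tool.exe
WorkingDirectory=\\webdav.placeholder.invalid\share
IconIndex=0
"""

# Constructed benign Internet Shortcut for comparison.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

# UNC paths (two leading backslashes or slashes) or URL-style paths (http://, ...).
REMOTE_PATH = re.compile(r"^(\\\\|//|[A-Za-z][A-Za-z0-9+.-]*://)")


def parse_url_file(text):
    """Return the [InternetShortcut] keys as a dict with lower-cased key names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def is_remote_path(path):
    """True when a working directory would be resolved from a network location."""
    return bool(REMOTE_PATH.match(path.strip()))


def assess_url_file(text):
    """Return finding codes for one .url attachment; an empty list means nothing suspicious."""
    fields = parse_url_file(text)
    findings = []
    # A genuine Internet Shortcut opens a web page; a file: URL runs a local program.
    if urlparse(fields.get("url", "")).scheme.lower() == "file":
        findings.append("url-launches-local-file")
    # A remote WorkingDirectory is the exact condition the post describes: helper
    # binaries called by the launched tool get resolved from a share the sender controls.
    workdir = fields.get("workingdirectory")
    if workdir is not None and is_remote_path(workdir):
        findings.append("remote-working-directory")
    return findings
```

Run it over every .url attachment extracted from the mail store and escalate any message whose shortcut returns a non-empty finding list.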

CheckPoint research: https://research.checkpoint.com/2025/stealth-falcon-zero-day/

Official advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053

CVE details by NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-33053

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.

Cyber (In)Securities – Issue 155 – Snapshot Edition


Week 23 – Critical flaw in Roundcube

02 – 08 June 2025

Open-source enthusiast sysadmins might be familiar with Roundcube, one of the most popular webmail clients deployed; to be exact, Shodan currently lists over 160,000 publicly available instances. Unfortunately, it has now become the subject of our regular CVE of the

Cyber (In)Securities – Issue 154 – Snapshot Edition


CyAN’s Position on the Recommendations of the High-Level Group on Access to Data for Effective Law Enforcement


CyAN opposes recommendations made by the European Commission’s High-Level Group on Access to Data for Effective Law Enforcement (HLG).

Cyber (In)Securities – Issue 153 


Hack the Planet? No. Just Hack the Tap: What exposed water systems tell us about the state of cybersecurity around the world


I was already feeling twitchy about the state of critical infrastructure, but it was Ryan Naraine’s article in SecurityWeek – “Misconfigured HMIs Expose U.S. Water Systems to Anyone with a Browser” – that pushed me over the edge. Drawing on new data from Censys, Ryan has laid out in clear, horrifying terms how thousands of Human-Machine Interfaces (HMIs) tied to U.S. water and wastewater systems are exposed to the open internet, many with no passwords at all.

These are the digital control panels for water facilities. They manage everything from pump speeds to chlorine dosing. Some allow manual overrides of safety protocols. In many cases, all you need is a browser and the right URL to access them.

This is not a plot line from Mr. Robot. This is real infrastructure, vulnerable in real time. But sure, let’s keep arguing about fluoride.

What exactly is going on here?

HMIs are meant to give authorised operators a real-time view into critical systems. They were originally built for internal networks – not for the internet. But over time, convenience crept in. Engineers started putting them online for remote monitoring. And somewhere along the way, basic security got left behind.

In many cases, these systems are online with default credentials. In others, they have no authentication at all. Some can be found using simple search engines like Shodan.

And unfortunately, this is not just a theoretical risk. It has already happened:

  • In 2024, pro-Russian hacktivist groups targeted water systems in the U.S., manipulating HMIs and forcing equipment into unsafe conditions.
  • In 2023, hackers caused an overflow in Muleshoe, Texas, which forced operators to switch to manual controls.
  • In 2021, a threat actor gained remote access to the Oldsmar, Florida water plant and attempted to raise sodium hydroxide levels to dangerous concentrations. Luckily, a sharp-eyed employee noticed the changes and acted in time.

None of these required deep technical skills or nation-state funding. Just access and opportunity.

How did it get this bad?

In smaller towns and regional areas, most utilities are running on razor-thin budgets. Their focus is on delivering water, not defending against international cyber threats. Many are still relying on legacy systems that were never built with cybersecurity in mind. And while digitisation has made operations more efficient, it has also introduced new, unmanaged risks.

No one meant for things to be this insecure. But without clear standards, without dedicated security resources, and without the money to fix what’s broken, this is where we’ve landed.

Is this just an American problem? Not even close.

The Censys scan focused on U.S. systems, but the issue is global. Industrial control systems are exposed in countries around the world — Australia, the UK, Brazil, Indonesia, Germany. Wherever water infrastructure has been digitised without proper security, the risks are there.

In lower-income regions, systems are often rolled out quickly, with little cyber planning. In wealthier nations, decentralised governance means hundreds of small operators each manage their own infrastructure – and many are flying blind.

Shodan makes this visibility possible for anyone. And unfortunately, that includes people who are not just curious.

What should we be doing about this?

We know what needs to be done. The challenge is the will – and the funding – to do it.

Here’s where to start:

  • Remove HMIs from the public internet unless there is an absolutely compelling reason not to
  • Enforce strong authentication and disable default credentials
  • Fund shared security services for smaller utilities
  • Conduct national-level scans to map exposure and prioritise fixes
  • Build minimum security requirements into regulation, not as a nice-to-have but as core infrastructure policy

Security is not something we can bolt on later. It has to be built in from the beginning, and it has to be maintained with the same urgency as any other critical safety function.

Final thought

We have spent decades debating what should go in the water. We have opinions on fluoride, chlorine, and microplastics. Meanwhile, no one stopped to ask whether the control panel was sitting online with no password.

This is not a hypothetical crisis. It is already happening, and it is fixable – but only if we stop treating cybersecurity like someone else’s problem.

At the very least, we should start by locking the door before the taps are turned off.


About the Author:

Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.
She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.

Board Member Spotlight: Adj. Prof. Dr. Greg Dzsinich, LLM, CIPP/E


One idea that continues to guide his leadership comes from his time at Microsoft. When he joined the company in 2008, he was struck by a powerful metaphor. If we sit in one boat, we must not only row well. We must also remain in