Breaking: Critical Infrastructure ATG Systems Under Active Attack; Chinese Group Targets Europe — 4 June 2026
Critical Infrastructure Under Active Attack: Fuel Tank Monitoring Systems Compromised
CISA, FBI, NSA, and the Department of Energy have issued a joint advisory confirming that threat actors are actively compromising internet-exposed Automatic Tank Gauge (ATG) systems across the Energy, Chemical, Food and Agriculture, and Transportation sectors. Attackers are exploiting authentication bypass vulnerabilities, hardcoded credentials, OS command execution flaws, SQL injection, and privilege escalation weaknesses to gain access. Once inside, they are modifying network settings, product identifiers, tank volumes, and pump controls, and disabling leak detection alerts.
ATG systems monitor fuel and liquid storage tanks at thousands of sites. The advisory states that attackers can create conditions that prevent operators from properly monitoring tank fill levels, increasing the risk of leaks, spills, and equipment failures. The activity has not been formally attributed, but CNN reported in May that Iranian hackers were behind similar breaches at US gas stations, exploiting ATG systems protected by weak or nonexistent passwords. The agencies note that forensic evidence is limited.
The advisory is direct: block internet access to ATG systems, restrict remote access through firewalls and VPNs, replace default passwords, enable multifactor authentication, apply security updates, and actively monitor for unauthorized changes.
Chinese Cybercrime Group TA4922 Expands Into Europe
Proofpoint reports that TA4922, a Chinese-speaking financially motivated threat actor, has expanded from East Asian targeting into Germany, Italy, the United Kingdom, and South Africa. The group, which overlaps with activity tracked as Silver Fox and Void Arachne, now operates at a higher tempo than any other cybercrime actor in Proofpoint's dataset.
TA4922 deploys localized phishing lures mimicking payroll notices, tax audits, VAT filings, and government compliance communications. The group also contacts victims via WhatsApp, LINE, and Microsoft Teams. Its malware toolkit has expanded significantly since March 2026 and includes Atlas RAT, a newly identified remote access trojan with system reconnaissance, file theft, keylogging, screenshot capture, and audio and webcam recording capabilities. The group also deploys RomulusLoader, SilentRunLoader, and the Winos4.0 framework (ValleyRAT). Proofpoint assesses that TA4922 may be using large language models to accelerate malware development, based on placeholder values and code patterns consistent with AI-generated code.
While assessed as financially motivated, Proofpoint notes that the surveillance capabilities of the malware "could be used by or sold to espionage groups." European organisations should treat this as an immediate priority for detection engineering and user awareness.
PAN-OS VPN Authentication Bypass Added to CISA KEV
Palo Alto Networks PAN-OS CVE-2026-0257, an authentication bypass vulnerability that allows attackers to circumvent security restrictions and establish unauthorized VPN connections, was added to the CISA Known Exploited Vulnerabilities catalog on May 29 with a three-day remediation deadline. The unusually short deadline signals either active exploitation or extreme severity. Organisations running PAN-OS should verify patch status immediately.
So What / Action
Three items demand immediate attention. First, if you operate or are responsible for sites with ATG systems, audit their internet exposure today. These systems should not be reachable from the public internet, period. Second, European security teams should build detection rules for TA4922 indicators and brief staff on the phishing vectors, particularly tax and payroll lures arriving via email, WhatsApp, and Teams. Third, PAN-OS administrators should confirm that CVE-2026-0257 has been patched on all edge devices. The three-day KEV deadline is not a suggestion.

