Tuesday, August 1, 2017

ECS-CERT Reports on Remote Access Vulnerability

Today ECS-CERT and the Federal Bureau of Inquiry held a news conference in New Orleans to discuss the results of their recent investigation into a series of chemical releases at the Blew Bayou Chemical Company. They announced that the source of the problem was an unexpected vulnerability in the remote access application for the Robotron industrial control system used at the facility.

The FBI spokesman, Johnathan Quest, told reporters that the investigation was initiated when Blew Bayou reported an unusual series of chlorine releases to the Agency for Chemical and Environmental Security (ACES). ACES contacted the FBI to start a criminal investigation of Blew Bayou for violations of a number of environmental and safety regulations related to those releases.

The FBI in turn contacted ECS-CERT for forensic investigation support when it quickly became apparent that the control system at the facility was going to be an integral part of their investigation. ECS-CERT spokesman, Immanuel C. Securitage, told reporters that their initial review of the control system historical records showed that each of the reported releases had been immediately preceded by access to the control system by the facility control system manager, Eaton Kaghun, the son of the company founder and President Issac B Kaghun.

While the FBI continued their investigation of the younger Kaghun, the team from ECS-CERT continued to delve deeper into the historical record at the facility. They discovered that every time that Eaton accessed the facility control system from his smart phone, the controllers for the three release valves sent a message via the opened VPN communications link to web site associated with Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), a radical environmental terrorist organization. Each of the reported releases coincided with the receipt back of a message from that site via the same VPN link.

While the FBI tried to track down the people associated with the operation of the SFINCTER web site, the focus of the ECS-CERT investigation switched to Robotron, the supplier of the remote access application. Erich Mielke, spokesman for Robotron, told reporters via a video link, that his company quickly and completely cooperated with the investigation.

It turned out that the web site for the Fernzugriff® software had been hacked and the VentilSteuerung worm was included in each download of the Fernzugriff software. The worm allowed an outsider to upload commands to the phone of the app user that would be piggybacked during any VPN session between the app user and the Robotron control system.

Quest noted that it appeared that the hack of the Robotron web site had been undertaken by the German hacking collective, Stasi Ehemalige. The FBI is still investigating ties between Stasi Ehemalige and SFINCTER.

Mielke reported that the worm had been removed from the Robotron web site and that an updated version of the app was available that would remove the worm from the users phone if it was present. Robotron is still working on upgrades to the various control system programs that would deal with the portions of the worm that had been transferred by the app to the actual Robotron control software.

Securitage told reporters that he encouraged all Robotron control system users to discontinue use of the remote application app until the worm had been removed from all software components, both on the phone and in the manufacturing facilities. Indicator of compromise information is available on the ECS-CERT web site.