Tuesday, September 6, 2022

Farbenhack Tool Being Sold on Dark Web

The ECS-CERT announced today that, in conjunction with investigators from the Federal Bureau of Inquiry, it had discovered a new hacking tool being sold on the Dark Web called Farbenhack. The tool provides a suite of applications that can be used to conduct ransomware attacks on manufacturing organizations. “We have seen various combinations of the applications being used in real world attacks on small companies in the United States,” Immanuel C Securitage, spokesperson for ECS-CERT, told reporters this morning.

Johnathan Quest, spokesperson for the FBI, told reporters that the earlier attacks were apparently proof-of-concept demonstrations for the new Farbenhack Tool. “The web site where the tool is being sold shows screen shots of the applications being used in those attacks,” Quest said. “The tools provide tools for conducting targeted phishing attacks on control system engineering professionals, with options for using drive-by attacks on an engineering web site, or the download of compromised files from look-alike web sites. The phishing tools are very sophisticated, targeted at folks who should be knowledgeable about web-surfing vulnerabilities.”

An engineer working with ECS-CERT, who is not authorized to talk to the press, told me that the post-compromise tools are even more refined. “While many, maybe most, control system devices are easily compromisable when one has access to the control network,” she told me. “These tools allow simultaneous reprogramming of a large set of devices on a network to shut down processes once the ransom notice is published, both on the engineering workstation and any HMI on the network.”

Interestingly, Quest notes that the Farbenhack Tool comes complete with command-and-control networks on Russian servers. “This CC network, along with some programming conventions, raises suspicions that the tool was developed by Russian hackers. It is not clear if they are officially sanctioned by the Russian government, but disruption of manufacturing capabilities in the United States and Europe would certainly be in the interest of the Putin government.” People who buy the tool do have the option to change to their own CC networks.

Securitage points out that a premium version of the tool provides an enhanced option to encourage victims to pay the ransom. The tool provides applications that will brick devices, making them inoperable and requiring replacement. “The vulnerabilities that lead to bricking are well known, but require authenticated access to the devices from the engineering workstation,” Immanuel said. “So many organizations find it an acceptable risk to not patch the devices.”

Neither ECS-CERT nor the FBI has any information on how many of these tools have been sold. ECS-CERT has published on its secure web portal a list of the compromised and look-alike web sites being used by the tool. “We do expect, however, that the crafters of the tool have the capability to update the tool with new web sites,” Quest explained. “We are being forced to play whack-a-mole with these sites.”

CAUTIONARY NOTE: This is a future news story –
