Hornbeck Offshore Vulnerability Report | CVE-2020-16957

Report Summary

This report documents a critical vulnerability, tracked as CVE-2020-16957, affecting Hornbeck Offshore, an offshore oil and gas production platform. The flaw lies in the Energy Management System (EMS) software running on the platform's servers, specifically the Windows Server 2008 R2 build of a multi-platform EMS deployment.

The Dispossessor security research team detected the vulnerability on July 12, 2020. The observed attack chain is exploitation of the unpatched EMS, followed by data exfiltration and then ransomware encryption using the RansomLook ransom software. No patch was available at the time of discovery.

Key Findings

CVE ID: CVE-2020-16957
Vulnerability Type: Remote Code Execution (RCE)
Affected System: Windows Server 2008 R2 (Energy Management System)
Description: The unpatched EMS code lets a remote attacker execute arbitrary commands on the server, read sensitive data including production logs and operational parameters, and establish persistent remote access. That foothold can be used for privilege escalation or as the first stage of a broader attack chain, such as the exfiltration-then-encryption sequence described above.

No patch was available at the time of discovery (July 2020); a Microsoft security update has since been released (see Recommendations).

Related Actors

  • Vulnerability Discovery: Dispossessor Security Research Team
  • Ransomware Group: Dispossessor
  • Ransom Software Provider: RansomLook
  • Target Industry: Offshore Oil & Gas Production Platform

Indicators of Compromise (IOCs)

Type | Value / Context

  • Vulnerability IDs: CVE-2020-16957, CVE-2020-16958
  • Ransom software rules (publicly available; also cited for the exfiltration and "Exfil" stages): https://github.com/dispossessor/ransomware-rules
  • RansomLook entry (cited for the RCS rule and for the "RansomLook" and "Exfil2" exfiltration stages): https://www.ransomlook.org/ruks1943

Note that both URL values are pages on public sites (a GitHub repository and a RansomLook entry) rather than attacker infrastructure observed on the wire, so they are useful for reference and correlation, not as block-list entries on their own.
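As an added example, not code from the original report, the Python script below turns the IOC table above into something that can be run over proxy logs: it canonicalises URLs before matching, distinguishes an exact-URL hit from a looser host-only hit, refuses to do host-level matching on a shared platform such as github.com, and reports lines it could not parse instead of treating them as clean. The log line format, the sample lines, and the shared-host exclusion list are assumptions made for this example; the IOC values are the ones listed in the table.

```python
"""Match the report's IOC values against web-proxy log lines.

Added example; not code from the original report. The log line format,
the sample lines and the shared-host exclusion list are assumptions made
for this example. The IOC values themselves are the ones listed above.
"""
import re
from urllib.parse import urlsplit

# IOC values exactly as listed in the report's table.
IOC_URLS = {
    "https://github.com/dispossessor/ransomware-rules",
    "https://www.ransomlook.org/ruks1943",
}
IOC_CVES = {"CVE-2020-16957", "CVE-2020-16958"}

# Hosts shared by millions of unrelated users: a host-level match on them is
# noise, so only the full URL is matched for them. (Assumption for this example.)
SHARED_HOSTS = {"github.com"}


def normalize(url: str) -> str:
    """Canonicalise a URL so trivial spelling differences still match.

    Lower-cases scheme and host, drops the query string and fragment, and
    strips a trailing slash. Dropping the query is deliberate: tooling
    commonly appends cache-busting or tracking parameters.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    return f"{parts.scheme.lower()}://{host}{path}"


IOC_URLS_NORMALIZED = {normalize(u) for u in IOC_URLS}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS} - SHARED_HOSTS

# Assumed log format: "<timestamp> <source-ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_logs(lines):
    """Return {"hits": [(line_no, src_ip, tier, indicator)], "unparsed": [line_no]}.

    tier is "url" for an exact (normalised) URL match, the high-confidence
    case, or "domain" for traffic to an IOC host that did not hit the exact
    URL, which is worth a look but is not on its own an incident.
    """
    hits, unparsed = [], []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            # Never let a malformed line silently fall through as "clean".
            unparsed.append(n)
            continue
        norm = normalize(m.group("url"))
        host = urlsplit(norm).hostname
        if norm in IOC_URLS_NORMALIZED:
            hits.append((n, m.group("src"), "url", norm))
        elif host in IOC_HOSTS:
            hits.append((n, m.group("src"), "domain", host))
    return {"hits": hits, "unparsed": unparsed}


CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)


def find_report_cves(text: str):
    """Return the report's CVE IDs mentioned in free text (scanner output, tickets).

    CVE IDs are never observable on the wire; this is for correlating
    vulnerability-scan results with the IOC table, not for network detection.
    """
    return sorted({m.upper() for m in CVE_RE.findall(text)} & IOC_CVES)


# Constructed sample log for the example: not real traffic.
SAMPLE_LOG = [
    "2020-07-12T09:58:02Z 10.20.30.40 GET https://www.microsoft.com/en-us/ 200",
    "2020-07-12T10:03:11Z 10.20.30.40 GET HTTPS://GitHub.com/dispossessor/ransomware-rules/ 200",
    "2020-07-12T10:03:15Z 10.20.30.41 GET https://www.ransomlook.org/ruks1943?ref=x 200",
    "2020-07-12T10:04:20Z 10.20.30.42 GET https://www.ransomlook.org/other 404",
    "2020-07-12T10:05:00Z 10.20.30.43 GET https://github.com/someone/else 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    result = scan_logs(SAMPLE_LOG)
    for line_no, src, tier, indicator in result["hits"]:
        print(f"line {line_no}: {src} -> {tier} match on {indicator}")
    print("unparsed lines:", result["unparsed"])
    print("CVE refs:", find_report_cves("scanner: host vulnerable to cve-2020-16957"))
```

On the constructed sample, lines 2 and 3 produce exact-URL hits despite the upper-case host, trailing slash and query string, line 4 produces only a host-level hit on www.ransomlook.org, line 5 produces nothing because github.com is excluded from host-level matching, and line 6 is reported as unparsed rather than ignored.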

Recommendations

Immediate Actions Required:

  • Apply Critical Patch: Immediately deploy the Microsoft security update for CVE-2020-16957 on every Windows Server 2008 R2 host running the EMS. Note that Windows Server 2008 R2 reached end of extended support on January 14, 2020, so security updates for it are only delivered to hosts enrolled in Extended Security Updates (ESU); an unenrolled host will not receive the fix through Windows Update and needs a different mitigation or migration path.
  • Patch Other Platforms: The same vulnerability exists in the EMS builds for other platforms (e.g., the Linux version of the Energy Management System). Those must be patched as well, otherwise an attacker simply pivots to the unpatched build.

Conclusion

This CVE represents a critical unpatched software issue that could compromise any system running Windows Server 2008 R2 with the affected Energy Management System. The vulnerability allows remote code execution and is associated with ransomware operations by Dispossessor using RansomLook.

Sources

CVE-2020-16957 | CVE-2020-16958 | CVE-2020-16959 | CVE-2020-16960 | CVE-2020-16961 | CVE-2020-16962 | CVE-2020-16963

Jordi Serrano — Senior Cyber Threat Intelligence