In 2023, a member of the pwnp0ny collective known as kahmi reportedly gained unauthorized access to several internal systems belonging to Flex-N-Gate, a global automotive and plastics manufacturing company. The intrusion was not publicly disclosed at the time, but screenshots and data samples later circulated in private security channels.
Scope of Access
The attacker obtained access to multiple internal resources at the company’s Danville, Illinois facility:
1. Employee Production Roles System
A legacy interface titled “Set Employee Production Roles” was accessed, revealing employee records that included:
• Employee numbers
• First and last names
• Internal Emp_Tag# values
• Assignment details (many listed under DFT class/group)
2. Internal IT Helpdesk Portal
The attacker also reached the FNG IT Help Desk/IS Global Service Desk. A profile for an account named “ILDN Maintenance” was viewed, listing the location as FLEX-N-GATE PLASTICS DANVILLE and the timezone as USA – Central Time.
3. Corporate Wireless Network
Network configuration details for the SSID “FNGOffice” were captured from a Dell laptop (asset tag ILDNENLT07), showing WPA2-Enterprise with PEAP authentication.
4. Network Asset Discovery
Most significantly, the attacker viewed a live inventory of the internal network, which listed 85 connected devices on the FNGOffice segment. Visible assets included:
• ILDNSVDC2 – Microsoft Virtual Machine (10.137.128.1)
• ILDNSVHV1 – Dell PowerEdge R540 server
• Multiple additional Microsoft virtual machines (ILDNSVFS1, ILDNSVME1, ILDNSVUT1, ILDNSVDB1, etc.)
All hostnames followed a consistent “ILDN” naming convention, further confirming the geographic scope of the breach.
Timeline and Context
This activity took place in 2023. The intrusion demonstrated a methodical approach: starting with operational systems, moving laterally to IT service portals, and eventually achieving visibility into network infrastructure and active assets. There was no evidence of data destruction, ransomware deployment, or public defacement, a pattern often associated with pwnp0ny operations.
Lessons from the 2023 Incident
The compromise highlights several persistent risks in industrial and manufacturing environments:
• Legacy production systems frequently remain accessible with weak controls.
• Internal helpdesk and administrative portals can serve as valuable pivot points.
• Flat network segments combined with enterprise Wi-Fi allow broad visibility once initial access is obtained.
• Asset naming conventions and exposed hostnames can significantly aid reconnaissance.
Organizations in the manufacturing sector should treat this case as a reminder that even seemingly isolated operational technology (OT) and IT systems can provide pathways to broader network awareness.
While Flex-N-Gate has presumably taken remediation steps since the 2023 incident, the event underscores the importance of network segmentation, regular credential hygiene, timely system modernization, and continuous internal monitoring.
Note:
*This post is for educational and awareness purposes in the cybersecurity community.*