A cybercriminal is allegedly selling a zero-day exploit that targets the Human-Machine Interface (HMI) of gas pump automation systems developed by a Russian company. The seller claims the vulnerability allows for complete control over the affected gas pumps, posing a significant threat to potentially thousands of gas stations.
The targeted system is the “БУК TS-G” (BUK TS-G), a gas station automation system created by “Нефтепродукттехника” (Nefteprodukttekhnika), a company based in Russia. This system is reportedly utilized in over 2,500 gas stations across Russia and the Commonwealth of Independent States (CIS), highlighting the widespread potential impact of the alleged exploit. The “БУК TS-G” system manages the core operations of a gas station, including fuel dispensing, payment processing, and monitoring of tank levels. An exploit affecting this system could lead to severe disruptions and financial damage.
According to a post on a criminal forum, the zero-day exploit is being offered for $40,000. The seller alleges that the vulnerability grants full administrative access to the gas pump’s control panel. The potential for misuse is significant, with the seller listing a range of malicious actions possible through this access. The advertised capabilities allegedly include:
- Inventory access and manipulation
- Complete closure of services
- Ability to alter system settings
The seller claims that over 50 publicly accessible devices are vulnerable, with the implication that many more private or internally hosted systems are also at risk. If the claims are accurate, this vulnerability could be exploited to manipulate fuel prices, steal fuel by altering pump readings, or cause widespread service outages at affected gas stations. The alleged sale of such a powerful exploit underscores the growing threat of cyberattacks against critical infrastructure.












