Garmin Breach: My Thoughts

What Garmin did well and where they fell short in their 2020 Ransomware Incident.

Written August 11, 2020.

As you may have heard, less than 4 weeks ago Garmin fell victim to a costly ransomware attack. Garmin’s systems were infected late on July 23, 2020, and on Monday, July 27, Garmin released a statement acknowledging it had been the victim of a “cyberattack that encrypted some of our systems.” (9)
Ransomware is a form of malware that fully encrypts the contents/files of the systems it infects. These files cannot be recovered without either:

  • A decryption key, which is acquired by paying the negotiated “ransom”
  • Data backups which were not encrypted by the ransomware

The attack was orchestrated by the Russian hacker group “Evil Corp”.  Allegedly, Evil Corp is only interested in getting paid via their ransomware; to date, they have not shown any evidence of data exfiltration in any instance where their ransomware was used.  Further, Garmin has stated that “We have no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost or stolen.”(9)

This breach is very recent, and it is difficult to find any information on how Evil Corp was able to get the ransomware into Garmin’s systems.

Were hackers somehow able to exploit Garmin Connect, or similar Garmin services which allow uploading of data, to upload the ransomware?  This could have been done using a variation of an attack listed in the OWASP Top 10, such as a form of Cross-Site Scripting or XML External Entity injection.  Or was the ransomware able to penetrate Garmin’s systems via a more “traditional” method, such as a compromised computer or a spear-phishing email?

From reading about the incident, I don’t believe a malicious upload to Garmin Connect (or a similar service) was the case.  Garmin has extremely high levels of quality control for its aviation devices, so we can assume all of its software development and design goes through rigorous testing and follows a strict SDLC.  Further, data uploading was one of the first services reinstated after the incident; if Garmin suspected Garmin Connect of being vulnerable, there is no doubt they would not have reinstated its functionality so quickly.  While other services and sites remained inaccessible, data uploading was working again shortly after the incident.

In a large enterprise like Garmin, policies and procedures related to incident management are crucial.  This incident illustrates where Garmin’s staff training and incident-management procedures failed.  For example, almost immediately after the breach occurred, some Garmin staff members were sharing sensitive pictures on social media showing a screen full of infected/encrypted files on a computer system.  It is unfortunate that staff working at an enterprise would consider sharing this information with the world to be appropriate conduct.  There is no guarantee that detailed incident response staff training (or a code of conduct) would have prevented this scenario; however, proper training and planning give staff guidance on how to conduct themselves when an incident affects the systems they regularly use.

Next is the issue of data backups.  Evidently Garmin did not have a robust backup solution in place.  I make this assumption because there is proof of Garmin using a decryption key for the ransomware in order to bring its systems back up and running.  A robust, full backup solution including offsite backups would have saved Garmin millions of dollars in ransom payment, because upon infection the systems could simply have been restored from a full backup (or a combination of other backups) taken on a previous date.

Assuming Garmin is being truthful in its statement regarding customer data, this illustrates the success of the Least Privilege and Separation of Duties type controls it may have in place.  Perhaps Garmin can confidently say that customer data was not breached because the systems housing that data are physically and logically separate from the public-facing web services servers.  This customer data may also be protected by very strict privileges.  It is difficult to know.  I read through the risks section of the 2019 10-K form (p. 22-23, ref. 10); there is extensive discussion of cyber security risks and liabilities/insurance, and the form states that “We have technology and processes in place to detect and respond to data security incidents.”(10), but there are no details about exactly what controls are in place.  Of course, there is the possibility Garmin is incorrect, that customer data and information has been breached, and that they used the decryption key or backups to restore that data as well as the disrupted web services.  As this story develops we will learn more.

I’m sure more information will be released regarding this data breach over time.  I expect Garmin to conduct an internal administrative investigation, and Garmin may also be subject to a criminal investigation.  Garmin will potentially face a criminal investigation because the US Government has placed sanctions on the Russian hacking group Evil Corp, and so a company paying a ransom to Evil Corp could face litigation.  I did read that Garmin engaged a smaller company to negotiate with Evil Corp for the decryption key, then Garmin paid that smaller company “for their services” of providing the decryption key.  This type of negotiation scenario may present a loophole in the US’s action of placing sanctions on hacking groups to discourage US companies from paying a “ransom” for the decryption key.

As mentioned, this is still a developing story, which I will be following.  We will see if Garmin faces any criminal investigation or litigation because it allegedly paid the ransom through a third party.  I’ll also be following this story to see if they can somehow prove customer data was never breached, and if they ever release further details on how their systems were actually breached (if they even know).  I could easily see this breach also just going away, sort of swept under the rug, since they paid the ransom and restored everything back to normal so quickly.

Sources:

  1. https://www.techrepublic.com/article/experts-devastating-ransomware-attack-on-garmin-highlights-danger-of-haphazard-breach-responses/
  2. https://cyclingtips.com/2020/08/report-garmin-secured-decryption-key-paid-ransom-to-hackers-2/
  3. https://cyclingtips.com/2020/07/how-did-the-garmin-cyber-attack-happen-and-what-does-it-mean-for-users/
  4. https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/
  5. https://threatpost.com/garmin-pays-evil-corp-ransomware-attack-reports/157971/
  6. https://www.darkreading.com/attacks-breaches/garmin-takes-app-and-services-offline-after-suspected-ransomware-attack/d/d-id/1338456
  7. https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/
  8. https://www.zdnet.com/article/new-wastedlocker-ransomware-demands-payments-of-millions-of-usd/
  9. https://newsroom.garmin.com/newsroom/press-release-details/2020/Garmin-issues-statement-on-recent-outage/default.aspx
  10. https://www8.garmin.com/aboutGarmin/invRelations/reports/2019_10K.pdf
Free Cyber Security Advice

because everyone loves “Free Advice”

8 EASY TO IMPLEMENT ideas to help protect against malware, ransomware, hackers, and other cyber threats

DISCLAIMER: I (the writer) am not just making suggestions and “Poof! The capital of Australia” outta here. Eventually there will be detailed blog posts related to each one of the following suggestions. If you would like to ask further details about any of these items feel free to use the contact form on our website.

Thank you for visiting the very first post on the official intelliGENTS blog. Here is the quick list of the 8 suggestions in no particular order of importance or hierarchy.

  1. Passwords and using Complex Passwords
  2. Separate Admin and User Privilege Accounts
  3. Virtual Private Network, VPN
  4. Two Factor Authentication, 2FA
  5. Turn on BitLocker Drive Encryption
  6. Stop using Mapped Drives (at work)
  7. Educate yourself on Phishing
  8. Stop sharing passwords

The following is a high level overview of the suggestions, if you have specific questions about any of these ideas, post questions in the comments section and our team will try to provide feedback.

USE A PASSWORD

It might seem obvious. 15-20% of people still aren’t using a password to either a) log in to their computer, or b) unlock their phone. Do they also leave their vehicles unlocked with a key in the ignition?

  • Strong Password protection gives Peace of Mind in the event a device is lost or stolen.
  • A Password mitigates against the threat of someone acquiring (stealing?) your laptop/computer/phone, simply turning it on, and having access to EVERYTHING you normally have access to without inputting one password. Think about that.
Picture of me finding a random laptop that does not employ a password to log on.

Use a more COMPLEX PASSWORD

If your password does NOT meet at least 4 of the 5 annoying password requirements (upper case, lower case, number, symbol, 8+ characters), then update your password so that it does.

  • Again, peace of mind if equipment is ever lost or stolen.
  • Mitigates against all cyber threats to some degree.
  • The effectiveness of the mitigation is directly proportional to the complexity of the password.

Separate Administrator and User accounts.

Does this screen look familiar? Make it require a username/password instead of just a YES click.

Does that screen look familiar? It helps, but it is still too easy to click Yes. It seems like a LOT of hassle always entering another password to run as admin, right? Let’s all stop being silly and separate the Administrator account from the User account on our computers. Yes, even YOU, home user. Windows 10 makes it easy to run processes as “administrator”. Having to input credentials will make you “think” before you press OKAY after clicking that link, running that program install, or opening that file.

  • If you have kids, or careless/unsuspecting people that use your computer, this can be especially effective.
  • Mitigates against threats that infiltrate your computer and attempt to self-install and run on your system, like malware programs, spybots and auto-run files on USB sticks.
  • Mitigates against users overloading computers with programs in Overflow area (ie Junk area) as pictured below.
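The following is an added example (not code from the original post) of the same separation done from an elevated PowerShell on Windows 10/11: check whether the current session is elevated, create a standard (non-admin) account for day-to-day use, list who is actually in the local Administrators group, and switch UAC from a plain Yes click to a prompt for credentials. The account name `daily-user` and the password prompt are placeholders; the registry values are the documented UAC policy settings.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell on Windows 10/11.
# "daily-user" is a placeholder account name.

function Test-IsElevated {
    # True when this PowerShell session is running with an administrator token
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminNames {
    # Audit: every account that can elevate with a single "Yes" click lives in this group
    Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
}

function New-StandardUserAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    # New-LocalUser does not place the account in any group, so add it to Users only
    # (never to Administrators); that is the whole point of the separation.
    $user = New-LocalUser -Name $Name -Password $Password -Description 'Daily non-admin account'
    Add-LocalGroupMember -Group 'Users' -Member $Name
    return $user
}

function Set-UacPromptForCredentials {
    # ConsentPromptBehaviorAdmin: 1 = prompt for credentials on the secure desktop
    #   (Windows default is 5 = prompt for consent, i.e. the bare Yes/No click)
    # ConsentPromptBehaviorUser:  1 = standard users are asked for admin credentials
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name 'ConsentPromptBehaviorAdmin' -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'ConsentPromptBehaviorUser'  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell (Run as administrator).' }

$pw = Read-Host -Prompt 'Password for the new standard account' -AsSecureString
New-StandardUserAccount -Name 'daily-user' -Password $pw | Out-Null
Set-UacPromptForCredentials

"Local administrators on $env:COMPUTERNAME:"
Get-LocalAdminNames

# From the standard account, anything that truly needs admin rights is launched with
# Start-Process <program> -Verb RunAs, which now asks for the admin username and password.
```

After this, log in as `daily-user` for everyday work; the account you created during Windows setup stays in Administrators and is only used when an elevation prompt asks for it. The UAC change takes effect at the next logon, and the `Get-LocalAdminNames` listing is worth re-running occasionally, since installers sometimes add accounts to that group.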

Use a VPN (Virtual Private Network)

With a VPN, that car is like you on the open road of internet browsing. It might be a little slower, but on the other side of that tunnel is an open road of internet with nobody else to crash into, nobody watching you, and nobody judging what you do with your early 90s Toyota

You don’t ALWAYS need to use a VPN, but if you are on public WiFi, like at a coffee shop or hotel, you should consider using a VPN or just stick to your cellular data. A VPN is your own private tunnel through which you browse the internet. A VPN will slow down your internet speed, because it takes extra data to create this “virtual tunnel” around your internet activity.

  • Your network activity and packets can still be intercepted, but the VPN encrypts them so that the data is completely unreadable to anyone who captures it between you and the VPN server.
  • There are many commercially available VPNs at low monthly costs (ex: NordVPN).
  • Some consumer grade routers include functionality to host your own VPN. To do this you might just have to get your hands dirty: RTFM for your router, do some Google searching, that kind of thing. (blog post?)
  • Ask at your workplace about providing a VPN service you can use for private browsing while outside the office. Employers – with enterprise grade firewall equipment there is no reason not to provide this service for your employees.

**Note – this does not only apply to WiFi networks; open wired network connections at trade shows and hotels are perhaps even more vulnerable.

  • Mitigates against the threat of network activity being intercepted, monitored, “sniffed”, or analyzed by others using the WiFi or supplying the WiFi.

Use Two Factor Authentication, 2FA

Yubikey is one of many forms of 2FA

Two-factor authentication adds an extra layer of security to all your accounts: knowing the username/password alone is not enough to get in. There are both hard and soft two-factor authentication methods out there. The USB key pictured above is an example of a hard token. An app like Google Authenticator generates a short numeric code for your account that changes every 30 seconds (a One Time Password, OTP).

  • Mitigates against brute-force attacks on your login.
  • Mitigates against damage from leaked username/password lists available on the “dark web”.

Use BitLocker Drive Encryption

I’m a Windows guy. I’m sure there is a way to do this on a Mac as well, but I haven’t done it. I’ll eventually write a detailed post about drive encryption, but for now any semi-modern PC should have a TPM built in so you can use BitLocker.

Here is how to turn it on:

  1. Find THIS PC on your computer, click it
  2. Right click your C: drive, choose TURN ON BITLOCKER
  3. Follow on screen instructions
  4. DO NOT LOSE YOUR DECRYPTION KEY GENERATED AT THE END (BitLocker calls it the recovery key)

That’s it. Now your C: drive will be encrypted.

  • Mitigates against the threat of a hard drive ending up in the wrong hands and being mined for information.
  • In combination with a complex password, basically makes any information on a stolen device inaccessible.
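The same four steps from an elevated PowerShell, as an added example (not code from the original post): it checks the TPM the post relies on, adds the recovery password first, enables BitLocker on the OS drive, and writes the recovery password somewhere other than the drive it unlocks. It assumes Windows 10/11 Pro or Enterprise, `C:` as the OS drive, and `D:\bitlocker-keys` is a placeholder for a removable or separate drive you would substitute.

```powershell
# Added example, not from the original post. Run as administrator on Windows 10/11 Pro/Enterprise.

function Test-TpmReady {
    # Step 0 the GUI does silently: BitLocker with a TPM protector needs a present, initialised TPM
    $tpm = Get-Tpm
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
}

function Get-BitLockerStatus {
    param([string]$MountPoint = 'C:')
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod
}

function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [string]$KeyBackupFolder = 'D:\bitlocker-keys'   # placeholder: NOT on the drive being encrypted
    )
    if (-not (Test-TpmReady)) { throw 'TPM not present or not ready; initialise it in tpm.msc first.' }

    # Step 4 first: create the recovery password protector before encryption starts, so there is
    # always a way in if the TPM later refuses to unlock (firmware update, board swap, etc.).
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # Steps 2-3: TPM unlocks the drive at boot; XTS-AES-256 is the current recommended cipher mode
    if ($vol.ProtectionStatus -ne 'On') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    }

    # Save the recovery password off the encrypted drive (a file here is the minimum; in a domain
    # use Backup-BitLockerKeyProtector, with Azure AD use BackupToAAD-BitLockerKeyProtector)
    New-Item -ItemType Directory -Path $KeyBackupFolder -Force | Out-Null
    $file = Join-Path $KeyBackupFolder "$($env:COMPUTERNAME)-$($rp.KeyProtectorId).txt"
    @(
        "Computer:          $env:COMPUTERNAME"
        "Volume:            $MountPoint"
        "Key protector ID:  $($rp.KeyProtectorId)"
        "Recovery password: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $file
    return $file
}

$saved = Enable-OsDriveBitLocker
"Recovery password saved to $saved - move this file somewhere safe, then delete it from here."
Get-BitLockerStatus
```

Encryption continues in the background after the cmdlet returns; `Get-BitLockerStatus` shows `EncryptionPercentage` climbing and `ProtectionStatus` turning to `On`. The one thing to check afterwards is that the text file (or the AD/Azure AD backup) exists somewhere that does not depend on the drive it unlocks, which is the failure mode behind step 4 of the post.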

Stop using Network Mapped Drives!

“If you have never heard of Zed Drive put yer hands up!”
Seriously though, mapped drives are for dorks.

Mapped drives at work (i.e. X: drive, Z: drive, K: drive)? Use UNC path shortcut icons instead.

  • Easy to set up (post coming soon); train staff.
  • Provides a much higher level of security than a mapped network drive like X:\.
  • Definitely not a bullet-proof solution; however, users will hardly notice a difference, and for a threat targeting your file systems it can make all the difference.
  • Mitigates against threats that scan your file system looking for other connected drives and files to infect.
  • Prevents ransomware-type attacks from reaching server share files through a local client computer that normally accesses those files through a mapped drive.
  • Prevents command-line browsing of network files.
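For the “easy to set up” part, this added example (not code from the original post) lists the SMB drive mappings on a PC, creates a desktop shortcut pointing at the same UNC path for each one, and then removes the persistent mapping. It assumes it runs as the user whose drives are mapped, and `\\fileserver\finance` mapped to `X:` is a placeholder for whatever your own mapping is.

```powershell
# Added example, not from the original post. Run as the user who owns the mapped drives.

function Get-MappedDrives {
    # Persistent SMB mappings with a drive letter, e.g. X: -> \\fileserver\finance
    Get-SmbMapping | Where-Object { $_.LocalPath } |
        Select-Object @{ n = 'Letter';  e = { $_.LocalPath } },
                      @{ n = 'UncPath'; e = { $_.RemotePath } },
                      Status
}

function New-UncShortcut {
    param(
        [Parameter(Mandatory)][string]$UncPath,
        [string]$Name,
        [string]$Folder = [Environment]::GetFolderPath('Desktop')
    )
    # Default the shortcut name to the share (last path component), e.g. "finance"
    if (-not $Name) { $Name = ($UncPath.TrimEnd('\') -split '\\')[-1] }
    $lnkPath = Join-Path $Folder "$Name.lnk"
    $shell = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($lnkPath)
    $shortcut.TargetPath  = $UncPath
    $shortcut.Description = "Opens $UncPath"
    $shortcut.Save()
    return $lnkPath
}

function Convert-MappedDriveToShortcut {
    param([Parameter(Mandatory)][string]$Letter)   # e.g. 'X:'
    $map = Get-SmbMapping -LocalPath $Letter -ErrorAction Stop
    $lnk = New-UncShortcut -UncPath $map.RemotePath
    # -UpdateProfile also drops the "reconnect at sign-in" mapping, not just the live session
    Remove-SmbMapping -LocalPath $Letter -Force -UpdateProfile
    return [pscustomobject]@{ Letter = $Letter; UncPath = $map.RemotePath; Shortcut = $lnk }
}

"Before:"
Get-MappedDrives

# Replace every mapped letter with a shortcut; comment out the loop and call one letter
# (Convert-MappedDriveToShortcut -Letter 'X:') if you want to do this one drive at a time.
foreach ($drive in Get-MappedDrives) {
    Convert-MappedDriveToShortcut -Letter $drive.Letter
}

"After (should be empty):"
Get-MappedDrives
```

Two caveats that match the post’s own “not bullet-proof” note. If the letters are assigned by Group Policy drive mapping, they come back at next logon, so the mapping has to be removed on the policy side, not locally. And the shortcut removes the drive letter, not the share: the user’s permissions on `\\fileserver\finance` are unchanged, so share permissions (and tested backups of the server) remain the controls that actually limit what malware running as that user can reach.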

Understand Phishing and Spear Phishing Emails.

Phishing, generally speaking, is when a hacker impersonates someone or something (e.g. an email from your colleague, an email from a server (pictured above), or a text from your bank) in order to get you to click a link or download a file. Phishing attempts have become very sophisticated.

If you are questioning an email you received, a good practice is to ask your IT department or reach out directly to the person or company who supposedly sent it (“Hey Lisa, did you send a document to my email this morning?”) to check its legitimacy. Don’t reply to the email; call or ask in person. If it is an email from a company, like a tracking number, go to the supposed vendor’s website (ex: fedex.ca) and paste the tracking number there. Don’t click any links embedded in emails you aren’t 100% certain about.

  • Ask your IT department about sending semi-regular mock phishing attempts to staff to ensure everyone understands phishing emails.
  • The human factor is the best (and worst) mitigation against cyber threats. Keep yourself and your peers aware of, and educated on, the latest trends in cyber threats.
  • Discuss any incidents, no matter how small, with others; you might start to find patterns that should be investigated.

One last note on phishing. If someone in your organization receives a phishing email impersonating anyone else (or themselves) in the organization, this type of activity should be addressed immediately:

  • Don’t delete the email right away. It may contain valuable forensic information.
  • Report the email/text to IT and Management ASAP
  • The origin of the email and how it passed through spam filters needs to be understood and explained.
  • Internal phishing attempts should be dealt with in a manner that ensures they do not recur.
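The “where did it come from and how did it get past the filter” question is answered from the message headers, which is why the post says not to delete the email. This added example (not code from the original post) runs a small triage over a constructed sample header block, not a real message: it compares the visible From domain with the Reply-To and Return-Path (envelope sender) domains, and reads the SPF/DKIM/DMARC verdicts your own mail gateway recorded in Authentication-Results. All addresses, hostnames and the IP address are placeholders.

```powershell
# Added example, not from the original post. Constructed sample headers (not a real email).
$SampleHeaders = @'
Return-Path: <bounce@mail-deliver.example>
Received: from mail-deliver.example (mail-deliver.example [203.0.113.10]) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-deliver.example; dkim=none; dmarc=fail header.from=example.com
From: "Lisa Chen (Accounting)" <lisa.chen@example.com>
Reply-To: lisa.chen.accounting@webmail-free.example
To: you@example.com
Subject: Urgent: updated invoice attached
'@

function Get-HeaderValue {
    # First value of a named header (one-line headers; folded continuation lines are not handled)
    param([Parameter(Mandatory)][string]$Raw, [Parameter(Mandatory)][string]$Name)
    $m = [regex]::Match($Raw, "(?im)^$([regex]::Escape($Name)):[ \t]*(.+)$")
    if ($m.Success) { return $m.Groups[1].Value.Trim() }
    return $null
}

function Get-AddressDomain {
    # Domain part of the first e-mail address found in a header value
    param([string]$Value)
    $m = [regex]::Match([string]$Value, '@([A-Za-z0-9.-]+)')
    if ($m.Success) { return $m.Groups[1].Value.ToLower() }
    return $null
}

function Test-PhishingIndicators {
    param([Parameter(Mandatory)][string]$Raw)
    $findings = @()
    $fromDomain = Get-AddressDomain (Get-HeaderValue -Raw $Raw -Name 'From')

    # 1. Replies quietly redirected to a different domain than the visible sender
    $replyTo = Get-HeaderValue -Raw $Raw -Name 'Reply-To'
    if ($replyTo -and (Get-AddressDomain $replyTo) -ne $fromDomain) {
        $findings += "Reply-To domain '$(Get-AddressDomain $replyTo)' differs from From domain '$fromDomain'"
    }

    # 2. Envelope sender (where bounces go) does not match the visible From domain
    $returnPath = Get-HeaderValue -Raw $Raw -Name 'Return-Path'
    if ($returnPath -and (Get-AddressDomain $returnPath) -ne $fromDomain) {
        $findings += "Return-Path domain '$(Get-AddressDomain $returnPath)' differs from From domain '$fromDomain'"
    }

    # 3. What the receiving gateway's own SPF/DKIM/DMARC checks concluded
    $auth = Get-HeaderValue -Raw $Raw -Name 'Authentication-Results'
    foreach ($check in 'spf', 'dkim', 'dmarc') {
        if ($auth -and $auth -match "$check=(fail|softfail|none|permerror|temperror)") {
            $findings += "$check result is '$($Matches[1])'"
        }
    }
    return $findings
}

Test-PhishingIndicators -Raw $SampleHeaders
```

On the sample this reports four findings: the Reply-To and Return-Path domains both differ from `example.com`, DKIM is `none`, and DMARC is `fail`. Everything in a header can be written by the sender except the `Received` and `Authentication-Results` lines your own servers added, so when IT explains “how it got through”, it is those lines (and the gateway’s policy for a DMARC `fail`) that matter; a `dmarc=fail` on your own domain name in the From line is the classic internal-impersonation signature the post says to act on immediately.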

Stop Sharing Passwords

And don’t write them on a sticky note pasted to your monitor either

Stop sharing passwords with co-workers/family and don’t share passwords between computers. It’s best if you and the other people in your life use different passwords that are more or less unknown to each other. It keeps everyone secure and gives me warm fuzzies.

Environments with a “store front”, such as salons, hotels and boutique stores, may require a single computer accessed regularly by different users. If this is the case, then try NOT to give every computer (even if there are only 2 of them) the same password, like “hair111”; maybe use “hair111”, “hair222”, “hair333”.

  • Mitigates against threats due to information being leaked or falling into the wrong hands, such as a password being cracked or becoming known.

Thank you for reading through some or all of these easy to implement ideas. Let us know in the comments what you thought about this post and what you would like the next post to be about.
