Thursday, December 26, 2019

Vehicle repair shops: Likely target


Vehicles are throughout society. People may have multiple vehicles at a residence for their children, spouse, or collectibles. These are also used in multiple ways for an increasing number of years. As the vehicles age, they tend to need more repairs. The establishments repairing vehicles do much of the work manually, but the backbone of the operations is still run on computers. When there is an issue with the system, the garage does not operate well. This is especially a problem when malware is introduced into the system of a chain of garages.

Kwik Fit is one of these organizations. This is a chain of garages focused on repairing vehicles. The organization had the misfortune of being targeted and successfully attacked. The issue became apparent when their clients began to complain on Twitter. The symptom that surfaced this was clients being unable to reach the business by phone. The complaints began to pick up, as it appeared the call center was down. Naturally, this was a significant issue for the business. While they began the investigation, management acknowledged via a tweet that they were having technical difficulties. This was from the malware being introduced into the system. It does appear this was a ransomware attack; however, the details were not reported.

The effect of this was rather quick and direct. The business was not able to accept and schedule work, or process orders. The system was down from January 26 to at least February 1, 2019. They don’t believe any of their clients’ records had been breached. On a positive note, they did state that customers’ financial information was not stored on the affected systems.

It would have been much more helpful to the industry if some of the attack details had been shared. Granted, this is not the optimal situation for the business; however, once the damage was done and the issue remediated, others could have learned from it.
Resources
Corfield, G. (2019, January 31). Kwik-fit hit by MOT fail, that’s malware on target. Retrieved from https://www.theregister.co.uk/2019/01/31/kwik_fit_malware_it_systems_down/
IT Pro. (2019). Kwik fit hit by malware, knocking out IT systems. Retrieved from https://www.itpro.co.uk/security/32880/kwik-fit-hit-by-malware-knocking-out-it-systems
Rumney, S. (2019, January 30). Kwik fit garages hit by computer virus. Retrieved from https://www.bbc.com/news/technology-47062480
Winant, D. (2019, February 1). Kwik fit hit by malware knocking out IT systems. Retrieved from https://seclists.org/dataloss/2019/q1/105

Tuesday, December 24, 2019

The kids are alright! But the network isn't!


K-12 schools are throughout our landscape in small towns and large cities. The number of students varies per region, requiring small buildings or one large enough for a medium-sized business. They may be located on short, two-lane roads or primary thoroughfares. When we drive by these, we know they are educational facilities teaching the next generation. While the primary focus is the same for these institutions, there is another commonality. Each has some form of network, be it rudimentary or complex, holding a mass of data, managing operations where needed, and facilitating email communications. One issue with these networks has been cybersecurity. With constricting budgets, it has become tough to get everything done as planned.

Attack
One such school is Wolcott Public Schools. The school system, located in Connecticut, was attacked successfully. The attackers naturally had a full array of tools available to use. They chose an all-too-familiar one, which has proven to be very effective: their system was compromised with ransomware. The use of ransomware has proven itself over the last two years to be an epidemic. The attack started in May 2019, at the end of the school year. The district attempted, in vain, to manage this issue internally. Ransomware can sometimes be removed by the target with select tools, but only in very few cases involving early variants, which may still be in use. The issue reached a tipping point and had to be brought before town officials when the district was unable to correct it.

Effects
The successful attack had deep-rooted effects on the school. Had this affected only one user’s workstation, it would have been a much different case. They were forced to lock down several servers. While these were locked down, staff were unable to access or work with any of the data stored on them. Fortunately, a portion of the files was located in other locations as back-ups. While this sounds unpleasant enough, consider all of the learning activities that could not occur while the files were encrypted. On the bright side, no student data was compromised.

Remediation
This was a rather significant issue. Having data tied up and not usable is problematic for anyone. With a school district, there are timelines involved with reporting data to the state and possibly federal agencies. Post-detection, the school district contacted the FBI. The focus there, naturally, was on who was behind the ransomware attack.

As noted, the affected systems were shut down for all practical purposes. Once the school IT workgroup decided they were not going to be able to fix the issue, they consulted with the Wolcott Board of Education. The risks and benefits of paying the ransom were discussed and debated. The Board of Education approved the ransomware payment by a vote of 6 to 1. The hope was to secure the decryption key. The approved payment was up to the amount the town charter would allow, $9,999; this was the ceiling. An amount greater than this would require a bidding process and an extended amount of time, which is something they did not have. Without the ransom being paid and the decryption key provided, a portion of the middle and high school files would not be usable in any form. In this incident, of the schools in the district, the high school, middle school, and central office only had a back-up server.

Comments & Concerns
Ransomware has become an epidemic. This has become a massive issue across many industries. Any business connected to the internet is susceptible to this. One fact not covered in the publications is the method of infiltration. This may have been an employee clicking on a link or file, inviting the malware in through the front door, and allowing it to scurry about in the network. Ransomware training is a necessity in this day and age. The employees need to know what to look for, as a constant reminder. In the case of an individual oversight, which generally causes damage at this significant a level, the employees need to know what to do.

Resources
Backus, L. (2019, August 30). FBI probes hacking of CT school’s computer. Retrieved from https://www.ctpost.com/local/article/FBI-probles-hacking-of-CT-school-s-scomputers-14401437.php
Data Breaches. (2019, August 30). Cyber attack affects Wolcott public schools. Retrieved from https://www.wfsb.com/news/cyber-attack-affects-colcott-public-schools/
WFSB. (2019, August 30). Cyber attack affects Wolcott public schools. Retrieved from https://www.wfsb.com/news/cyber-attack-affects-wolcott-public-schools/
Johnson, K. (2019, August 28). Ransomware attack targets Wolcott public schools. Retrieved from https://www.nbcconnectictu.com/news/local/Ransomware-attack-targets-wolcott-public-schools-558610611.html
Passmore, S. (2019, August 30). Board passes motion to allow Wolcott superintendent to pay ransom after cyber attack. Retrieved from https://www.weny.com/story/40985421/board-passes-motion-to-allow-wolcott-superintendent-to-pay-ransom-after-cyber-attack

Thursday, December 19, 2019

Automakers still targeted: Toyota Australia Attacked


The auto manufacturing industry maintains a mass amount of intellectual property. This is based on legacy systems and models, along with current models. A gold mine within this realm is the models being designed and the new technologies in the vehicles, present and planned for the future. This not only includes electrical engineering but also everything associated with autonomous drive vehicles. This concept has been in development for well over a decade. For an attacker, breaching a system and exfiltrating code that took over a decade to reach a workable level has rather significant value. The well-used ransomware attack, with its positive results for the attacker, would also be a good fit for this scenario.
With any attack vector with a reasonable potential for a breach, an auto manufacturer certainly is a viable target. An attack in early 2019 certainly exemplified this.
Target
Toyota Australia is an OEM located in Australia. As with the other vehicle manufacturers, there is a wealth of data to exfiltrate or leverage for the attacker’s gain. The business was targeted and attacked in February 2019.
Methodology
The attack began on February 20, 2019. With this attack, as with many others, the details are scant. This could have been a great learning activity, especially since the defenses apparently held. The attacker’s focus was on the email system, which was not operating for at least three days. This crippled their communication, internal and external. Fortunately, the dealer network was not affected.
With this attack, since it was not successful, it would have been useful to know at least a portion of the details. If this were to be a successful attack, one could understand why the details would not be made public until the issue was remediated.
Action
As the email system was being attacked, this mode of communication was not operational. The employees had to use other means to communicate with each other. While this was required in order to conduct business, the other methods and means may have had vulnerabilities and inherent, systemic risks. This includes having no control or monitoring over any confidential data leaving the business. This traffic was also being sent through a third party.
The IT Department worked through the attack. At one point, they simply sent the staff home. The business also contracted with cybersecurity experts from around the globe to help with the issue.
Results
As noted, the email system was down for a few days. While a significant detriment, this was not critical. Toyota Australia released a statement noting, in part, that after their investigation they believe private employee and customer data had not been accessed, which is a good thing. The IT Department was working diligently to have the affected systems operational ASAP.

Resources
Bites, C. (2019, February 21). Toyota Australia confirms cyber attack. Retrieved from https://www.itsecurityguru.org/2019/02/21/toyota-australia-confirms-cyber-attack/
Charlwood, S. (2019, February 21). Toyota Australia rocked by cyber attack. Retrieved from https://www.motoring.com.au/toyota-austrailia-rocked-by-cyber-attack-117076/
Duckett, C. (2019, February 21). Toyota Australia confirms ‘attempted cyber attack’. Retrieved from https://www.zdnet.com/article/toyota-australia-confirms-attempted-cyber-attack/
Moore, J. (2019, February 21). Toyota Australia confirms cyber attack. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/toyota-australia-confirms-cyber-attack/
SBS News. (2019, February 21). Toyota Australia embroiled in cyber threat. Retrieved from https://www.sbs.com.au/news/toyota-austraila-embroiled-in-cyber-attack
Tan, A. (2019, February 21). Toyota Australia under cyber attack. Retrieved from https://www.computerweekly.com/news/25248-86/Toyota-Australia-under-cyber-attack
Toyota. (2019, February 21). Toyota Australia statement re attempted cyber attack. Retrieved from https://www.toyota.com.au/news/toyota-australia-statement-re-attempted-cyber-attack


Wednesday, December 11, 2019

Here comes the judge! Oregon Judicial Department Pwned


Throughout each state, county, and city, there are court systems in place. Oregon is no different. In this specific case, Oregon Judicial Department includes the Oregon Supreme Court, Court of Appeals, Tax Court, Circuit Courts in each of the counties, and the Office of the State Court Administrator.
Attack
Phishing is the premier attack used throughout many industries; given the low cost and minimal technology a campaign requires, it is no wonder. The Oregon Judicial Department experienced a phishing attack and was not successful in defending itself. The attack began at 4:30am on July 15, 2019. The successful attack led to five email accounts being compromised. With any phishing attack, the level of success depends on who clicks the link, image, or other lure placed in front of the user. In this case, there were more than 6k persons affected. The affected parties had their personal data exposed.
Data
Each of the 6,607 affected persons, while individuals, faces the same issue. The data exposed included the affected person’s personal data. This included the name and full and partial dates of birth. There was also partial exposure of financial information, health information, and Social Security numbers. This is exactly what the attackers would need to use for identity theft or to sell on the dark web.
Remediation
The affected accounts were disabled within four hours of the issue being detected. The Oregon Judicial Department sent notices to the affected persons. The department will provide credit monitoring services to those affected by the breach. The department also did contact law enforcement and other agencies to assist with the forensic work.
Thoughts
Phishing and the subsequent associated issues (e.g. ransomware, viruses, backdoors, etc.) are a societal problem potentially affecting anyone connected to the internet. One aspect of the remediation that is helpful in theory, but may not be in the long run, is the credit monitoring. The notice did not state how long it was to last, though this is a bit of a moot point. The data exfiltrated with the compromise is partially permanent (e.g. Social Security numbers). While the credit monitoring may last a year, for example, the issue will last well beyond this for the affected persons.

Resources
Associated Press. (2019, August 29). Oregon judicial department hit by phishing attack. Retrieved from https://www.seattletimes.com/seattle-news/northwest/oregon-judicial-department-hit-by-phishing-attack/
Associated Press. (2019, August 29). Oregon judicial department hit by phishing attack, personal information exposed. Retrieved from https://katu.com/news/local/oregon-judiciail-department-hit-by-phishing-attack-personal-information-exposed
Associated Press. (2019, August 29). Oregon judicial department hit by phishing attack. Retrieved from https://www.usnews.com/news/best-states/oregon/articles/2019-08-29/oregon-judicial-department-hit-by-phishing-attack
Associated Press. (2019, August 30). Oregon judicial department hit by phishing attack. Retrieved from https://democratherald.com/news/state-and-regional/oregon-judicial-department-hit-by-phishing-attack/
Breach Exchange. (2019, August 30). Oregon judicial department hit by phishing attack. Retrieved from https://www.bradenton.com/news/business/technology/article234530047.html

Monday, December 9, 2019

Still hacking the cars! MyCar provides yet another attack vector


Vehicles are throughout society. A person can’t walk far without seeing one parked or driving. The vehicles manufactured within the last decade and going forward are and will continue to be connected. This may take the form of GPS to show the driver where they are located, radio, internet access, and other beneficial functions.
While this connectivity clearly is helpful for the users, there are drawbacks. The connectivity allows for additional attack points. One attack point recently detected and exploited was the MyCar app. This all began when the security researcher purchased a remote car starter for his girlfriend. As he installed it, he began to think through the process and whether it was secure, or not. The attack and exploitation were presented by Jmaxx at DEFCON 2019. Having attended the presentation, I found the issues were fully explored in a technical yet graspable manner.
MyCar
The app was created and is marketed by the Canadian company Automobility. The software is rebranded and sold under various other names, including MyCarKia, Visions MyCar, Carlink, and others. The app lets the user interact with the vehicle remotely, including, among other functions, starting the car. This is especially useful when the user is in the office in the middle of January in the Midwest.
Vulnerability
The exploit affected over 60,000 vehicles. One vulnerability is enough of an issue; the more vulnerabilities, the more problematic the system. The flaws noted with this MyCar issue may, among other acts, allow the attacker to steal a vehicle. With the flaws exploited, an attacker could filter by the vehicle model of their choosing. The flaws allow someone to locate, identify, unlock, and start the vehicle, along with triggering the alarm. The attacker could access any user’s data. The system was also open to SQL injection, allowing access to, and the ability to send commands to, any of the subject users’ vehicles. Confirming the issue was real and not a matter of opinion, Automobility issued a statement to the effect that the company was addressing it.
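The SQL injection class of flaw described above is easiest to understand next to its fix. The following is an added example, not MyCar or Automobility code: a hypothetical owner-to-vehicle lookup written with string formatting (the kind of defect that lets one account read every other account’s rows) beside the parameterized version, run against a constructed in-memory SQLite table so both can be compared on the same input. Table columns, account ids and VINs are all invented for the demonstration.

```python
# Added example (not MyCar/Automobility code): a vehicle-lookup query built by
# string formatting beside its parameterized replacement, run against a
# constructed in-memory SQLite table to show why the first leaks every owner's
# rows while the second treats the same input as an ordinary string.
import sqlite3

# Constructed sample data: three owners, each with one vehicle. Column names,
# account ids, models and VINs are invented for this demonstration.
SAMPLE_ROWS = [
    ("acct-100", "Model A", "VIN-CONSTRUCTED-0001", 44.98, -93.27),
    ("acct-200", "Model B", "VIN-CONSTRUCTED-0002", 41.88, -87.63),
    ("acct-300", "Model C", "VIN-CONSTRUCTED-0003", 39.74, -104.99),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table of vehicles keyed by owner account id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vehicles (owner TEXT, model TEXT, vin TEXT, lat REAL, lon REAL)"
    )
    conn.executemany("INSERT INTO vehicles VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vehicles_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Hypothetical 'before' form: the account id is pasted into the SQL text.
    A quote character in `owner` becomes part of the query, so a crafted value
    can rewrite the WHERE clause and return rows belonging to every owner."""
    query = f"SELECT owner, model, vin FROM vehicles WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def vehicles_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened form: the value is bound as a parameter, so the database
    compares it as a plain string and it can never alter the query shape."""
    query = "SELECT owner, model, vin FROM vehicles WHERE owner = ?"
    return conn.execute(query, (owner,)).fetchall()


def compare(owner: str) -> dict:
    """Run both forms on the same input and report how many rows each returns
    and whether any returned row belongs to a different owner (a data leak)."""
    conn = build_db()
    out = {}
    for name, fn in (("vulnerable", vehicles_for_owner_vulnerable),
                     ("safe", vehicles_for_owner_safe)):
        rows = fn(conn, owner)
        out[name] = {"rows": len(rows),
                     "cross_owner": any(r[0] != owner for r in rows)}
    conn.close()
    return out


if __name__ == "__main__":
    print(compare("acct-100"))        # both forms: one row, no leak
    # A tautology in the value makes the vulnerable WHERE clause always true;
    # the parameterized form just looks for an owner literally named that.
    print(compare("x' OR '1'='1"))
```

In a real deployment the owner id should come from the authenticated session rather than a client-supplied field, so that parameterization is backed by an authorization check as well.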
Danger
The issue is not only the vulnerability itself, but also what an attacker is able to do with it. For the subject vehicles, it allows attackers unauthorized access to start the vehicle, among other actions. This breach is significant and may also lead to life-threatening circumstances. If the vehicle were to be started in an enclosed area, e.g. a garage, this could lead to carbon monoxide poisoning for the occupants of the residence. Curiously, the researcher was able to collect 2k location points for the car over a 13-day period. Previously, it was unknown that the vehicle was collecting this much data.
Mitigation
Fortunately, the researcher did notify the organization so they could work on it. As of the presentation, the issues had been primarily resolved.
Resources
EHacking News. (2019, August 12). MyCar exposes thousands of vehicles to hackers. Retrieved from https://www.ehackingnews.com/2019/08/mycar-exposes-thousands-of.html
Greenberg, A. (2019, August 10). A remote-start app exposed thousands of cars to hackers. Retrieved from https://www.wired.com/story/mycar-remote-start-vulnerabilities/
IANS. (2019, August 11). Remote-based app exposed thousands of vehicles to hackers. Retrieved from https://auto.ndtv.com/news/remote-based-app-exposed-thousands-of-vehicles-to-hackers-2083648
IANS. (2019, August 11). Remote-based app exposed thousands of vehicles to hackers-details inside. Retrieved from https://www.timesnownews.com/technology-science/article/remote-based-app-exposed-thousands-of-vehicles-to-hackers-details-inside/467106