Sunday, July 26, 2020

BMW breached

Attackers are always looking for new targets rich with data, and the auto manufacturers have been one frequently targeted industry. The data of interest may take the form of patent information, technology secrets, mechanical solutions, corporate secrets, intellectual property, schematics, new systems, or personally identifiable information. Nearly all of this is marketable on the dark web or usable for industrial espionage.

Targets

The number of attacks continues to grow with each month, quarter, and year. In recent history there have been successful attacks on the OEMs, which hold massive amounts of data on their operations, projections, and corporate confidential matters. One recent notable attack was on Toyota in Australia.

Attackers

That attack was allegedly perpetrated by APT32, a Vietnamese group with ties to the Vietnamese government, also known as OceanLotus. The group has been operating since at least 2014. According to the reports, the same group was responsible for the BMW breach discussed here, and it has been active in other recent attacks as well, including one on Hyundai.

Breach

With an attack on a large enterprise, determining when the attack actually began may not be as simple as it seems. In this breach, a branch of BMW had its network compromised sometime in the spring of 2019. BMW did detect the intrusion, but management allowed the attackers to keep their foothold. While this seems counter-intuitive, there was a rationale: BMW wanted to follow the attackers' actions and gauge how far they were able to penetrate the network. Once BMW understood the attack and its extent, it removed the attackers' access in November 2019.

Method

Breaching the network of a global manufacturer head-on is not an easy task, so in this case the attackers used an indirect method. They set up a website that appeared to be for the BMW branch in Thailand; curiously, the same method was reportedly used successfully against Hyundai. Hosts that connected to the site were infected with Cobalt Strike. Cobalt Strike itself is a legitimate commercial tool used for security assessments and penetration tests, but in the attackers' hands it gave them remote access to the compromised hosts. From there they could find unpatched vulnerabilities and misconfigurations, gain further access into the network, monitor and control systems, harvest login credentials, and widen the infected footprint. According to the reports, they also installed a backdoor into the breached network, and this is what led to their detection.
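
The intrusion above started with a site posing as a BMW branch site, so one cheap control is to flag domains in proxy logs or new-domain feeds that closely resemble a brand you care about. The check below is an added example written for this post; it is not code from BMW or from the reporting. The brand watch-list, the homoglyph table, the threshold, and the candidate domains are all constructed for the example; a real deployment would also use a public-suffix list and an allow-list of the brand's own domains.

```python
"""Lookalike-domain check for proxy logs or new-domain feeds.

Added example, not code from the original post or from BMW. The brand
watch-list, the homoglyph table and the threshold are assumptions; tune
them against your own traffic.
"""
import unicodedata
from difflib import SequenceMatcher
from typing import Iterable, Optional, Tuple

BRANDS = ["bmw", "hyundai", "toyota"]  # assumed watch-list for this example

# ASCII substitutions commonly used to make a lookalike label pass a glance.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "@": "a"}


def normalize(label: str) -> str:
    """Lowercase, decode punycode, strip diacritics, undo ASCII homoglyph swaps."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw label
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    for swap, plain in HOMOGLYPHS.items():
        label = label.replace(swap, plain)
    return label


def registrable_label(domain: str) -> str:
    """Label left of the TLD (naive: no public-suffix list, so co.uk-style suffixes are not handled)."""
    parts = domain.strip().strip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_score(domain: str, brand: str) -> float:
    """Similarity in [0, 1] between the domain's registrable label and a brand name."""
    label = normalize(registrable_label(domain))
    if brand in label and label != brand:
        return 0.95  # brand embedded in a longer label, e.g. <brand>-thailand-portal
    return SequenceMatcher(None, label, brand).ratio()


def classify(domain: str, brands: Iterable[str] = BRANDS, allowlist: Iterable[str] = (),
             threshold: float = 0.8) -> Optional[Tuple[str, float]]:
    """Return (brand, score) for a suspected lookalike, or None for an unrelated or allow-listed domain."""
    if domain.lower().strip(".") in set(allowlist):
        return None  # the brand's own domains must be allow-listed or they match themselves
    best = None
    for brand in brands:
        score = lookalike_score(domain, brand)
        if score >= threshold and (best is None or score > best[1]):
            best = (brand, score)
    return best
```

Run `classify()` over the distinct registrable domains seen in a day of proxy logs and review anything that scores above the threshold and is not allow-listed; the score is a triage aid, not proof, so the hit still needs a human to look at the page.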

Data

BMW stated that no sensitive data was accessed by the attackers, which is a positive outcome.

In closing…

This successful attack shows the importance of working with the staff. Staff need to understand how important cybersecurity is and that it is everyone's responsibility. This isn't something to be addressed once a year with mandatory training. The training should reinforce the risks of lookalike websites and what can happen when the wrong website is visited. Attention to detail is important.

Resources

Cimpanu, C. (2019, December 6). BMW and Hyundai hacked by Vietnamese hackers, report claims. Retrieved from https://www.zdnet.com/article/bmw-and-hyundai-hacked-by-vietnamese-hackers-report-claims/

EHacking News. (2019, December 7). BMW and Hyundai networks compromised by Vietnamese hackers. Retrieved from https://www.ehackingnews.com/2019/12/bmw-and-hyundai-networks-compromised-by.html

Gatlan, S. (2019, December 6). BMW infiltrated by hackers hunting for automotive trade secrets. Retrieved from https://www.bleepingcomputer.com/news/security/bmw-infiltrated-by-hackers-hunting-for-automotive-trade-secrets/

NewtonBaba. (2019, December 7). BMW & Hyundai hacked by Vietnamese hackers-Report. Retrieved from https://www.newtonbaba.com/bmw-hyundai-hacked

Paganini, P. (2019, December 7). Alleged Vietnamese OceanLotus (APT32) hackers breached the networks of the car manufacturers BMW and Hyundai to steal trade secrets. Retrieved from https://securityaffairs.co/wordpress/94805/hacking/ocean-lotus-hacked-BMW-hyundai.html

Toulas, B. (2019, December 7). Vietnamese hackers “APT32” hacked Hyundai and BMW. Retrieved from https://www.technadu.com/vietnamese-hackers-apt32-hacked-hyundai-bmw/86959/

Tuesday, July 21, 2020

Here we go again: Jackpotting ATMs

Everyone loves money. It allows us a certain level of freedom in the items we use, where we would like to travel, gifts to our friends, and a level of comfort for the future. They say cash is king, and certainly during this period it has tended to be. One piece of equipment that holds a mass amount of cash is the ATM. People have dreamed of simply walking by and having money fly out at them. As bizarre as this sounds, jackpotting has been demonstrated as a proof of concept since at least 2010. The history lesson begins with Black Hat in 2010. Barnaby Jack's presentation showed two different methods to jackpot an ATM, that is, to direct it to spew out the bills it contained. One attack was carried out remotely over the network and the other required physical access through the front of the machine. The audience was, naturally, suitably impressed by his expertise. At the time he was the Director of Security Research at IOActive Labs. Over the years the research continued, and other methods to jackpot ATMs were found and published.

The new attack is focused on Diebold Nixdorf machines. Diebold Nixdorf made $3.3B from ATM sales and the associated service plans in 2019 and is one of the most notable ATM manufacturers.

New Attack

Well, there is a new ATM attack in town, and it does not work on all ATMs. The attackers have been using the new method against Diebold's ProCash 2050xe USB terminals. The newly published attack uses a black box running proprietary code from the ATM manufacturer (Diebold) against the ATM's dispenser. To carry it out, the attackers have to physically connect the black box to the ATM. This is done by unlocking the ATM chassis, drilling holes into the chassis at selected points, or otherwise bypassing the physical security. The attacker then unplugs the cord from the CMD-V4 dispenser and plugs in their own patch cord in its place. At that point the ATM is pwned, as the black box issues the dispense commands.

The end result is cash flowing from the machine to the attackers, who are not authorized to receive it. Depending on the inventory held in the ATM, this could be as many as 40 bills every 23 seconds, or $800 every 23 seconds if the machine holds only $20s.

From what is known, the attacks use a portion of the ATM's own software stack. It isn't known for certain how the attackers gained access to the code: the software is proprietary, and one can't simply ask Dr. Google and download it. They may, however, have extracted the requisite software from an unencrypted hard drive that was unaccounted for.

PoC or not?

Noting that an attack is workable and potentially viable is one thing. Showing that it has been carried out outside the lab, in the real world, is another issue entirely. In this case, the attack has been used across Europe.

Mitigations

All is not lost, and there does not need to be a 24-hour security guard at each affected machine. Diebold has provided mitigations and urgently recommended that customers verify they are in place. These include running CMD-V4 firmware version 2011 or later, enabling the firmware fuse, using secure encryption handling with the enhanced keystore format, enabling 3DES encryption, and verifying that the encryption is actually active on the machine. The document from Diebold is very helpful for the implementation.
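
The attack in the Method section and the mitigations above come down to one question: does the dispenser execute whatever well-formed command arrives on its cable, or only commands it can verify came from the ATM's own PC core? The model below is an added example written for this post; it is not Diebold's protocol, firmware, or code, and the frame layout, the demo key, the cassette contents, and the use of HMAC-SHA256 are all assumptions. It puts a dispenser that trusts the cable next to one that requires each dispense frame to be authenticated under a key the black box does not hold and bound to a one-shot challenge, so a captured frame cannot be replayed either.

```python
"""Model of the command channel between an ATM's PC core and its cash dispenser.

Added example, not Diebold's protocol, firmware or code: the frame layout, the
demo key and the cassette contents are assumptions. It contrasts a dispenser
that executes any well-formed dispense frame arriving on its cable (what a
black box exploits) with one that only executes frames authenticated under a
key shared by the PC core and the dispenser and bound to a one-shot challenge.
"""
import hashlib
import hmac
import os
import struct

DEMO_KEY = bytes(range(32))  # constructed demo key; a real one is provisioned per dispenser
TAG_LEN = 32


class UnauthenticatedDispenser:
    """Executes any 2-byte big-endian 'count' frame it receives on the cable."""

    def __init__(self, bills: int):
        self.bills = bills

    def handle(self, frame: bytes) -> int:
        if len(frame) != 2:
            return 0
        (count,) = struct.unpack(">H", frame)
        dispensed = min(count, self.bills)
        self.bills -= dispensed
        return dispensed


class AuthenticatedDispenser:
    """Executes a frame only if HMAC(key, count || nonce) verifies and nonce is the live challenge."""

    def __init__(self, bills: int, key: bytes):
        self.bills = bills
        self._key = key
        self._nonce = None  # nothing can be dispensed until the host requests a challenge

    def challenge(self) -> bytes:
        self._nonce = os.urandom(8)
        return self._nonce

    def handle(self, frame: bytes) -> int:
        if len(frame) != 2 + 8 + TAG_LEN:
            return 0
        count_bytes, nonce, tag = frame[:2], frame[2:10], frame[10:]
        expected = hmac.new(self._key, count_bytes + nonce, hashlib.sha256).digest()
        if self._nonce is None or nonce != self._nonce or not hmac.compare_digest(tag, expected):
            return 0  # forged tag, stale or replayed challenge: refuse to dispense
        self._nonce = None  # challenge consumed: the same frame can never be accepted again
        (count,) = struct.unpack(">H", count_bytes)
        dispensed = min(count, self.bills)
        self.bills -= dispensed
        return dispensed


def raw_dispense_frame(count: int) -> bytes:
    """What a black box sends to the unauthenticated dispenser."""
    return struct.pack(">H", count)


def host_dispense_frame(dispenser: AuthenticatedDispenser, key: bytes, count: int) -> bytes:
    """What the PC core sends: the count bound to a fresh challenge under the shared key."""
    nonce = dispenser.challenge()
    count_bytes = struct.pack(">H", count)
    tag = hmac.new(key, count_bytes + nonce, hashlib.sha256).digest()
    return count_bytes + nonce + tag


def black_box_replay(dispenser, frame: bytes, rounds: int) -> int:
    """A black box on the cable re-sending the same frame; returns total bills obtained."""
    return sum(dispenser.handle(frame) for _ in range(rounds))


def demo() -> dict:
    """Run both dispensers against the same black-box behaviour (cassette of 200 bills, constructed)."""
    legacy = UnauthenticatedDispenser(bills=200)
    stolen = black_box_replay(legacy, raw_dispense_frame(40), rounds=3)

    secure = AuthenticatedDispenser(bills=200, key=DEMO_KEY)
    captured = host_dispense_frame(secure, DEMO_KEY, 40)  # a legitimate frame the black box sniffs
    legit = secure.handle(captured)
    replayed = black_box_replay(secure, captured, rounds=5)
    # black box that can obtain a challenge from the dispenser but has no key: tag does not verify
    forged = secure.handle(host_dispense_frame(secure, b"guessed-key", 40))

    return {"unauth_stolen": stolen, "unauth_left": legacy.bills,
            "auth_legit": legit, "auth_replayed": replayed, "auth_forged": forged,
            "auth_left": secure.bills}


if __name__ == "__main__":
    print(demo())
```

The model only covers authentication of the command; confidentiality of what travels on the cable is a separate property. Whatever the real mechanism, it is only as strong as the key material in the dispenser: a key that can be read off an unencrypted disk or a dispenser that still accepts the legacy unauthenticated frame alongside the authenticated one gives the black box its opening back, which is why the vendor list pairs the encryption items with firmware and keystore settings and with verifying that the feature is actually active.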

Potential

Yes, this is a viable attack and not just a lab exercise. It can, however, only be carried out in a limited set of circumstances. After all, if one of these machines were in a mall, someone isn't going to waltz up at noon on a Saturday, gingerly pry open the front of the ATM, and hope nobody notices or calls law enforcement, still less drill through the aluminum plating several times and thread a patch cord through a hole. There is always the option of a key to unlock the ATM, but that would also look a bit fishy as the attackers plug their cord into the machine. If the machine were outside, perhaps the attack could be done under cover of darkness, but cameras are everywhere in that environment: the attackers would probably be recorded, and they also run the risk of law enforcement stopping by.

It is also notable that the black box does not need to be a laptop with a 13-inch screen. It could be built on an Arduino or Raspberry Pi, whose housings are very small by comparison. While this would still look a little odd to the shoppers in our scenario, hardware that small is easy to hide and to manipulate.

Resources

Diebold Nixdorf. (2020, July 15). 020-27/0003-Jackpotting with black box in Europe. Retrieved from https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/diebold-nixdorf-security-alert-2.pdf

Diebold Nixdorf. (n.d.). Cyber attacks are on the rise. Find out how you can protect your network comprehensively. Retrieved from https://www.dieboldnixdorf.com/-/media/diebold/files/banking/insights/brochures/dn_brochure_security-jackpotting-overview_fa_20181005.pdf

Goodin, D. (2020, July 20). Crooks have acquired proprietary Diebold software to "jackpot" ATMs. Retrieved from https://arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/

ThreatPost. (2020, July 21). Diebold ATM terminals jackpotted using machine's own software. Retrieved from https://threatpost.com/diebold-atm-terminals-jackpotted-using-machines-own-software/157575/

Zetter, K. (2010, July 20). Researcher demonstrates ATM 'jackpotting' at Black Hat conference. Retrieved from https://www.wired.com/2010/07/atms-jackpotted/

Friday, July 17, 2020

If someone has to tell you of your compromise...

Marketing has changed over the years. In the last decade or so it has transitioned from print, radio, and television to digital media. While the goal is the same, the media itself has changed. The people involved, social influencers, aren't just taking selfies; they have made this into a business. One firm embracing this is Preen.Me, based in Tel Aviv, a next-generation marketing platform. A by-product of running such a platform is exposure to cyberattacks, which the firm found out the hard way.

Attack

This is an odd situation. Yes, there was a breach, and data was exfiltrated; this is documented by the sample the attacker published. Generally, when this happens, everyone relevant gets involved to investigate, and third parties may be brought in to fully review the attack, the methods, and other aspects. At least through the three weeks after the organization learned of the breach, it had still not announced anything about the attack, and publication of the attack methods and the post-breach remediation seems unlikely as well. It is interesting that the organization did not know it had been breached. Once a third party let them know, one would expect the cybersecurity department to be working intensely to find the root of the issue.

Discovery

As a rule of thumb, an organization should be aware when it has been breached. The cybersecurity team is there to review the logs, alerts, and other red flags that indicate a problem. When the organization has no idea, this implies some form of systemic problem. In this case, Preen.Me was notified of the issue by Risk Based Security, which discovered the compromise on June 6, 2020, when the attacker announced they had successfully attacked Preen.Me's systems and exfiltrated the data. To document this, 250 of the records were posted to Pastebin the same day.
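
How the data left Preen.Me has not been published, so the following is not a reconstruction of that breach. It is an added example of the kind of log review the paragraph above calls for: one client walking a per-user API in sequence, which is a common way a large user table ends up in an attacker's hands and which is visible in ordinary web server logs before anyone posts a sample to Pastebin. The code and the log lines are constructed for this post; the endpoint path, the thresholds, and the common-log-format layout are assumptions.

```python
"""Bulk record-enumeration detector over web access logs.

Added example, not Preen.Me's code and not a description of the Preen.Me
breach vector (unpublished). All log lines are constructed, in common log
format; the per-user endpoint and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RECORD_PATH_RE = re.compile(r"^/api/users/(?P<id>\d+)$")  # assumed per-user record endpoint


def constructed_log() -> List[str]:
    """Two ordinary visitors plus one client walking ids 5000..5029 inside 30 seconds."""
    lines = [
        '203.0.113.9 - - [06/Jun/2020:10:00:01 +0000] "GET /api/users/1042 HTTP/1.1" 200 812',
        '203.0.113.9 - - [06/Jun/2020:10:04:40 +0000] "GET /api/users/2210 HTTP/1.1" 200 790',
        '203.0.113.21 - - [06/Jun/2020:10:01:15 +0000] "GET /login HTTP/1.1" 200 2210',
        '203.0.113.21 - - [06/Jun/2020:10:01:30 +0000] "GET /api/users/77 HTTP/1.1" 200 801',
    ]
    lines += [
        f'198.51.100.77 - - [06/Jun/2020:10:02:{sec:02d} +0000] "GET /api/users/{5000 + i} HTTP/1.1" 200 805'
        for i, sec in enumerate(range(10, 40))
    ]
    return lines


def parse(line: str) -> Optional[Tuple[str, datetime, int]]:
    """Return (ip, timestamp, record_id) for successful per-user record fetches, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("status") != "200":
        return None
    p = RECORD_PATH_RE.match(m.group("path"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(p.group("id"))


def find_enumerators(lines: List[str], window_seconds: int = 60, min_records: int = 20) -> Dict[str, dict]:
    """Flag clients fetching >= min_records distinct records inside any window_seconds span.

    For each flagged client the densest window is reported, with the share of
    consecutive ids (1.0 means a straight walk through the id space).
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, ts, rid = parsed
            events[ip].append((ts, rid))

    flagged: Dict[str, dict] = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ids = sorted({rid for _, rid in evs[start:end + 1]})
            if len(ids) < min_records or (ip in flagged and len(ids) <= flagged[ip]["records"]):
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]
            flagged[ip] = {
                "records": len(ids),
                "sequential_ratio": sum(1 for s in steps if s == 1) / len(steps),
                "window_start": evs[start][0].isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for ip, hit in find_enumerators(constructed_log()).items():
        print(ip, hit)
```

A high count with a sequential ratio near 1.0 is the signature of an id walk rather than normal browsing; the same logic works on per-API-key or per-session counts where the scraper rotates source addresses. Thresholds should be set from a baseline of the platform's own traffic, and the alert is only useful if someone is assigned to look at it.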

Data

While this was not the largest breach, the number of people affected is still significant: approximately 100,000 social media influencers had their personal information accessed by an unauthorized third party. The breach also led to the information of another 250,000 social media users being posted on a dark web site. The data consists of the influencers' links to their individual social media accounts, email addresses, names, phone numbers, and home addresses.

Effects

While merely having the data on the dark web for anyone to view is not the optimal scenario, the data has another use for attackers: it may be used to scam the people involved, since it gives the attackers verified names and contact details to target. From the published accounts, no data the attackers could sell rapidly (e.g., social security numbers) appears to have been stolen. The hope is that the company provides an announcement and does something for the affected persons.

Resources

Coker, J. (2020, June 25). 350,000 social media influencers and users at risk following data breach. Retrieved from https://www.infosecurity-magazine.com/news/data-breach-social-media/

Dissent. (2020, June 25). Personal data of 350,000+ social media influencers and users compromised following preen.me hack. Retrieved from https://www.databreaches.net/personal-data-of-350000-social-media-influencers-and-users-compromised-following-preen-me-hack/

Duran. (2020, June 29). The personal data of 350,000 social media influencers and users is at risk after a preen.me data breach. Retrieved from https://www.cyclonis.com/personal-data-of-350000-social-media-influencers-users-at-risk-after-preen-me-data-breach/

RBS. (2020, June 24). Personal data of 350,000+ social media influencers and users compromised following preen.me hack. Retrieved from https://www.riskbasedsecurity.com/2020/06/24/personal-data-of-350000-social-media-influencers-and-users-compromised-following-preen-me-hack/

Security Experts. (2020, June 26). Experts on 350,000 social media influencers and users at risk following data breach. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/experts-on-350000-social-media-influencers-and-users-at-risk-following-data-breach/


Friday, July 3, 2020

Maine State Police database pwned


Each municipality and state has some form of police presence, and Maine is no different. Police departments hold an immense amount of data on past crimes, current investigations, and other matters.

Target

The database was used for information sharing among federal, state, and local law enforcement, and the breach may have jeopardized ongoing investigations. The database, at the Maine Information and Analysis Center (MIAC), is intended to assist with protecting against terrorism and other significant crimes. It mostly holds information on criminal offenses and bulletins; the bulletins often contain identifying information on the subject of an investigation, such as full name and date of birth. The database allows regional law enforcement to share data and collaborate to solve crimes.

Attack

The state police were notified of the data breach on June 20, 2020, by Netsential, and the exposure may have included certain information from the Maine Information and Analysis Center (MIAC). Netsential has been contracted by the state police since 2017 and provides web hosting services to hundreds of law enforcement and government agencies across the country. The attack vector and method(s) used have not been published, which is unfortunate, as this could be a learning experience for others.

Post-Breach

The state police contacted the FBI's Houston Field Office to investigate and determine the extent of the data breach. While the details are scant, this serves as another example of why an organization needs an incident response plan in place, one that also covers a breach at a third-party provider holding its data. While this affected a single database, it could have been much larger and more devastating.

Resources

Associated Press. (2020, June 27). Security breach impacts Maine State Police database. Retrieved from https://www.boston.com/news/local-news/2020/06/27/security-breach-impacts-maine-state-police-database

Boston Globe. (2020, June 28). Security breach impacts Maine State Police database. Retrieved from https://www.newsbreak.com/maine/augusta/news/0PSSTMTZ/security-breach-impacts-maine-state-police-database

Caledonian Record. (2020, June 28). Security breach impacts state police database. Retrieved from https://www.caledonianrecord.com/news/regional/security-breach-impacts-state-police-database/article_868571e7-55ca-5514-99da-fc012f15b021.html

Coleman, M. (2020, June 27). Security breach impacts Maine State Police database. Retrieved from https://upnewsinfo.com/2020/06/27/security-breach-impacts-maine-state-police-database/

England, K. (2020, June 26). Maine State Police statement on third-party data breach involving the Maine Information and Analysis Center (MIAC). Retrieved from https://www.maine.gov/dps/msp/media-center/public-releases/maine-state-police-statement-third-party-data-breach-involving-maine

WGAN. (2020, June 29). Security breach impacts Maine State Police database. Retrieved from https://wgan.com/news/074470-security-breach-impacts-maine-state-police-database/