Sunday, November 29, 2020

UK flooring firm pwned

Attackers are always looking for new targets. Across the vast expanse of the internet, the field is ripe with people and businesses whose data or operations can be leveraged for a fee. In late November 2020 another company acknowledged such an issue. Headlam Group, a UK flooring distributor based in Birmingham, experienced a successful attack, which it acknowledged on November 24. The attackers were able to exfiltrate data as part of the attack, and to access the back end of the company’s systems, including its email system. The company has since restored its email system for use. The company’s customer and supplier information was accessed. The company did not disclose the method the attackers used; whatever it was, it was effective. We can learn from their unfortunate issue. The attackers need only one vulnerability, or one user to click on one link or picture, while the blue team has to patch everywhere possible, monitor the threat feeds for the latest attacks, think through the various attacks that could occur, and secure the data at rest.

PLEASE contact us when we may be of assistance with embedded systems cybersecurity architecture, validation, and penetration testing. We have a full lab ready to perform.

Charles Parker, II; Principal Scientist; MBA/MSA/JD/LLM/PhD/DCS (IP)

charlesparkerii@gmail.com

810-701-5511

Of all targets, you chose Sophos

You know it’s not going to be a good day when a cybersecurity company is breached. Cybersecurity companies are supposed to be the top tier, the subject matter experts of the field. Since they sell and market their services to other companies, one would infer their stance and defensive posture is beyond reproach. A recent incident at Sophos has shone a light on this. Sophos is a cybersecurity company located in the UK that sells many services. The company is well known in the industry, for good reasons. In mid-November of this year, the company experienced an attack and subsequent breach. The attackers were able to exfiltrate data during the attack, including user names, emails, and contact numbers. Fortunately, per Sophos, only a small number of customers were affected by the issue. This is an example of why we need to maintain vigilance with cybersecurity. This field changes frequently and is not static. A lack of regular updates and monitoring leaves too many viable attack points to try.

Hope you don’t expect automobile connectivity to slow down anytime soon

Automobiles become more connected with each innovation and each model year. This is an extension of consumers’ desire for functionality. These innovations haven’t been only mechanical or about efficiency, but also in the electronics and software applications. While these innovations increase and improve the user experience, the connectivity has, as a by-product, also enlarged the attack surface. There are more points to attack with this in place. The automobile manufacturers have noticed this. In response to the increased attack points and vulnerabilities, the OEMs and Tier 1 and Tier 2 manufacturers have refocused on cybersecurity. This has included additional work from the beginning of projects, focusing on software, hardware, and dependencies. For instance, it is now a general focus during software coding to validate the functionality, test the software, and work to detect any vulnerabilities not previously addressed. Regarding the hardware, each vehicle has an increased number of ECUs (electronic control units) to accommodate the additional functions. These also represent more points for the attackers to address. Providing more points to explore is never a good thing.

Saturday, November 28, 2020

Not enough attention paid to industrial automated systems

Nearly all the products we purchase are processed by automated systems. If these were to stop working, or their workflow were maliciously adjusted, there would be a clear and immediate issue as products were assembled incorrectly or broken during the “adjusted” process. While this has the potential to wreck our way of life if carried out on a large scale, not enough attention has been paid to it. Recently, a new vulnerability was uncovered in this equipment. This vulnerability, which is critical, is in Real Time Automation’s (RTA) 499ES EtherNet/IP (ENIP) stack. The stack is widely used and is the standard for factory floor I/O applications in North American plants. If an attacker is able to exploit this, the equipment could experience a DoS-type attack, and it could allow for remote code execution. This vulnerability, CVE-2020-25159, has the potential not only to shut down a line and part of a plant but also to have the equipment do whatever the unauthorized third party directs it to. Given the importance of these automated processes to society and the costs associated with these lines not being productive, more focus needs to be applied to this. There is even a tool available that scours the internet seeking the robots used in these processes that are not properly secured. Without cybersecurity in place, there is the potential for individual attacks, and much worse with a concerted attack.

Saturday, November 14, 2020

Medical arts still targeted

The medical field has been targeted for attacks over the last few years. The focus has been, and continues to be, the data being held. These attacks may take any of many different forms, depending on the target’s equipment, configurations, and other factors. The data targeted by the attackers has value to them, both directly and for resale. A recent case directly involved this. UCSF experienced a successful attack on June 1, 2020, against its School of Medicine’s IT environment. While the method was not published, the data involved was. The attacker may have had access to current and former employees’ names, Social Security numbers, government ID numbers, medical information, health insurance ID numbers, and possibly financial information.

After the attack was discovered, UCSF contracted with a cybersecurity consultant and others to investigate the breach. The IT system was also analyzed for areas to harden, to minimize the opportunity for this to happen again.

The method used for the successful breach was not made available. It could have been a simple phishing attack, or a more complex, multi-step attack on the system. This attack does, however, emphasize the need for complete defense in depth. This involves staff training, patch management, and updates.

Embedded systems software: Still vulnerable

Our computer systems run on software. Without it, the industry has a vast inventory of boat anchors, paperweights, and expensive equipment to prop doors open. With it, we have finely tuned equipment that works through miraculous tasks. Given our dependency on these systems, seemingly, as a culture and industry, we could learn from our oversights and mistakes. This begins in 2015 with the infamous Miller & Valasek Jeep hack. At that point in time, the embedded systems industry thought passwords made the products secure, that no one would be interested in attacking wireless sensors or cellular, and that a device with a singular function would never be a target. These faulty beliefs were clearly wrong, and our industry has been built on curing these issues.

Embedded systems continue to be excessively insecure, unfortunately. These systems continue to be very accessible. There is no license required to purchase them. The cybersecurity researcher simply has to drive to an auto parts store, log into eBay, or call a junkyard to obtain one or more of these units to test. Once obtained, there are numerous online resources available to guide the researcher through the hardware configuration and OS (e.g. CANbus).

These systems are often not secured. The researcher simply has to connect to them and begin the attack. This is especially the case with the CANbus. Other systems may use Linux or Android for certain functions within a vehicle. While these are an improvement for cybersecurity, they still have ample vulnerabilities depending on the version and other factors.

With these systems, due to their importance in our lives, security should be built in from the beginning phases through production. Adding it in at the last bit of the project has not worked and will not work. We’ve seen this repeatedly. Cybersecurity needs to be incorporated from the beginning and not bolted on at the end of the project, unless you enjoy the opportunity to fix a bug or vulnerability in your product after it is located across the globe.

One of the crown jewels for the attackers is the data. This has to be secured at rest and while it is between the sender and receiver (in transit). When you don’t have this in place, with the appropriate measures working, there will be issues.

Finally, you should think like the attacker would. The person attacking your system isn’t going to care about the project gates or deadlines, about why the cybersecurity issues were not fully addressed, or about the thousandth of a penny you saved by not fully implementing adequate security. The attacker is focused on how to break into your system using present or past tools, or on creating new ones to ensure their success.

Thursday, November 5, 2020

Barbie is not happy: Mattel hit with ransomware

Toys bring a smile to a child’s face. Children, and some adults, look forward to certain events and holidays for an entire year. As much joy and happiness as toys bring to most people, they are manufactured by big business. These businesses, while having a definite role in society, are also a target. The business and its warehousing and manufacturing locations hold data and computer systems that could be exploited. Recently, the toymaker Mattel was hit with ransomware and joined the club of other businesses given the opportunity to work through this issue. With the holidays around the corner, the attackers have no heart!

Mattel

Mattel has been a common name around households for decades, as it has created and produced so many different toys. Mattel has risen to become the second-largest toymaker in the world. The corporation presently has an estimated 24,000 employees, with its headquarters in California. The business is rather large, as an MNB (multi-national business) with locations in 35 different countries. Notably, the business manufactures Barbie. Other subsidiaries familiar to parents and children are Fisher-Price, American Girl, Thomas & Friends, and Hot Wheels.

Attack

Mattel was the recipient of a ransomware attack. The tool used appears to have been the Trickbot variant. This piece of malware was so widely used that it was voted the most dangerous threat to healthcare in 2019. This particular variant has tended to compromise entire networks. The attack occurred on July 28, 2020. Mattel published this in early November 2020 in its 10-Q (quarterly report to the U.S. Securities and Exchange Commission). The report noted on page 31: “On July 29, 2020, Mattel discovered that it was the victim of a ransomware attack on its information technology systems that caused data on a number of systems to be encrypted.” This was also noted on page 52 of the same report.

After the Detection

As alluded to earlier, this did affect operations. The attack affected a portion of the business operations. Fortunately, there was no data theft. Once the attack was detected, the business began its response protocols. This included methods to stop the attack and begin restoring the impacted systems. Through the good work of its cybersecurity team, the attack was contained. The business did a complete forensic investigation to ensure the issue was contained and removed from its systems. The forensic team noted no data was exfiltrated, which is a clear benefit.

Discussion

Educating your staff continues to be the first line of defense against ransomware. With this in place, the opportunity for ransomware to take over your system is limited.

Sunday, November 1, 2020

Why are embedded systems being ignored?

In InfoSec, most of the focus and attention has been on the enterprise. When students are matriculating or getting certifications, the focus is on the enterprise. Granted, the enterprise is experienced through the business network, laptops, servers, and the infamous data center. One area, though, which has not received the relative attention it should is embedded systems. These are present in many of the products we experience day in and day out, during the workday and as consumers. They include the IoT devices we use every day, the vehicles that use them throughout their systems, and other equipment. With these in use through the majority of our lives, both at work and at home, they should be better known, and more people should be concerned with them. The issue, by extension, is that there is not the focus on securing them that there should be.

One point with this is the perception that building in cybersecurity from the beginning of the project, through development, and into production is expensive. Granted, there is a cost to this due to the direct labor, materials, and overhead. For the direct labor tasked with this, a full-time employee is not required in most instances. The person may be tasked across several projects. The tasked cybersecurity expert may have their costs distributed across the various projects, making this less costly per project. Compare this with the cost of a breach. As an example, the FCA Jeep hack began at $17M and the costs have increased exponentially with the lawsuits.

Projects have a timeline. The project team lead has certain gates they have to meet at certain points in time. If these are not met, there can be rather significant financial effects. When a project is a bit behind, certain areas may need to be worked on at a later date if the client refuses to budge or work with the vendor. One of these, unfortunately, has tended to be cybersecurity. Somewhere along the way, project managers created the idea that cybersecurity could be added at the end of the project or later in time. There is the impression this can just be bolted on to the project at some point. Nothing could be further from reality. The cybersecurity solution architected for a specific use case is not a simple, short process in most instances, due to the technical nature of compromises and the complexity of connected systems. It requires a well-thought-through solution. This needs to be incorporated from the beginning of the project and built in through every step.

The alternative is a product with an insecure embedded system, and we have seen how that has not worked out well.