In Dec 2019, a researcher found a publicly accessible unsecured Elasticsearch database cluster that exposed 26,000 records of North American Honda customers. The database contained personally identifiable information (PII), as well as their vehicle information such as make & model, vehicle identification numbers (VINs), and service information.
Disaster struck again for the Japanese automobile manufacturer in June of 2020, when Honda’s Twitter page posted the first in a series of messages warning customers of looming issues, saying that the customer service and financial departments were "experiencing technical difficulties and are unavailable."
SNAKE ransomware is strongly suspected to be the culprit of the Honda attack, with the SNAKE operators saying they would "not share details about the attack in order to allow the target some deniability." SNAKE is thought to be a relatively unsophisticated ransomware product, and is not thought to exfiltrate data, yet it is able to stop processes within the company network, with Industrial Control Systems (ICS) being a common target of the ransomware.
Analysis of the malware on VirusTotal shows that the internal domain mds.honda.com was found embedded in the SNAKE ransomware and used as a killswitch because that domain is not resolvable from the internet. Ironically, SNAKE operators may have learned about that domain from another earlier Elasticsearch misconfiguration data breach in July 2019 that exposed 40GB of data including information about Honda’s internal networks and systems.
The latest statement from Honda spokespeople to Forbes on June 10th says, "Honda has experienced a cyberattack that has affected production operations at some U.S. plants. However, there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio." Plants in Ohio, Turkey, India, and Brazil remain suspended. A plant in the UK restored operations within a couple days.
While most assume that a company like Honda must have had the knowledge, skillset, funding, and sophistication to deploy a solid cyber security solution at their production sites, many secondary global sites operate with relative autonomy, in every industry. Let’s take a look at a few of the solutions which might have been useful in protecting Honda in this situation.
Firewall & Antivirus
It is thought that the SNAKE Ransomware gained entry via a phishing attack, possibly COVID-19 related. Once a server was infected, the ransomware spread quickly, likely infecting production ICS servers and encrypting the data. Although Honda uses network firewalls and anti-virus products, SNAKE was smarter and able to circumvent both because there was little or no cooperation between the firewalls and the endpoint security technologies.
A more holistic solution would be where the firewall, when detecting Command & Control (C&C) communication, tells the endpoint security agent to rescan looking for infection. The rescan would have found the SNAKE files and would have prevented the ransomware from activating by telling the firewall to kill sessions to the C&C server, blocking download of command instructions.
A more robust endpoint security product would have the ability to detect the ransomware encryption process and immediately kill it while identifying and removing the controlling malware file. The endpoint technology should then search all other systems for the same controlling file and remove it network-wide.
Sangfor’s Security Solution for Ransomware
Sangfor provides a security solution tailor-made to protect against ransomware. This solution understands each step of the “kill chain” the malware uses to infiltrate, infect, and exploit a network and its systems. It is a holistic solution in which components like the Sangfor Next-Generation Application Firewall (NGAF) integrate and communicate directly with the Sangfor Endpoint Secure agents to identify malicious network and endpoint behaviours and implement a coordinated response.
Endpoint Secure also has a built-in Ransomware Honeypot capability to detect when ransomware starts to encrypt files, stop it, and then search the organization for the same controlling file and delete it from every system.
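An added example (not Sangfor's code and not part of the original article) of the decoy-file detection that a ransomware honeypot relies on: it plants canary files, records their hashes, and flags any that are rewritten with high-entropy content or renamed. The file names, the `.locked` extension and the 7.0 bits-per-byte threshold are assumptions chosen for illustration; the response step (killing the process, hunting for the controlling file) is out of scope here.

```python
import hashlib, math, os, tempfile
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def plant_canaries(directory, names=("~000_budget.docx", "~000_passwords.txt")):
    """Write decoy files (hypothetical names) and return {path: sha256}."""
    baseline = {}
    content = b"Decoy document. Do not edit.\n" * 200
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(content)
        baseline[path] = hashlib.sha256(content).hexdigest()
    return baseline

def check_canaries(baseline, entropy_threshold=7.0):
    """Return (path, reason) alerts for every canary that was touched."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            # Ransomware commonly renames files after encrypting them.
            alerts.append((path, "missing_or_renamed"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            high = entropy(data) >= entropy_threshold
            alerts.append((path, "high_entropy_rewrite" if high else "modified"))
    return alerts

def demo():
    """Constructed scenario: one decoy overwritten, one renamed."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_canaries(d)
        clean = check_canaries(baseline)          # nothing touched yet
        first, second = sorted(baseline)
        with open(first, "wb") as f:
            f.write(os.urandom(4096))             # stands in for ciphertext
        os.rename(second, second + ".locked")     # constructed extension
        return clean, sorted(check_canaries(baseline))

if __name__ == "__main__":
    print(demo())
```

Because legitimate users have no reason to open the decoys, any alert is a high-confidence signal, which is what makes it safe to tie an automated response to it.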
You can watch a video of the Sangfor Security Solution for Ransomware in action here.
Sangfor's Incident Response for Ransomware
In addition to its suite of advanced Security products, Sangfor also provides a closed-loop incident response service solution to organizations. Since the beginning of the year, Sangfor has already handled hundreds of cases for the Manufacturing industry, as well as other core industries such as Finance & Banking.
The scope of the incident response service includes, but is not limited to: Malware In-depth Analysis, Malware Eradication, Remediation, Security Incident Report and so on.
For more information about Sangfor Incident Response service, please visit our webpage.
Sangfor is committed to building the most useful, cutting-edge and next-level solutions for security, cloud and infrastructure. Sangfor updates are consistent, with our skilled R&D department constantly developing the most requested and needed malware, ransomware and malicious software protection solutions for our partners and customers.
Sangfor Technologies is an APAC-based, global leading vendor of IT infrastructure solutions specializing in Network Security and Cloud Computing. Visit us at www.sangfor.com to learn more about Sangfor’s HCI and SCP cloud solutions, and let Sangfor make your IT simpler, more secure and more valuable.