Security Week 31: attack on Garmin infrastructure

Like the attack on Twitter last week, Garmin's IT outage will continue to be studied for a long time as an example of a massive hack with serious consequences. Although the manufacturer of navigation and fitness equipment, software and services did not officially admit this at the time of publication, it is highly likely that Garmin became the victim of a targeted attack with data encryption and subsequent ransom demand.

Such incidents occur in corporations on a regular basis, but it is quite rare that we see consequences on this scale: the attack took down the website, the call center, cloud data synchronization services, a critical tool for amateur pilots, and even production lines.

Sources of information:

- Official communication of the company.

- Bleeping Computer article with anonymous accounts from Garmin employees.

- ThreatPost review with links to reports on the manufacturing problems in Taiwan.

- ZDNet article with examples of service failure on the user side.

- News on Habré.


Problems with access to Garmin services began on Thursday, July 23; company representatives confirmed this on Twitter the next day. On Saturday, July 25, the manufacturer's website came back up with a brief notice about the incident. It disclosed no details, did not confirm a cyberattack, and described the situation with the short and uninformative word "outage" ("technical problems").


Garmin's official position is as follows: the "problems" affect the entire technical support system (phone, mail, chat). The Garmin Connect service is unavailable for consumer fitness devices. If you are out of luck and have just bought a Garmin smartwatch, you will not even be able to activate it. Data synchronization does not work either, and it is needed, for example, to view sports statistics in the app. The inReach satellite communication service was partially affected (the connection itself works, but data synchronization is broken).

The notice does not mention the FlyGarmin platform, but it was completely down. This is a professional service for amateur pilots; its failure makes it impossible to download fresh maps, which in turn makes it impossible to file for a flight. The only positive point is that, according to Garmin's preliminary estimates, payment and other user data were not affected.

In general, the "technical problems" turned out to be complex and large-scale, affecting almost every area of the company, from support to production. What was it? For now, we have to rely on the accounts of company employees who wished to remain anonymous. Apparently, the problem was caused by an attack followed by data encryption. Bleeping Computer provides screenshots of encrypted files and of ransom notes in which the company's name is stated. According to one of the sources, the attackers demanded $10 million.


Ideally, a ransomware attack should not have consequences on this scale. According to some sources, the entry point may have been the production facility in Taiwan, and under normal circumstances the attack should not have spread to other parts of the infrastructure. But that is too simple a conclusion in the absence of confirmed information. Shutting down the company's digital services may have been a precautionary measure. In addition, we are talking about a targeted attack that may have begun long before it became known. The criminals probably had time to prepare: this is clearly not an indiscriminate attack using a common Trojan at random.

A detailed incident analysis from Garmin would help other companies respond more effectively to such attacks. How quickly and to what extent such information is disclosed depends on the victim. So far, there is only one comparable attack for which detailed information is publicly available: the extortion attack on Maersk after its systems were compromised in 2017. In that case the entire network infrastructure was also affected, and 4,000 servers and 45,000 computers had to be rebuilt. The damage was about $300 million.

Affected owners of Garmin devices complain about the dependence on network infrastructure: without the cloud services, it is impossible even to change the watch face. Whether this is justified is another matter, but our dependence on network services can be taken as a fact. The operators of those services should clearly invest more in protection against cyberattacks.

What else happened:

The links in the tweet above lead to interesting research from Google. The question the experiment was meant to answer: if a user searches the Internet for symptoms of food poisoning, does an unscheduled inspection of the restaurants they visited pay off? It turns out that it does: quality checks at the suspected restaurants found violations three times more often than usual. On the one hand, this is an example of using technology to improve safety. On the other hand, it demonstrates the remarkable possibilities for tracking users.

Bleeping Computer journalists write about the activities of anonymous "noble robbers" who break into the infrastructure of the Emotet spam botnet. That infrastructure is also used to redirect spam recipients to malicious pages, and it is precisely these links that the hackers replace with harmless pictures, carefully chosen to troll the botnet's operators. How the "GIFs instead of Trojans" campaign works is shown in the video above.

Another example of (still dubious) activity in which "good Samaritans" correct other people's cyber mistakes with their own hands. Unknown actors delete user databases that were exposed to the public by mistake, leaving behind a one-word calling card: "meow."

Updates on the main event of last week (see the previous digest). Reuters correspondents report that about a thousand employees of the company had access to the console that provides full control over Twitter accounts. These included people who were not even on staff, such as representatives of large contractors. It is likely that the rules for accessing the admin panel will have to be revised after the incident.

An excellent Ars Technica piece tells the story of Adobe Flash, once a breakthrough platform for online creativity, which later became the main Achilles heel of any user's computer for several years. Flash Player officially reaches its end this December.

Apple is offering security researchers a specially prepared iPhone with a debug interface that will make it easier to find vulnerabilities in the company's closed ecosystem. The restrictions for program participants are strict: they are obliged to notify Apple about the bugs they find, and they are prohibited from passing the device to third parties.
