Honda has confirmed a cyber attack on its networks that is widely believed to have involved deployment of the “Snake” ransomware.
The automotive giant, which has a market capitalisation of £22 billion, has admitted that production, sales and development activities have all been hit.
Chatter on social networks suggests production globally has been stopped. Computer Business Review could not immediately confirm this.
The attack comes after Honda last year left an Elasticsearch database exposed to the public, with upwards of 40GB of data relating to the firm’s internal systems and devices spotted by security researchers.
Security researcher Justin Paine, who spotted the database on Shodan, said at the time: “The information available in the database appeared to be something like an inventory of all internal machines.
“This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software.”
Mass scanning for exposed factory automation endpoints, meanwhile, is commonplace. The threat vector could have been anything, and it is unclear how poorly segmented the networks were, but Honda appears to have had some machines with Remote Desktop Protocol (RDP) access publicly exposed. RDP is a common threat vector for ransomware operations.
HONDA 🇯🇵 and ENEL 🇮🇹
Both with RDP exposed to the Internet.
👉 #RDPExposed pic.twitter.com/vv65yXyHes
— Germán Fernández 🇨🇱 (@1ZRR4H) June 8, 2020
Honda Hacked: “Minimal Business Impact”
“Honda can confirm that a cyber attack has taken place on the Honda network,” a spokesperson said late Tuesday.
“We can also confirm that there is no information breach at this point in time. Work is being undertaken to minimize the impact and to restore full functionality of production, sales and development activities. At this point, we see minimal business impact”.
Honda shipped 4.7 million vehicles over the past 12 months.
At this time Honda Customer Service and Honda Financial Services are experiencing technical difficulties and are unavailable. We are working to resolve the issue as quickly as possible. We apologize for the inconvenience and thank you for your patience and understanding.
— Honda Automobile Customer Service (@HondaCustSvc) June 8, 2020
The company’s Twitter feed shows that both Honda Customer Service and Honda Financial Services, the company’s lending arm, are “experiencing technical difficulties and are unavailable”.
Customers facing issues with their vehicles are being urged to DM their full name, VIN, mileage, address, email, best contact number and other details to Honda on Twitter. (This has already backfired at least once, with a customer posting all of these publicly rather than via DM.)
Josh Smith, a security analyst at Nuspire, said: “EKANS (SNAKE) Ransomware was identified around the end of 2019 and while the ransomware itself wasn’t very sophisticated, what made it interesting was that it had additional functionality programmed into it to forcibly stop processes, especially items involving Industrial Control Systems (ICS) operations.”
He added: “A sample of SNAKE was uploaded to VirusTotal from Japan that attempts to connect to mds[.]honda[.]com. This would appear to be an internal domain for Honda. Furthermore, if a DNS request to the internal domain doesn’t resolve, the sample wouldn’t execute. This is similar to the attack on Fresenius who fell victim to SNAKE, where a DNS query to ads[.]fresenius[.]com resolved to a private IP.”
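A defender-side triage sketch for the behaviour Smith describes, as an added example that is not from the article or from Nuspire: it flags sandboxed samples whose DNS lookups target names in an organisation's internal zones, a sign the build was keyed to that network. The zone `corp.example`, the record layout and all sample data are constructed assumptions.

```python
import ipaddress

# RFC 1918 ranges listed explicitly: ipaddress's is_private also covers
# documentation ranges such as 203.0.113.0/24, which would skew the verdicts.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def refang(name):
    """Normalise a possibly defanged name ('mds[.]corp[.]example') for matching."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()

def in_zone(qname, zones):
    """True if qname is a zone apex or a subdomain of it (label-boundary match)."""
    q = refang(qname)
    return any(q == z or q.endswith("." + z) for z in map(refang, zones))

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def triage(records, internal_zones):
    """Map sample id -> [(qname, verdict)] for lookups of internal-zone names."""
    findings = {}
    for rec in records:
        if not in_zone(rec["qname"], internal_zones):
            continue  # external names are not evidence of environment keying
        answers = rec["answers"]
        if answers and all(is_rfc1918(a) for a in answers):
            verdict = "internal name, private answer"
        elif answers:
            verdict = "internal name, public answer"
        else:
            verdict = "internal name, no answer"
        findings.setdefault(rec["sample"], []).append((refang(rec["qname"]), verdict))
    return findings

# Constructed sandbox DNS observations (hypothetical names and addresses).
SANDBOX_DNS = [
    {"sample": "sample-a", "qname": "mds[.]corp[.]example", "answers": ["10.20.30.40"]},
    {"sample": "sample-a", "qname": "update.vendor.example", "answers": ["203.0.113.7"]},
    {"sample": "sample-b", "qname": "cdn.vendor.example", "answers": ["198.51.100.9"]},
    {"sample": "sample-c", "qname": "ADS.corp.example.", "answers": []},
    {"sample": "sample-d", "qname": "notcorp.example", "answers": ["192.168.1.5"]},
]

if __name__ == "__main__":
    for sample, hits in triage(SANDBOX_DNS, ["corp.example"]).items():
        print(sample, hits)
```

A hit on any sample is a reason to escalate it: a lookup of an internal-only name suggests whoever built the sample already knew the organisation's internal naming.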
Network segmentation may have been minimal.
As one commentator on Reddit notes: “Back in 2000 it was not considered important to isolate the ICS network and oftentimes facilities wanted to integrate it in with the rest of the network so that management could run reports and check the production levels of the floor.
“Given that the people who are/were in charge of the floor equipment were at best Controls Engineers and at worst overworked, under-trained skilled maintenance workers there often was not much resistance given from a security perspective. Often the IT teams at the facilities were not security personnel either. They would have looked at the cost of implementing security, if it was brought up, and would most likely have chosen to just do recovery instead of protection”.
Sam Curry, chief security officer at Boston’s Cybereason, added: “With any cyber attack, the devil is in the details and that is certainly the case with Honda…. Today, the harsh reality is that strategic ransomware attacks are on the rise, and if the attackers are holding out for a hefty ransom they might have embedded themselves deeply enough inside Honda to create a challenge for remediation in the short term.
“It would be unfair to further speculate on this outcome, but know that increasing security hygiene and rolling out security awareness training to employees is essential. Utilising threat hunting services around the clock will also increase the likelihood that companies which find themselves in the same spot as Honda down the road will be able to more effectively respond and reduce the downtime of networks and the overall operation of their company. Essentially, downtime means a loss in dollars.”