Garmin Breach: My Thoughts

What Garmin did well and where they fell short in their 2020 Ransomware Incident.

Written August 11, 2020.

Garmin was infected late on July 23, 2020, and on Monday, July 27, Garmin released a statement acknowledging it had been the victim of a “cyberattack that encrypted some of our systems.” (9) As you may have heard, less than 4 weeks ago Garmin fell victim to a costly ransomware attack.
Ransomware is a form of malware which encrypts the contents/files of the systems it infects. These files cannot be recovered without either:

  a. A decryption key, which is acquired by paying the negotiated “ransom”
  b. Data backups which were not encrypted by the ransomware

The attack was orchestrated by the Russian hacking group “Evil Corp”. Allegedly, Evil Corp is only interested in getting paid via their ransomware. They (Evil Corp) have not shown any evidence of data exfiltration in any instance where their ransomware has been used to date. Further, Garmin has stated that “We have no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost or stolen.” (9)

This breach is very recent, and it is difficult to find any information on how Evil Corp was able to get the ransomware into Garmin’s systems.

Were hackers able to somehow exploit Garmin Connect, or similar Garmin services which allow uploading of data, to upload the ransomware? This could have been done using a variation of an attack listed on the OWASP Top 10, such as a form of Cross-Site Scripting or XML External Entity injection. Or was the ransomware able to penetrate Garmin’s systems via a more “traditional” method, such as a compromised computer, a spearphishing email, etc.?

From reading about the incident, I don’t believe a malicious upload on Garmin Connect (or similar) was the case. Garmin has extremely high levels of quality control for their aviation devices, so we can assume all of their software development and design goes through rigorous testing and follows a strict SDLC. Further, data uploading was one of the first services reinstated after the incident; if Garmin suspected Garmin Connect of being vulnerable, there is no doubt they would not have reinstated its functionality so quickly. While other services and sites remained inaccessible, data uploading was working again shortly after the incident.

In a large enterprise like Garmin, policies and procedures related to incident management are crucial. This incident illustrates how Garmin’s lack of staff training and procedures on incident management failed. For example, almost immediately after the breach occurred, some Garmin staff members were sharing sensitive pictures on social media. These pictures show a screen full of infected/encrypted files on a computer system. It is unfortunate that staff working at an enterprise would think of sharing this information with the world as appropriate conduct. There is no guarantee that detailed incident response staff training (or a code of conduct) would have prevented the aforementioned scenario; however, proper training and planning offer guidance for staff on how to conduct themselves in the event of an incident affecting systems they regularly use.

Next is the issue of data backups. Evidently Garmin did not have a robust backup solution in place. I make this assumption because there is proof of Garmin using a decryption key for the ransomware in order to bring their systems back up and running. A robust, full backup solution including offsite backups would have saved Garmin millions of dollars in ransom payment because, upon infection, the systems could simply have been restored using a full backup (or a combination of other backups) from a previous date.

Assuming Garmin is being truthful in their statement regarding customer data, this illustrates the success of Least Privilege and Separation of Duties type controls they may have in place. Perhaps Garmin can confidently say that customer data was not breached because the systems housing that data are physically and logically separate from the public-facing web services servers. This customer data may also be protected by very strict privilege. It is difficult to know; I read through the risks section of the 2019 10-K form (p. 22-23, ref. 10). There is extensive discussion around cyber security risks and liabilities/insurance. The form states that “We have technology and processes in place to detect and respond to data security incidents.” (10); however, there are no details around exactly what controls are in place. Of course, there is the possibility that Garmin is incorrect, customer data and information has been breached, and they used the decryption key or backups to restore that data as well as the disrupted web services. As this story develops we will learn more.

I’m sure there will be more information released regarding this data breach over time. I expect Garmin to conduct an internal administrative investigation, and Garmin may also be subject to a criminal investigation. Garmin will potentially face a criminal investigation because the US Government has placed sanctions on the Russian hacking group Evil Corp, and so a company paying a ransom to Evil Corp could face litigation. I did read that Garmin outsourced to a smaller company the negotiation with Evil Corp for the decryption key, then Garmin paid that smaller company “for their services” of providing the decryption key. This type of negotiation scenario may present a loophole in the US’ action of placing sanctions on hacking groups to discourage US companies from paying a “ransom” for the decryption key.

As mentioned, this is still a developing story, which I will be following. We will see if Garmin faces any criminal investigation or litigation because they allegedly paid the ransom through a 3rd party. I’ll also be following this story to see if they can somehow prove customer data was never breached and if they ever release further details on how their systems were actually breached (if they even know). I could easily see this breach also just going away, sort of swept under the rug, since they paid the ransom and restored everything back to normal so quickly.

Sources:

  1. https://www.techrepublic.com/article/experts-devastating-ransomware-attack-on-garmin-highlights-danger-of-haphazard-breach-responses/
  2. https://cyclingtips.com/2020/08/report-garmin-secured-decryption-key-paid-ransom-to-hackers-2/
  3. https://cyclingtips.com/2020/07/how-did-the-garmin-cyber-attack-happen-and-what-does-it-mean-for-users/
  4. https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/
  5. https://threatpost.com/garmin-pays-evil-corp-ransomware-attack-reports/157971/
  6. https://www.darkreading.com/attacks-breaches/garmin-takes-app-and-services-offline-after-suspected-ransomware-attack/d/d-id/1338456
  7. https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/
  8. https://www.zdnet.com/article/new-wastedlocker-ransomware-demands-payments-of-millions-of-usd/
  9. https://newsroom.garmin.com/newsroom/press-release-details/2020/Garmin-issues-statement-on-recent-outage/default.aspx
  10. https://www8.garmin.com/aboutGarmin/invRelations/reports/2019_10K.pdf