Havoc Shield Blog

The Latest Hack - Garmin

Written by Brian Fritton | Jul 27, 2020 5:00:00 AM

The past few days have been rough for Garmin device owners/users, and no doubt rougher for Garmin's cybersecurity professionals.  Numerous reports suggest that Garmin has been the subject of a ransomware attack that resulted in systems outages for the cloud components that many Garmin products rely on.  Recently, reports have emerged that the specific root cause was a WastedLocker ransomware attack.

How the Attack Went Down

Garmin has not yet confirmed that they suffered a WastedLocker ransomware attack.  However, if the reports to that effect turn out to be based in fact, here is how the attack likely went down.

First, it's important to know that the group behind WastedLocker has a reputation for creating highly tailored modules that allow WastedLocker to uniquely target the cybersecurity flaws of a specific organization.  Much like a spear phishing attack is a more tailored and targeted version of a phishing attack, WastedLocker is a more tailored and targeted version of a typical ransomware attack.  It is likely that the defenses of Garmin infrastructure have been evaluated by this hacking group for some time leading up to the attack, and that a custom module was created to take advantage of vulnerabilities specific to Garmin.  Sound elaborate?  It is.  And it allows them to target larger organizations that have the ability to pay outsized ransomware amounts.

Second, once the custom module was created to specifically target Garmin, the hackers would have deployed the malware.  They'd use the custom module specific to this target company, designed to exploit specific vulnerabilities in the target's infrastructure.

Third, the WastedLocker malware would encrypt the contents of the infected servers and other hosts, and leave an unmistakable message behind.  The message would indicate that the contents of the filesystem are now encrypted, and that retrieving the key is possible -- but at a cost.  Rumors in this particular case indicate that the ransom demand was $10,000,000.

How Companies Can Prevent This Attack

This particular highly-targeted and tailored attack doesn't have a simple/easy 1-step defense.  Rather, this type of highly sophisticated attack requires "defense-in-depth" -- multiple layers of technology and process that collectively make it incredibly difficult to identify a vulnerability.

Some of the defense-in-depth measures that would make it difficult to stage this type of attack on your company, include:

  1. Antivirus including malware protection: this goes without saying, but hosts and endpoints in your organizations need to have endpoint protection.  There is a constant battle between providers of endpoint protection and hacking groups, each trying to keep up with and supersede the other -- but it would be foolish to not implement modern endpoint protection like the kind included in Havoc Shield subscriptions.
  2. Monitoring & Measurement on All Servers:. a combination of monitoring and measurement should exist on all hosts.  Illustrative examples include CPU usage monitoring, monitoring of erratic/unexpected disk usage trends, monitoring of atypical network traffic patterns, etc.  Although not as valuable against this type of attack as malware protection that specifically identifies and alerts at the first sign of trouble, a strong monitoring & measurement implementation will often lead a company to identify unusual patterns worthy of investigation early on... maybe early enough to head off the attack.  For example, an unusual and sustained level of CPU usage across a server fleet could lead to an investigation that might reveal an ongoing encryption process.  Catching that in-progress rather than after-the-fact would be tremendously helpful.
  3. Web Application Firewalls:  this type of infrastructure filters inbound network traffic that it deems suspicious.  It is especially powerful when paired with human-in-the-loop review of logs of rejected network traffic.
  4. Backups with Point-in-Time Restore:  this falls more on the remediation side than the prevention side.  However, it's an important part of defense-in-depth.  If you find yourself the subject of a malware attack and you have the ability to restore your systems to the point-in-time immediately before the attack, you are ahead of the game in terms of having choices other than paying the ransomware sum.  It can be non-trivial to identify the point-in-time to restore to, but it's better to have the option than not.

Although implementing these strategies does not mean a certain ability to avoid an attack of this nature, these strategies are important elements of defense-in-depth.  The stronger an organization's defense-in-depth, the more difficult it is for hackers to stage a tailored/targeted malware attack.

Want to discuss these or additional options for protecting your organization?  We're here to help.

Interested in more articles in our series The Latest Hack?  Continue here:

Any additional suggestions of recent hacks that you'd like us to write our perspectives on?  Drop us a note in the comments section below!