Reports are surfacing that Honda halted production at one of its vehicle plants for a day this week after finding the WannaCry ransomware that struck globally last month in its computer network. The automaker shut production on Monday at its plant in Japan. IT security experts commented below.
Mark James, Security Specialist at ESET:
“As with most malware, even after the initial impact of a public or global strike, it’s still working its way around the internet looking for victims. In this case when malware uses exploits in common or older versions of Windows, many large manufacturers that use bespoke or embedded systems with software that may not be easily or quickly replaced could be teetering on the edge of disaster frantically trying to protect themselves. It only takes one slip, one email or one web page, from all the hundreds or thousands of employees connected to a network of computers that often has to connect worldwide to enable a smooth global operation.
Of course keeping your systems up to date with the latest updates and patches, and ensuring you have a good regular updating internet security product will help to keep you safe, but educating your staff on the dangers of using the very tools we need them to use for their daily workloads is just as important.”
Andrew Clarke, Director at One Identity:
“Even global, corporate brands are seen to be impacted by WannaCry as illustrated by the news that Honda halted production.
It takes just one vulnerable system to leave the door open. Having been hit in other plants during May, Honda took steps to protect themselves at the time; but as most of us are now aware it is a continuing battle against emerging threats. Microsoft, for example, on their regular patch Tuesdayupdate in June patched 96 security vulnerabilities and continued to resolve issues in Windows XP. It is important in industrial plants, where there are often embedded computer systems, that patches are applied promptly and across all systems. Often due to the complexity of change, it takes some weeks or months to bring all systems up to date. And of course it is not just Microsoft that needs patching, all manner of systems need to be assessed and updated.
Some communication protocols have proven to be very insecure, such as the file sharing server message block SMBV1 which was exploited by the WannaCry ransomware and in fact is being disabled totally from windows 10 later this year. Elsewhere it is recommended that the SMBV1 protocol be disabled if it is not used operationally.
This latest incident reminds us that our efforts to defend our organisations against emerging threats is continuous. Regular review of all systems and their communication protocols is necessary and, more importantly, a thorough analysis of access controls. Ask who has access; what can they access and why do they access? Often in organisations individuals are provisioned to access systems for short periods and are never deprovisoned, which means over time they get excessive access that can be damaging to the business if misused. Tools to control and manage overall access are critical. Malware such as WannaCry takes advantage of gaps in security so to be truly safe requires a continuous and thorough approach which embraces the multiple aspects of cyber security.”
Gavin Millard, Technical Director at Tenable:
“That the exploitation of MS17-010 through WannaCry and other derivatives is still causing a problem is hardly surprising. Conflicker and MS08-67, the main vulnerability it exploited, is still popping up on occasion nine years after it began infecting millions of systems around the world. To reduce the probability of being infected by ransomware, and more concerning a targeted attack leveraging the same vulnerabilities, continuous visibility into the vulnerability status of every asset in the modern computing environment is critical in reducing the available attack surface. Of course, just patching these bugs isn’t always simple as it could cause disruption to the organisation. If that is the case then compensating controls must be put in place and proper, risk-based decisions must be made.
“Put simply if you can’t patch it, protect it, and if you can’t do either then prepare to pay.”
Leigh-Anne Galloway, Cyber Security Resillience Lead at Positive Technologies:
“It comes as no surprise that more and large organisations have been affected by WannaCry. Microsoft released patches in March to fix the vulnerability that has allowed WannaCry to spread, but many organisations have been particularly slow to implement them. Honda has taken the right precautionary measures ceasing production. Safety of employees should be of up most concern. However this incident could have been prevented with basic security hygiene, a patch management program and automatic updates to systems.”
Mike Ahmadi, Global Director of Critical Systems Security at Synopsys:
“A plant shutdown can cost millions of dollars per day in lost production and, in any event, is likely to far exceed the cost of the ransom. Attackers are likely to apply risk management techniques to their attacks going forward that will serve to help them get the most return for each attack. I am not saying this is what happened here, but once attacks become financially motivated, this becomes more likely. Organisations need to start calculating such attacks as very high likelihood, and prepare accordingly.”
Lee Munson, Security Researcher at Comparitech.com:
“The fact that an organisation the size of Honda has been hit with a ransomware a track is not as surprising as some may think – along with phishing it is among the most common threats – but the fact that it is WannaCry is surprising indeed.
A month after the attack died out, especially after the original kill switch came to light, everyone thought it was dead and buried, so how did Honda become infected in the first place?
It sounds to me as though an external storage device may have been introduced to Honda’s network which begs as many questions as why the company had not immunised itself by deploying the latest operating system patches, all the way back to Windows XP.
Whatever the answer, this security breakdown will no doubt prove extremely costly to a manufacturer likely to be feeling highly embarrassed over this incident.”
Marco Cova, Senior Security Researcher at Lastline:
“One of the lessons of this incident is that security is a concern for all type of businesses, including “traditional” ones, and all areas of business, including those that are typically not seen as being “online”: nowadays, every business is an online business and can be affected by a security incident, either as part of targeted attacks or as part of random malicious activity.
This incident also shows that security incidents more and more frequently have an impact in the physical world: just like WannaCry affected the ability of the NHS to offer services to its patient, now we have an example of manufacturing capability being impacted by an attack.”
Javvad Malik, Security Advocate at AlienVault:
“While the initial wave of wannacry infected systems may have passed, it doesn’t mean that attacks have completely ceased and enterprises should become complacent. It’s vital that enterprises take the necessary steps to protect themselves against attacks like wannacry, and keeping ahead of the curve with threat intelligence and having threat detection and incident response capabilities.”
Paul Edon, Director at Tripwire:
“A month has gone by since the WannaCry attack caused global panic and disruption. Yet, despite all the help guides, blogs and news, companies are still being affected. The fix and information is out there and so they need to take action now to better protect themselves. An effective defence strategy in defeating these sorts of attacks include implementing an effective email filtering solution that is capable of scanning content on emails, hazardous attachments and general content for untrusted URL’s. Another strategy would be to better educate the workforce on how to recognise a suspicious email from unknown senders, knowing not to click an untrusted URL, as well as not opening an unexpected attachment. Taking these small steps could make all the difference in securing a system and avoiding a disastrous attack.”
Luda Agronov, Security Research Engineer at Imperva:
“WannaCry was a massive attack that infected tens of thousands computers around the globe, and it is not surprising that large companies like Honda are being affected by it. This is yet another example of how ransomware threatens organisations. Despite of having backups and recovery procedures in place, the impact is mainly the downtime, lost productivity and disruption to the normal course of business, which have the potential to cause extensive damage.”
Csaba Krasznay, PhD, Security Evangelist at Balabit:
“The cost of cyber crime that victims should pay is usually indirect. As we can see, the authors of Wannacry gained a relatively small amount of money directly, but the global market has spent billions of dollars to cybersecurity related countermeasures and loss of business continuity indirectly due to this ransomware like in that case. Meanwhile, we shouldn’t forget the potential errors made by privileged users during the incident management process that can also cause outages in the infrastructure. Cyber security issues has never been revealed in their complexity before as much as in the Wannacry case. We can be sure that this story has not been finished yet.”
Nick Bilogorskiy, Senior Director of Threat Operations at Cyphort:
“Automakers are especially vulnerable to network worms like WannaCry because they often use computers with older versions of Windows and those are vulnerable to security flaws. Unlike other businesses such as banks, automakers do not upgrade their factory floor hardware or software aggressively and may get behind in installing patches. For example, in 2005, Zotob worm exploited holes in Windows Plug and Play service and knocked 13 of Daimler Chrysler’s US auto manufacturing plants offline.
“Once compromised by WannaCry, it is not easy or fast to fully recover. First you need to try to decrypt files on the machine, by using a decryptor like wannakiwi, which may work if you have not yet rebooted the machine. Then power down all infected machines so they do not re-infect the network.
Then, you need to re-image or re-install all infected machines, as that is the only safe method to avoid any back doors that have been dropped by WannaCry.
Finally, locate necessary backups and restore data from them and reset all your systems to pre-WannaCry state, and test that your applications are working as intended.
Even after that, to prevent future infections by WannaCry – patch the underlying vulnerability everywhere. So full recovery may take weeks or months , and the risk of a sudden outburst of re-infections is high.”
Mounir Hahad, PhD, Senior Director at Cyphort Labs:
“This incident speaks to the latent aspect of WannaCry: a computer can be infected without giving much sign of it due to the kill switches. But when that computer gets rebooted, the cycle begins anew and if for whatever reason (computer is now behind a proxy, internet connection is not working, etc.), that computer will encrypt files and try to spread the malware.”
Robert Capp, Authentication Strategist and VP at NuData Security:
“We are seeing an increasing number of hackers using ransomware to extort organizations for money. These attacks can be very destructive to the target and highly lucrative for the attacker. These criminals are responsible for a growing percentage of financial fraud, malware, and other cyber threats. They either make money directly from the attack, from the sale of the data, or from money laundering after successful attacks. They will continually find new ways to penetrate consumer accounts and corporate networks, and evade detection by tools deployed to counter such threats. Organizations that hold critical and personal information about their users or stakeholders have a choice. Rather than just protecting transactional data, accept the full ramifications of data protection and system security by designing their systems to protect their users and ALL account data first.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.