Honda has confirmed it has been hit with a cyber attack which has impacted some of its operations, including production systems outside of Japan. “Honda can confirm that a cyber attack has taken place on the Honda network,” a spokesperson said. “We can also confirm that there is no information breach at this point in time”. The company added: “Work is being undertaken to minimize the impact and to restore full functionality of production, sales and development activities. At this point, we see minimal business impact”. The company said it had experienced difficulties accessing servers, email and internal systems and that there was also an impact on production systems outside of Japan. It said its “internal server” was attacked externally and a “virus” had spread – but that it would not disclose any further details for security reasons.
It appears Honda has suffered a business-crippling SNAKE ransomware attack. The international automotive giant was also impacted by WannaCry in 2017. It’s concerning that Honda seems to not have made significant changes to their security program to address like threats – SNAKE and WannaCry share some principles of effects.
This strain of ransomware doesn’t steal data, so Honda customer information likely isn’t at risk, but given Honda’s financial presence, they will likely pay a hefty ransom letter or hire a third-party incident response team to help with the cleanup. The fact that the ransomware affected global operations, inclusive of factory operations, is an indicator their network may not be segmented and isolated in a way to prevent “jumps” between different business functions. For example, manufacturing organizations usually isolate the technology systems that build stuff to protect them from attacks like this. One department getting hit with ransomware should not impact other core business processes.
Ransomware is a tremendously growing threat. More powerful variants and strains are constantly emerging, and there are more capabilities for it to be remotely (and confidentially) managed. The best way to defend against ransomware is readiness and timely response. The role of the cyber threat intelligence should inform what methods a modern ransomware would take and if your company has a credible defense investment. Enterprises must have a comprehensive network segmentation strategy in place to quarantine an outbreak to a localized facility or business unit. Additionally, organizations should employ advanced solutions that allow security teams to continuously test the effectiveness of their company’s security controls (do I have a credible defense?), as well as exercise an incident response plan that can be emulated when a real threat occurs (could I respond and stop this in a timely manner?).
Not adopting a more proactive approach to security means organizations are just upping their cyber insurance policies and suffering the business impact and reputation damage—but that’s also changing. Cyber insurers are getting wise and increasing premiums for organizations with immature security postures or are stipulating expectations of certain security capabilities be in place. If companies claim to have a defense, but it does not work, they may not be covered.
In our experience, one of the things that sets the “snake/ekans” malicious threat actor reportedly involved in the Fresenius ransomware attack apart is a relatively high amount of manual effort/targeting typically involved in the operator placement activity, which can sometimes enable them to have a bigger impact on the victims. With some of the recent attacks observed, it appears that the malicious threat actors are expanding the list of targets. While the attack behaviours used by the malicious ransomware payload itself are fairly trivial, the golang-based payload encryption process, and also the list of processes that are terminated to maximise the ability of the ransomware to encrypt sensitive data and impact the targets, appear to be longer than some of the other ransomware instances observed, and some of the past instances of the malware family also included impacting processes from the ICS/SCADA/OT environments that are often found in large industrial operations, likely the case with the recent Honda breach, which is relatively uncommon for ransomware.
EKANS (SNAKE) Ransomware was identified around the end of 2019 and while the ransomware itself wasn’t very sophisticated, what made it interesting was that it had additional functionality programmed into it to forcibly stop processes, especially items involving Industrial Control Systems (ICS) operations.
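The process-stopping behaviour described above leaves a detectable footprint on the endpoint: one process terminating many distinct control-system or backup processes within seconds. The following is an added detection example, not code from the article or from any vendor quoted in it. The event records and the watchlist of process-name fragments are constructed for illustration; the watchlist is not the list carried by the malware.

```python
"""Detect bursts of process terminations that hit an ICS/backup watchlist.

Added example (not from the article). Flags any single killer process that
terminates at least `threshold` distinct watchlisted processes inside a short
time window. Events and the watchlist below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative name fragments a defender might watch for (constructed, not the
# malware's own list).
WATCHLIST = ("historian", "opc", "hmi", "scada", "backup", "veeam", "sql")

# Constructed process-termination events, e.g. as an EDR might report them:
# (timestamp, killer_pid, killer_image, victim_image)
SAMPLE_EVENTS = [
    ("2020-06-08T03:14:00", 4120, "update.exe", "historianSvc.exe"),
    ("2020-06-08T03:14:00", 4120, "update.exe", "opcserver.exe"),
    ("2020-06-08T03:14:01", 4120, "update.exe", "hmi_runtime.exe"),
    ("2020-06-08T03:14:01", 4120, "update.exe", "VeeamAgent.exe"),
    ("2020-06-08T03:14:02", 4120, "update.exe", "sqlservr.exe"),
    ("2020-06-08T03:14:02", 4120, "update.exe", "notepad.exe"),
    # An operator restarting services by hand, spread over half an hour: benign.
    ("2020-06-08T03:20:00", 880, "taskmgr.exe", "opcserver.exe"),
    ("2020-06-08T03:45:00", 880, "taskmgr.exe", "hmi_runtime.exe"),
]


def is_watched(image):
    """True if the process image name contains any watchlisted fragment."""
    name = image.lower()
    return any(frag in name for frag in WATCHLIST)


def find_kill_bursts(events, window_seconds=60, threshold=3):
    """Return [(killer_pid, killer_image, first_ts, victims)] for every killer
    that stopped at least `threshold` distinct watched processes within
    `window_seconds`. One alert per killer."""
    by_killer = defaultdict(list)
    for ts, pid, killer, victim in events:
        if is_watched(victim):
            by_killer[(pid, killer)].append((datetime.fromisoformat(ts), victim.lower()))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (pid, killer), kills in by_killer.items():
        kills.sort()  # chronological order
        for i, (start, _) in enumerate(kills):
            # Distinct victims terminated within the window that opens at `start`.
            victims = {v for t, v in kills[i:] if t - start <= window}
            if len(victims) >= threshold:
                alerts.append((pid, killer, start.isoformat(), sorted(victims)))
                break
    return alerts


if __name__ == "__main__":
    for pid, killer, when, victims in find_kill_bursts(SAMPLE_EVENTS):
        print(f"{when} pid {pid} ({killer}) stopped {len(victims)} watched processes: {victims}")
```

The threshold and window are tunable; the point of keying on the killer's PID is to separate a single automated sweep from an operator restarting services one at a time.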
A sample of SNAKE was uploaded to VirusTotal from Japan that attempts to connect to mds[.]honda[.]com. This would appear to be an internal domain for Honda. Furthermore, if a DNS request to the internal domain doesn’t resolve, the sample wouldn’t execute. This is similar to the attack on Fresenius who fell victim to SNAKE, where a DNS query to ads[.]fresenius[.]com resolved to a private IP.
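Because the sample resolves an internal hostname before it will run, the resolver logs of an affected organisation record that lookup from every host on which the payload executed. The following is an added hunting example, not code from the article or from Honda; it takes defanged indicators (the article's mds[.]honda[.]com is used as quoted, plus a constructed placeholder), refangs them, and reports which source addresses queried them. The BIND-style query log lines are constructed, not real traffic.

```python
"""Hunt resolver logs for queries of hostnames embedded in a ransomware sample.

Added example (not from the article). Indicators are kept defanged at rest and
refanged only at match time. Log lines below are constructed.
"""
import re
from collections import defaultdict

# Defanged indicators: the first is quoted in the article, the second is a
# hypothetical placeholder showing the routine handles several names.
INDICATORS = ["mds[.]honda[.]com", "internal-sentinel[.]corp[.]example"]

# Constructed BIND query-log lines (format: 'client IP#port (name): query: name IN type').
SAMPLE_LOG = """\
08-Jun-2020 03:12:01.110 queries: info: client 10.20.5.17#51322 (mds.honda.com): query: mds.honda.com IN A + (10.20.0.53)
08-Jun-2020 03:12:01.118 queries: info: client 10.20.5.17#51323 (time.windows.com): query: time.windows.com IN A + (10.20.0.53)
08-Jun-2020 03:12:02.905 queries: info: client 10.20.9.44#60011 (MDS.honda.com.): query: MDS.honda.com. IN AAAA + (10.20.0.53)
08-Jun-2020 03:12:03.000 queries: info: client 10.20.5.17#51340 (intranet.example): query: intranet.example IN A + (10.20.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*client (?P<src>[\d.]+)#\d+ .*query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def refang(indicator):
    """Turn 'a[.]b[.]c' into 'a.b.c', normalised for comparison."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def parse_query_log(text):
    """Yield (timestamp, source_ip, qname, qtype) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Normalise case and the trailing dot of fully-qualified names.
            yield m["ts"], m["src"], m["qname"].lower().rstrip("."), m["qtype"]


def hunt(log_text, indicators):
    """Return {hostname: {source_ip: [timestamps]}} for every watched name queried."""
    watched = {refang(i) for i in indicators}
    hits = defaultdict(lambda: defaultdict(list))
    for ts, src, qname, _ in parse_query_log(log_text):
        if qname in watched:
            hits[qname][src].append(ts)
    return {name: dict(sources) for name, sources in hits.items()}


if __name__ == "__main__":
    for name, sources in hunt(SAMPLE_LOG, INDICATORS).items():
        for src, times in sources.items():
            print(f"{name} queried by {src} at {', '.join(times)}")
```

Every source address that shows up here is a host on which the sample at least reached its pre-check, which makes the list a useful starting scope for containment and forensic triage.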
We’ve all seen global corporations put strong security stacks in place and even so, fall victim to ransomware, and a major take-away is: train and invest in your security team. It’s more important than ever to prevent security team burnout, which can easily happen given talent shortages, skills gaps and the unique pressures the current pandemic is presenting. That’s why many organizations are turning to gamified training platforms to help keep security teams engaged and equipped. The alternative consequences, to the organization and to the CISO, make this a smart investment.
A well-known information security best practice is isolating any internet accessible servers into a DMZ network that has extremely limited access to any other networks in an organization to prevent widespread damage in the event a single system is compromised. Honda’s statement that an internal server was externally attacked could mean that they did not take this step to prevent an attacker propagating to other areas of the organization. Unfortunately, many applications that organizations rely on are often not architected to support this level of segmentation, so it’s possible that Honda had few other options in exposing their internal network to the internet.
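Whether a DMZ actually limits propagation depends on the allow rules between zones, including paths that chain through an intermediate zone. The following is an added example, not code from the article or a description of Honda's network: it models four zones and a small constructed rule set, lists rules that directly breach the intended isolation, and then walks the rules transitively to show which zones a compromised host in each zone could ultimately reach.

```python
"""Check a zone-based firewall policy for paths that undermine DMZ isolation.

Added example (not from the article). Zones, rules and the isolation matrix
below are constructed for illustration.
"""
from collections import deque

# Which destination zones each source zone must never reach (constructed policy).
FORBIDDEN = {
    "internet": {"corp", "ot"},
    "dmz": {"corp", "ot"},
    "corp": {"ot"},
}

# Constructed allow rules: (src_zone, dst_zone, dst_port, comment)
RULES = [
    ("internet", "dmz", 443, "public web front end"),
    ("dmz", "corp", 1433, "web app queries internal DB"),     # breaches DMZ isolation
    ("corp", "dmz", 22, "admins manage DMZ hosts"),
    ("corp", "ot", 3389, "remote desktop into plant network"),  # breaches OT isolation
    ("ot", "ot", 502, "Modbus inside the plant"),
]


def direct_violations(rules, forbidden=FORBIDDEN):
    """Rules whose destination the source zone is forbidden to reach directly."""
    return [r for r in rules if r[1] in forbidden.get(r[0], set())]


def reachable_zones(rules, start):
    """Zones reachable from `start` by chaining allow rules on any port."""
    adjacency = {}
    for src, dst, _, _ in rules:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def transitive_violations(rules, forbidden=FORBIDDEN):
    """{src_zone: [forbidden zones reachable by any chain of rules]}."""
    result = {}
    for src, banned in forbidden.items():
        bad = reachable_zones(rules, src) & banned
        if bad:
            result[src] = sorted(bad)
    return result


if __name__ == "__main__":
    for src, dst, port, comment in direct_violations(RULES):
        print(f"direct: {src} -> {dst}:{port} ({comment})")
    for src, zones in transitive_violations(RULES).items():
        print(f"transitive: a compromised {src} host can reach {zones}")
```

The transitive check is the one that matters for the scenario in the article: a single "web app to database" rule plus an "admins to plant" rule already gives an internet-facing host a path into OT, even though no rule says internet to OT.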
This attack appears to be a ransomware attack associated with the SNAKE cybercrime group, as samples of malware that check for an internal system name and public IP addresses related to Honda have surfaced publicly on the internet. The malware exits immediately if associations with Honda are not detected. This strongly implies that this was a targeted attack rather than a case of cybercriminals spraying out ransomware indiscriminately. More concerning is that the SNAKE ransomware team has historically attempted to exfiltrate sensitive information before encrypting their victim’s computers. This combined with the targeted nature of the malware’s “pre-checks” indicates that the attackers likely had access to Honda’s internal systems for some time before launching the ransomware’s encryption functions. Without confirmation from the SNAKE group or Honda, it is impossible to say how long the attackers were present or what sensitive data they may have been able to steal.