Published on June 8th, 2020

Honda investigates possible ransomware attack, networks impacted



Computer networks in Europe and Japan belonging to car manufacturing giant Honda have been affected by issues that are reportedly related to a SNAKE ransomware cyber attack.

Details are unclear at the moment but the company is currently investigating the cause of the problems that were detected on Monday.

Trouble confirmed, likely SNAKE ransomware

The company has confirmed to BleepingComputer that its IT network is not functioning properly but declined to provide more information regarding the nature of the issue as an investigation is ongoing.

“Honda can confirm that there is an issue with its IT network. This is currently under investigation, to understand the cause,” a company representative told us.

From what is known at this point, the issues have not influenced the Japanese production or dealer activities. Furthermore, the company spokesperson said that there is no impact on Honda customers.

“In Europe, we are investigating to understand the nature of any impact” - Honda

While the Japanese car manufacturer is tight-lipped about these events, a security researcher named Milkream has found a sample of the SNAKE (EKANS) ransomware submitted to VirusTotal today that checks for the internal Honda network name of "mds.honda.com".

When BleepingComputer tried to analyze the sample, the ransomware would start and immediately exit without encrypting any files.

The researcher states that this is because the ransomware tries to resolve the "mds.honda.com" domain and, if it fails to do so, terminates without encrypting any files.

This internal check is a very strong indicator that today's network outages are being caused by a SNAKE ransomware attack.
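The behaviour described above (the sample starts, fails to resolve one name, and exits without touching files) is a pattern a sandbox triage script can flag. The following Python sketch is an added example, not code from the article or the researcher; the trace format, event names and the `find_environment_gates` helper are assumptions, and both traces are constructed.

```python
# Constructed sandbox traces (illustrative): "<seconds> <event> <detail> [status]"
GATED_TRACE = """\
0.00 proc_start sample.exe
0.41 dns_query mds.honda.com NXDOMAIN
0.43 proc_exit sample.exe
"""
NORMAL_TRACE = """\
0.00 proc_start updater.exe
0.20 dns_query updates.example.com NOERROR
0.90 file_write C:/Temp/update.tmp
5.10 proc_exit updater.exe
"""


def parse_trace(text):
    """Parse trace lines into (time, event, detail, status) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        status = parts[3] if len(parts) > 3 else ""
        events.append((float(parts[0]), parts[1], parts[2], status))
    return events


def find_environment_gates(text, max_gap=2.0):
    """Return names whose failed lookup was followed by a quick exit
    in a run that never wrote a file (hypothetical triage heuristic)."""
    events = parse_trace(text)
    wrote_files = any(kind == "file_write" for _, kind, _, _ in events)
    exit_times = [t for t, kind, _, _ in events if kind == "proc_exit"]
    gates = []
    for t, kind, name, status in events:
        if kind != "dns_query" or status != "NXDOMAIN":
            continue
        quick_exit = any(0 <= x - t <= max_gap for x in exit_times)
        if quick_exit and not wrote_files and name not in gates:
            gates.append(name)
    return gates


if __name__ == "__main__":
    print(find_environment_gates(GATED_TRACE))   # names worth an analyst's attention
    print(find_environment_gates(NORMAL_TRACE))
```

A name returned here tells the analyst that a "clean" sandbox verdict may only mean the sample was detonated outside the environment it was built for.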

Snake Ransom note dropped by sample found today
credit: milkream

It is unclear how many systems are affected but Snake is known to steal data before deploying the encryption routine.





Open database leaks sensitive info

If this proves to be an intrusion from an unauthorized party, it would be a significantly different security incident than what the company had to deal with last year when misconfigured databases exposed sensitive information on the public internet.

At the end of July 2019, security researcher Justin Paine found an unsecured ElasticSearch database containing information on about 300,000 Honda employees across the world, including the CEO.

Apart from personally identifiable information, the database instance included details about machines on the network, like the version of the operating system, hostnames, and patch status.

According to Paine’s research, a table called “uncontrolledmachines” listed systems on the internal network that did not have security software installed.

"If an attacker is looking for a way into Honda's network knowing which machines are far less likely to identify/block their attacks would be critical information. These "uncontrolled machines" could very easily be the open door into the entire network," Paine said.

Another open ElasticSearch database belonging to Honda was discovered on December 11 last year by security researcher Bob Diachenko. The records were unprotected on the public internet and included data about customers in North America.

The database was from a data logging and monitoring server for telematics services. It included full names, email addresses, phone numbers, postal addresses, vehicle make and model, as well as the vehicle identification number (VIN).

The company estimated that about 26,000 unique consumer-related records were exposed due to the misconfigured database.

This is a developing story
