Recently, Arnold Clark became one of the latest victims of note of Play ransomware (see "Arnold Clark customer data stolen in attack claimed by Play ransomware", bleepingcomputer.com).
This has huge implications for customers of Arnold Clark, never mind for Arnold Clark themselves, with the potential GDPR fines involved. Customer data has not only been stolen, but has presumably been used as leverage by the attackers in an attempt to secure a reasonably nice pay day in exchange for releasing the decryption keys.
Judging by their latest statement, it is safe to assume that Arnold Clark did not negotiate or pay any ransom, and that customer data now sits somewhere on the dark web. I imagine this is a great pay day for the attackers, as the information is likely to be valuable once it is collated. From experience in the motor trade, there's a fair chance that someone with access to a comprehensive set of email exchanges could collate enough information to commit online identity theft. Lots of documents are simply emailed so that the sales team can get your finance application sorted for your new motor.
An old friend in the motor trade tells me, on second-hand information, that the method of attack was the compromise of a public-facing MTA. While I can't comment on what happened inside Arnold Clark, or on their security procedures, I can apply a few assumptions based on what I know from previously working in the motor trade (not with Arnold Clark), and from performing comprehensive cybersecurity risk assessments as part of my work.
Working under the assumption (supported by what I hear from folks in the industry) that Arnold Clark use a similar groupware stack to most other motor traders of a similar size and structure, there will be Microsoft Exchange servers somewhere in the stack, and those are likely to be encrypted by ransomware if they are not deployed in accordance with full best practice.
I'm not here to critique the failings of potentially lacking security risk assessments, penetration tests, information security controls, or technical competence at Arnold Clark. However, there are some lessons you can take away to improve your security posture that you might want to consider if you operate a similar groupware stack, or deal with similar sorts of information.
Musing 1 – Doing a risk assessment
I wrote a whitepaper for Nexor recently, titled ‘The Importance of Security Context in a Secure By Design Approach’, which ultimately details how you can use Nexor’s adapted methodologies to understand the risks a system may have, and what controls you need to apply in order to gain confidence that your information really is secure. I will update this post with a link to access it at Nexor’s website once it has been published.
A comprehensive risk assessment should identify not only how an attacker may attempt to compromise your system, but also their motivations, and the impact if they were to successfully carry out an attack.
Another thing to consider with risk assessments and evaluating security is that they should be 'evergreen': reviewed regularly, so that assessments and risk treatment plans are still providing appropriate and effective security controls.
Musing 2 – Commodity attacks that are targeted
There are rumours that the deployment configuration was the means by which the attackers were able to realise their attack. These styles of attack really don't need a sophisticated threat actor to exploit; they need only enough motivation, i.e. the prospect of a good enough pay day on the dark web or from a ransom.
Musing 3 – Understand the Context
This is where enterprise architects tend to add value in an organisation, by thinking about the bigger picture. What is the business trying to achieve, and what interactions does that involve? The outcome might have been that a system was deployed or developed that kept sensitive information out of the email chain, i.e. a secure web portal or application that manages the process of doing business, or even just a secure 'drop box' for transferring the documents. While I appreciate some of this might be more of what you see in the mid-to-high assurance world, it is nonetheless a great way to evaluate whether there are more secure repositories in which to store data, which may be more difficult for commodity threats to compromise.
Musing 4 – Secure your software and appliances once they’re deployed
In short, should your management interfaces be accessible from the public internet? Absolutely not. Although my knowledge of deploying Exchange dates back to the beginning of my career, when I last did it, I have reason to believe that it may default to having all URLs and interfaces accessible from absolutely everywhere. It's a good idea to make sure those URLs are not accessible, and perhaps to put a proxy and web application firewall between the internet and your Exchange web server. A WAF is also a great way to defend against potential commodity zero-day vulnerabilities that might exist in the daemon that hosts the management interface or web application (such as Outlook Web Access), as it so happens.
As with management interfaces, if you have features exposed that you're not using, turn them off. Occasionally, zero-day vulnerabilities are found in software that are isolated to features or paths that simply don't need to be accessed. If you follow the MITRE ATT&CK framework, or even Dr Reason's Swiss Cheese model, you only need to thwart an attacker at one step in the attack chain to prevent them from realising their goals.
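As an added illustration of both points in this musing (example commands written for this post, not Arnold Clark's configuration or Microsoft's documentation verbatim), the Exchange Management Shell snippet below turns off the admin side of the /ecp virtual directory on an internet-facing server and disables POP3/IMAP4 where they are unused; the server name is an assumed placeholder.

```powershell
# Added example, not from the original post: tighten an internet-facing Exchange
# Client Access server along the lines of Musing 4. Run in the Exchange
# Management Shell. The server name below is an assumed placeholder.

$InternetFacingServer = 'EXCH01'   # assumed name of the CAS behind the proxy/WAF

# 1. Management interface off the internet.
#    The /ecp virtual directory serves both the Exchange admin center (EAC) and
#    the user "options" pages that OWA relies on. AdminEnabled $false switches
#    off only the admin side, so OWA keeps working while administrators reach
#    EAC through an internal-only server (or a separate internal ECP URL).
Set-EcpVirtualDirectory -Identity "$InternetFacingServer\ecp (Default Web Site)" `
    -AdminEnabled $false

# Verify: this query should return nothing on the internet-facing box.
$stillEnabled = Get-EcpVirtualDirectory -Server $InternetFacingServer |
    Where-Object { $_.AdminEnabled }
if ($stillEnabled) {
    Write-Warning "EAC still enabled on: $($stillEnabled.Identity)"
} else {
    Write-Output "EAC disabled on $InternetFacingServer"
}

# 2. Features you are not using, turned off.
#    If nobody uses POP3/IMAP4, remove them per mailbox and stop the listeners,
#    so a vulnerability in those services is simply not reachable.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# Front-end and back-end service names as used by Exchange 2013 and later.
foreach ($svc in 'MSExchangePop3', 'MSExchangePop3BE', 'MSExchangeImap4', 'MSExchangeImap4BE') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force
        Set-Service -Name $svc -StartupType Disabled
    }
}
```

Blocking the /ecp and /PowerShell paths for external clients at the proxy or WAF is the complementary control at the edge; the commands above reduce what is exposed even if that layer is misconfigured.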
Summary
I hope that I'm wrong about the information that has potentially leaked onto the dark web. If you're an Arnold Clark customer reading this, I would take extra steps to ensure that your bank accounts are secured appropriately (i.e. you have 2FA, your passwords haven't been compromised, and perhaps cut up your cards and get new ones issued), and let your bank know that you've fallen victim to this. I have personally seen ID documents and the like go through the mail systems of a motor trade company of a similar size to Arnold Clark, and they can potentially be used for some nasty identity theft attacks.
While I’ve never worked with Arnold Clark, I seriously hope they use this breach as an opportunity to review how they gain confidence in the security of their IT systems.