DFIR

Hello All. Again we see that basic cybersecurity hygiene such as the use of default passwords has again slipped the minds of another well-respected company. It seems as though Nissan North America, yes the same Nissan that manufacture cars and SUVs we know such as the Maxima and the Pathfinder have leaked source code online from a misconfigured Git server.

The leaked included 20GB of source code for the following applications:

  • Nissan NA Mobile apps
  • Components of the Nissan ASIST diagnostics tool
  • Dealer Business Systems / Dealer Portal
  • Nissan internal core mobile library
  • Nissan/Infiniti NCAR/ICAR services
  • Client acquisition and retention tools
  • Sales / market research tools and data
  • Nissan vehicle logistics portal
  • Vehicle connected services / Nissan connect things

The leak originated from a Git server that was left exposed on the internet with its default username and password combo of admin/admin.

Contents of the Torrent file “nissan-na-gitdump-EXCONFIDENTIAL”:

A post on a hacker forum explaining what happened:

Nissan was quoted following the breach in saying, “Nissan conducted an immediate investigation regarding improper access to proprietary company source code. We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident. The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk.”

This only proves that simple cybersecurity hygiene could be the difference between retaining your intellectual property or losing it to thieves. In the case of Nissan, even if they fix the problem and investigate further, the damage is already done with source code up on torrent sites.

Read more

Hello All. The deadline of December 31, 2020 that DHS’s Cybersecurity and Infrastructure Security Agency (CISA) have imposed requiring that all US federal agencies to update their SolarWinds Orion platform to the latest version of Orion has come and gone. We all know having been on the sharp end of the stick requiring the business to update vulnerable software can sometimes end with the business accepting the risk. This is essentially what CISA is requiring US Government depts. and agencies to do if they are unable to upgrade for some reason or another.

They also have to provide proof that a “forensic analysis” has been conducted to verify that a breach has not already occurred using the vulnerable install of Orion. However, there is even an exception for those who are unable to perform a forensic analysis – “Agencies running affected versions that have no capability to conduct forensic analysis (system memory, host storage, network, and cloud) shall, at minimum, hunt for IOCs or other evidence of threat actor activity published in ED 21-01, Activity Alert AA20-352A, and future associated guidance. Agencies that, through hunting and/or forensic analysis, find these IOCs or evidence of threat actor activity, such as secondary AOO, shall assume breach and must report it as an incident to CISA through https://us-cert.cisa.gov/report”

Here is the supplemental guidance v3 from CISA:

“This supplemental guidance v3 requires (1) agencies that ran affected versions conduct forensic analysis, (2) agencies that accept the risk of running SolarWinds Orion comply with certain hardening requirements, and (3) reporting by agency from department-level Chief Information Officers (CIOs) by Tuesday, January 19, and Monday, January 25, 2020.”

Would be interesting to know what the stats are on the remaining affected installations of Orion and what depts. and agencies are affected. With all the exceptions in place, do you think the US Government is leaving themselves open for breaches?

Read more on the CISA site: https://cyber.dhs.gov/ed/21-01/#supplemental-guidance

Read more