This isn't your everyday service outage. Garmin has been down for about 12h with hardly any customer comms, and it's leaking out that they've been attacked by ransomware. These services have a 24/7 health record of all of their wearable customers, as well as homes and training routes. https://twitter.com/campuscodi/status/1286354171692810240
It's now been about 24h. Hard to say for sure, because @Garmin service status doesn't disclose history, just current status. Not a peep from the company in the last 17 hours. Someone really doesn't know how SaaS is done.
https://connect.garmin.com/status/
Garmin flight computers are ubiquitous on smaller aircraft and GPS navigation is an essential, practically mandatory feature. That's down. So the planes are grounded.
The wearable service Garmin Connect has 24/7 health and location history data for its users. Remember how Strava Labs leaked the inside layouts of military bases? Well, this has the potential to compromise the safety of millions of Garmin customers. That's speculation now, of course.
The silence from the company is deafening. GDPR requires them to notify data protection offices within 72h of learning of any breach. Notifying customers as well is implied. We don't know when they learned of this, but the outage itself has now burned 1/3 of that budget.
Here's the journalist to follow on the Garmin outage: @campuscodi https://twitter.com/campuscodi/status/1286435177791664128?s=19
Not just intelligence agencies, either. https://twitter.com/mikko/status/1286408533010001923?s=20
It's now been about 24h since the last time @garmin said anything. Their head of communications has been completely silent throughout this episode. https://twitter.com/riskawareco/status/1286624153026666496?s=19
Incredible. @Garmin has now been down for 48 hours and still no update. If I had a role in either tech leadership or communication there, I could expect to be fired after a performance like this. Quarterly earnings call next week is going to be salty.
Garmin self-hosts everything, including their email servers. And they all run on Windows in the same auth domain. This is the only way the attack could affect everything or even justify an "abundance of caution" shutdown at this scale.
I'm also really disappointed how the media still hasn't realized this isn't about a couple of fitness tracking smart watches. Garmin offers critical services in their fly and inReach product lines used where 24/7 really matters. Those are also down for the 3rd day.
Isn't it amusing how a 3rd party social fitness app can communicate about Garmin downtime better than Garmin can, even though most of Garmin's truly important stuff is out of scope of social fitness? https://twitter.com/Strava/status/1286855293461098496?s=19
The first things you do when hit by an IT attack:

1. Pull up the game plan you've made for this situation
2. Round up everyone who's been in the exercises - also those on vacation
3. Name the people who will keep internal stakeholders and customers informed
What you do BEFORE:

1. Assess your critical assets
2. Outline the threat model for each
3. Prioritize work needed to address critical weaknesses
4. Outline the game plan on threat response
5. Schedule at least a semi-annual exercise to rehearse said plan
How you reduce risk of attack:

Hold regular training sessions to educate staff on expected modes of attack and their correct response (for most; "report to CISO, do nothing else").

Yep, that's it. Just educate.
How you reduce impact when attack does occur:

Segment your architecture so that no one gate opens to everything. That's what "firewalls" are. They're not the eggshell around your soft, mushy internals.

DO NOT run everything yourself. Externally hosted services are your friend.
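One way to make the "no one gate opens to everything" rule checkable is to compute the blast radius of each network or auth zone from the allow rules and flag any zone that can reach all the others. The script below is an added illustration, not Garmin's policy or anyone's real firewall export; the zone names and both rule sets are constructed sample data, and the first-matching-rule-wins evaluation is an assumption that mirrors how most firewalls order their rule tables.

```python
"""Segmentation check: flag zones from which a single foothold reaches every
other zone (the 'one gate opens to everything' anti-pattern).
Added illustration; zones and rules below are constructed sample data."""
from collections import deque

# Constructed zones; "any" in a rule is a wildcard like a firewall's any/any.
ZONES = {"office", "email", "saas-prod", "support", "factory", "backup"}


def expand(rule, zones):
    """Yield (src, dst) pairs covered by a rule, expanding 'any' wildcards."""
    srcs = zones if rule["src"] == "any" else {rule["src"]}
    dsts = zones if rule["dst"] == "any" else {rule["dst"]}
    for s in srcs:
        for d in dsts:
            if s != d:
                yield s, d


def allowed_edges(rules, zones):
    """Build the allow graph. First matching rule wins (assumed ordering)."""
    edges = {z: set() for z in zones}
    decided = set()
    for rule in rules:
        for s, d in expand(rule, zones):
            if (s, d) in decided:
                continue
            decided.add((s, d))
            if rule["action"] == "allow":
                edges[s].add(d)
    return edges


def reachable_from(edges, start):
    """Zones an intruder holding `start` could pivot to, transitively."""
    seen, queue = {start}, deque([start])
    while queue:
        z = queue.popleft()
        for nxt in edges[z]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(rules, zones):
    """Map each zone to the set of other zones reachable from it."""
    edges = allowed_edges(rules, zones)
    return {z: reachable_from(edges, z) for z in zones}


def single_gates(rules, zones):
    """Zones from which every other zone is reachable: what segmentation must eliminate."""
    return sorted(z for z, r in blast_radius(rules, zones).items() if r == zones - {z})


# Constructed policies: a flat any/any network versus a segmented one.
FLAT_POLICY = [{"src": "any", "dst": "any", "action": "allow"}]

SEGMENTED_POLICY = [
    {"src": "office", "dst": "email", "action": "allow"},
    {"src": "office", "dst": "saas-prod", "action": "allow"},
    {"src": "support", "dst": "saas-prod", "action": "allow"},
    {"src": "saas-prod", "dst": "backup", "action": "allow"},
    {"src": "any", "dst": "any", "action": "deny"},  # default deny closes the rest
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "single gates:", single_gates(policy, ZONES))
        for z, r in sorted(blast_radius(policy, ZONES).items()):
            print(f"  {z:10} -> {sorted(r)}")
```

Run against the flat policy, every zone is a single gate, which is the situation a shared auth domain plus any/any rules produces; against the segmented policy no zone reaches everything, and the factory zone is reachable from nowhere. The same reachability logic applies to trust relationships between authentication domains, not only to packet filters.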
What your communication plan must include, at minimum:

- outline of regular exec team update
- customer outreach plan and comms channels - which are kept open at all times
- internal all-hands update content, to be updated at least twice a day
- investor update named contacts
Shutting down all of your external and internal comms channels (such as email servers) as part of incident response is basically saying "a nuclear bomb went off, our HQ is now a glowing crater. Good luck, beware of zombies and mutant cockroaches."
Staying shut down might have seemed like a good idea at first, but on the 3rd day it reeks of panic. And in about 15 hours, they'll have exceeded the GDPR notice deadline - if they haven't already, since I saw a maintenance announcement Mon/Tue this week. https://twitter.com/Kladum/status/1286946195626229760?s=19
https://twitter.com/osma/status/1286953759944384512?s=19
It seems not many Garmin executives are on Twitter. Perhaps that's why they didn't take any notes last week about how to inform impacted stakeholders. #garmindown #garminhacked https://twitter.com/osma/status/1286971484192280579?s=19
Here's some detail of what might and might not work in Garmin inReach, an emergency beacon product for backpackers, climbers and people in other hard-to-reach places. That is, SOS perhaps works, except if you share a location with the message. https://twitter.com/simonw/status/1287018914564542466?s=19
Questions to @Garmin CEO Cliff Pemble 1/n

1. When did Garmin IT learn of the attack?
2. When were you personally informed?
3. Which group made the decision to shut everything down?
4. Why was keeping customers informed not part of the decision?
2/n

5. Was there a disaster recovery plan for a similar scenario?
6. What were the contents of that plan?
7. Was the plan followed?
8. What key learnings have been collected during incident management?
9. Who has led the management and recovery process?
3/n

10. What in the company's organizational structure enabled whole-systems takeover of this scale?
11. What in the company's IT architecture enabled an incident to escalate from services to support to factory production lines at once?
4/n

12. Why did the systems shutdown also cover all communication channels?
13. How did the executive team ensure customers would be kept informed throughout the incident?
14. Why did that fail, with no information shared?
15. What outside expertise has been engaged since?
5/5

16. How has Garmin ensured customers' personal data security?
17. How will Garmin ensure no such incident escalation will happen again?
18. What is the budget of Garmin's data security unit?
19. Who leads that unit and what are his/her credentials?
If you'd like to see Garmin answer for what they've been up to during and leading up to this incident, one way to help could be to like/retweet this reply to draw their attention (if there's any). https://twitter.com/osma/status/1287028854092177409?s=19
Here's another thread with good perspective and some new info: apparently the flight services are recovering. Looking for confirmation. https://twitter.com/attack_monkey/status/1286919269771509760?s=19
You can follow @osma.