Unfortunately this thread broke in half due to me forgetting to bookmark a toot - here’s the original half https://cyberplace.social/@GossiTheDog/115134898389127599
The lapsus guys continue to go nuts on IRC^H^H^HTelegram https://www.bbc.co.uk/news/articles/c4gqepe5355o
Jaguar Land Rover have contained their network and stopped production after what appears to be a ransomware incident. VPNs and network border in UK all down.
To back up ReliaQuest - this is the exploit LAPSUS guys have running around with on SAP Netweaver, just had a look this evening after acquiring the exploit. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
There’s a metric ton - over 5 figures - of these boxes directly internet facing. Worse; from version printing, less than 5% are patched for the two CVEs being exploited.
Liverpool Echo reports Jaguar Land Rover production still isn't running, with factory staff told to stay at home, and report it impacts all manufacturing locations. https://www.liverpoolecho.co.uk/news/liverpool-news/update-jaguar-land-rover-shut-32411513
Separately, the network border is also still offline (I have monitoring in place to see when they come back online).
If anybody runs into a LAPSUS$ incident at their org hit me up on Signal, I can try to help profile their MO as been there, done that.
They'll frequently not even bother to deploy ransomware, they'll also do crazy things (and like to write about poo, and send people poo packages in the mail). It's basically like fighting Mr Bean, who is also good at computers.
ITV News 6pm lead story on Jaguar Land Rover
Key take away is anonymous source at JLR saying they may need UK government support for motor sector off the back of the incident.
One surprising thing with the Jaguar Land Rover incident - they've only isolated JAGUAR LAND ROVER AUTOMOTIVE PLC (AS205756), the UK network. The India, China etc networks are still online.
When I dealt with LAPSUS elsewhere they entered via a different country network/biz unit and then pivoted to target country/biz unit.
JLR UK have got one internet facing system back online - wslx.jlrext.com
Single factor auth only because that's how automotives roll. If you visit direct IP, it's still branded Ford - Ford sold the business in 2008.
JLR are keeping car production closed until least Monday. They also say “some data was impacted”, whatever that means.
https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-issues-crisis-32447659
Unite are calling on the government to urgently intervene over the Jaguar Land Rover cyber incident, to introduce a furlough scheme for JLRs suppliers.
If anybody is interested, TCS’ website says JLR outsourced cybersecurity (not sure which bits) to it a few years ago.
TCS also run security operations and monitoring for Co-op (my old team) along with their IT and IT helpdesk, and M&S secops monitoring, IT and IT helpdesk.
In my own story, I discovered JLR outsourced different cybersecurity areas to TCS and then made many of the UK team redundant 6 months ago.
Liam Byrne MP, the chair of the Commons business and trade committee has said "We think this is an attack which is much, much worse than the attack that took down Marks and Spencer."
He's calling for the government to insure suppliers via taxpayer money when orgs get hit with ransomware.
https://www.bbc.co.uk/news/articles/cwyrqxj3eqqo
This is JLR's parent company, and this is JLR's network border today - personally, I think there's no way the government should have the obligation to bail out this situation.
JLR just made their most profits in a decade, after making cybersecurity staff redundant in March. JLR need their suppliers to resume production. JLR should pay their suppliers: they can afford it, and need them.
Or business could improve their IT Security rather than worrying about paying shareholders ever-increasing dividends.
Why should taxpayers subsidise incompetent or careless businesses? 🤔
Say Tata to your business.
So JLR don't have business interrupion and or Consiquential Losses insurance? 🫤
Or money in the bank? 🤔
If JLR's workers we're getting paid (and they should be) then that's partial mitigation for some employees service providers (local businesses, shops etc).
Those business to business service providers should have their own mitigations in place for business interruption issues as JRL should.
Ultimately it is an interconnected market economy, not largely state controlled. Although JLR might be heading that way, if it remains viable.
If UK Gov needs to hand out "free" cash it then perhaps it needs to own part or all if the business? Before it's later sold to VW Group or Stalantis 🤔🤷♂️
@simonzerafa @womble “Those business to business service providers should have their own mitigations in place for business interruption issues as JRL should.”
What’s interesting in this case is most automotive is on a JIT delivery model so they don’t warehouse components. e.g. Mini bumpers arrive in colour order at Oxford to match the cars going down the assembly line. They don’t just get a truckload of red ones, then blue ones, etc. Suppliers incur fines if parts don’t arrive (halting production) and conversely Mini can cop large fines if they have to request a shipping pause (because the suppliers also have no warehousing for finished parts and need them out the door, or *they* have to halt production). JLR will have similar provisions and I’d be fascinated to know what liabilities they’ve incurred stopping prod for weeks. Presumably claiming force majeur and saying “no one gets anything”, which will be fun for the lawyers.
@GossiTheDog as a tax payer, but also a union member: screw that.
JLR should have insurance to cover this.
It isn't JLR that's affected here though (although they are, and friends of mine who work for them are currently having nightmares) - it's their suppliers. By that argument, they should also have insurance.
I guess tying a small company's entire output to one upstream behemoth used to be a safe bet, but not now.
And `admin` // `Superman123!` is definitely not the creds
@GossiTheDog ah, but what kind of system is it running on? IIS on a 2008 R2 box?
Edit: Shodan shows it reporting Apache at a UK ip, plus a bunch of related subdomains on AWS in Germany.
Kevin Beaumont
The Penguin of Evil
Alastair Temple
Rairii 
Third spruce tree on the left
effectuator
Simon Zerafa
Neil Craig
Fazal Majid
I can’t believe its not @twcau
b3lt3r
Darryl Ramm
fuzzyfuzzyfungus
Martin Boller 
Brian Clark
Sleeper_cell_spy
lnxgeek
Matt Palmer
richh
Gary 
Greem (Graeme. Not Graham!)
T1- Push The Button
Alex
Jernej Simončič �
Alan Miller 
🇺🇦
Adrian Sanabria
J$
Khleedril
rx13 
Rob
Bill Bernard
TheTomas
GezThePez
Tanawts
Steven Reed