Unfortunately this thread broke in half due to me forgetting to bookmark a toot - here’s the original half https://cyberplace.social/@GossiTheDog/115134898389127599

The lapsus guys continue to go nuts on IRC^H^H^HTelegram https://www.bbc.co.uk/news/articles/c4gqepe5355o

Kevin Beaumont (@GossiTheDog@cyberplace.social)

Jaguar Land Rover have contained their network and stopped production after what appears to be a ransomware incident. VPNs and network border in UK all down.


To back up ReliaQuest - this is the exploit LAPSUS guys have been running around with on SAP Netweaver, just had a look this evening after acquiring the exploit. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/

There’s a metric ton - over 5 figures - of these boxes directly internet facing. Worse; from version printing, less than 5% are patched for the two CVEs being exploited.

Liverpool Echo reports Jaguar Land Rover production still isn't running, with factory staff told to stay at home, and report it impacts all manufacturing locations. https://www.liverpoolecho.co.uk/news/liverpool-news/update-jaguar-land-rover-shut-32411513

Separately, the network border is also still offline (I have monitoring in place to see when they come back online).

Update on Jaguar Land Rover shut down as Merseyside workers still at home

Global shut down continues into fourth day as group claims responsibility for cyber attack


If anybody runs into a LAPSUS$ incident at their org hit me up on Signal, I can try to help profile their MO as been there, done that.

They'll frequently not even bother to deploy ransomware, they'll also do crazy things (and like to write about poo, and send people poo packages in the mail). It's basically like fighting Mr Bean, who is also good at computers.

This isn't anything against the LAPSUS guys btw as they're basically having a five year ninja fight with Mandiant, DART, cyber standards and law enforcement while playing teenage Mr Bean and let's be honest... that's pretty funny and eye opening.

ITV reports Jaguar Land Rover has shut down car production in the UK, Slovakia, China, India and Brazil.
https://www.itv.com/news/2025-09-04/jaguar-land-rover-temporarily-halts-all-car-production-following-cyber-attack

ITV News 6pm lead story on Jaguar Land Rover

Key take away is anonymous source at JLR saying they may need UK government support for motor sector off the back of the incident.

https://www.youtube.com/watch?v=V4xQz0iKK4g

Jaguar Land Rover halts all car production following cyber attack | ITV News

JLR is keeping all factory production suspended today, tomorrow, Sunday and at least Monday (possibly longer) in UK, Slovakia, China, India and Brazil.
https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-staff-until-32413174

Jaguar Land Rover staff to be off until at least Tuesday as cyber crisis grows

Email to production workers at car giant's Halewood plant says they will be stood down on Friday and Monday after hack

JLR directly employ 32k people in the UK so I imagine there's going to be ripple effects on the wider economy off the back of this one the longer it goes on.

Meanwhile the LAPSUS guys were busy posting large numbers of US defense Top Secret marked documents last night. They've since been deleted from Telegram.

One surprising thing with the Jaguar Land Rover incident - they've only isolated JAGUAR LAND ROVER AUTOMOTIVE PLC (AS205756), the UK network. The India, China etc networks are still online.

When I dealt with LAPSUS elsewhere they entered via a different country network/biz unit and then pivoted to target country/biz unit.

JLR UK have got one internet facing system back online - wslx.jlrext.com

Single factor auth only because that's how automotives roll. If you visit direct IP, it's still branded Ford - Ford sold the business in 2008.

Just checked in on JLR - factory production won't be resuming tomorrow (day 7).

Jaguar Land Rover car production is still shut down tomorrow, day 8. I’ve checked the network border, everything except one system in UK is also still offline.

JLR are keeping car production closed until at least Monday. They also say “some data was impacted”, whatever that means.

https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-issues-crisis-32447659

Jaguar Land Rover issues crisis update 10 days after staff told to stay at home

Ten days after the major car manufacturer was hit by a cyber attack staff have still not returned to the factory

JLR have started switching border routers back on (don't ask me why SNMP, NTP and SSH are internet facing).

JLR shouldn't feel bad, Tata Motors (their parent) is in way worse shape. They've even got Exchange Server with OWA internet facing without MFA.

Jaguar Land Rover have told factory workers worldwide to stay home until at least next Wednesday, which will be 17 days since the cyber incident began. https://www.bbc.co.uk/news/articles/c3e712nvyz9o.amp

Jaguar Land Rover plants shut until Wednesday after cyber attack - BBC News

Staff in Solihull, Halewood and Wolverhampton have been told not to come into work until Wednesday.


Unite are calling on the government to urgently intervene over the Jaguar Land Rover cyber incident, to introduce a furlough scheme for JLR's suppliers.

https://www.unitetheunion.org/news-events/news/2025/september/jlr-supply-chain-workers-impacted-by-cyberattack-must-receive-government-support-says-unite

@GossiTheDog

So JLR don't have business interruption and/or Consequential Losses insurance? 🫤

Or money in the bank? 🤔

@simonzerafa this isn't about JLR, it's about their suppliers, who aren't getting any orders and hence have neither work for their employees nor the money to pay them.

@womble

If JLR's workers were getting paid (and they should be) then that's partial mitigation for some employees service providers (local businesses, shops etc).

Those business to business service providers should have their own mitigations in place for business interruption issues as JLR should.

Ultimately it is an interconnected market economy, not largely state controlled. Although JLR might be heading that way, if it remains viable.

If UK Gov needs to hand out "free" cash then perhaps it needs to own part or all of the business? Before it's later sold to VW Group or Stellantis 🤔🤷‍♂️

@simonzerafa @womble “Those business to business service providers should have their own mitigations in place for business interruption issues as JLR should.”

What’s interesting in this case is most automotive is on a JIT delivery model so they don’t warehouse components. e.g. Mini bumpers arrive in colour order at Oxford to match the cars going down the assembly line. They don’t just get a truckload of red ones, then blue ones, etc. Suppliers incur fines if parts don’t arrive (halting production) and conversely Mini can cop large fines if they have to request a shipping pause (because the suppliers also have no warehousing for finished parts and need them out the door, or *they* have to halt production). JLR will have similar provisions and I’d be fascinated to know what liabilities they’ve incurred stopping prod for weeks. Presumably claiming force majeure and saying “no one gets anything”, which will be fun for the lawyers.