Garmin Web-Based Utilities Down After Suspected Attack (Updated)


On Monday, July 27, 2020, Garmin officially announced it was the victim of a cyber attack that encrypted some of its systems during the previous business week. The data outage spread across nearly all of Garmin’s consumer markets, stopping the flow of data between Garmin devices and its cloud storage network. This included flyGarmin and its website, plus the Garmin Pilot app. That in turn shut down flight planning on Garmin’s platform, halted nav data downloads and locked out electronic logbook data.

Multiple markets were relieved when data started flowing again early Monday. And with safety-of-flight critical data mostly back, Garmin addressed consumer identity concerns from the attack.

“We immediately began to assess the nature of the attack and started remediation. We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen,” it said in the statement. It said affected systems are being restored and expects its systems will return to normal in a few days.

Forbes is reporting Garmin has been told by ransomware hackers to pay $10 million to restore the accounts of millions of users worldwide who have been without cloud-based services since Friday. Quoting BleepingComputer, Forbes says Garmin’s systems were taken down by the WastedLocker ransomware and it cut quite a swath through the company’s extensive list of cloud accounts.

Pilots who use Garmin’s web-based planning tools, including flyGarmin and FltPlan.com, as well as syncing functions inside the Garmin Pilot app, had been severely affected by a massive outage that began on July 23, 2020. Many of Garmin’s key “cloud” systems were down most of Thursday, but by Friday morning (July 24), several of the company’s Connext services had been restored, including phone and SMS features sent via Iridium satellite devices. Some flight plan filing features and account syncing via Garmin Pilot were still down.

On Friday, Garmin told AVweb that as they work to restore the data, users will likely still experience degraded performance in flight planning and even with database concierge utilities, and it’s likely that various services will come back and others go offline as the company acts to restore service and implement data-recovery procedures. That turned out to be true.

The outage also affected Garmin’s call centers, and the company was unable to receive phone calls, emails and chats on Friday. Web-based forums were also down.

Aviation users aren’t alone—the outage also affected the Connect utility used by Garmin fitness devices. This hinders syncing the device with the Connect app, and all the sports training logs you’ve stored in the fitness platform vanish. We can attest to losing a lot of training data, and are pleased to now have it back!

WastedLocker is a relatively new strain of ransomware run by a criminal group known as Evil Corp, which Malwarebytes Labs reports is believed to be based in Russia. Unlike commodity ransomware that is sprayed at anyone, WastedLocker is deployed by hand and tailored to the security setup of an individual target, usually large companies in the U.S. and a few in Europe. The encryptor renames each file it encrypts and drops a separate ransom note beside it, named after that file, so a victim finds a note for every encrypted file rather than one note per folder. The initial foothold is typically a fake software-update alert or similar bogus request that someone with credentials mistakes for a legitimate issue and clicks through, handing the operators a session or a login. From there the operators move laterally to domain-level access, and before the encryptor runs they hunt for and disable or encrypt backups, which can include backups synced to cloud storage, so that recovery without paying is as hard as possible.
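One artifact the paragraph above describes, a ransom note dropped beside each encrypted file and named after it, is something a responder can hunt for on a file share while the incident is still unfolding. The script below is an added example, not code from AVweb, Garmin or the Malwarebytes report: it walks a directory tree, pairs each renamed file with a companion note, and confirms the file body is high-entropy (ciphertext rather than a file that was merely renamed). The `.locked` and `_info` suffixes are hypothetical placeholders for the constructed sample tree; set them to whatever the real incident shows on disk.

```python
import math
import os
import tempfile
from pathlib import Path

# Hypothetical naming used only for the constructed sample below:
# "logbook.csv" becomes "logbook.csv.locked" with a note "logbook.csv.locked_info"
# beside it. The real extension and note name vary per victim; adjust to match.
ENC_SUFFIX = ".locked"
NOTE_SUFFIX = "_info"
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain text sits around 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values close to 8.0 indicate encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_for_ransomware_artifacts(root: str,
                                  enc_suffix: str = ENC_SUFFIX,
                                  note_suffix: str = NOTE_SUFFIX,
                                  threshold: float = ENTROPY_THRESHOLD):
    """Return (encrypted_path, note_path, entropy) for every file that has a
    companion ransom note named after it AND whose contents look like ciphertext."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not path.name.endswith(enc_suffix):
            continue
        note = path.with_name(path.name + note_suffix)
        if not note.is_file():
            continue  # renamed but no per-file note: not the pattern being hunted
        ent = shannon_entropy(path.read_bytes()[:65536])  # first 64 KiB is enough
        if ent >= threshold:
            hits.append((str(path), str(note), round(ent, 2)))
    return hits


def build_sample_tree() -> str:
    """Constructed sample directory; not data from the Garmin incident."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    docs = Path(root, "docs")
    docs.mkdir()
    # An untouched plain-text file: no suffix, no note, low entropy.
    (docs / "readme.txt").write_text("Flight plan notes for KORD-KSEA.\n" * 40)
    # Two "encrypted" files (random bytes stand in for ciphertext) with per-file notes.
    for name in ("logbook.csv", "navdata.bin"):
        enc = docs / (name + ENC_SUFFIX)
        enc.write_bytes(os.urandom(8192))
        (docs / (enc.name + NOTE_SUFFIX)).write_text("your files are encrypted\n")
    # A renamed but not encrypted file with no note: must NOT be flagged.
    (docs / ("decoy.txt" + ENC_SUFFIX)).write_text("not really encrypted\n" * 50)
    return root


if __name__ == "__main__":
    for enc, note, ent in scan_for_ransomware_artifacts(build_sample_tree()):
        print(f"{enc}  note={note}  entropy={ent}")
```

Run it against a mounted copy of the share, not the live volume, and treat every hit as a timestamp: the note's mtime tells you when the encryptor reached that directory, which is the fastest way to map how far the outbreak spread before the share was isolated.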


12 COMMENTS

    • More likely, someone needs to refer the accounting department to this as a reason *not* to keep trying to cut corners on the IT department’s budget. Everywhere I’ve worked, it’s always been a battle to get the funding to do what is necessary to keep things working properly, only to have the budget slashed and be told we (IT) are just an expense. It’s only when disasters strike that suddenly IT is no longer an expense, but rather an investment.

  1. Let’s be perfectly clear.
    Someone at Garmin had to open an email and click on a link that executed the malware payload, releasing the ransomware. Or it took them to a website that did the same.
    That is how ransomware attacks work. Hackers don’t break in; they are invited in by an unsuspecting (poorly trained) employee sitting at their computer.
    This all goes to training, awareness, and training. Some blame can be laid at their ISP as well.
    Garmin’s IT department needs to work on their in-house email servers and firewalls… and training.
    Did I remember to mention training?
    I was an IT contractor for several departments/agencies at DOD (retired now) and training in IT security is required every year for everyone. Now, that is not foolproof and things can still happen, but it helps to minimize attacks. Plus those IT systems are locked far deeper than any company is willing to do or pay for.
    Where my wife works, their IT folks randomly send out a bogus phishing/malware email to see who bites. Once in a while someone bites, surprisingly a younger new person.
    We are never going to be 100% safe, but with training and awareness a lot can be mitigated.

    • “We are never going to be 100% safe but with training and awareness….”

      Which is where the aforementioned proper backup procedures come in. End-user training minimizes the number of events and hence the associated downtime. But only robust, in-depth backup procedures will protect from the inevitable “wrong click”. Backups are boring, dull, unsexy… until they’re needed.

      As you know (but for those who don’t), phishing attacks (fake e-mails) have become really good in the past couple of years. Gone are the days of spotting e-mails due to poor spelling, foreign grammar, or outrageous offers. They’re now called “spear phishing” because they are so well targeted. The hackers will carefully craft specific e-mails written just for one person in an organization. Once “in”, they’ll spend days/weeks/months studying data flow to figure out who to hit and exactly how. It’s practically an inside job.

    • It’s not so much “Monday morning quarterbacking” as it is discussing something that can happen to anyone with a computer that has internet access. Yes, individuals can be targeted and have their own data ransomed, just like what happened with Garmin. It’s the same reason we read and discuss accidents that happen at the “majors”, because we can learn something from them.

  2. About two weeks ago the US extradited the Nigerian boss of a mafia which made billions, with a b, by getting basic company details, then ringing up the finance departments at 4 pm Friday afternoons and saying “Hello John (or whatever the first name of the deputy assistant accountant with authority for transfers was), this is Jake Bigshot, the CEO. Look, I am in China (India, Thailand) now and have really come across a great deal, and I need you to transfer $2.37 million into this account now or we will lose it…” and they did.
    Come Monday, turns out the CEO was on the golf course, and by the end of the month wondering why the payroll was bouncing…
    The thing is, it took years to get this chap to the stage where he will face trial, even though the bank trail of where all the money went was clear. Eventually he was nabbed in UAE, a part of the world which now does not want to get a reputation worse than it already has for dirty money.
    With Garmin, I bet they cannot find any law agency interested in arresting the criminals who wanted the ransom, even though they could trace them, complete with name, address, photo and internet provider bill, in about all of two minutes. And that is the problem. Garmin could do it itself, slightly longer, and then what — send the goons around? See the problem when the police are not interested.

  3. Read “Sandworm” by Andy Greenberg to understand how security issues with software can provide “back door” access to a company’s IT systems. And also how vulnerable infrastructure like our power grid is.

  4. Even a fraction of $10 million should be enough to attract the interest of a tech savvy merc. Of course a performance based contract would be required. “Thinning the herd” could be an effective deterrent for this kind of activity.