One Top-Tier Automotive Giant, Two Dangerous Attack Paths

Posted by: Felix Weber
November 16, 2023

It likely comes as no great surprise – cybersecurity is a paramount concern in the automotive industry. 

For all of the same reasons it’s a critical concern in virtually every other industry, it’s important in the automotive industry. But the world of vehicle production does have some of its own unique concerns when it comes to cybersecurity, which put it at greater potential risk – like the increasing digitization of production and (even more critically) of the vehicles themselves.

When it comes to cars, complex computer systems and interconnected networks mean that threat actors could exploit vulnerabilities to compromise safety functions – brakes, steering, navigation, and more. In automotive components and vehicle production, effective cybersecurity is crucial to safeguard manufacturing processes and prevent disruptions. Production lines increasingly rely on interconnected systems – making every vulnerability or misconfiguration a potential entry point for threat actors. Successful cyberattacks on manufacturing processes can result in production delays, financial losses, quality issues, reputational damage and regulatory penalties. 

At one of our large multinational automotive clients, we recently identified and mitigated two pretty dangerous attack paths that could have easily led to production shutdowns – if not endangered business continuity itself. 

But why identify and explore their attack paths? 

Attack Paths in Automotive

Attack paths are the routes that attackers can take to enter systems and reach assets. Certain exposures, on their own, cannot be leveraged in any significant way by attackers. But if you’ve been following the XM Cyber blog, you’ll know that attackers don’t look at the individual exposure – instead they leverage a combination of vulnerabilities, misconfigurations, overly permissive identities, and other security gaps to move across systems and reach sensitive assets. This allows them to cause significant and ongoing damage while hiding inside networks. 

Understanding attack paths helps us understand how attackers can compromise critical assets. And by understanding the construct of attack paths, we can better understand how the attacks would have occurred – and importantly, how to prevent similar attacks down the road.

In this particular environment, all of these attack paths revolved around potential credential dumping – obtaining user credentials like usernames and passwords, or tokens from an operating system or software. These credentials enable a threat actor to move laterally within the network, gain access to restricted information, install malware, and basically do anything else. 

Here’s what we discovered:

Attack Path #1

  • The attack path – Security analysts located a client machine from which a threat actor could compromise an AD admin account, which was a member of a highly privileged AD Security Group. This enabled the hacker to get permissions to access the domain controller – compromising the domain itself in just four hops. 
  • In just one further step, even the domain could be compromised – again, leading to potential company-wide compromise.
  • The impact – The permissions defined in Active Directory are critical, as a single vulnerable Windows device was essentially a choke point – potentially leading to full compromise. Domain compromise can enable unrestricted access, data breaches, and manipulation of online assets – jeopardizing privacy, security, and potentially causing widespread harm.

Attack Path #2

  • The attack path – XM Cyber security analysts found that a device linked to a Helpdesk Group member was vulnerable. A threat actor who gained access to this particular device and used credential harvesting methods could reset a highly privileged user password. From this, the threat actor could gain direct access to further critical assets. 
  • The impact – Due to a simple AD group membership issue, nearly all critical assets were at risk. Reviewing Active Directory membership and permissions was crucial for the company’s security. 
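
The two paths above can be modeled as a small directed graph. The following is an added example, not XM Cyber's tooling or data from the engagement: node names and edge labels are constructed assumptions. It counts hops with a breadth-first search, lists the intermediate nodes whose removal breaks a path, and lets you remove one edge type to see the effect of a control such as preventing credential caching.

```python
from collections import deque

# Constructed model of the two paths described above; node names and edge
# labels are illustrative assumptions, not data from the engagement.
EDGES = [
    ("client-pc", "ad-admin", "cached credentials"),
    ("ad-admin", "priv-group", "member of"),
    ("priv-group", "domain-controller", "access permissions"),
    ("domain-controller", "domain", "controls"),
    ("helpdesk-pc", "helpdesk-user", "cached credentials"),
    ("helpdesk-user", "helpdesk-group", "member of"),
    ("helpdesk-group", "priv-user", "reset password"),
    ("priv-user", "critical-assets", "access"),
]

def shortest_path(edges, start, target):
    """Breadth-first search; returns the node list of a shortest path or None."""
    adj = {}
    for src, dst, _ in edges:
        adj.setdefault(src, []).append(dst)
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def choke_points(edges, start, target):
    """Intermediate nodes whose removal leaves no path from start to target."""
    path = shortest_path(edges, start, target) or []
    return [n for n in path[1:-1]
            if shortest_path([e for e in edges if n not in e[:2]], start, target) is None]

def without_label(edges, label):
    """Model a control that removes one edge type, e.g. no cached credentials."""
    return [e for e in edges if e[2] != label]

if __name__ == "__main__":
    path = shortest_path(EDGES, "client-pc", "domain")
    print(" -> ".join(path), f"({len(path) - 1} hops)")
    print("choke points:", choke_points(EDGES, "client-pc", "domain"))
```

Calling `shortest_path(without_label(EDGES, "cached credentials"), ...)` for either entry point returns `None` in this model, which is the graph-level effect of keeping privileged credentials off the workstation.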

The Takeaways

These attack paths were remediated through a combination of measures: a privileged access strategy and securing privileged access; methods that keep account credentials from being cached, such as Credential Guard and the Protected Users group; more tightly securing the AD account; implementing tiering models; and suggesting that the company use a separate device, known as a Privileged Access Workstation, for remote connections.

Overall, the instances above illustrate how Active Directory security needs to be brought to the forefront of security leader mindshare – in the automotive and other industries as well. AD is a core identity and access management solution – mission critical to enterprises of all sizes. Attack paths like the examples above are highly common, and place mission-critical company assets at risk.

Felix Weber

Fifteen years' IT experience in different roles, including 1st-level, 2nd-level and onsite support, in international projects and global team cooperation. At XM Cyber, Felix is the Customer Success Manager for enterprise customers. He has a passion for chocolate, triathlons, mountain biking and ice hockey.
