Dealership M&A Cyber Vulnerabilities

Summary

RedXray is a cyber threat notification service through Red Sky Alliance that simplifies cybersecurity monitoring for organizations and supply chains.  This document summarizes threats reported by RedXray for Lithia Motors Incorporated (Inc.) over the past three years.  In this timeframe, data from multiple collection indices was observed.  Lithia Motors Inc. is in the process of purchasing three Tampa Bay, FL dealerships for nearly $40 million.  Lithia, based in Medford, Ore., will purchase Wesley Chapel Toyota and Wesley Chapel Honda from the Williams Automotive Group.  Cyber vulnerabilities multiply when mergers and acquisitions are in process.

Raw data is also available in companion .CSV files.

Details

Lithia Motors Incorporated is an American nationwide automotive retailer headquartered in Medford, Oregon.  It is the third largest automotive retailer in the US.  In 2015, Lithia Motors broke into the Fortune 500 list at #482.

RedXray “hits” are derived from primary sourced intelligence collections and take inputs from customer infrastructure, such as domains and IPs.  The following is an example of the RedXray dashboard displaying threats for domains, networks and companies associated with Lithia Motors Inc.

RedXray focuses on four general categories: malware infections, data breaches, malicious emails, and phishing.  The following are examples for Lithia Motors with context and general mitigations.

RECENT DATA (< 6 MONTHS AGO):

  • Data breaches & leakage

This includes any sensitive data that has been compromised, whether as a result of a malware infection or a third-party database breach.  Breach data can come from several other sources on the deep and dark webs.  The following are examples of breach data captured for Lithia Motors:


What does this mean?

Depending on the nature of the leaked database, exposed information may vary from just email addresses, to username and password combinations and other personally identifiable information (PII).   RedXray contains the raw breach data so you can easily view what type of data has been exposed.  If the breach data contains passwords, then Red Sky Alliance recommends enforcing a password reset and investigating whether there has been unauthorized access of the account. In this case, passwords are included in the breach data but redacted above for privacy.
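The triage described above, sketched as an added example that is not Red Sky Alliance's code: it groups breach rows per account, marks which exposures include a password (the reset-and-investigate case) and which fall in the report's "recent" window of under six months. The CSV column names, the sample rows and the `example-dealer.test` domain are constructed assumptions, not the schema of the companion .CSV files.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample rows; the column names are assumptions for illustration.
SAMPLE_CSV = """email,password,breach_name,observed
Alice@example-dealer.test,<redacted>,forum_dump,2019-10-02
alice@example-dealer.test,,marketing_list,2019-11-20
bob@example-dealer.test,,marketing_list,2018-03-14
carol@example-dealer.test,<redacted>,old_dump,2017-06-30
dave@other-org.test,<redacted>,forum_dump,2019-10-02
"""

def triage(csv_text, org_domain, today, recent_days=183):
    """Return {email: summary} for accounts in org_domain found in breach data."""
    cutoff = today - timedelta(days=recent_days)  # "recent" = under ~6 months
    accounts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        # Compare the exact domain part so look-alike domains do not match.
        if email.rpartition("@")[2] != org_domain.lower():
            continue
        acct = accounts.setdefault(
            email, {"breaches": set(), "password_exposed": False, "recent": False}
        )
        acct["breaches"].add(row["breach_name"])
        if row["password"].strip():
            acct["password_exposed"] = True
        if date.fromisoformat(row["observed"]) >= cutoff:
            acct["recent"] = True
    for acct in accounts.values():
        # A password in the breach data means: reset it and check for
        # unauthorized access to the account.
        acct["reset_required"] = acct["password_exposed"]
    return accounts

def reset_list(accounts):
    """Accounts needing a forced reset, recent exposures first."""
    hits = [(e, a) for e, a in accounts.items() if a["reset_required"]]
    return [e for e, a in sorted(hits, key=lambda x: (not x[1]["recent"], x[0]))]

if __name__ == "__main__":
    result = triage(SAMPLE_CSV, "example-dealer.test", date(2019, 12, 1))
    for email in reset_list(result):
        print(email, sorted(result[email]["breaches"]))
```

Historical password exposures stay on the reset list because a password leaked years ago may still be in use.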

HISTORICAL DATA (> 6 MONTHS AGO):

  • Malware infections

RedXray can identify possible malware installation using either our botnet tracker collection, sinkhole_traffic collection, or keylogger collection.  In many cases, it can also identify the malware protocol, resulting in high-confidence hits. The following shows botnet-related hits for Lithia Motors.


The following shows captured keylogger data for Lithia Motors, in which Lithia Motors was mentioned in the web address of a keylogged web portal or Lithia Motors email accounts were seen logging in to a keylogged web portal:


What does this mean?

If your IP address or domain is found in the botnet tracker collection, it means that it was seen communicating with a malicious endpoint.  This does not automatically indicate a malware infection, as there are a number of reasons why two IP addresses might communicate.  For keylogger-related activity, the traffic may be the result of a captured weblog or clipboard data captured by a keylogger. All traffic should first be inspected before escalating to incident responders. Red Sky Alliance can help with support.

  • Malicious Emails

It is good to be aware of malicious email campaigns targeting your organization because this awareness serves as an early warning. If your domain or IP address shows up in this collection, then it was observed in the header of an email that has been identified as malicious (one or more antivirus detections). The following is an example of an IP address belonging to the Lithia Motors email service provider being targeted with a malicious email.


What does this mean?

It should be noted that some AV vendors classify emails as malicious when they are benign.  Malicious email hits only indicate targeting, not malware infections or data loss. Since the above is an example where an email server was targeted, it is important to note that this does not necessarily mean Lithia Motors is directly being targeted by a malicious email, but that the Lithia Motors email service provider is hosting mail servers on which malicious emails are being relayed.

  • Pastebin

Pastebin is a site used by bad actors to post data, which may be sensitive, for others to view it freely. Oftentimes the hacking group Anonymous will use Pastebin to list targets for the group’s members to attack. The following are examples of Pastebin hits in which Lithia Motors email users were mentioned.


What does this mean?

A Pastebin hit simply means your information was observed in a paste on pastebin.com. There are numerous reasons information would be contained in a paste – some malicious and some benign. Each Pastebin hit must be individually analyzed to determine context.

  • Phishing

Phishing attacks are responsible for a large number of compromised credentials.  Our Threat-Recon collection aggregates phishing data, and we allow keyword searches of this data set in order to identify both targeted phishing attacks and spoofed URLs.  The following shows related phishing hits for the IP address on which Lithiamotors.com is hosted.


What does this mean?

If you receive a phishing hit (ThreatRecon) in RedXray, then the first step is to identify whether the phishing campaign is targeting an organizational account or targeting the organization's customers.  Red Sky Alliance can assist in providing context to these hits.

Conclusion

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance, formerly known as Wapack Labs, is in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at (888)-(RED)-(XRAY) or (888)-733-9729, or email feedback@wapacklabs.com   

Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en
