Last week I posted a story with Sky News claiming that Garmin had paid the people behind their ransomware attack. The people behind this are likely Evil Corp for the record as the ransomware that was used was reportedly “wasted locker”. In that story I said this:
The thing is, Sky News offers up no proof whatsoever. At least when the news that Garmin had been pwned by ransomware first appeared, there was proof from a variety of sources to back this up. But that’s not the case here.
Well, Sky News is back, and they back up their claims this time:
According to people with knowledge of the matter, speaking to Sky News on the condition of anonymity, Garmin had initially sought to pay the ransom using another firm which specialises in responding to these incidents.
However, this firm responded that it didn’t negotiate ransom payments in WastedLocker cases due to the risk of running foul of the sanctions.
The sources said after being initially rebuked, Garmin then sought the services of Arete IR, a firm which claims that the links between the WastedLocker ransomware and sanctioned individuals have not been proven.
And:
Separate sources confirmed to Sky News that Arete IR made the payment as part of its ransomware negotiation services, although Arete argues that WastedLocker is not conclusively the work of Evil Corp.
Neither Garmin nor Arete IR disputed that the payment was made when offered the opportunity to do so.
Arete IR is a company that does the following:
Arete Advisors has assembled an elite global team of incident response experts to create unparalleled capability to assist clients in preparing for and defending themselves against a cyber-attack, from incident response readiness assessments to post-incident remediation and ongoing hunt services. Our core skills include triage, digital forensics, malware reverse engineering, remediation, managed detection response, hunt and testifying expertise. Arete works with organization of all size to provide highly customized advice specific to your industry. Arete’s advisory services provide legally defensible, compliant cyber strategies that assist the C-Suite and Boards of Directors to continuously improve the organizations’ cyber posture, by aligning cyber risk management strategy with corporate risk.
But more interestingly, they also do this:
While some companies require insureds to get funds up front, costing precious hours and days to the clients in crises. Arete, has created a simple, easy way for Breach Coaches and Insureds to immediately respond by facilitating the entire technical and financial process of purchasing the Bitcoin, while managing the negotiation with the bad actor for a flat fee, to be paid in 30 days. Allowing clients to focus on restoring their business to health
Thus it’s safe to conclude that Garmin paid the gang behind the ransomware. And the fact that neither Garmin nor Arete IR deny that they paid underscores that. So Evil Corp or whomever was behind this won. I get that the need for Garmin to get back up and running, but I am a firm believer that you should never pay the ransom as it only encourages these scumbags. So it is unfortunate that the bad guys have effectively won.
Why Does The Tacx Utility Need To Read The Clipboard Of My Mac Via My iPhone? [UPDATE: Fixed]
Posted in Commentary with tags Garmin, Tacx on October 12, 2020 by itnerdAs frequent readers of this blog know, my wife and I are avid cyclists. To help us keep in shape, we bought a Tacx Neo 2T Smart indoor trainer. What an indoor trainer does is that after you put your bike on it, it can simulate any sort of road riding experience. For example if you climb a hill with a 10% gradient, it will simulate that. If you go down a hill with at 3% gradient, it will simulate that. And something that is exclusive to the Tacx Neo 2T, it will simulate things like wooden bridges, cobbles, and gravel with the correct physics that you would feel if you rode over those surfaces in the real world. To aid with this, you need to use a program like Zwift along with a computer or tablet to place you in a virtual environment so that all of this comes to life. This is a setup that has really taken our cycling to the next level as we can ride and keep in shape 12 months of the year.
Like all pieces of electronic gear, The Neo 2T Smart requires firmware updates from time to time to fix bugs and enhance features. So on Sunday I decided to use the Tacx Utility app on my iPhone to check for firmware updates. That’s when I noticed something that got my attention.
If you watch the top of the screen, after the Tacx Utility starts up, a notification appears from iOS 14 saying that the Tacx Utility copied the clipboard of my Mac via my iPhone. Except that I never did a copy and paste from my Mac via Apple’s Universal Clipboard feature. Thus this was clearly a problem.
Here’s a picture of the prompt:
This notification is one of the many privacy focused features that appeared in iOS 14. And for good reason. The clipboard is where text that has been copied and pasted is temporarily stored. Given that users may have sensitive information copied to the clipboard, such as passwords, this could pose privacy and security concerns. And if you combine that with apps that were caught during the iOS 14 beta process looking in the clipboard for no good reason, then this notification will help you to make sure that you know when an App is doing something that might be shady. And how did this come to light, some researchers tripped over this in March and their discovery, and during the iOS 14 beta process, beta testers “named and shamed” apps that did this. Which included TikTok and LinkedIn among others. Who then promptly came out with some very weak excuses while quickly updating their apps to not do this.
To be frank, there’s only a handful of reasons why an app needs to access the clipboard on its own and without a user doing a copy and paste. So that leads to this question: Why precisely does the Tacx app which exists only to update firmware troubleshoot issues on Tacx trainers need to access my clipboard every time the app starts up? In my mind, there’s no good reason for that app to do so. But in the interest of giving Tacx a chance to explain themselves, I posted this to Twitter:
I also posted the same video that I embedded above from my YouTube account. I included the #iOS14 so that it would be noticed by a wider audience as well. And in case you are wondering why Garmin is included in my Tweet, Garmin owns Tacx. Thus in my mind, both companies have some explaining to do. Here’s what Tacx came back with:
Then another user of Tacx products jumped in and responded to this before I could as I was asleep at the time:
To which Tacx responded with this:
I’ll give Tacx kudos for jumping on this quickly. It shows that they weren’t doing anything sketchy and it sounds like a bug that they are going to investigate and hopefully fix. I will keep you updated on that front.
If I could give you some advice, if you see a prompt like the one above, and you didn’t do a copy and paste, I would report it with screen shots to the app vendor. Give them a chance to explain this as snooping in your clipboard is something that apps shouldn’t be doing except in some very unique circumstances. That will ensure that apps you use are safe. And if a company doesn’t respond like Tacx does, then you know who the bad actors are.
UPDATE: This issue seems to be resolved with Tacx Utility version 2.3.3 for iOS. It was released on the Apple App Store on November 18th and with this version I can no longer reproduce the issue
1 Comment »