Mercedes-Benz Customer Data Flies Out the Window

For over three years, a vendor was recklessly driving the cloud-stored data of luxury-car-owning customers and wannabe buyers.

Ahh, the luxury of Mercedes-Benz cars: The high-end upholstery, plush carpeting, polished wood trim, LED mood lighting. “Even the scent signals that this vehicle is special,” as the automaker sighs.

Of course, even a company like Mercedes-Benz can inadvertently fart out customer data. That’s what the automaker admitted to on Thursday, when Mercedes-Benz USA disclosed that one of its vendors has leaked customer information out of its cloud storage system.

A Slow Data Skid

The situation is murky, but one thing seems to be certain: This spill was prolonged, as in, the data was exposed for over three years. The company – which is the American subsidiary of the German automotive brand Daimler AG – said in its advisory that the information was entered by customers and interested buyers on dealer and Mercedes-Benz websites between Jan. 1, 2014 and June 19, 2017. The company credited an unnamed external security researcher for giving it the heads-up.

A Mercedes-Benz spokesperson told Threatpost that its vendor confirmed its findings on June 11, 2021. The company declined to explain why it took four years to come to light, what happened in 2017 to cause the leak to plug up, or what brought about the eventual discovery. The spokesperson reiterated that the vendor confirmed that the issue is corrected and that “such an event cannot be replicated.”

“We will continue our investigation to ensure that this situation is properly addressed and will not comment further with regard to our internal protocols.”

Tom Garrubba, CISO at the third-party risk-management firm Shared Assessments, told Threatpost on Friday that he views the situation in two parts: “First, a lack of proper security around the data containers at the cloud service provider, and second, lack of proper due diligence from Mercedes-Benz in asking questions and performing such due diligence in understanding how they are securing their data (network, systems, etc.).”

The good news is that at least so far, there’s been no evidence of the carmaker’s systems having been tampered with, nor that customer records were misused, according to the advisory: “No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.”

The bad news is that, for whatever reason, the vendor was apparently collecting Social-Security numbers, dates of birth and other highly sensitive information from customers. Mercedes-Benz said that data pertaining to less than 1,000 Mercedes-Benz customers and interested buyers were inadvertently exposed, and that the dataset consisted “mainly of self-reported credit scores.”

But there were also “a very small number” of records that included:

  • Driver-license numbers
  • Social-Security numbers
  • Credit-card information
  • Dates of birth

The Mercedes-Benz spokesperson told Threatpost that the data is associated with a third-party vendor that manages digital sales and marketing activities for Mercedes-Benz customers and interested buyers.

Acquiring sensitive data like Social-Security numbers and driver’s-license numbers can allow malicious actors to take out loans, intercept tax refunds or open new bank accounts posing as the victim, pointed out Anurag Kahol, CTO and cofounder of Bitglass. To properly protect customer data, “companies must have complete visibility and control over all data across the IT ecosystem – including data stored in the cloud,” he observed to Threatpost on Friday.

Mercedes-Benz noted that in order to view the information, somebody would need “knowledge of special software programs and tools,” given that “an internet search would not return any information contained in these files.”

Naturally, Mercedes-Benz refrained from giving a laundry list of the programs and tools a threat actor would need to unravel its vendor’s files, but that’s cold comfort: Sophisticated threat actors are adept at using whatever it takes to help them tap into lucrative files. After all, “sophisticated” is a term that’s increasingly linked to cybercrooks, whether they’re in the ransomware game, setting up pandemic-themed scams or buffing up their business email compromise (BEC) gambits.

Shared Assessments’ Garrubba said that while yes, the “special tools” argument is indeed cold comfort, there’s a good chance that nobody – at least, nobody with sophisticated hacker know-how – stumbled on these records.

“Threat actors certainly are aware of such tools, but it comes down to if any threat actor would be aware of such vulnerability and at this particular cloud service provider,” he noted. “The threat actor would have to be familiar with the provider’s network and know where to go to find the container that was holding Mercedes-Benz’ data.”

Maybe Mercedes-Benz isn’t up for giving laundry lists, but security experts don’t mind: Anurag Gurtu, CPO of cloud-based security operations and management firm StrikeReady, suggested these “special software programs and tools” that might be used to access NAS devices: FileZilla, Classic FTP, Cyberduck, FireFTP, WinSCP, and other programs that support File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), or Web-based Distributed Authoring and Versioning (WebDAV).

A Web-based Distributed Authoring and Versioning system is an alternative method for remote access, Garrubba added. Data can be accessed, copied and edited remotely using WebDAV, an extension of HTTPS, he said.

In a nutshell, the tools to nab NAS data don’t have to be sophisticated. Erich Kron, of KnowBe4, told Threatpost that they’re common tools such as WinRAR, WinZip or the equivalent tools for other platforms. “It would be technically true that the data would not be viewable from an ‘internet search,’” he noted.

The Investigation

Mercedes-Benz launched an investigation to assess the accessibility of around 1.6 million unique records, the “vast majority” of which included information such as name, address, emails, phone numbers and some purchased-vehicle information.

The company has already begun to contact the fewer than 1,000 people whose additional personal information was made publicly accessible. It’s offering two years of free credit monitoring to those whose credit-card information, driver’s-license number or Social-Security number was included in the exposed data.

Some security experts were a bit doubtful that the “less than 1,000 records” claim will hold up, given that those records have been out there so long. James McQuiggan, security awareness advocate at KnowBe4, noted to Threatpost that “for an exposed database of over three years, it is concerning that only less than a thousand records were disclosed. With the length of the exposed data, it would seem based on previous attacks, that thousands of records would have been exposed.”

As it is, financially speaking, Mercedes-Benz owners are no schlubs, he observed, and their data is none too shabby either.

“Cybercriminals will consider this data at a higher value because most customers of Mercedes-Benz are people who have a solid financial position, possibly more than the typical victim,” he said. “This position can only increase the value of the data for sale on the Dark Web. The cybercriminals can hope to extort money from the victims by leveraging the stolen information and will claim to delete it if paid. Additionally, they can craft very targeted emails to trick victims and access their systems or data for further exploitation.”

The Thick Smog of Misconfigured Cloud Storage

Unfortunately, cloud storage configuration is the roadkill of the current age. In March, arts-and-crafts retailer Hobby Lobby left 138GB of sensitive information open to the public internet, thanks to a cloud-bucket misconfiguration.

Cloud misconfigurations are a common threat vector for organizations of all sizes. For example, an analysis last fall found that 6 percent of all Google Cloud buckets are misconfigured, left open to the public internet for anyone to rifle through their contents.

Bitglass’ Kahol observed that it’s far too easy for companies to overlook security issues that leave data exposed for long periods of time, such as with the Mercedes-Benz incident. “In this case, customers’ personally identifiable information (PII) was exposed and possibly accessible by threat actors for over three years,” he noted.

He said that in organizations that are responsible for highly sensitive PII, there’s “no margin for error.”

“They must leverage multi-faceted and robust cybersecurity platforms that include cloud security posture management (CSPM), data loss prevention (DLP), multi-factor authentication (MFA), and user and entity behavior analytics (UEBA),” he continued. “Secure access service edge (SASE) platforms deliver end-to-end protection for data in sanctioned cloud resources, and are essential in any zero-trust framework. With a comprehensive solution that proactively monitors for threats and risks, organizations can defend customer data in real time.”

062821 08:47 UPDATE: Added input from Mercedes, Erich Kron and Anurag Gurtu.
