Volvo Cars under Snatch attack

Volvo Cars under Snatch attack

In its press release, Volvo Cars, a Swedish multinational luxury vehicle manufacturer based in Torslanda, Gothenburg, reported unlawful third party access to its records. Upon discovery of the violation, the company notified the relevant authorities and took steps to prevent further access to its property. Immediately shares of Volvo Cars fell 3.2% at 3:55 p.m. GMT. Besides, the company’s IPO on October 29 was the largest in Europe this year.

Volvo Cars investigates the incident of data breach

According to Wikipedia in March this year, the company announced a rebranding to a fully electric car maker by 2030. In June 2021, Swedish battery developer and manufacturer Northvolt and Volvo Cars made public their plans to launch a 50/50 joint venture consisting of the Research and Development Center (R&D) and the gigafactory. In December 2021, a statement revealed that the R&D Center would be located in Gothenburg, Sweden.

“Volvo Cars is conducting its own investigation and is working with third-party specialists to investigate the theft of property. The company does not see, with the information currently available, that this has an impact on the safety of its customers’ cars or on their personal data, ”reads a statement released by a company.

The investigation showed that only a number of the company’s R&D was accessed. Information uncovered in the course of the investigation indicates that there may be some impact on the operation of the company. Although there is no indication that the security of personal data or cars of its customers has been endangered. The Snatch ransomware gang claimed responsibility for the attack. As proof, the hackers disclosed 35.9 MB of documents claiming to have been stolen from Volvo’s servers. Although the company in the media communication did not confirm the Snatch involvement.

Snatch has exploded onto the scene, with an array of executables and tools to perform carefully orchestrated attacks. A new variant of ransomware known as “Snatch” has been spotted in the campaigns, forcing Windows machines to restart in Safe Mode before initiating the encryption process. It is one of the multiple components of a malware constellation used in carefully orchestrated attacks that also involve rampant data collection.

What Snatch ransomware is?

Snatch operators appear to have been active since the summer of 2018, according to the analysis, however, the Safe Mode aspect is a new added feature. Snatch attacks Windows machines with a collection of malware that includes the executable of the ransomware; a personalized data thief; a Cobalt Strike reverse shell; and several publicly available tools that are typically used by penetration testers, system administrators, or technicians. Plus, everything is obscured by an open source packer called UPX.

Hackers named themselves “Snatch Team” in homage to the 2000 Guy Ritchie film. They use automated brute-force attacks to infiltrate corporate networks before spreading laterally. In an incident in October, attackers forced the password for an administrator account on a Microsoft Azure server. Subsequently they were able to connect to the server using Remote Desktop (RDP). There, Snatch released other executables. They were designed to give attackers remote access. And it is without having to rely on the compromised Azure server, to 200 machines, or roughly 5% of the computers in the company’s internal network.

The attackers also connected to a domain controller (DC) on the same network.

The attackers also connected to a domain controller (DC) on the same network. Then they monitored the network for several weeks, also collecting and downloading data using an “Update_Collector”.EXE. Additionally, Snatch Team installed a free Windows utility called Advanced Port Scanner. Threat actors used it to discover additional machines on the network that they might target.

Researchers say Snatch has been observed in attacks in the United States, in Canada and several European countries. In all cases, the ransomware portion of the attack occurred several days or weeks after the initial network breach.

Leave a Reply

Your email address will not be published. Required fields are marked *