A tale of two cities
Dickens’ great novel famously opens: “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness.” The same could be said of today when it comes to dealing with network-based attacks. Instead of London and Paris during the French Revolution, let’s look at how two other cities, Baltimore and Atlanta, experienced attacks in the past couple of weeks. There have been several notable incidents lately, and how these two city governments handled their computer network security, or didn’t, is instructive.
City officials in Atlanta were warned about the potential for a cyberattack months before their March incident, according to this report from a local TV station. Fixes were planned for this spring but unfortunately were not completed before the attack happened.
Atlanta was first attacked on March 22, and a separate attack followed on April 5. The first one took down a number of city services, including online bill payment, the water department and the court systems, although the city was still able to make payroll and operations at the city-owned airport weren’t affected. The attackers demanded about $51,000 in ransom. Judging by subsequent events, the city appears to have refused: it hired Secureworks to help resolve the incident instead.
The attack was based on the SamSam malware; CSOonline has details about the ransom notes and how they were tied to SamSam. SamSam differs from most ransomware in that its operators don’t rely on user-driven attack vectors such as phishing campaigns. Instead, they break into an exposed host directly (brute-forcing internet-facing RDP was a well-known SamSam entry technique), use it as a foothold, and then move laterally through the network.
The second attack, in April, hit the water department website again, according to Reuters.
Certainly, ransomware is on the rise. The Verizon Data Breach Investigations Report for 2018 says that ransomware has “overtaken all other forms of malware to be the most prevalent variety of malicious code for” 2017.
One of Atlanta’s problems was how exposed it was. The city had RDP open to the internet with no MFA protection, along with open SMB shares and FTP servers, all of which made its systems easy to reach and infect. Rendition Infosec documents these issues in a blog post here. The same consultants had found the leaked NSA DoublePulsar backdoor on several city computers last year, on machines that went unpatched for several weeks after their owners were notified.
So what can we learn from Atlanta? Lax security, delayed patching and plenty of open ports to get in through all led to the inevitable, and they are among the reasons why getting the city’s online services back up took the better part of two weeks. Let’s move on to Baltimore’s 911 center (its public safety answering point, or PSAP), which was hacked shortly after Atlanta. The computer-aided dispatch system was down for the better part of a day, and emergency crews had to be dispatched manually until the systems were back online the next day.
Once again the cause was an open port, this time one that had been left exposed for about a day; the city admitted the exposure was an error by its IT staff. Other than that, city officials didn’t share specifics, hiding behind “an active police investigation,” although they said that no personal data was leaked.
How do attackers find these open ports? Easily: they are constantly scanning public address space, city networks included, looking for listening services and known vulnerabilities. Other 911 call centers have been breached over the years; a PSAP is a natural target for hackers, given its high-profile role.
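Both the Atlanta and Baltimore stories come down to services listening on the internet that nobody inside had inventoried. The attackers' tool here is nothing more than a port scanner, so the defender's first move is to run the same scan against your own address space and triage what comes back. Below is an added example (my code, not from the article, Rendition Infosec or either city) that parses nmap's grepable (-oG) output and flags the three services named above, RDP, SMB and FTP, with a severity and a remediation. The scan text, hostnames and addresses are constructed for the example, and the policy table is an opinion, not a standard.

```python
import re
from dataclasses import dataclass

# Constructed sample in nmap's grepable (-oG) format, standing in for an
# external scan of your own address space. Addresses and hostnames are made up.
SAMPLE_SCAN = "\n".join([
    "# Nmap 7.70 scan initiated as: nmap -p 21,22,445,3389 -oG - 10.0.0.0/29",
    "Host: 10.0.0.5 (billpay.example.local)\tStatus: Up",
    "Host: 10.0.0.5 (billpay.example.local)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (2)",
    "Host: 10.0.0.6 (ftp.example.local)\tStatus: Up",
    "Host: 10.0.0.6 (ftp.example.local)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///\tIgnored State: closed (2)",
    "Host: 10.0.0.7 ()\tStatus: Up",
    "Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (2)",
    "# Nmap done: 3 IP addresses (3 hosts up) scanned",
])

# Services that should never listen on an internet-facing address. The severity
# and remediation wording are this example's opinion (assumption), not a standard.
EXPOSED_SERVICE_POLICY = {
    21:   ("ftp", "high",     "cleartext logins; retire it or move to SFTP behind a VPN"),
    445:  ("smb", "critical", "worm and lateral-movement target (EternalBlue/DoublePulsar); block at the perimeter"),
    3389: ("rdp", "critical", "brute-force entry point; put it behind a VPN with MFA and enforce NLA"),
}

@dataclass(frozen=True)
class Finding:
    ip: str
    hostname: str
    port: int
    service: str
    severity: str
    remediation: str

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)$")

def parse_grepable(text: str) -> dict:
    """Parse nmap -oG output into {ip: (hostname, [(port, state, proto, service), ...])}.

    Each -oG host line is tab-separated: 'Host: <ip> (<name>)' followed by a
    'Status: ...' or 'Ports: ...' column. Each port entry has the form
    port/state/proto/owner/service/rpcinfo/version/.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment and summary lines
        cols = line.split("\t")
        m = HOST_RE.match(cols[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        ports = hosts.setdefault(ip, (name, []))[1]
        for col in cols[1:]:
            if not col.startswith("Ports:"):
                continue
            for entry in col[len("Ports:"):].split(","):
                f = entry.strip().split("/")
                if len(f) < 5 or not f[0].isdigit():
                    continue
                ports.append((int(f[0]), f[1], f[2], f[4]))
    return hosts

def assess(hosts: dict, policy=EXPOSED_SERVICE_POLICY) -> list:
    """Flag every open TCP port that policy says must not be internet-facing.

    Filtered or closed ports are not findings: the scanner reached no listener.
    Results are ordered most severe first, then by address and port.
    """
    order = {"critical": 0, "high": 1}
    findings = []
    for ip, (name, ports) in hosts.items():
        for port, state, proto, service in ports:
            if proto == "tcp" and state == "open" and port in policy:
                svc, sev, fix = policy[port]
                findings.append(Finding(ip, name, port, svc, sev, fix))
    return sorted(findings, key=lambda f: (order[f.severity], f.ip, f.port))

if __name__ == "__main__":
    for f in assess(parse_grepable(SAMPLE_SCAN)):
        print(f"{f.severity:8} {f.ip:12} {f.hostname or '-':24} {f.port}/{f.service}: {f.remediation}")
```

Feed it real output from `nmap -p 21,445,3389 -oG - <your public ranges>` run from outside your perimeter, and schedule it: the Baltimore exposure lasted only about a day, so a weekly scan would have missed it while a daily one would have caught it.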
Should you pay the ransom? It is tempting, particularly when you discover how bad your backups actually are. “A lot of backups aren’t effective. After an attack, companies find out their backups have holes in them or they aren’t able to recover their data,” says Ken Pipkins, a cybersecurity account manager for Cisco whom I interviewed recently.
Pipkins has seen numerous companies pay the ransom demands. “Ransoms are low enough dollar amounts, so many companies are paying them. But they are taking a chance on getting a decryption key that doesn’t work and hoping that they won’t have a disruption to their businesses. That is a big gamble, and there is no guarantee that you will get your files decrypted,” he says. So take some time to vet your backup and recovery procedures now, before another Atlanta situation happens to you.
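One way to find the holes before an attacker does is to record a hash manifest of the data at backup time and check every restore test against it, rather than trusting a backup job's "success" status. The following is an added example (not from the article, Cisco or Pipkins) that builds such a manifest and verifies a restored tree, reporting missing, truncated, altered and unexpected files. The sample files and the simulated bad restore are constructed in a temporary directory so it runs offline; the function and file names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Record relative path -> (size, sha256) for every file under root.

    Run this against the live data when the backup is taken and store the
    manifest somewhere the backup job (and a ransomware run) cannot write to,
    otherwise both the data and its checksums can be altered together.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_of(p))
    return manifest

def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored tree against the manifest.

    Returns (relative_path, problem) tuples; an empty list means the restore
    reproduced every file byte-for-byte and added nothing.
    """
    problems = []
    for rel, (size, digest) in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif size != 0 and p.stat().st_size == 0:
            problems.append((rel, "zero-length"))        # a classic half-finished restore
        elif sha256_of(p) != digest:
            problems.append((rel, "content mismatch"))
    for p in restored.rglob("*"):
        rel = p.relative_to(restored).as_posix()
        if p.is_file() and rel not in manifest:
            problems.append((rel, "unexpected extra file"))
    return problems

def run_demo() -> list:
    """Constructed scenario: three production files, and a restore where one file
    never arrived and another was truncated mid-copy. Returns the problem list."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "prod", Path(tmp) / "restored"
        (src / "court").mkdir(parents=True)
        dst.mkdir()
        (src / "court" / "docket.db").write_bytes(b"case 1\ncase 2\n")
        (src / "billing.csv").write_text("acct,amount\n1,100\n")
        (src / "readme.txt").write_text("hello")
        manifest = build_manifest(src)
        # Simulated restore with holes: docket.db is absent, billing.csv lost its last row.
        (dst / "billing.csv").write_text("acct,amount\n")
        (dst / "readme.txt").write_text("hello")
        return sorted(verify_restore(manifest, dst))

if __name__ == "__main__":
    for rel, problem in run_demo():
        print(f"{problem:22} {rel}")
```

The point of the exercise is the restore, not the backup: schedule a real restore of a sample of systems to scratch storage and run the comparison each time, because a backup that has never been restored is, for incident-response purposes, an assumption.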