Learning from the City of Atlanta Cyberattack
It has been over 2 months since the City of Atlanta suffered a cyberattack, but a city official said at a public meeting that the effects of the cyberattack seem “to be growing every day”.
On March 22, 2018, the City of Atlantaexperienced a ransomware cyberattack that affected the city’s multiple software applications and computers. A ransomware is a malicious software (malware) that locks files on infected computers and asks for ransom payment to unlock files.
The City of Atlanta, in a statement, said that as a result of the attack, “some City data is encrypted and customers are not able to access City applications”.
Atlanta Information Management head Daphne Rackley told the Atlanta City Council that more than a third of the city’s 424 software applications have been thrown offline or partially disabled as a result of the cyberattack. Rackley added that nearly 30% of the affected software applications are considered “mission critical” to the city’s core services, including courts and police.
Interim City Attorney Nina Hickson also told the City Council that only 6 out of the 77 computers her office has are operational after the attack. She added that her office lost a decade worth of legal documents as a result of the incident. Atlanta Police Chief Erika Shields, meanwhile, told local television news station WSB-TV 2that the cyberattack wiped out the department’s dashcam archive.
Atlanta Information Management head said that the city needs an additional $9.5 million to help pay for recovery costs. Channel 2 Action Newsfirst reported that records showed that the City of Atlanta shelled out nearly $2.7 million on 8 emergency contracts following the cyberattack on city networks.
The attackers demanded from the City of Atlanta $51,000 worth of Bitcoin for unlocking the data that they’ve encrypted. The city said it didn’t pay any ransom to the attackers.
SamSam Ransomware: A Patching Lesson
Based on the language of the ransom messageused by the City of Atlanta attackers, the ransom note resembles that of the other ransom notes made by SamSam ransomware attackers.
Similar to other types of ransomware, SamSam ransomware locks files on infected computers and asks owners to pay ransom in order to unlock the files. The ransom note is posted on the screens of the compromised computers.
This ransomware was first observed in 2015. Since then, this ransomware has morphed into several versions. Researchers at Fortinetestimated in March 2018 the group responsible for SamSam had extorted nearly a million dollars from its victims.
While SamSam ransomware victims may appear to be targeted – as servers of organizations are mostly affected, the delivery of this malware appears to be opportunistic in nature, rather than targeted. While most ransomware use drive-by-downloads (opening a compromised webpage could allow malware to install on your device) and social engineering techniques (malicious email attachments) to infect computers, according to Ciscoresearchers, SamSam ransomware compromised computers by infecting unpatched servers or servers that haven’t applied security updates and use them to infect computers connected to the servers and lock the files of these infected computers for ransom.
The early version of SamSam ransomware used an open-sourced tool Jexbossto scan the internet and look for unpatched servers running Red Hat’s JBoss enterprise products. “Once the attackers have successfully gained entry into one of these servers by exploiting vulnerabilities in JBoss, they use other freely available tools and scripts to collect credentials and gather information on networked computers,” Symantecsaid. “Then they deploy their ransomware to encrypt files on these systems before demanding a ransom.”
To date, the manner in which the attackers was able to deliver the SamSam ransomware into the network of City of Atlanta hasn’t been revealed. Researchers at Rendition, however, reported that prior to the March 22, 2018 ransomware attack, the City of Atlanta suffered a cyberattack in April 2017.
In late April and May 2017, Rendition conducted a research on the extent of the EternalBlue exploit – one of the spying tools believed to be used by the U.S. National Security Agency (NSA) that was leaked by a group calling themselves Shadow Brokers on April 14, 2017.
EternalBlue exploits the vulnerability in Microsoft Server Message Block (SMB) 1.0. This cybervulnerability is also called vulnerability MS17-010. SMB allows “applications in a computer to read and write to files and to request services” from server programs in a computer network or over the internet.
According to Microsoft, the EternalBlue exploit has already been fixed with the security update that the company released a month before Shadow Brokers publicly released the spying tools.
According to Rendition, even as Microsoft had issued a patch or security update in March 2017, many organizations don’t patch for 30 to 60 days or more. In late April and early May 2017, Rendition scans the internet looking for machines compromised with the EternalBlue exploit. They discovered that more than 148,000 machines were compromised with the EternalBlue exploit. Five of the 148,000 compromised internet facing servers belonged to the City of Atlanta.
As demonstrated by SamSam ransomware, some cyberattacks aren’t targeted but rather opportunistic in nature. Attackers will simply automate the process of looking for vulnerable machines like server operating systems that haven’t applied the latest security update.
If your organization uses JBoss enterprise products, you should check to see if they’re running unpatched versions and if so, update immediately. Security updates for server operating systems similarly have to be applied as soon as possible. Installing software updates for many organizations, however, isn’t a simple matter.
At GenX Solutions, our cybersecurity experts and partners have the skill and the expertise to help your business. Contact us today if your organization needs assistance in updating your software, for instance, your server operating system.