{"id":3121,"date":"2018-03-28T12:57:18","date_gmt":"2018-03-28T19:57:18","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=3121"},"modified":"2019-08-19T13:41:08","modified_gmt":"2019-08-19T20:41:08","slug":"municipal-governments-battle-cyber-attacks","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/brief\/municipal-governments-battle-cyber-attacks\/","title":{"rendered":"Municipal Governments Battle Cyber Attacks."},"content":{"rendered":"
\u00a0Municipal governments battle cyber attacks.<\/h5>\n
\n
\n

Issue<\/strong>
\nThe Georgia cities of Atlanta and Loganville are the latest victims in an ongoing trend of attacks on municipalities. First, on Thursday, March 22nd, the City of Atlanta announced that its networks had been shut down due to a ransomware attack. At the time of this posting, the city is working with the FBI and the Department of Homeland Security, as well as external partners from Microsoft and Cisco\u2019s cybersecurity response team, to investigate the situation.<\/p>\n

The City of Loganville (a suburb of Atlanta) announced on Monday, March 26th on its Facebook page that an external threat actor had successfully perpetrated a breach of an internal server. The Loganville breach may not be related to that of Atlanta.<\/p>\n

Impact<\/strong>
\nIn Atlanta, the ransomware has cut off electronic access to court records, while many departments are using pen and paper to perform their duties. Many city services, such as electronic bill pay, are still unavailable to city residents. As a precautionary measure, the public wireless network (Wi-Fi) at Hartsfield-Jackson airport has also been suspended.<\/p>\n

Evidence suggests the Atlanta malware is SamSam, which has been seen in other government-targeted attacks, such as the one that occurred at Colorado\u2019s state Department of Transportation. In particular, the letter shared by local media during the early stages of the ransomware infection in Atlanta is clearly a SamSam ransom note. The wording \u2014 including typos \u2014 is identical to the examples shared by researchers working for Cisco\u2019s Talos group earlier this year. The only difference was the directory where the contact portal is hosted.<\/p>\n

Once attribution to SamSam became public knowledge, the SamSam group deleted the contact portal that the city of Atlanta would use to make payment. Given the SamSam group\u2019s actions, it isn\u2019t clear if payment is even possible now. While it is possible other portals exist for the systems infected in Atlanta, the city hasn\u2019t released any technical details to the public.<\/p>\n

In Loganville, the breach is believed to have exposed personally identifiable information (PII), such as social security numbers, to the attacker.<\/p>\n

Recommendations<\/strong>
\nInGuardians echoes the sentiments of the newly elected Atlanta Mayor, who is quoted as saying, \u201cthis is bigger than a ransomware attack, it\u2019s an attack on government and therefore an attack on all of us.\u201d<\/p>\n

It is increasingly apparent that organizations must make the resources available and establish effective policies and preventative measures to strengthen their security postures in order to mitigate these threats.<\/p>\n

InGuardians recommends that all leaders of municipal governments view themselves as a likely soft target and create internal Information Security programs to address emerging threats. We also recommend that all business leaders continue to follow this case for lessons learned, such as:<\/p>\n<\/div>\n

    \n
  • Do not leave Remote Desktop Protocol (RDP), Windows Server Message Block (SMB), Secure Shell (SSH) or Telnet available to the Internet \u2013 use VPNs and firewall white lists<\/li>\n
  • Confirm that no operations systems use SMB version 1<\/li>\n
  • Apply Windows group policy objects (GPOs) to harden government systems uniformly<\/li>\n
  • Do not allow users to have local administrative privilege on their desktop machines<\/li>\n
  • Make sure that all patches are deployed quickly \u2013 malware victims have lost a race with an attacker<\/li>\n<\/ul>\n
    \n

    Additional Resources<\/strong><\/p>\n

    Small Towns Confront Big Cyber Risks (GovTech)
    \nhttp:\/\/www.govtech.com\/security\/GT-OctoberNovember-2017-Small-Towns-Confront-Big-Cyber-Risks.html<\/p>\n

    Atlanta Working \u201cAround the Clock\u201d to Fight Off Ransomware Attack (NPR)
    \nhttps:\/\/www.npr.org\/sections\/thetwo-way\/2018\/03\/27\/597208778\/atlanta-working-around-the-clock-to-fight-off-ransomware-attack<\/p>\n

    We Are a Resilient City \u2013 Atlanta Works to Move Forward Following Cyber Attack (11Alive)
    \nhttp:\/\/www.11alive.com\/article\/news\/we-are-a-resilient-city-atlanta-works-to-move-forward-following-cyber-attack\/85-532179763<\/p>\n

    Metro Atlanta City Reports Its Own Data Breach (Atlanta Journal Constitution)
    \nhttps:\/\/www.ajc.com\/news\/local-govt--politics\/metro-atlanta-city-reports-its-own-data-breach-warns-customers\/GsK565pH9L8y3GOk0NvERI\/<\/p>\n

    Atlanta\u2019s Computers Crippled by Ransomware \u2013 Issues Unresolved After 4 Days (SmartCities Dive)
    \nhttps:\/\/www.ciodive.com\/news\/fbi-ransomware-attack-atlanta\/519865\/<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

    \u00a0Municipal governments battle cyber attacks. Issue The Georgia cities of Atlanta and Loganville are the latest victims in an ongoing trend of attacks on municipalities. First, on Thursday, March 22nd, the City of Atlanta announced that its networks had been shut down due to a ransomware attack. At the time of this posting, the city […]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[169],"tags":[107,105,117,84],"_links":{"self":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3121"}],"collection":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/comments?post=3121"}],"version-history":[{"count":1,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3121\/revisions"}],"predecessor-version":[{"id":3122,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3121\/revisions\/3122"}],"wp:attachment":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/media?parent=3121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/categories?post=3121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/tags?post=3121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}