Tuesday, March 27, 2018

Atlanta government was compromised in April 2017 - well before last week's ransomware attack

Last Thursday, the City Of Atlanta suffered outages from a ransomware attack. During the press conference (recorded here), city officials indicated that they were invested in cyber security. They noted that they were working with state and federal law enforcement to resolve the incident and had even been in contact with the Secret Service. Officials noted that this type of attack (and outage) were happening to many organizations. Officials attempted to convey that despite adopting cyber security best practices, the City of Atlanta was victimized. This prompts the question “Was the City of Atlanta following cyber security best practices?”

Though little is known about the internals of the city’s cyber security posture, we quickly learned that the city had exposed remote desktop protocol (RDP) to the Internet with no multi-factor authentication*. This is extremely important because if attackers get a valid username and password combination, they can directly access your information systems if no multi-factor authentication is in place.

*Full disclosure: We’re a little biased on the need for multi-factor authentication, Rendition Infosec installs and monitors multi-factor authentication solutions, click here to learn more.

Cybersecurity Hygiene

Leaving RDP open to the Internet is bad, but leaving SMB (windows file sharing, or Server Message Block) open to the Internet is much worse. Most readers probably remember the WannaCry ransomware campaign that shut down services at the UK’s National Health Service and elsewhere in May 2017. These attacks were powered by the leaked NSA (allegedly) exploit EternalBlue. In June, the same leaked exploit was used with the NotPetya attacks to target Ukrainian businesses (though impacts were felt worldwide).  The EternalBlue exploit targets the SMB service on unpatched computers.

Read the full story on the Rendition Infosec corporate blog.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.