Allentown’s city government has been breached and invaded by a serious computer virus known as Emotet, or possibly a new variant of the Emotet malware that adds functionality to make it more dangerous and less easy to detect and remove. Variants of this malware have been a known threat globally since at least 2014, but attackers have been evolving it to better evade detection and mitigation systems since that time. It is typically propagated through Microsoft Word email attachments that are laden with malicious scripts, or macros, that download and install the virus onto a local computer that then looks for connected network devices and folders to spread to.
This particular virus originally functioned as a banking trojan which looks to steal financial information by injecting computer code into the shared folders and drives of connected computers on a network. Emotet now also possesses the capability to steal address book data, crack and steal network passwords, and perform denial of service (DoS) attacks on connected systems. It has since apparently infected critical systems within nearly all of Allentown government and is forcing the city to shut down a large portion of their information operations.
The virus was first discovered in Allentown on or about Thursday, February 15, 2018. At the time, it was already self-replicating and stealing credentials of city employees on Microsoft applications and platforms. However, officials have stated that there is not yet evidence to suggest that any personal information of city residents has been compromised.
Due to the impact of remediating the virus, Allentown’s finance department cannot complete any external banking transactions, local video surveillance networks are down, and city law enforcement cannot access databases controlled by the Pennsylvania State Police and many other day-to-day functions are greatly affected. Essentially, any city function that relies upon information technology assets are either shut down or severely crippled by efforts to remove the virus and repair damage. This particular data breach has proven to be very costly and damaging already, and it is still in the primary stages of containment.
The fix, and overall removal of the virus from all systems, is expected to cost at least an estimated $1 million dollars, perhaps more as these efforts are typically underestimated at the time of the breach. There was an initial contract of $185,000 awarded to a Microsoft emergency response team to assess and stop the spread of the malware. Additional costs exceeding $800,000 to $900,000 will then have to be spent on the recovery of data as well as other repairs for the damage that the virus has done. This does not include additional costs if in fact employee or citizen data has been breached or stolen.
The aforementioned impact and overview information has been compiled from public statements and reports made by city officials regarding the incident. Though Netizen has not performed any work for the city of Allentown related to this breach at this time, the motives, methods, and tools leveraged for this particular attack are highly similar to prior attacks on other entities.
What Can Be Learned From This?
In cases similar to the attack on Allentown city government systems, there are several preventative tools, processes, and resources available to organizations that will help either prevent such attacks in the future altogether or at least mitigate the effects and contain the remediation costs of a breach.
End-user awareness and training is probably the most important approach to preventing an attack from the beginning. Attackers make their way into networks most often through human error – such as clicking on suspicious email attachments. A simple annual (or, better yet, quarterly) training about practicing proper “cyber hygiene”—such as using strong passwords, not sharing credentials, teaching what to look for in a phishing email, how to report a suspected breach, and how to properly secure unattended devices and computer systems – can go a long way in helping mitigate or prevent a large majority of breaches. In the event of Emotet, it is imperative to not trust every email with an attachment. It may ask you to allow or enable macros for the attachment to which you should refuse. Macros should be disabled by default. Examine the email—is this from a sender that you know? And if so, call that person to verify that they had sent you the attachment.
It is also worth utilizing Multifactor Authentication (MFA) as an additional layer of security for network resources. This could be a text alert on your phone to approve a sign in or another MFA device such as a YubiKey or the Microsoft Authenticator app. These are highly cost effective and actually a feature of many modern software applications that just needs to be activated for use. Even if attackers have stolen passwords, they would still need that second level of authentication to access any of the accounts, network shares, and data therein. Another effective defense as well would be to isolate your passwords. This means that once a password is used at home, never use any variation of that at work—or vice versa. Any intermingling will mean that once one account is compromised, that can then be used to try and break into another separate account either at work or on a personal system you own.
A more technical security strategy is proper network segmentation—breaking down a network into various components that are “firewalled” off so malware cannot “crosswalk” across and steal everything. For instance, a computer in the public works department should not be able to access servers and computers in the finance department. Limit the level of access between machines and departments—this includes permissions and privileges amongst employees as well. This is the principle of “least privilege” that is commonly employed to help contain attacks when they occur. Furthermore, if a computer does not need to access the Internet, or would only need it at certain times, then this should be configured on the external firewall. Most business class firewalls can also black list or deny foreign addresses and be configured to do so.
It is also essential to have security and event monitoring capabilities. An open-source resource that we leverage extensively is GrayLog. This log and event monitoring software is scalable, flexible, and customizable – not to mention free. With the proper inputs from IT systems, GrayLog allows you to monitor network traffic to find out who is doing what, where connections are coming and going from, and any other abnormal events that pose a threat. Coupled with vulnerability monitoring, which scans systems and networks for improper configuration, missing patches, and gaps in their security stance, this becomes a very powerful set of tools used to help mitigate the spread of malware across a sensitive network and often help prevent the intrusion in the first place using real-time data. Combined with what are known as Threat Intelligence feeds, it would be easier to spot if your machines are communicating with a known attacker anywhere in the world without you knowing it. Once such popular vulnerability monitoring tool is the Netizen CyberSecure scanner and dashboard, leveraged to scan systems for over 180,000 different types of vulnerabilities and report them in an easy-to-interpret analytics dashboard that can be integrated easily into an existing IT infrastructure.
A centralized antivirus and system management solution provides organizations with a comprehensive view of their antivirus defenses, real-time system-wide status, and granular command and control over network resources. The basic feature set of all antivirus and system management suites is the ability to see all users on the network, know what application versions they’re running, efficiently and expediently update virus signatures and policies, and receive alerts and other reports. You can also control who connects to the network and where at any time. A good example would be Symantec’s Centralized Management Console.
Lastly, having properly documented policies and procedures for data security and backup/recovery operations may not necessarily work to prevent a breach, but can dramatically lessen the impacts and costs involved afterwards. Proper disaster recovery plans and preparations, including having geographically distinct backups sites for data and quarterly backup tests, can mitigate the downtime associated with a breach and also prevent having to spend millions reconstructing damaged or deleted data. A comprehensive security plan addressing roles and responsibilities, organizational policies, and other aspects of information security will also formalize and standardize efforts, thus eliminating or at least greatly reducing the confusion inflicted by such an event.
To summarize, a basic approach consisting of essential proactive cybersecurity measures can be very cost effective to implement, especially in comparison to breach cleanup costs that typically run into the millions of dollars and are almost always underestimated due to numerous hidden costs and damages not known at the time of the breach. The goal of any organization should be to put in place tools, processes, and controls tailored to their acceptable levels of risk and balanced with their budget to ensure they are not a “soft target.” This can prevent the majority of attacks out there and, at the very least, contain the damage inflicted by a breach to acceptable and tolerable levels which are far easier to recover from both financially and otherwise.