Here we go again, and again, and again…: Texas PD Server Compromised Again
“Those who cannot remember the past are condemned to repeat it.” -George Santyana
In the InfoSec field, the professionals strive to protect the enterprise, create or update processes to secure the users as much as possible, and if an issue falls through the cracks, to analyze the issue with a forensic lens. Although this sounds like a pretty simple process, this is rather complex with the number of persons and departments involved, all of which have to agree.
One particular area within our operations which tends to be frustrating involves breaches. Occasionally things happen and users click on something (link, picture, etc.) they truly should not have. The lure may be an enticing picture, promise of a package delivery, or virtually any other topic. When, however, this happens repeatedly, especially after the increase in training and announcements, the InfoSec Department begins to wonder what are the users thinking, what can be done so this does not happen again. These thoughts are meandering through the InfoSec mind all the while remediating, or attempting to, the issue. Depending on the compromise, this may be re-imaging a workstation, analyzing effects on a server farm, or simply taking a moment to ponder “Why me?”
An incident like this occurred in Texas recently. This involved ransomware being introduced into the Riverside Fire and Texas Police Department computer servers (http://www.ehackingnews.com/2018/05/texas-police-department-server-again.html). This attack occurred on May 4th of 2018. Ransomware is well-known and used throughout the globe. The issue compounding this was the police department was a victim of ransomware attack previously on April 23rd of 2018. With the initial attack, the police department lost approximately 10 months of sensitive data generated by on-going investigations. In this latest attack, the ransomware was coded to lock the files and delete others located on the affected server.
In this case, the police department did not pay the ransom, and was able to recover some of the data. The police department finally had learned their lesson with this set of operational exercises. There is a back-up protocol in place, and the admin staff only had to re-enter approximately eight hours of work.
The initial attack vector was the simple phishing email, however the second attack’s method of successful delivery is unknown. This emphasizes the need for communication and staff training. To supplement this, there may be an internal, entity based phishing campaign. The results of this may also be used as another training tool and opportunity.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.