Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/16/2018
01:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

NC Water Utility Fights Post-Hurricane Ransomware

North Carolina's Onslow Water and Sewer Authority was hit with an advanced attack in the wake of Hurricane Florence.

The Onslow Water and Sewer Authority (ONWASA), a critical water utility based in North Carolina, is responding to a sophisticated ransomware attack in the aftermath of Hurricane Florence, the violent and powerful storm that battered the East Coast last month.

ONWASA reports the attack targeted its internal computer system, including servers and personal machines, leaving it with "limited computer capabilities." Officials say customer data was not compromised and the area's environment and public water supply were both unharmed. However, they warn, many other databases must be fully re-created.

The incident started on Oct. 4, when ONWASA began detecting persistent attacks in the form of Emotet, a type of polymorphic malware. Emotet is known as an advanced banking Trojan that mainly works as a downloader for other banking Trojans. It's among the most expensive and destructive forms of malware to hit state and local governments, US-CERT reports.

ONWASA first believed the threat was under control; when it continued, the utility recruited external security experts to work on the problem alongside its internal IT staff.

The situation escalated in the early hours of Oct. 13, when the malware dropped Ryuk, a highly targeted ransomware strain that first appeared earlier this year. Ryuk, which has targeted global organizations, has relatively low technical capabilities but can spread major damage. Unlike most ransomware, which spread via spam, it's exclusively used for tailored attacks.

"In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers," Check Point researchers explain.

Fortunately, one of ONWASA's IT employees was working at 3 a.m. when Ryuk appeared. Staff immediately tried to protect systems by taking the organization offline, but the virus quickly spread, encrypting databases and files along the way. ONWASA reports its incident is similar in nature to cyberattacks affecting major cities, including Atlanta and Mecklenburg County, N.C.

The utility has heard from its attackers, who it says "may be based in a foreign country." It also says their email was consistent with ransomware attacks on other governments and corporations. ONWASA will "not negotiate with criminals nor bow to their demands," it says.

Instead, it will rebuild its databases and systems from the ground up. ONWASA is coordinating with the FBI, Department of Homeland Security, the State of North Carolina, and several cybersecurity companies to investigate the attack and move forward.

While it does, ONWASA says the lack of computing capabilities will affect the timeliness of service for several weeks. All plant and office locations will continue to operate manually. Customers can still pay via credit card over the phone or in person; however, things like service orders and account creation will use manual processes until computer systems are back up and running. Email service has been interrupted for most of the utility, it reports.

Related Content:

 

 

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/17/2018 | 1:07:27 PM
Restoratoin and backup protocols
AND HERE WE GO AGAIN.  Another organization that apparently lacks a plan to restore and rebuild in event of failure - not just ransomware BUT FAILURE of any kind or type.  I still content that an encrypted server is as dead as a hard drive fail server and new backups should restore data IF timely.   But nobody ever does that. 
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3896
PUBLISHED: 2019-06-19
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
CVE-2019-3954
PUBLISHED: 2019-06-19
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.
CVE-2019-10085
PUBLISHED: 2019-06-19
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
CVE-2019-11038
PUBLISHED: 2019-06-19
When using gdImageCreateFromXbm() function of gd extension in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been ...
CVE-2019-11039
PUBLISHED: 2019-06-19
Function iconv_mime_decode_headers() in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.