Missouri County Declares State of Emergency Amid Suspected Ransomware Attack (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Jackson County, Missouri, has declared a state of emergency and closed key offices indefinitely as it responds to what officials believe is a ransomware attack that has made some of its IT systems inoperable. "Jackson County has identified significant disruptions within its IT systems, potentially attributable to a ransomware attack," officials wrote Tuesday. "Early indications suggest operational inconsistencies across its digital infrastructure and certain systems have been rendered inoperative while others continue to function as normal."
The systems confirmed inoperable include tax and online property payments, issuance of marriage licenses, and inmate searches. In response, the Assessment, Collection and Recorder of Deeds offices at all county locations are closed until further notice. The closure occurred the same day that the county was holding a special election to vote on a proposed sales tax to fund a stadium for MLB's Kansas City Royals and the NFL's Kansas City Chiefs. Neither the Jackson County Board of Elections nor the Kansas City Board of Elections have been affected by the attack; both remain open.
The Jackson County website says there are 654,000 residents in the 607-square-mile county, which includes most of Kansas City, the biggest city in Missouri. The response to the attack and the investigation into it have just begun, but so far, officials said they had no evidence that data had been compromised. Jackson County Executive Frank White, Jr. has issued (PDF) an executive order declaring a state of emergency. The County has notified law enforcement and retained IT security contractors to help investigate and remediate the attack. "The potential significant budgetary impact of this incident may require appropriations from the County's emergency fund and, if these funds are found to be insufficient, the enactment of additional budgetary adjustments or cuts," White wrote. "It is directed that all county staff are to take whatever steps are necessary to protect resident data, county assets, and continue essential services, thereby mitigating the impact of this potential ransomware attack."
Another one bites the dust... (Score:2, Insightful)
Seriously, WTF? Looks like half-assing IT Security is getting less and less sustainable.
Re:Another one bites the dust... (Score:5, Insightful)
Looks like half-funding IT Security is getting less and less sustainable.
There we go. All fixed now. Spending your life fighting tooth and nail to fund even basic defenses against a $2 trillion+ market comprised of dedicated threat actors spanning the globe and hitting you 24 hours a day is maybe *not* the best approach to security.
I *love* how every armchair super pro has a comment on this whilst also having zero understanding of what the realities are.
The really funny bit is how funding is suddenly freed up during/post these incidents whilst all those farkwits in charge scurry to show how involved and concerned they are. It's a comedy of idiots.
Re: (Score:1)
Well, if there are $2 trillion in threat actors out there you have zero chance without the one thing that protects against ransomware attacks.
Backups. The one thing every IT department in the world scrimps on. Because it's costly, time consuming and difficult with a mobile work force.
Re: (Score:1)
Backups might help you if/when the criminals have encrypted all of your data / direct access storage volumes.
Re: (Score:1)
Remember, you don't pay to do backups, you pay to do restores. But you are not wrong. :)
... Because it's costly, time consuming and difficult with a mobile work force.
Re: (Score:2)
I've been out of IT for many years now, but one question I always have about these ransom scenarios is this: wouldn't advanced journaling filesystems make recovery from an attack much easier, particularly filesystems where you can mount a snapshot? You could just start serving a past snapshot then make any updated files available as you clear them.
Back in the day I had customers who had incompetent DBAs bork their databases with bad SQL DML and DDL. Where the customer was using Oracle it was pretty easy t
Re: (Score:1)
No need to fix anything. Half-assing IT Security obviously includes funding it inadequately, not hiring enough or unqualified people, changing plans all the time, buying specific products or services without asking the experts first, trying to do it without risk-analysis or sane requirements and all the usual project management and "leadership" mistakes.
An "IT pro" would understand that.
Re: (Score:3, Interesting)
Seriously. All it takes to stop these types of attacks in their tracks is append-only storage. For example, a zfs fileserver with auto-snapshotting and ssh disabled. The attacker can modify files but the old content just remains in the snapshots until you delete them by accessing the server in person**.
** You *could* leave ssh open if remote access is critical to you, e.g. out of disk space in the middle of the night, but it does open a new point of weakness.
It's frustrating to me that we don't just do th
Re: (Score:3, Interesting)
Well, yes. And no. Because you also need software that can handle that type of storage and most cannot. (I am not defending that state of affairs, merely recognize it.)
What you do instead is write-protected backups and regular restore tests. And what you also need to critically do is be prepared to identify and fix the attack vector. Otherwise you just get attacked again after restoring.
Re: (Score:2)
Agreed that one party can't solve it - that it requires cooperation on both the software and hardware side (hence the reason why I referred to "the industry"). But it's eminently solvable, and yet we've done nothing, I see no signs of anything being done about it in the near future, and innocent people continue to suffer as a result.
Re: (Score:3)
As for write-protected backups, it's the "write protected" that usually gets people when it comes to ransomware. They leave their backup system connected to the user system because it's far more convenient that way. And then we get back to my original post: if the writes aren't append-only, then your backup system is just as hosed as your user system.
Even nominally offline backups are vulnerable while you're creating them and they're connected (sometimes even while you're trying to restore from them, if th
Re: Another one bites the dust... (Score:2)
Our tiny-business solution: a separate backup micro-server (think NUC) that mounts data to be backed up (read-only) and makes snapshot backups to disks that no other system can access. In containers, it does other tasks as well (PiHole, etc).
If any system is compromised, it cannot touch the backups. If the backup server is compromised, it cannot write to the live files. The backup disks are periodically swapped out, to provide a mostly-up-to-date offline copy.
If a mom'n'pop business can do this, anyone
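As an added illustration of the "backup micro-server" setup above and of the write-protected backups with regular restore tests recommended earlier in the thread (this is example code, not anything posted by the commenters): a pull-style snapshot script using only POSIX tools, so it runs anywhere; a ZFS host would replace the copy step with a zfs snapshot. The names SRC, VAULT and the sample files are constructed for the example: SRC stands in for the live data as mounted read-only on the backup host, VAULT for a disk only the backup host can reach.

```shell
#!/bin/sh
# Added example, not code from any Slashdot poster: a pull-style snapshot
# backup in the spirit of the "backup micro-server" post above, with the
# write-protected snapshots and restore test from the earlier reply. It uses
# only POSIX tools so it runs anywhere; a ZFS host would use zfs snapshot for
# the copy step instead. Assumptions (constructed for this example): SRC is
# the live data as mounted read-only on the backup host, VAULT is a disk only
# the backup host can reach.
set -eu

# take_snapshot SRC VAULT -> prints the path of the new snapshot directory.
# The copy is stripped of all write bits afterwards so that a bug or a
# compromise of the backup host cannot quietly rewrite past snapshots.
take_snapshot() {
    src=$1; vault=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    snap="$vault/snap-$stamp"; n=0
    while [ -e "$snap" ]; do n=$((n + 1)); snap="$vault/snap-$stamp-$n"; done
    mkdir -p "$snap"
    cp -a "$src/." "$snap/"
    # Record a checksum per file so a later restore test detects corruption
    # or tampering of the snapshot itself, not merely a failed copy.
    ( cd "$snap" && find . -type f | sort | while read -r f; do
          set -- $(cksum < "$f")
          printf '%s %s %s\n' "$1" "$2" "${f#./}"
      done ) > "$vault/.manifest.tmp"
    mv "$vault/.manifest.tmp" "$snap/MANIFEST"
    chmod -R a-w "$snap"
    printf '%s\n' "$snap"
}

# latest_snapshot VAULT -> path of the newest snapshot (names sort by time).
latest_snapshot() {
    ls -d "$1"/snap-* 2>/dev/null | sort | tail -n 1
}

# verify_restore SNAP SCRATCH -> 0 when a fresh restore of SNAP into SCRATCH
# matches every checksum recorded at snapshot time, 1 on any mismatch.
# Run this on a schedule: a backup that has never been restored is a guess.
verify_restore() {
    snap=$1; scratch=$2
    [ -d "$scratch" ] && chmod -R u+w "$scratch"
    rm -rf "$scratch"; mkdir -p "$scratch"
    cp -a "$snap/." "$scratch/"
    chmod -R u+w "$scratch"          # restored data must be writable again
    rm -f "$scratch/MANIFEST"
    while read -r crc size rel; do
        set -- $(cksum < "$scratch/$rel" 2>/dev/null || echo 0 0)
        [ "$1" = "$crc" ] && [ "$2" = "$size" ] || return 1
    done < "$snap/MANIFEST"
    return 0
}

# Demo on constructed data: snapshot, damage the live copy, prove the
# snapshot still restores. Run as: sh backup.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    mkdir -p "$work/live/docs" "$work/vault"
    printf 'deed record 1\n' > "$work/live/docs/deed.txt"
    snap=$(take_snapshot "$work/live" "$work/vault")
    printf 'ENCRYPTED\n' > "$work/live/docs/deed.txt"    # live copy lost
    verify_restore "$snap" "$work/restore" && echo "restore test passed: $snap"
    cat "$work/restore/docs/deed.txt"                    # deed record 1
fi
```

The design point is the one the thread keeps circling: the live system never has credentials to the vault, the backup host only ever reads the live data, and each snapshot is both write-protected and checksummed, so a restore test can tell a good snapshot from one that was damaged after it was taken.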
Re: (Score:2)
The simple solution is physically offline storage. Anybody can do these and the cost is small as long as you do not have more data than fits on typical USB storage. The harder solution is WORM storage. Still not that hard to do (sftp-in with low-priv SFTP server, mover daemon with high priv, 2FA with separate offline credentials, hardened installation, restricted reachability via firewall and _nothing_ else on that _physical_ server). But you have to do it and you have to resist doing it on the cheap. For e
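As an added example of the WORM arrangement this post sketches (sftp in with a low-privilege account, a separate high-privilege mover, nothing else on the box), and not code from the poster: the mover's one pass as a shell function, with the sshd_config lines it assumes shown as a comment. All names are constructed for the illustration: the `backupdrop` account, `/srv/drop`, DROP (the chroot the sftp account may write) and VAULT (a 0700 directory owned by the mover account that the sftp account cannot reach). The 2FA, firewall and hardening parts of the post are not shown here.

```shell
#!/bin/sh
# Added example, not code from any Slashdot poster: the "mover daemon" half
# of the sftp-drop WORM scheme described in the post above, with the
# sshd_config lines it assumes. Everything here is constructed for
# illustration: DROP is the directory the low-privilege sftp account is
# chrooted into and may write, VAULT is owned by the mover account and mode
# 0700, so the sftp account can neither read nor overwrite what has landed.
set -eu

# Assumed sshd_config fragment for the drop account (not executed here):
#   AllowUsers backupdrop
#   Match User backupdrop
#       ChrootDirectory /srv/drop
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no
#       PasswordAuthentication no

# hash_file PATH -> hex SHA-256 of the file (sha256sum, or shasum on BSD/macOS)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1"
    else shasum -a 256 < "$1"; fi | cut -d' ' -f1
}

# worm_ingest DROP VAULT -> prints how many files were archived.
# Write-once rules: a file is moved out of DROP, never copied, so the drop
# account loses all access to it; an existing vault name is never overwritten
# (a second "db.sql" becomes "db.sql.1"); every archived file is made
# read-only and its hash appended to a ledger. Uploads still in progress are
# expected to carry a ".part" suffix until the client renames them.
worm_ingest() {
    drop=$1; vault=$2; moved=0
    mkdir -p "$vault"; chmod 0700 "$vault"
    for f in "$drop"/*; do
        [ -f "$f" ] || continue
        case $f in *.part) continue ;; esac
        name=${f##*/}; dest="$vault/$name"; n=0
        while [ -e "$dest" ]; do n=$((n + 1)); dest="$vault/$name.$n"; done
        mv "$f" "$dest"              # move first, then hash: the drop account
        chmod 0444 "$dest"           # can no longer change what we measure
        printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$(hash_file "$dest")" "${dest##*/}" >> "$vault/LEDGER"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# worm_verify VAULT -> 0 if every ledger entry still hashes the same, 1 if an
# archived file is missing or altered. This is the integrity half of the
# "regular restore test" recommended earlier in the thread.
worm_verify() {
    vault=$1
    [ -f "$vault/LEDGER" ] || return 1
    while read -r when sum name; do
        [ -f "$vault/$name" ] || return 1
        [ "$(hash_file "$vault/$name")" = "$sum" ] || return 1
    done < "$vault/LEDGER"
    return 0
}
```

Run `worm_ingest /srv/drop /vault` from cron under the mover account. The privilege split is what makes it WORM in practice: the account that can write to the drop directory has no path to the vault, and the account that can reach the vault never accepts network input, which is why the post insists on nothing else running on that physical server.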
Re: (Score:2)
Sorry, but that is just nonsense. A proper WORM backup comes with a storage server that has a minimal attack surface. It is not that hard to do. Your append-only fetish helps you nothing when the kernel of that filesystem gets compromised.
Re: (Score:2)
WORM is append-only.
Re: (Score:2)
And re "compromising the kernel of a fileserver", you're describing something that, while not impossible, is highly implausible in the described situation. In a typical attack, an attacker finds a weakness somewhere in your system (most often via social engineering) to get a foothold, and then piggybacks on stolen credentials to expand their reach in your network. A fileserver offering only e.g. NFS and no other services, with no SSH access, is not a likely target for compromise. They would have to find
Re: (Score:2)
See my other answer.
Incidentally, NFS does not have a good security record in r/w scenarios and that is in large parts an architectural problem and cannot be fixed. A read-only export via an unprivileged NFS server process that itself only has ro access is a bit better. sftp/ssh configured right (very limited for file dropping, 2FA and hardened for login) is far, far better.
Re: (Score:2)
Nope. It is write once, no appending or other changes at all after the file handle is closed. Appending allows attacks.
Re: (Score:2)
Both of these statements are wrong.
You can keep appending to the end of WORM tape until the tape runs out. *The part you've written to* can't be overwritten, but you absolutely can append to the media. It's the very definition of append-only.
Appending does NOT allow attacks, by the very definition of appending, e.g. that the previous data continues to exist rather than being overw
Re: (Score:2)
I think probably the easiest way to go about it would be to implement it as a multi-node motherboard, but with one node being minimal and only running an embedded ZFS server offering e.g. NFS services. Have a case header for the board to allow for a button to let you switch graphics & keyboard / mouse back and forth between the main OS and the file server. The file server GUI just offers a really basic, user-friendly OS setup and snapshot management system (but offering a shell for power users who want
Re: (Score:2)
Seriously, WTF? Looks like half-assing IT Security is getting less and less sustainable.
From the description, it's probably just a Microsoft update.
Re: (Score:2)
Hehehehe, you have a point. Their stuff has not gotten any more reliable (or secure), while the real-world requirements are getting higher and higher.
Roll over and pay. (Score:2)
Re: (Score:2)
and then send them a state income tax bill for that payment
They made their bed (Score:4, Insightful)
Re: (Score:3)
How good could the IT people have been if they didn't make their #1 priority to have functioning daily backups?
I like tossing people under busses as much as the next guy, but I haven't read anything about a lack of backups.
In an incident like this, reconstruction is - apparently - complicated. From what I've heard, you can't just nuke & restore on your own hardware because law-enforcement and insurers want forensic access for investigation. You can't just immediately stand up some new VMs in AWS or Azure because if you do, you're restoring a config that you know has been compromised and is untrustworthy. Yo
Re: (Score:2)
You've got that right. I used to work for a federal agency (the NIH), and once, it got hit with malware. Our division, not so much - we had one machine compromised (the rest ran Linux). Shut the box down, removed and copied the hard drive, provided the original to security. Rebuilt the box, and restored data from backups.
Backups? Oh, yes, the ones I did monthly. Using hard drives in an eSATA drive bay. And then removed, and put into the fire safe. (Before I left, we had a *lot* of drives in that safe).
I do the
Re: (Score:2)
This is slashdot. Stop being so god damned reasonable. You need to pull that trigger fast and hard if you want to fit in. Whatever you hit, you hit. Just keep shooting.
If there is anyone out there who objects to this u (Score:3)
Speak now, but to stop all Missouri dead in its tracks is the very definition of overkill in *any* dictionary
oh good! (Score:2)
Cybersecurity is wokeism. (Score:2)
Would be nice to get low level details (Score:2)