Endpoint

7/25/2019
03:00 PM

Johannesburg Ransomware Attack Leaves Residents in the Dark

The virus affected the network, applications, and databases at City Power, which delivers electricity to the South African financial hub.

Johannesburg's City Power, the municipal entity delivering power to the South African financial hub, was hit with a ransomware attack that encrypted its network, databases, and applications.

The attack struck Thursday morning and prevented residents from buying electricity, uploading invoices, or accessing the City Power website. Officials said it also affected response time to logged calls, as some of the internal systems to dispatch and order material were slowed down.

"Ransomware virus is known globally to be operated by syndicates seeking to solicit money," the City of Joburg tweeted after the attack. "We want to assure residents of Johannesburg that City Power systems were able to proactively intercept this and managed to deal with it quickly." The city, which owns City Power, notes there was no personal data compromised in the attack.

Johannesburg implemented temporary measures to help those affected. Suppliers seeking to submit invoices were told to bring them to City Power offices; customers were asked to log calls on their cellphones using the mobile site, as they couldn't access the utility's website. Residents called a local radio station to say the attack had left them without power, Reuters reports.

At the time of the attack, City Power spokesperson Isaac Mangena said to News24 that cold weather could lead to unplanned outages, as the electrical system overloads with higher demand. Plans were in place to deal with unplanned outages, he added; City Power had sent more technicians to regions of the city where unplanned, repeated outages frequently occur.

City Power and Johannesburg officials have been regularly posting updates to both entities' Twitter accounts; the City of Joburg most recently reported most of the IT applications and network affected by the attack "have been cleaned up and restored."

Johannesburg joins a growing number of cities targeted with ransomware as criminals take aim at municipalities around the world. Other victims include Baltimore, Atlanta, and Riviera Beach, Florida. While security experts typically recommend not paying ransom — and US mayors have committed to follow their advice — unprepared victims may have no choice. Riviera Beach recently paid $600,000 to its attackers, a decision that could potentially have "far-reaching consequences," said Ilia Kolochenko, founder and CEO of security company ImmuniWeb.

Kolochenko anticipates attacks like these will continue. "Cities, and especially their infrastructure sites, are usually a low-hanging fruit for unscrupulous cyber gangs," he says. "These victims will almost inevitably pay the ransom as all other avenues are either unreliable or too expensive." What's more, he adds, cryptocurrency payments can't be traced back to the attackers, so most of them get away with it.

Cybercriminals are taking the time to profile and target entities that are more likely to pay more money, says Matt Walmsley, Vectra's director of EMEA. City Power was an appealing target: The broad scope of disruption to its databases and other software, affecting most of its applications and networks, suggests the ransomware was able to spread quickly throughout the organization.

"The disruption to their services, as well as consumer backlash, will further compound the pressure on City Power's IT and security teams to rapidly restore systems to a known good condition from backups, or chance of paying the ransom," Walmsley explains.

Kolochenko also notes the risk of dangerous ransomware attacks will grow unless governments develop and enforce security regulations to protect their cities. Humans feel very real effects of ransomware in incidents like these: Following the City Power attack, Twitter posts reflected the struggles of individuals and families who found themselves without power. Future incidents could affect airports, for example, and other components of critical infrastructure.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
tdsan, User Rank: Ninja, 7/29/2019 | 11:20:46 PM
Re: Separation of duties
Thank you for reviewing my responses. Yes, I agree that IPv6 could address a number of issues, not all, but at least it would help with identifying where the attack came from, encrypting traffic, employing segmentation and a number of other issues as indicated in my prior post. Todd
Dr.T, User Rank: Ninja, 7/29/2019 | 9:02:31 PM
Re: Separation of duties
"IPv6 IPSec AES256 ESP/AH VPN can reduce the level of attacks 10 fold as long as it is configured properly with hours of testing." Ok. That makes sense, as IPv6 would have more security features than IPv4.
Dr.T, User Rank: Ninja, 7/29/2019 | 9:00:35 PM
Re: Separation of duties
"This heightened level of security makes this area an internal 'jump area' or quasi-DMZ." Good point. A DMZ would help to segregate the web layer from the data layer, where they would have a harder time passing through.
Dr.T, User Rank: Ninja, 7/29/2019 | 8:58:07 PM
Re: Separation of duties
"There should have been conversations on creating a separate network utilizing VDI as a way to connect." Well put and good point. It should be well architected, as it is always possible to jump from network to network.
Dr.T, User Rank: Ninja, 7/29/2019 | 8:55:37 PM
Re: Separation of duties
"A number of organizations have not implemented 'segmentation' at the network layer." This is a good point; separation helps the network tremendously.
Dr.T, User Rank: Ninja, 7/29/2019 | 8:52:09 PM
More cities
No more cities. Obviously ransomware attackers found a better target: all cities anymore.
tdsan, User Rank: Ninja, 7/27/2019 | 3:48:13 PM
Separation of duties
A number of organizations have not implemented "segmentation" at the network layer. I am not sure how the hack took place, but why did the utility company connect their SCADA infrastructure to the Internet? There should have been conversations on creating a separate network utilizing VDI as a way to connect and perform management procedures using an area in the network with limited capability (a small network segment that is monitored and tracked to the highest extent, where access is authorized by management staff and NAC (Network Access Control) devices).

Cybersecurity Utility

And the other aspect of the network should have been on IPv6. If the internal SCADA network is on IPv6 and the external network (admin or mgmt network) is on IPv4, we can limit the ability of the hacker to access the VDI environment. Since the VDI is limited with IPv6 (dual-homed) with specific IPv6 addresses on the Mgmt Network, access to the SCADA environment can be kept very limited when it comes to external actors. This heightened level of security makes this area an internal "jump area" or quasi-DMZ. This helps to improve security levels by reducing MITM (Man in the Middle) attacks and enabling encryption (in-flight & at rest). IPv6 IPSec AES256 ESP/AH VPN can reduce the level of attacks 10 fold as long as it is configured properly with hours of testing. Remember, if you look at most of the hack attempts that took place in the world, they use IPv4 (not to say that they don't use IPv6); this would give the organization a leg up on addressing this issue, and it adds a certain level of complexity or obfuscation to the mix.

Another consideration would be to stand up a test environment with hardened OSes; this practice could affect the application, especially when PLC devices are involved, so having a test environment that mimics production is vital to the organization's security posture.

Hopefully, they will be working with security vendors to address some of their issues.

Todd
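As an added example (not from the commenter or the article), the segmentation the post above describes can be audited against flow records: the script below, using constructed addresses and constructed sample flows, flags any flow that reaches the SCADA segment other than via the dual-homed VDI jump host, any flow that reaches the jump host from outside the management network, and any outbound internet traffic initiated by the jump host. The segment ranges and jump-host addresses are assumptions for illustration, not City Power's.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the layout sketched in the comment (assumed, not City Power's):
# SCADA segment on IPv6 ULA space, management segment on IPv4, one dual-homed VDI jump host.
SCADA_NET = ipaddress.ip_network("fd00:5cad:a::/64")
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
JUMP_HOSTS = {ipaddress.ip_address("fd00:5cad:a::10"), ipaddress.ip_address("10.10.0.10")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone(addr: str) -> str:
    """Classify an address as jump host, SCADA segment, management segment, or external."""
    ip = ipaddress.ip_address(addr)
    if ip in JUMP_HOSTS:
        return "jump"
    if ip in SCADA_NET:  # membership test is False across address families
        return "scada"
    if ip in MGMT_NET:
        return "mgmt"
    return "external"


def verdict(flow: Flow) -> str:
    """Return 'allow', or a short reason describing the segmentation violation."""
    s, d = zone(flow.src), zone(flow.dst)
    if "scada" in (s, d):
        # The SCADA segment may only talk to the jump host, never to mgmt or the internet.
        if {s, d} <= {"scada", "jump"}:
            return "allow"
        return f"scada<->{s if d == 'scada' else d}: SCADA segment reachable outside the jump area"
    if d == "jump" and s != "mgmt":
        return f"{s}->jump: jump host reachable from outside the management network"
    if s == "jump" and d == "external":
        return "jump->external: jump host initiating outbound internet traffic"
    return "allow"


def audit(flows):
    """Return [(flow, reason)] for every flow that violates the policy."""
    return [(f, v) for f in flows for v in [verdict(f)] if v != "allow"]


SAMPLE_FLOWS = [  # constructed flow records, not real logs
    Flow("10.10.0.25", "10.10.0.10", 3389),           # admin -> jump host: fine
    Flow("fd00:5cad:a::10", "fd00:5cad:a::42", 502),  # jump host -> PLC (Modbus): fine
    Flow("203.0.113.7", "10.10.0.10", 3389),          # internet -> jump host: violation
    Flow("fd00:5cad:a::42", "2001:db8::1", 443),      # PLC -> internet: violation
    Flow("10.10.0.25", "fd00:5cad:a::42", 502),       # admin bypassing the jump host: violation
]

if __name__ == "__main__":
    for flow, why in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {why}")
```

In practice the same check runs over exported NetFlow/IPFIX or firewall logs, and a non-empty result is the signal that a segmentation or NAC rule is missing.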
