7/25/2019
03:00 PM
Johannesburg Ransomware Attack Leaves Residents in the Dark

The ransomware affected the network, applications, and databases at City Power, which delivers electricity to the South African financial hub.

Johannesburg's City Power, the municipal entity delivering power to the South African financial hub, was hit with a ransomware attack that encrypted its network, databases, and applications.

The attack struck Thursday morning and prevented residents from buying electricity, uploading invoices, or accessing the City Power website. Officials said it also affected response time to logged calls, as some of the internal systems to dispatch and order material were slowed down.

"Ransomware virus is known globally to be operated by syndicates seeking to solicit money," the City of Joburg tweeted after the attack. "We want to assure residents of Johannesburg that City Power systems were able to proactively intercept this and managed to deal with it quickly." The city, which owns City Power, notes there was no personal data compromised in the attack.

Johannesburg implemented temporary measures to help those affected. Suppliers seeking to submit invoices were told to bring them to City Power offices; customers were asked to log calls on their cellphones using the mobile site, as they couldn't access the utility's website. Residents called a local radio station to say the attack had left them without power, Reuters reports.

At the time of the attack, City Power spokesperson Isaac Mangena told News24 that cold weather could lead to unplanned outages, as the electrical system overloads with higher demand. Plans were in place to deal with unplanned outages, he added; City Power had sent more technicians to regions of the city where unplanned, repeated outages frequently occur.

City Power and Johannesburg officials have been regularly posting updates to both entities' Twitter accounts; the City of Joburg most recently reported most of the IT applications and network affected by the attack "have been cleaned up and restored."

Johannesburg joins a growing number of cities targeted with ransomware as criminals take aim at municipalities around the world. Other victims include Baltimore, Atlanta, and Riviera Beach, Florida. While security experts typically recommend not paying ransom — and US mayors have committed to follow their advice — unprepared victims may have no choice. Riviera Beach recently paid $600,000 to its attackers, a decision that could potentially have "far-reaching consequences," said Ilia Kolochenko, founder and CEO of security company ImmuniWeb.

Kolochenko anticipates attacks like these will continue. "Cities, and especially their infrastructure sites, are usually a low-hanging fruit for unscrupulous cyber gangs," he says. "These victims will almost inevitably pay the ransom as all other avenues are either unreliable or too expensive." What's more, he adds, cryptocurrencies can't be traced back to the attackers, so most get away with it.

Cybercriminals are taking the time to profile and target entities that are more likely to pay more money, says Matt Walmsley, Vectra's director of EMEA. City Power was an appealing target: the broad scope of disruption to its databases and other software, affecting most of its applications and networks, suggests the ransomware was able to spread quickly throughout the organization.

"The disruption to their services, as well as consumer backlash, will further compound the pressure on City Power's IT and security teams to rapidly restore systems to a known good condition from backups, or chance of paying the ransom," Walmsley explains.

Kolochenko also notes the risk of dangerous ransomware attacks will grow unless governments develop and enforce security regulations to protect their cities. Humans feel very real effects of ransomware in incidents like these: Following the City Power attack, Twitter posts reflected the struggles of individuals and families who found themselves without power. Future incidents could affect airports, for example, and other components of critical infrastructure.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
tdsan (User Rank: Ninja), 7/29/2019 11:20:46 PM
Re: Separation of duties
Thank you for reviewing my responses. Yes, I agree that IPv6 could address a number of issues, not all, but at least it would help with identifying where the attack came from, encrypting traffic, employing segmentation, and a number of other issues as indicated in my prior post. Todd
Dr.T (User Rank: Ninja), 7/29/2019 9:02:31 PM
Re: Separation of duties
"IPv6 IPSec AES256 ESP/AH VPN can reduce the level of attacks 10 fold as long as it is configured properly with hours of testing." Ok, that makes sense, as IPv6 would have more security features than IPv4.
Dr.T (User Rank: Ninja), 7/29/2019 9:00:35 PM
Re: Separation of duties
"This heightened level of security makes this area an internal 'jump area' or quasi-DMZ." Good point. A DMZ would help to segregate the web layer from the data layer, where they would have a harder time passing through.
Dr.T (User Rank: Ninja), 7/29/2019 8:58:07 PM
Re: Separation of duties
"There should have been conversations on creating a separate network utilizing VDI as a way to connect ..." Well put and good point. It should be well architected, as it is always possible to jump from network to network.
Dr.T (User Rank: Ninja), 7/29/2019 8:55:37 PM
Re: Separation of duties
"A number of organizations have not implemented 'segmentation' at the network layer." This is a good point; separation helps in the network tremendously.
Dr.T (User Rank: Ninja), 7/29/2019 8:52:09 PM
More cities
No more cities. Obviously ransomware attackers found a better target: all cities anymore.
tdsan (User Rank: Ninja), 7/27/2019 3:48:13 PM
Separation of duties
A number of organizations have not implemented "segmentation" at the network layer. I am not sure how the hack took place, but why did the utility company connect their SCADA infrastructure to the Internet? There should have been conversations on creating a separate network utilizing VDI as a way to connect and perform management procedures, using an area in the network with limited capability (a small network segment that is monitored and tracked to the highest extent, where access is authorized by management staff and NAC (Network Access Control) devices).


And the other aspect of the network should have been on IPv6. If the internal SCADA network is on IPv6 and the external network is on IPv4 (admin or mgmt network), we can limit the ability of the hacker to access the VDI environment. Since the VDI is limited to IPv6 (dual-homed) with specific IPv6 addresses on the mgmt network, access to the SCADA environment can provide limited accessibility when it comes to external actors. This heightened level of security makes this area an internal "jump area" or quasi-DMZ. This helps to improve security levels by reducing MITM (Man-in-the-Middle) attacks and enabling encryption (in flight and at rest). An IPv6 IPsec AES-256 ESP/AH VPN can reduce the level of attacks tenfold as long as it is configured properly with hours of testing. Remember, if you look at most of the hack attempts that took place in the world, they use IPv4 (not to say that they don't use IPv6); this would give the organization a leg up on addressing this issue, and it adds a certain level of complexity or obfuscation to the mix.

Another consideration would be to stand up a test environment with hardened OSes. This practice could affect the application, especially when PLC devices are involved, so having a test environment that mimics production is vital to the organization's security posture.

Hopefully, they will be working with security vendors to address some of their issues.

Todd
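The comment above argues for a monitored "jump area" (VDI plus NAC) as the only route from the corporate or Internet-facing segments into the SCADA network. As an added example, not code from the article, from City Power, or from the commenter, the following Python models that design as a table of permitted inter-segment flows and checks two properties a segmentation review would want: no rule lets an untrusted segment talk to the SCADA segment directly, and the SCADA segment is unreachable from every untrusted segment once the jump segment is removed from the graph (i.e. the jump segment sits on every path). The segment names, ports and the flow table are constructed for illustration.

```python
"""Reachability check for a segmented utility network (added example).

Models network segments as graph nodes and firewall-permitted flows as
directed edges, then verifies that the management/VDI "jump area" is a
chokepoint between untrusted segments and the SCADA segment.
"""
from collections import deque

# Constructed policy: (source segment, destination segment, service).
# These names and services are illustrative assumptions, not City Power's.
ALLOWED_FLOWS = [
    ("internet", "dmz-web", "tcp/443"),
    ("dmz-web", "corp-app", "tcp/8443"),
    ("corp-app", "corp-db", "tcp/5432"),
    ("corp-user", "corp-app", "tcp/8443"),
    ("corp-user", "mgmt-vdi", "tcp/443"),   # VDI broker; access gated by NAC
    ("mgmt-vdi", "scada-ops", "tcp/102"),   # engineering workstation -> PLC (ISO-TSAP)
    ("mgmt-vdi", "scada-ops", "tcp/502"),   # Modbus/TCP
]

CHOKEPOINT = "mgmt-vdi"   # the monitored jump segment
PROTECTED = "scada-ops"   # the segment that must only be reached via the chokepoint
UNTRUSTED = frozenset({"internet", "dmz-web", "corp-user", "corp-app"})


def build_graph(flows):
    """Adjacency sets keyed by source segment; every segment gets a node."""
    graph = {}
    for src, dst, _svc in flows:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable(graph, start, blocked=frozenset()):
    """Segments reachable from start by BFS, never stepping into a blocked segment."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt in blocked or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def check_segmentation(flows, untrusted=UNTRUSTED, chokepoint=CHOKEPOINT,
                       protected=PROTECTED):
    """Return a list of violations; an empty list means the design holds.

    1. No single rule may admit an untrusted segment straight into `protected`.
    2. With `chokepoint` removed, `protected` must be unreachable from every
       untrusted segment; this catches multi-hop bypasses that rule-by-rule
       inspection misses (e.g. a vendor VPN segment bridged to SCADA).
    """
    graph = build_graph(flows)
    violations = []
    for src, dst, svc in flows:
        if src in untrusted and dst == protected:
            violations.append(f"direct rule {src} -> {dst} ({svc}) bypasses {chokepoint}")
    for src in sorted(untrusted):
        if protected in reachable(graph, src, blocked={chokepoint}):
            violations.append(f"{src} can reach {protected} without traversing {chokepoint}")
    return violations


# Constructed change requests a firewall team might receive.
DIRECT_BYPASS = ALLOWED_FLOWS + [("corp-user", "scada-ops", "tcp/502")]
INDIRECT_BYPASS = ALLOWED_FLOWS + [
    ("internet", "vendor-remote", "tcp/443"),   # remote-support gateway
    ("vendor-remote", "scada-ops", "tcp/22"),   # bridged straight into SCADA
]

if __name__ == "__main__":
    for name, flows in (("baseline", ALLOWED_FLOWS),
                        ("direct bypass", DIRECT_BYPASS),
                        ("indirect bypass", INDIRECT_BYPASS)):
        print(f"{name}: {check_segmentation(flows) or 'OK'}")
```

The indirect case is the one worth noting: the vendor gateway is not in the untrusted set, so no individual rule looks wrong, yet the reachability check reports that the Internet can reach the SCADA segment without passing through the jump area. Running the same check against a real rule export (after mapping rules to segment pairs) is a cheap way to keep a segmentation design honest as rules accumulate.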
