Article Originally Published Here
The Inc ransomware gang took responsibility for the attack earlier this month and claimed it stole sensitive subscriber data.
A cyberattack on risk management provider Crisis24 earlier this month led the company to shut down its CodeRED emergency notification platform, sending shockwaves through city, county, and state government agencies amid the Thanksgiving holiday.
The OnSolve CodeRED platform is a voluntary system that issues emergency notifications and alerts for city, county, and state government agencies, not to be confused with the federal government-operated Emergency Alert Service (EAS). Customers use the platform to issue alerts to residents through phone calls, emails, and text messages in situations such as weather emergencies or outages to government services.
In a disclosure published Wednesday, Crisis24 parent company GardaWorld Corporation said it suspended all access to the platform on Nov. 10 in response to a breach of the CodeRED environment. “As the OnSolve CodeRED platform was damaged during the cyberattack, we have decommissioned the platform,” the statement read. “We have also confirmed that the incident was contained within that environment, with no contagion beyond. All customers have since transitioned to the new CodeRED by Crisis24.”
The Inc ransomware gang claimed responsibility for the attack earlier this month in a post on its Dark Web leak site. According to the gang, Inc., actors first gained access to the CodeRED environment on Nov. 1 and encrypted the platform’s files on Nov. 10.
Inc operators also claimed that during ransom negotiations, Crisis24 offered a $100,000 payment, which was rejected. As a result, the group said it was putting the stolen data up for sale and published samples on Nov. 23.
GardaWorld’s statement acknowledged that a “cybercriminal group” claimed responsibility for the attack, that the company believed threat actors stole data from the platform, and that it “may contain information for OnSolve CodeRED subscribers.” The company also said it had not yet confirmed whether the published sample data originated from CodeRED.
Dark Reading contacted Crisis24 for comment, but the company did not respond at press time.
Government Agencies React to CodeRED Attack
Crisis24 said it notified state, county, and municipal governments “shortly” after confirming the CodeRED environment had been compromised. Still, some customers appear to have been caught off guard and publicly expressed frustration with the company.
For example, the Public Safety Communications Department for Weld County, Colo., said on Nov. 14 that it was alerted three days earlier that CodeRED had been taken offline due to concerns from Crisis24’s IT department. “There has been no further update from CodeRED, nor has the Weld County representative for CodeRED returned any of the county’s calls/emails,” the department’s press release stated.
Like other affected customers, Weld County’s Public Safety Communications Department informed its constituents that CodeRED’s disruption did not impact 911 operations or emergency services.
While Crisis24 transitioned customers to the new CodeRED platform — which GardaWorld said “resides in a non-compromised, separate environment that has been subjected to a comprehensive security audit” — some customers weren’t buying it. The sheriff’s office in Douglas County, Colo., issued a press release on Nov. 24 stating that it had dropped the platform.
“The Douglas County Sheriff’s Office, in collaboration with the Douglas County 911 Board, has taken immediate action to terminate our contract with CodeRED for cause. Our top priority is the privacy and protection of our citizens, which led to the decision to end our agreement with CodeRED,” the press release stated.
The sheriff’s office also included the text of a notification from Crisis24 that warned of a threat actor “removed” of sensitive data from the platform, including subscribers’ names, addresses, email addresses, phone numbers, and passwords for their CodeRED accounts.
The town governments of Chesterfield and Goshen, Mass., said in a public service announcement that the state’s Commonwealth Fusion Center, a threat intelligence sharing entity, was investigating the CodeRED attack. The PSA also noted that Inc ransomware’s leaked sample data appears to show passwords in plaintext, meaning the passwords were not encrypted or hashed by Crisis24.
Mitigating Risks to CodeRED Subscribers
If Inc actors obtained clear-text passwords to CodeRED subscribers’ accounts, then this presents a significant risk to those individuals, even if the platform is shut down and presumably inaccessible to threat actors with those passwords. First, attackers could send fake alerts and notifications to users and use stolen passwords to convince targets that the alerts are legitimate, allowing threat actors to exploit that trust further.
Additionally, GardaWorld highlighted the dangers of password reuse. “We have encouraged our customers to inform subscribers who may have reused their OnSolve CodeRED password for any other personal or business accounts to change those passwords immediately,” the company said in its disclosure statement.
Several CodeRED customers urged their residents to take immediate action. For example, Sioux City’s government published an advisory on Nov. 28 urging all CodeRED subscribers who may have used the same password for other accounts for email, banking, shopping, or enterprise services to update those accounts immediately. The advisory also recommended that subscribers enable multifactor authentication (MFA) “wherever possible” and to monitor their accounts for suspicious activity.
