City of Covington Server Breach and Ransomware Event

On Thursday, March 11th the City of Covington found itself one of about 30,000 U.S. organizations that fell victim to the same cyber-attack. The City of Covington uses an onsite Microsoft Exchange Server to host email for the Police department, Fire department, and the offices of Public Works, Cultural Arts & Events, Parks & Recreation, and Utility Billing & Finance. It appears that the city’s phone system resided on the same logical network as that externally facing Exchange server. Here’s what you need to know about the attack.

On Wednesday, March 3rd a company called Huntress Labs discovered a vulnerability in Microsoft Exchange Servers that would allow an attacker to insert malware (potentially ransomware) onto onsite Exchange Servers. Microsoft estimates that there are about 30,000 onsite Exchange servers in the U.S. and hundreds of thousands globally, so this was a MAJOR vulnerability. Huntress immediately alerted Microsoft, and Microsoft pushed out a patch to fix the flaw. In other words, Microsoft gave administrators a way to update their servers so that they would no longer be vulnerable to the attack. Those that knew about the patch and acted quickly enough to update their servers were spared. Unfortunately, around 10,000 U.S. servers and 100,000 servers globally were not updated fast enough and suffered from the attack. The City of Covington is part of that statistic.

To make matters worse, it appears that the City of Covington’s server network is a flat network, meaning that the phone system server sits on the same network as the Exchange server. Once the mail server was compromised, the malware was able to move laterally inside the network and take down other critical services on it. Had the network been segmented, ideally only one critical service of the city’s government would have been affected. We imagine that the Cybersecurity Alliance that arrived on scene on March 11th, the day of the attack, will advise and force the city to align itself with proper security standards, so that future vulnerabilities are minimized. This is by no means over, and the city is still in the process of recovery, so we will update this blog as things progress and more details are revealed.
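To make the segmentation point concrete, here is a small blast-radius model, added for this post and not part of the original article or of any assessment of the city’s network. The hosts, segments and firewall allow-list are constructed to mirror the situation described (an externally facing Exchange server sharing a network with a phone system and other city services) and are assumptions, not Covington’s real topology. It answers the question a security architect asks after an incident like this one: if this one server is compromised, which other hosts can the malware reach under the current policy, and which could it reach if the network were segmented?

```python
"""Blast-radius model: which hosts can malware on a compromised server reach?

Added example (not from the original post). All hosts, segments and
firewall rules are constructed placeholders for illustration.
"""
from collections import deque

# Constructed inventory: host -> network segment it lives in
HOSTS = {
    "exchange-01": "dmz",          # externally facing mail server
    "web-portal": "dmz",           # another internet-facing service
    "phone-pbx": "voice",          # phone system
    "utility-billing-db": "finance",
    "police-records": "police",
    "file-server": "office",
}


def flat_policy(src_seg, dst_seg, port):
    """Flat network: every segment can reach every other on any port."""
    return True


def segmented_policy(src_seg, dst_seg, port):
    """Segmented network: only explicitly allowed flows cross a boundary.

    Note the direction: internal segments may initiate connections into
    the DMZ, but nothing in the DMZ may initiate connections inward.
    """
    # (source segment, destination segment) -> allowed TCP ports (constructed)
    allow = {
        ("office", "dmz"): {443},       # staff to webmail / Outlook
        ("office", "voice"): {5060},    # softphones to the PBX
        ("office", "finance"): {1433},  # billing application to its database
    }
    return src_seg == dst_seg or port in allow.get((src_seg, dst_seg), set())


def reachable_hosts(start, policy, ports=(445, 3389, 443, 5060, 1433)):
    """Breadth-first search over hosts.

    A host is considered reachable when the policy permits any of the
    probed ports from a host already under the attacker's control; each
    newly reached host then becomes a pivot point for the next hop.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host, seg in HOSTS.items():
            if host in seen:
                continue
            if any(policy(HOSTS[cur], seg, p) for p in ports):
                seen.add(host)
                queue.append(host)
    return seen - {start}


def blast_radius(start, policy):
    """Sorted list of hosts reachable from `start` under `policy`."""
    return sorted(reachable_hosts(start, policy))


if __name__ == "__main__":
    print("flat network:     ", blast_radius("exchange-01", flat_policy))
    print("segmented network:", blast_radius("exchange-01", segmented_policy))
```

Under the flat policy the compromised Exchange server can reach every other host, including the phone system, which is the outcome the post describes. Under the segmented policy the blast radius shrinks to the one other host in the same DMZ segment, because the firewall only allows flows initiated from inside toward the DMZ, never the reverse. Running the model from an internal host instead shows that segmentation also limits what a compromised workstation can reach, so the same allow-list protects in both directions.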

Further reading about this vulnerability is available at the CISA.GOV website.