Full Report
OnSolve CodeRED was damaged by the attack and has been nonoperational since earlier this month. Dozens of agencies and their respective users have been impacted by the outage and data theft. The post Crisis24 shuts down emergency notification system in wake of ransomware attack appeared first on CyberScoop.
Analysis Summary
# Incident Report: Ransomware Attack on OnSolve CodeRED Emergency Notification System
## Executive Summary
OnSolve CodeRED, a voluntary emergency notification system managed by Crisis24, was compromised by a targeted ransomware attack earlier this month, leading to its permanent shutdown. Dozens of agencies and their users experienced service outages for approximately two weeks, and attackers exfiltrated Personally Identifiable Information (PII) of CodeRED users, which was subsequently leaked. Crisis24 contained the incident to the legacy platform environment and accelerated the migration of customers to a new, unaffected CodeRED system.
## Incident Details
- **Discovery Date:** Earlier this month (Specific date not provided in the text)
- **Incident Date:** Earlier this month (Specific date not provided in the text)
- **Affected Organization:** OnSolve CodeRED (Service Provider: Crisis24)
- **Sector:** Public Safety / Emergency Services / Technology Services
- **Geography:** National (Used by agencies across the country)
## Timeline of Events
### Initial Access
- **Date/Time:** Earlier this month
- **Vector:** Targeted attack by an organized cybercriminal group.
- **Details:** The attack vector used to gain initial access is not specified in detail, but it impacted the legacy OnSolve CodeRED environment.
### Lateral Movement
- **Details:** The forensic analysis indicated the incident was "contained within that environment, with no contagion beyond" the CodeRED environment. Specific lateral movement techniques are not disclosed.
### Data Exfiltration/Impact
- **Details:** Attackers stole data contained in the OnSolve CodeRED platform. Personally identifiable information (PII) of CodeRED users was exfiltrated and subsequently leaked online by the threat actor. The primary impact was the damage that rendered the legacy platform permanently nonoperational.
### Detection & Response
- **Details:** Crisis24 alerted its customers earlier this month. The company contained the incident within the legacy environment. Response actions included notifying law enforcement, initiating a full security audit, and third-party penetration testing on the legacy system.
## Attack Methodology
- **Initial Access:** Targeted attack by an organized cybercriminal group. (Specific technique unknown)
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified, though user passwords were stolen.
- **Discovery:** Not specified.
- **Lateral Movement:** Contained to the legacy OnSolve CodeRED environment.
- **Collection:** PII of CodeRED users (names, addresses, emails, phone numbers, passwords).
- **Exfiltration:** Data theft occurred, leading to a public leak of user PII.
- **Impact:** Damage to the OnSolve CodeRED platform, leading to physical decommissioning; operational outage impacting dozens of agencies.
- **Threat Actor Claim:** INC ransomware claimed responsibility for the attack.
## Impact Assessment
- **Financial:** Not specified (costs would include decommissioning the legacy platform, the security audit, and migrating customers).
- **Data Breach:** Confirmed data theft of user PII, including names, addresses, email addresses, phone numbers, and passwords. Users advised to change reused passwords immediately.
- **Operational:** OnSolve CodeRED system was nonoperational for approximately two weeks, forcing agencies to operate without the system. Affected agencies subsequently terminated contact with the legacy CodeRED service. The national Emergency Alert System remained unimpacted.
- **Reputational:** Major disruption to public warning capabilities across dozens of jurisdictions; crisis communication efforts required by affected agencies.
## Indicators of Compromise
*While specific IoCs were not provided in the text, the following general indicators are relevant:*
- **Network Indicators:** (None explicitly mentioned)
- **File Indicators:** (None explicitly mentioned)
- **Behavioral Indicators:** Evidence of ransomware deployment/activity associated with the INC ransomware group on the legacy CodeRED servers.
## Response Actions
- **Containment measures:** Incident contained within the legacy OnSolve CodeRED environment.
- **Eradication steps:** Decommissioning of the damaged legacy platform initiated.
- **Recovery actions:** Accelerated rollout and customer transfer to the new, unaffected CodeRED by Crisis24 platform.
- **Other Actions:** Notified law enforcement; initiated full security audit and third-party penetration testing.
## Lessons Learned
- The necessity of isolating critical legacy systems (CodeRED ran on a separate environment, which aided containment).
- The severe operational impact of even voluntary/opt-in emergency systems being disrupted.
- Immediate necessity for customers to enforce credential hygiene across other services if passwords were reused.
- The need for continuous security modernization, as the company was already building a new platform.
## Recommendations
- For Crisis24: Complete thorough security audits of the new platform before reliance on it becomes universal. Maintain strict segmentation between legacy and modern systems.
- For Agencies/Users: Immediately change passwords for any systems utilizing the same credentials as the compromised CodeRED account.
- General: Review continuity of operations plans for emergency notification redundancy, especially if relying on third-party systems.