Dallas County Stops Recent Cyber Attack

Dallas County said Tuesday that its IT staff interrupted an attempt to steal data and “effectively prevented any encryption of its files or systems.” The County says an attempt to break into its network earlier this month was blocked and that investigators are continuing to look into the incident.

The County believes that its cyber defenses withstood the attack, stating “Due to our containment measures, Dallas County interrupted data exfiltration from its environment and effectively prevented any encryption of its files or systems. It appears the incident has been effectively contained, partly due to the measures we have implemented to bolster the security of our systems.

These measures include:

  • Extensive deployment of an Endpoint Detection and Response (EDR) tool across servers and endpoints connected to our network.
  • Forcing password changes for all users to grant access to our systems.
  • Mandating multi-factor authentication for remote access to our network.
  • Blocking ingress and egress traffic to IP addresses identified as malicious.
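The last measure on that list, blocking traffic to and from addresses identified as malicious, and the earlier claim that exfiltration was interrupted are the two that lend themselves to a concrete illustration. The Python below is an added example, not the County's tooling or anything from the original post: it loads a blocklist, renders nftables rules that drop both ingress and egress to it, and then runs a small set of constructed firewall flow records against the list, flagging both the flows the block would have stopped and any host whose outbound volume to unlisted destinations looks like exfiltration. The blocklist, the flow records, the 1 GB threshold and the `inet filter` table with `input`/`output`/`forward` chains are all assumptions made for the example; the addresses are from documentation ranges and are not real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist standing in for "IP addresses identified as malicious".
# Documentation-range prefixes only; these are not real indicators from the incident.
BLOCKLIST = ["203.0.113.0/24", "198.51.100.7"]

# Constructed firewall flow records (timestamp direction src dst bytes).
# Not real logs; built so that one host talks to the blocklist and another
# pushes a large volume to an address the blocklist does not yet cover.
FLOWS = """\
2023-10-19T02:14:03Z egress  10.20.1.15 198.51.100.7 184320000
2023-10-19T02:14:09Z egress  10.20.1.15 203.0.113.44 92160000
2023-10-19T02:15:30Z ingress 203.0.113.9 10.20.1.15 4096
2023-10-19T02:16:11Z egress  10.20.1.22 192.0.2.10 51200
2023-10-19T02:17:45Z egress  10.20.1.30 192.0.2.25 2048000000
2023-10-19T02:18:02Z egress  10.20.1.22 192.0.2.11 10240
"""


def load_blocklist(entries):
    """Parse plain IPs and CIDR prefixes into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(addr, networks):
    """True if the address falls inside any blocklisted prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def nft_rules(networks, table="inet filter"):
    """Render nftables commands that drop traffic in BOTH directions for the blocklist.

    Assumes the table and its input/output/forward chains already exist (hypothetical
    names chosen for this example). An interval set lets one set hold both /32s and prefixes.
    """
    elems = ", ".join(str(net) for net in networks)
    return [
        f"nft add set {table} malicious {{ type ipv4_addr; flags interval; }}",
        f"nft add element {table} malicious {{ {elems} }}",
        f"nft add rule {table} input ip saddr @malicious drop",     # ingress
        f"nft add rule {table} output ip daddr @malicious drop",    # egress from the box itself
        f"nft add rule {table} forward ip saddr @malicious drop",   # ingress through the firewall
        f"nft add rule {table} forward ip daddr @malicious drop",   # egress through the firewall
    ]


def parse_flows(text):
    """Turn the whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, src, dst, nbytes = line.split()
        flows.append({"ts": ts, "direction": direction, "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def evaluate_flows(flows, networks, egress_threshold=1_000_000_000):
    """Return (flows the blocklist stops, hosts whose unblocked outbound volume exceeds the threshold).

    The second list is the exfiltration check: a blocklist only catches addresses you already
    know about, so outbound byte counts per internal host are tallied for everything that slips past it.
    The 1 GB threshold is an assumption for the example, not a recommended value.
    """
    blocked = []
    outbound = defaultdict(int)
    for f in flows:
        external = f["dst"] if f["direction"] == "egress" else f["src"]
        if is_blocked(external, networks):
            blocked.append(f)
            continue
        if f["direction"] == "egress":
            outbound[f["src"]] += f["bytes"]
    suspects = sorted(host for host, total in outbound.items() if total >= egress_threshold)
    return blocked, suspects


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST)
    print("\n".join(nft_rules(nets)))
    blocked, suspects = evaluate_flows(parse_flows(FLOWS), nets)
    for f in blocked:
        print(f"BLOCKED {f['direction']:7} {f['src']} -> {f['dst']} ({f['bytes']} bytes)")
    for host in suspects:
        print(f"EXFIL? {host} exceeded the outbound byte threshold to unlisted destinations")
```

Against the constructed records, the three flows touching the blocklist are dropped, and 10.20.1.30 is reported as an exfiltration suspect even though its destination is not on the list. That second check is the one that matters in practice: by the time an address is "identified as malicious" the bulk of the data may already have left, so egress volume per host needs watching independently of any indicator feed.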

The County Update on the attack states: “Currently, there is no evidence of ongoing threat actor activity in our environment. Given these measures and findings, it appears at this time that the incident has been successfully contained and that Dallas County’s systems are secure for use.”

However, The Record reports that “On Saturday, the Play ransomware gang posted the county to its leak site, claiming to have stolen an undisclosed amount of data, which it threatened to leak by November 3.”

Steve Hahn, Executive VP at BullWall, had this to say:

   “Since around 2018 Ransomware Threat Actor groups have increasingly targeted Cities across the United States. Baltimore and Oakland were both down for months before returning to full operation and were forced to declare a state of emergency as essential services were incapacitated. Texas has seen more than 40 government entities impacted since that time, clearly taking the brunt of this new focus on Cities.

   “The reasons for this are varied. Russian-based threat actor groups are largely responsible for these attacks, and the disruption and even loss of life they can cause is a major driver. 911 services are taken down, emergency response, healthcare services, even court case documents wiped out for serious criminals. The other driver for this is clearly the lack of robust security controls for City and State governments.

   “I’ve seen first-hand how the security leaders in these cities plead for funding and resources for the most basic security controls and are repeatedly denied funding for essential products. Unfortunately, it’s not until after the fact that they tend to receive that funding. The security leaders know what they need, better prevention tools and the latest technologies like Ransomware Containment solutions, but they just can’t navigate the political landscape sufficiently to get that funding. Until then, we will see a continued rise in Ransomware attacks with increasing levels of severity. These new attacks not only encrypt files, they also disable massive amounts of the critical IT infrastructure, rendering it inoperable.”

I guess we’ll have to wait to see how much data the Play ransomware group swiped. It’s not clear how long they were inside the environment, thus anything is possible.
