‘Serious’ Ransomware Emergency in Oakland, Calif. — Legacy FAIL

Oakland is still reeling from last week’s ransomware attack. San Francisco’s poorer neighbor is asking for help.

Interim City Administrator G. Harold Duffey (pictured) is tight-lipped about what happened. But he did declare an emergency: The idea is to set in train California and federal processes to help the underfunded city, which is thought to be chock-full of legacy kit.

In the meantime, Oakland’s not even saying if the public’s private information is at risk. In today’s SB Blogwatch, we dig below the surface.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The hardest people.

Transparency: We’ve Heard of It

What’s the craic? Katy St. Clair, Keith Burbank and Audrey Asistio report—“Oakland Declares State of Emergency”:

Older systems and limited resources
Interim City Administrator G. Harold Duffey … issued a local state of emergency due to “ongoing impacts” of network outages caused by ransomware. … The declaration of the emergency will allow the city to expedite its attack on the malicious software: [It] will assist with equipment and materials and the activation of emergency workers as the city seeks to safely restore its systems.

Oakland was particularly vulnerable, due to its older systems and limited resources, which is common in many local governments. … The city says it’s working with forensics, cybersecurity and tech firms to restore services. It’s also investigating the attack with federal and state officials.

Sounds serious? Sergiu Gatlan hasn’t much to go on—“State of emergency after ransomware attack”:

The ransomware group behind the attack
The incident did not affect core services, with the 911 dispatch and fire and emergency resources all working as expected. … Many systems taken down immediately after the incident to contain the threat are still offline.

A City of Oakland spokesperson could not provide additional details. … The ransomware group behind the attack is currently unknown.

Let’s turn to Jaime Omar Yassin—@hyphy_republic—who broke the initial ransomware story:

Archaic, under-resourced IT system
City Council is holding a special meeting to ratify the … state of emergency … resolution [which] will also request state and federal [help]. Duffey says they’re trying to move “expeditiously to move systems back online”, not much more than that. [He] also said they haven’t gotten to the point where they would tell the public that any of their information has been exposed, but will if there is evidence that happened. [He] says that they’re still “scrubbing” the system, and hope to be more functional next week.

Key: He didn’t say they would be fully functional. The attack is serious. … The ransomware impact is far from done, and it’s not clear that the City knows when that will be. … Two sources I spoke to about this almost immediately complained about the City’s archaic, under-resourced IT system and dept leading to this.

It’s not just Oakland. u/lobsangr sounds kinda depressed:

Most … agencies are working with legacy equipment, default passwords, weak credentials, not a single SNMP trap. [Here] in Florida, I see it first hand every day visiting different sites for my job.

Police stations, courthouses, jail systems. You name it. Nobody is actually paying attention to any of this.

Worrying. And unxdfa agrees:

This sort of stuff doesn’t surprise me any more. I’ve been on a number of “desktop support” sessions over the last few years and seen some ****. The common denominator seems to be entirely unpatched obsolete stuff … where either someone turned the updates off because they knew better or stopped paying their MSP for service immediately after they had been set up and assumed it’d just work forever.

Stock RTM Windows 7 with stock IE in 2021 was my favourite. … People like that and the associated competence level are rolling out the red carpet.

Sounds like a people problem. gavron has tough love for Oakland:

Next thing someone will get a call from The Big Boss and wire funds to random idiots. Oh wait, they do.

Fire them all. … Stop making excuses for incompetence in management.

Is there no oversight? u/paperJokeIsTearable guesses not:

Same headline for 20+ years. This is why cybersecurity compliance should be enforced upon every government, business, non profit, etc. … Many have cyber requirements, but no outside audit requirements (so it’s all self reported).

It’s just taking them a while to restore from backups, right? mr_mitm is in the middle:

They may just be in the “it takes some time” phase at the moment. Tapes are not exactly the fastest medium. Plus, you may want to determine the exact time at which you were compromised, or else you’ll be restoring potentially tainted backups. … That alone will take quite some time, especially considering that your logs may be encrypted as well.

Don’t forget about the amount of legacy **** and budget constraints many orgs have to deal with. That comes with many pitfalls and a lot of opportunities to make a mistake.
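To make the restore-point arithmetic mr_mitm describes concrete, here is an added example (not from the original post or any of the commenters): given the earliest observed indicator of compromise, it widens the window by a safety margin for unlogged dwell time, then classifies each backup as clean, uncertain or tainted and picks the newest clean one. The backup catalogue and the indicator timestamps are constructed for illustration and have nothing to do with the Oakland incident.

```python
"""Pick the newest backup that predates the earliest evidence of compromise.

Added example, not code from the original post. The backup catalogue and the
indicators below are constructed sample data, not data from any real incident.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed backup catalogue: (label, time the snapshot was taken).
BACKUPS = [
    ("tape-2023-01-29", datetime(2023, 1, 29, 2, 0, tzinfo=UTC)),
    ("tape-2023-02-01", datetime(2023, 2, 1, 2, 0, tzinfo=UTC)),
    ("tape-2023-02-05", datetime(2023, 2, 5, 2, 0, tzinfo=UTC)),
    ("tape-2023-02-08", datetime(2023, 2, 8, 2, 0, tzinfo=UTC)),
]

# Constructed indicators of compromise with the time each was first observed.
# In a real response these come from EDR telemetry, VPN/auth logs and host
# forensic timelines; the entries here are assumptions for the example.
INDICATORS = [
    ("ransom note dropped on file server", datetime(2023, 2, 8, 4, 30, tzinfo=UTC)),
    ("first outbound connection to attacker C2", datetime(2023, 2, 6, 19, 45, tzinfo=UTC)),
    ("VPN login from never-before-seen geography", datetime(2023, 2, 3, 23, 10, tzinfo=UTC)),
]


def earliest_indicator(indicators):
    """Return the earliest first-seen timestamp across all indicators."""
    if not indicators:
        raise ValueError("no indicators: the compromise time is unknown")
    return min(ts for _, ts in indicators)


def classify_backups(backups, indicators, margin=timedelta(0)):
    """Label each backup relative to the compromise timeline.

    clean     : taken before (earliest indicator - margin)
    uncertain : taken inside the margin, i.e. during dwell time that may not
                have been logged (the logs themselves may be encrypted)
    tainted   : taken at or after the earliest observed indicator
    """
    earliest = earliest_indicator(indicators)
    cutoff = earliest - margin
    verdicts = {}
    for name, taken in backups:
        if taken < cutoff:
            verdicts[name] = "clean"
        elif taken < earliest:
            verdicts[name] = "uncertain"
        else:
            verdicts[name] = "tainted"
    return verdicts


def last_clean_backup(backups, indicators, margin=timedelta(0)):
    """Return (label, timestamp) of the newest clean backup, or None if none."""
    verdicts = classify_backups(backups, indicators, margin)
    clean = [(name, ts) for name, ts in backups if verdicts[name] == "clean"]
    if not clean:
        return None
    return max(clean, key=lambda item: item[1])


if __name__ == "__main__":
    # A 72-hour margin is an assumed allowance for unlogged dwell time.
    margin = timedelta(hours=72)
    for name, verdict in classify_backups(BACKUPS, INDICATORS, margin).items():
        print(f"{name}: {verdict}")
    choice = last_clean_backup(BACKUPS, INDICATORS, margin)
    print("restore from:", choice[0] if choice else "nothing is provably clean")
```

The margin is the practical knob: with no margin the newest pre-indicator backup wins, but widening it to cover the time before the first surviving log entry pushes the restore point back and may leave nothing provably clean, which is exactly the case where the "it takes some time" phase stretches into a full forensic timeline reconstruction.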

However, Time-L0rd ain’t so understanding:

It’s not that hard to run the malware in Cuckoo Sandbox, figure out how it works and write a patch. My grandma is faster than these guys. The problem is they won’t make the malware public so we can study it in a timely manner.

Meanwhile, u/eco_go5 knows exactly what caused it:

That’s what happens when the Raiders leave Oakland.

And Finally:

DM vs. WS

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: G. Harold Duffey (via LinkedIn)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
