Cyber Incident Weekly Report - Week of June 10, 2024

Traverse City Shuts Down Network Following Cyber Attack.

WHAT HAPPENED: In a press release on its website, the city of Traverse City, Michigan, announced that it had decided to shut down the main information network used by both the Grand Traverse County and Traverse City governments. Dozens of offices and departments are affected, and emergency services such as law enforcement and firefighting use radio communications to work through the outage. At the time of writing, city officials have stated, "We are fairly certain that no customer information has been shared." However, based on the first few indicators and the initial work done by the internal IT department and the Michigan State Police, they fully believe it was a ransomware incident.

CONCERNING: Traverse City, Michigan, Ransomware.

SENSCY'S ANALYSIS: As reported by SensCy back in April, Traverse City has already been targeted by a ransomware gang when the Medusa group disrupted the network at Traverse City Area Public School, forcing it to cancel classes for days. While no group has claimed the attack so far, it is essential to remember that it is common for the county to manage the largest city's IT network. This makes it more attractive for threat actors and ransomware groups if they can access a much more significant source of valuable information. The first reports of the incident indicate that the city and the county had a robust incident response in place, allowing them to make a rapid decision. While entirely shutting down the main network might seem like an extreme measure, it allows the internal IT team and forensic partners to scan each device to analyze the systems one by one and to turn them back on gradually. Reports also indicated that the county had off-site backups that would be used to replenish the databases. A robust incident response plan, business continuity plan, segregated websites, and off-site backups are proactive cybersecurity measures that will play a significant positive role in Traverse City’s ability to recover from the incident.


Life360 Confirms Data Breach.

WHAT HAPPENED: The location tracking company Life360, a subsidiary of Tile, disclosed a data breach after a threat actor contacted the company claiming to have stolen data. The investigation started when unauthorized access was detected in the Tile customer support platform. The stolen data includes names, addresses, phone numbers, email addresses, and Tile device identification numbers. The threat actor reportedly gained access to the system using compromised login credentials for an administrator account.

CONCERNING: Life360, Tile, Data Breach, Ransomware

SENSCY'S ANALYSIS: SensCy has observed increased cyber-attacks targeted at customer support systems and platforms. Customer support systems are often integrated with other company systems, including CRM or billing. Compromising the support platform can serve as a gateway to accessing broader company networks and more valuable assets. Customer support also offers social engineering opportunities to gather information or manipulate the employees. In the case of Life360, the threat actor likely gained access to login credentials by conducting a phishing campaign or using data from previous breaches available on the dark web. All organizations must monitor the dark web to be alerted of exploited company information. Organizations should also understand the risks related to customer service platforms and systems. The combination of valuable information, potential for further access, and opportunities for exploitation make these platforms attractive to hackers.

Cleveland Forced to Shut Down City Hall After Cyber Attack.

WHAT HAPPENED: On Monday, June 10, 2024, Cleveland, Ohio, was forced to shut down city hall to allow officials to investigate a cyber attack. While it is still unclear which systems were impacted, police, fire, and emergency medical services are still functioning, as is the 911 dispatch center. City officials stated that the incident was declared when they spotted abnormal activity on their network over the weekend.

CONCERNING: Cleveland, Cyber Incident, Incident Response Plan.

SENSCY'S ANALYSIS: Hackers and threat actors can target city halls across the U.S. for several reasons, the obvious being to access and steal sensitive information to commit identity theft or fraud. However, city halls are integral to the functioning of local government and public services. Successful disruptions of their operations can cause significant damage to the public. According to the statements made by city officials, the city of Cleveland rapidly engaged the pre-existing incident response plan and shut down the affected systems to isolate the threat. These proactive measures were likely paired with threat monitoring systems, allowing for an early detection of the anomaly. While these are essential cybersecurity measures, training employees to recognize and respond to cyber threats will ensure that proactive measures can positively impact a potential attack.

