NENA Bulletin on May 12 Widespread Cyber Attacks
Friday, May 12, 2017
Posted by: Chris Nussman
On Friday, May 12th, 2017 NENA Headquarters became aware of a widely-reported ransomware attack affecting both private- and public-sector enterprises in multiple countries. Open-source reporting on the attack is available here. NENA is not aware of any attacks affecting PSAP systems or 9-1-1 service at this time. However, reporting indicates that life-safety institutions in the U.K., including several hospitals, have been affected. Consequently, we are issuing this special alert to help members defend against any attacks that may occur.
The so-called “WannaCry” attack leverages recently-released vulnerabilities (CVEs 2017-0143 through 0148) and exploit techniques to take control of Windows-based computers. After infecting vulnerable machines, the attack software encrypts data on the system, and demands payment of $300+ in an internet currency known as BitCoin. Victims that fail to pay are threatened with deletion of the encryption key, which renders their data irretrievable.
To protect critical public safety services from this attack, NENA recommends that members take the following steps:
1. PSAP IT departments should download, validate, test, and install a Microsoft-issued patch to all affected machines as soon as possible. Microsoft has issued a critical security bulletin and update (MS17-010) to resolve the vulnerability.
2. Center Managers should ensure that on- and off-site backups for all critical systems are being routinely maintained. Existing backups should be verified and test restores performed using systems without an active internet connection.
3. PSAP IT departments should consider permanently disabling the SMB 1.0, SMB 2.0, and CIFS file sharing support of all Windows systems. SMB 3.0 is currently maintained, offers higher speeds, and provides greater security than these legacy protocols.
4. Shift supervisors should remind front-line employees to report any unusual computer behavior, and to exercise added care when clicking links and entering credentials, even in normally-trusted systems.
5. In the event of a compromise, DO NOT PAY! Contact your local FBI field office, notify the National Cybersecurity and Communications Integration Center of any 9-1-1 service impacts at 888.282.0870, and take steps to preserve log files and other materials that may have forensic value.
PSAPs with questions or concerns may contact Trey Forgety at firstname.lastname@example.org or via telephone at 202.681.4392.