Crisis24 Breach Incident Score: Analysis & Impact (CRI3110531112725)
The Rankiteo video explains how the company Crisis24 was impacted by a ransomware attack on November 26, 2025.
Incident Summary
Key Highlights From This Incident Analysis
- Timeline of Crisis24's ransomware attack and lateral movement inside the company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident impacts Crisis24's Rankiteo cyber scoring and cyber rating.
- Rankiteo's MITRE ATT&CK correlation analysis for this incident, with associated confidence levels.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the Crisis24 breach identified under incident ID CRI3110531112725.
The analysis begins with a detailed overview of Crisis24: its LinkedIn page (https://www.linkedin.com/company/crisis24), its number of followers (71897), its industry type (Security and Investigations) and its number of employees (2157).
After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The score was 535 before the incident and 318 after it, a difference of -217, which can be a good indicator of the severity and impact of the incident.
In the next step of the video, we analyze the incident and its impact on Crisis24 and its customers in more detail.
Crisis24 (OnSolve CodeRED) recently reported "Ransomware Attack on CodeRED Emergency Notification System by Crisis24", a noteworthy cybersecurity incident.
A ransomware attack compromised the CodeRED emergency notification platform administered by Crisis24, exposing personal data (including names, addresses, emails, phone numbers, and passwords) and disrupting emergency alerts nationwide.
The disruption is felt across the environment, affecting the CodeRED legacy platform (OnSolve) and the emergency notification system, and exposing names, addresses and email addresses.
In response, teams activated the incident response plan and moved swiftly to contain the threat with measures such as shutting down the CodeRED platform and rebuilding the system. Remediation includes migration to a new platform and password reset advisories for users, while recovery efforts such as transferring customers to the new system and restoring alert capabilities continue. Stakeholders are being briefed through a public statement confirming the breach, advisories to change reused passwords, and a dedicated support contact (866-939-0911, [email protected]).
The case is still ongoing (system rebuild and migration in progress). Recommended next steps include avoiding password reuse across platforms, monitoring the dark web for exposed credentials, and implementing multi-factor authentication (MFA) for critical systems. Advisories to stakeholders urged residents to change passwords if reused elsewhere and provided a direct support contact for data inquiries.
Finally, we map the incident to the MITRE ATT&CK framework to see whether any of its tactics and techniques correlate with what was observed.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence:
- Initial Access: Valid Accounts (T1078), moderate to high confidence (70%), based on high-value targets such as the emergency notification system and user credentials, and on the ransomware attack targeting the CodeRED platform (implied credential abuse); Exploit Public-Facing Application (T1190), moderate confidence (60%), based on the affected systems, such as the CodeRED legacy platform (a public-facing emergency notification system).
- Credential Access: Unsecured Credentials: Credentials In Files (T1552.001), moderate to high confidence (80%), based on the compromised data, including passwords (credentials exfiltrated from the platform database); OS Credential Dumping (T1003), moderate confidence (50%), based on the system rebuild being required (implies potential credential dumping for persistence).
- Impact: Data Encrypted for Impact (T1486), high confidence (95%), based on confirmed data encryption by ransomware and the shutdown of the CodeRED platform due to ransomware; Data Destruction (T1485), moderate to high confidence (70%), based on the system being rebuilt from scratch (implies irreversible corruption/destruction); Endpoint Denial of Service: Application or System Exploitation (T1499.004), high confidence (90%), based on the complete shutdown of the CodeRED system, which halted emergency notifications.
- Exfiltration: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003), moderate to high confidence (80%), based on confirmed data exfiltration and on the data being published online by an organized cybercriminal group; Automated Exfiltration (T1020), moderate to high confidence (70%), based on personal data being exposed nationwide (suggests bulk automated exfiltration).
- Defense Evasion: Indicator Removal: File Deletion (T1070.004), moderate confidence (60%), based on the system being rebuilt from scratch (implies the attacker may have deleted logs/artifacts); Impair Defenses: Disable or Modify Tools (T1562.001), moderate confidence (60%), based on the shutdown of the CodeRED platform (may indicate disabling of monitoring/alerting).
- Persistence: Account Manipulation: Additional Cloud Credentials (T1098.003), moderate to high confidence (70%), based on password reuse warnings (implies stolen credentials could enable persistence) and on the migration to a new platform (suggests the attacker may have embedded backdoors).
- Lateral Movement: Remote Services: Cloud Services (T1021.006), moderate confidence (50%), based on the emergency notification system being a cloud-based platform likely targeted for lateral movement.
These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
Sources
- Crisis24 Rankiteo Cyber Incident Details: http://www.rankiteo.com/company/crisis24/incident/CRI3110531112725
- Crisis24 CyberSecurity Rating page: https://www.rankiteo.com/company/crisis24
- Crisis24 Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/cri3110531112725-crisis24-onsolve-codered-ransomware-november-2025/
- Crisis24 CyberSecurity Score History: https://www.rankiteo.com/company/crisis24/history
- Crisis24 CyberSecurity Incident Source: https://komonews.com/news/local/ransomware-attack-cripples-emergency-alert-system-exposes-personal-data-nationwide-warning-fire-earthquake-shooting-public-disaster-id-social-security-password-bank-money-identity-theft-report-online
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/static/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://www.rankiteo.com/static/Rankiteo%20Cybersecurity%20Rating%20Model.pdf