Emergency Communications Network Breach Incident Score: Analysis & Impact (EME1392513112625)

In this Rankiteo incident briefing, we review the Emergency Communications Network breach identified under incident ID EME1392513112625.

The analysis begins with a detailed overview of Emergency Communications Network's information like the linkedin page: https://www.linkedin.com/company/emergency-communications-network-llc, the number of followers: 1019, the industry type: IT Services and IT Consulting and the number of employees: 56 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 100 and after the incident was 100 with a difference of 0 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Emergency Communications Network and their customers.

OnSolve (Crisis24) recently reported "OnSolve’s legacy CodeRED platform hit by cyberattack claimed by INC Ransom", a noteworthy cybersecurity incident.

OnSolve, a cloud-based critical-event and mass-notification platform, suffered a highly disruptive cyberattack that forced it to sunset its legacy CodeRED environment and move to a new version.

The disruption is felt across the environment, affecting legacy CodeRED platform, and exposing user contact information (name, address, email, phone numbers), passwords and sensitive organizational data.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like sunsetting legacy CodeRED platform and migration to new version, and began remediation that includes rebuilding from outdated backups, and stakeholders are being briefed through customer notification and password reset advisory.

The case underscores how ongoing (FBI notified), and recommending next steps like avoid password reuse across accounts, regular backup testing and modernize legacy systems, with advisories going out to stakeholders covering password reset advisory for users.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate to high confidence (85%), supported by evidence indicating legacy CodeRED platform targeted; legacy system vulnerabilities cited as root cause and Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating user profiles and passwords compromised; no explicit MFA/credential abuse mentioned. Under the Persistence tactic, the analysis identified Server Software Component: Web Shell (T1505.003) with moderate confidence (60%), supported by evidence indicating sunsetting legacy CodeRED platform suggests long-term unauthorized access mechanism. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Default Accounts (T1078.001) with moderate to high confidence (75%), supported by evidence indicating legacy system vulnerabilities may include default/admin credentials in outdated software. Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (80%), supported by evidence indicating ransomware attack implies disabling security tools; outdated backups suggest tampering with recovery mechanisms and Indicator Removal: File Deletion (T1070.004) with high confidence (90%), supported by evidence indicating permanent loss of recent customer accounts and data due to attack actions. Under the Credential Access tactic, the analysis identified Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with high confidence (95%), supported by evidence indicating passwords exfiltrated; users advised to change passwords across other platforms and OS Credential Dumping: Security Account Manager (T1003.002) with moderate to high confidence (70%), supported by evidence indicating legacy system vulnerabilities may include SAM database dumping for lateral movement. Under the Discovery tactic, the analysis identified File and Directory Discovery (T1083) with moderate to high confidence (85%), supported by evidence indicating screenshots of customer data posted on Tor leak site imply file system enumeration and System Owner/User Discovery (T1033) with moderate to high confidence (80%), supported by evidence indicating user contact information (name, address, email, phone numbers) targeted for exfiltration. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate confidence (65%), supported by evidence indicating cloud-based critical-event platform suggests internal lateral movement via RDP/SSH. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), supported by evidence indicating names, addresses, emails, phone numbers, and passwords exfiltrated from local databases and Automated Collection (T1119) with moderate to high confidence (80%), supported by evidence indicating screenshots of customer data suggest automated scripts/tools for bulk data harvesting. Under the Command and Control tactic, the analysis identified Encrypted Channel: Symmetric Cryptography (T1573.001) with high confidence (90%), supported by evidence indicating iNC Ransom group known for encrypted C2; Tor leak site used for data publication. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with high confidence (95%), supported by evidence indicating sensitive user data exfiltrated with high risk of leakage; screenshots posted on Tor and Exfiltration Over C2 Channel (T1041) with moderate to high confidence (85%), supported by evidence indicating data exfiltration confirmed; INC Ransom’s standard TTPs include C2-based exfiltration. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (95%), supported by evidence indicating ransomware attack by INC Ransom with permanent loss of recent customer accounts and data, Data Destruction (T1485) with high confidence (90%), supported by evidence indicating rebuild from outdated backups (>6 months old) due to irreversible data loss, and Endpoint Denial of Service: Application or System Exploitation (T1499.004) with moderate to high confidence (85%), supported by evidence indicating disrupted critical emergency communication services; decommission its legacy CodeRED environment. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.