Cyber-Attack Disrupts OnSolve CodeRED Emergency Notification System
A cyberattack targeting OnSolve’s CodeRED emergency notification system has disrupted services and potentially exposed user data across multiple US states. The breach forced Crisis24, the provider of CodeRED, to take down its legacy environment and rebuild the system on a new, isolated infrastructure. This action followed the confirmed theft of data, although Crisis24 initially stated there was no evidence of the information being posted online.
The stolen data includes names, addresses, email addresses, phone numbers, and, critically, passwords linked to CodeRED user profiles. While several cities have clarified that financial information was not collected by the platform, the potential exposure of personal information is significant. Some local governments, spread across 15 states, have issued public notices and are migrating to the new, rebuilt environment; some are even exploring options to terminate their CodeRED contracts. The restored system relies on backups from March 31, 2023, which may result in missing user accounts.
The INC Ransom group has claimed responsibility for the attack, stating they accessed OnSolve systems on November 1 and encrypted files on November 10 after failed ransom negotiations. They have posted screenshots allegedly showing customer data, including clear-text passwords, on the dark web and are reportedly selling the stolen data. This claim amplifies the severity of the incident, as it directly contradicts Crisis24’s initial assessment that data was not yet posted.
Technical details revealed that the attack targeted the legacy CodeRED platform. Cities are emphasizing that the breach did not affect their internal systems. Security teams should be aware of the potential for password reuse and advise users to update their credentials, especially if they used the same password for their CodeRED account on other services. Crisis24 stated that the new platform underwent a full security audit and external penetration testing.
Affected agencies should prioritize communication with residents and provide clear guidance on mitigating potential risks. Actions such as migrating to the new CodeRED platform, ensuring robust password policies are enforced across all systems, and monitoring for any signs of data compromise are critical. The decommissioning of the legacy platform and the ongoing rebuilding of CodeRED by Crisis24 signify a serious response to the attack; however, continued vigilance remains essential.
To read the complete article see: Infosecurity Magazine