The city of Allentown, Pennsylvania, is struggling to remediate a malware attack that could cost nearly $1 million to mitigate.
According to local paper The Morning Call, the city’s critical systems have been hit by the malware known as Emotet, impacting both financial and public safety operations, according to Mayor Ed Pawlowski. Allentown’s finance department can’t complete any external banking transactions, the city’s 185 surveillance cameras are impacted and the police department can’t access Pennsylvania State Police databases, Pawlowski said.
Emotet spread like wildfire around the city’s networks, self-replicating (Emotet can spread itself to other systems by stealing an address book from a computer on the network) and harvesting city employees’ credentials along the way. There’s an intimation that phishing was the initial infection vector: Pawlowski warned city residents not to open emails and attachments from city employees. In the past Emotet has been spread via weaponized Microsoft Word documents.
The virus impacted all city systems that run Microsoft, so the city has hired Microsoft engineers to handle emergency response to the crisis for an initial $185,000. Though the virus has now been contained, Pawlowski said it will cost $800,000 to $900,000 to fully remediate the damage.
Further details remain shadowy.
“I’m not trying to in any way shape or form hide anything from the public,” Pawlowski told the city council. “But we just don’t want to divulge how we’re aggressively attacking this because if it is a hacker, they can always modify their attack.”
“Shame on us for doing a disservice to our intelligence community,” said Allentown IT director Matthew Leibert, chastising the council for holding an open hearing on the incident, given that there’s an ongoing criminal investigation into where the virus came from.
Pawlowski also said the virus evaded the city’s “extensive” antivirus and firewall systems.
“This particular virus actually is unlike any other virus,” he said. “It has intelligence built in, so it keeps adapting to our systems, thus evading any firewalls that we have up.”
Emotet first emerged in 2014 as a Trojan designed to steal banking credentials from targets in Austria and Germany. It searches the targeted system for sensitive information that will be exfiltrated to the command-and-control (C2) servers under the attackers’ control. The attacker can then sell the information harvested or log into the account themselves to steal more information.
Starting late last year, the malware began spreading beyond financial targets and into the US and other arenas, while adding new capabilities, including a new dropper, sandbox awareness and anti-analysis capabilities.