In a bid for transparency and resilience, Tarrant Appraisal District (TAD) has released a comprehensive Incident Response Report detailing a cybersecurity breach that unfolded during the Fall of 2022. The report, conducted in collaboration with Apollo Information Systems Corp., unveils a series of events, analyses, and outcomes, providing valuable insights into the incident that impacted TAD's website services.
Executive Summary
The report, copyrighted by Apollo Information Systems Corp., dives into the heart of the cybersecurity incident that unfolded at Tarrant Appraisal District. Engaging Apollo on September 6, 2023, TAD sought to address the fallout from a breach that left its website services unavailable during multiple periods in 2022 and 2023.
Major Incident Takeaways
The report identifies key takeaways, including the inability to pinpoint the initial source of the attack (Patient Zero), the absence of direct evidence of data theft, and minimal indications of ongoing threat actor persistence.
Summary of Events
A critical time lapse hindered the identification of the intrusion vector. Threat actor activity spanned multiple endpoints, with www-Happe-90 and NFS-101-Server experiencing notable attention.
The report reveals challenges in determining if there was any reconnaissance of systems before the attack.
TAD's attempts at containment involved taking the website down, creating a sanitized server, and utilizing an interim site. The original servers were taken offline in April 2023.
Despite forensic analysis, no direct evidence of data exfiltration was found. The report highlights vulnerabilities that could have facilitated data extraction.
Initial response efforts were deemed ineffective, resulting in the destruction of evidence. The vulnerabilities contributing to the incident were not promptly identified or fixed. All systems associated with the investigation were taken offline in April 2023, with a new website replacing the old, addressing identified vulnerabilities.
Efforts to find TAD-specific data on the darknet yielded inconclusive results, given the prevalence of numerous breaches of Texas citizens' personally identifiable information.
Analysis Details
The report delves into the objectives and methodology of Apollo's analysis, detailing the limited information available for investigation and the reliance on best practices for responding to cybersecurity incidents.
Phases of the threat actor's reconnaissance, preparation, execution, and response/recovery are outlined, highlighting key activities and tactics.
Extensive details on vulnerabilities in operating systems, Docker versions, software, and databases across multiple endpoints are provided.
Conclusion
The incident response produced outcomes aligned with established objectives:
- Threat actors likely lost access with the replacement of the old infrastructure in April 2023.
- Evidence showed activity starting in April 2022, but the definitive time and vector of malicious activity could not be identified.
- No evidence of lateral movement within the network was found, indicating direct connections from outside the network to vulnerable servers.
- While no evidence of data exfiltration was found, the website's configuration before April 2023 posed potential risks.
In conclusion, the report stands as a testament to Tarrant Appraisal District's commitment to transparency and cybersecurity resilience. By dissecting the incident, TAD aims to learn from past vulnerabilities, fortify its defenses, and continue providing secure services to the community. As cyber threats evolve, such proactive disclosures and thorough analyses play a crucial role in shaping a secure digital future.