[German]The municipality of Montreux, located on the shores of Lake Geneva and known for its mild microclimate and the Montreux Jazz Festival in July, seems to have been the victim of a successful cyber-attack yesterday (Sunday). Not many details are known at the moment, the municipality's website is down – here is some information on what is already known.
Advertising
As the Riviera Security Association (ASR), which includes ten municipalities in the region, announced on Sunday evening, the IT of the Swiss municipality of Montreux in the canton of Vaud has probably already fallen victim to the successful cyber attack on Sunday morning. According to reports from various media here, here, here and here (all in German), a crisis team was convened and a criminal complaint was filed.
It looks like it was a ransomware attack in which the data of the municipality's IT systems was encrypted. It is currently unclear whether data was extracted and later offered on the darknet. For security reasons, the municipality of Montreux has taken immediate technical measures and disconnected the administration's computer system from that of the canton of Vaud. The administration currently has neither Wifi nor Internet access. The site watson.ch quotes a spokeswoman for the municipality as saying, "We no longer have wifi or internet. We are a bit cut off from the world."
According to this medium, the association (ASR) wants to provide continuous information about further developments – this on the website and the social media channels of the municipality. I once tried to access the website in question at securite-riviera.ch, and was greeted with the following error page.
Website of the municipality of Montreux after ransomware attack (2021/10/11)
Advertising
At the moment, the web server can't connect to the SQL server, either because the SQL server is no longer accessible due to the disconnection of the IT from the network or because it might have been encrypted by the ransomware attack. What really puzzled me, however, was the signature in the footer of the web page. This indicates .NET Core 3.1.18 X64 v4.0.0.0, Microsoft.AspNetCore.Hosting version 3.1.18, with the whole thing running on Microsoft Windows 10 build 10.0.14393. That's either Windows 10 version 1607 or Windows Server 2016. No idea if they're running an LTSC variant – but you seem to have gotten off on the wrong foot there. I find it kind of strange that they use a Windows machine as a web server for the association of municipalities – but there will be reasons for that. What architecture the IT of this association uses, I don't know.
A few months ago, in the German blog post Schweizer Ort Rolle: Daten der Bürger nach Ransomware-Angriff im Darknet aufgetaucht, I had reported that the small Swiss town Rolle on Lake Geneva was the victim of such an attack. At that time, the data of many citizens ended up on the Darknet.
