Slashdot Mirror


Muni System Hacker Hit Others By Scanning For Year-Old Java Vulnerability (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency's network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network's systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan. In an e-mail to Ars, SFMTA spokesperson Paul Rose said that on November 25, "we became aware of a potential security issue with our computer systems, including e-mail." The ransomware "encrypted some systems mainly affecting computer workstations," he said, "as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers." That description of the ransomware attack is not consistent with some of the evidence of previous ransomware attacks by those behind the SFMTA incident -- which Rose said primarily affected about 900 desktop computers throughout the agency. Based on communications uncovered from the ransomware operator behind the Muni attack published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a "deserialization" attack after it was identified by a vulnerability scan. 
A security researcher told Krebs that he had been able to gain access to the mailbox used in the malware attack on the Russian e-mail and search provider Yandex by guessing its owner's security question, and he provided details from the mailbox and another linked mailbox on Yandex. Based on details found in e-mails for the accounts, the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations' networks.

1 of 30 comments

  1. Re:Not Russia again by tlhIngan · Score: 3, Interesting

    What's more perplexing is the spokesperson.

    If it didn't affect any servers or payment systems - and how would they know - why shut down the payment systems?

    Sounds like they don't even know what was compromised, really, or what the workstations were for either.

    Well, if you're under attack, you shut down everything to try to halt the attack. If the system is clean and shut down, it won't get infected. If it's infected, it won't spread.

    So you shut it all down just as a precaution. Even if it compromised user data, if the system is off, that user data is staying on the system. Given it looks like it might have gotten into critical systems, this was probably the best course of action to prevent the spread.

    Now, the interesting thing is - they had backups and have actually restored the critical systems from backups, which apparently pissed off the group to no end - they expected them to pay the $70K and apparently the messaging is getting more and more threatening as they bring up systems from backup. They actually are threatening to release the data, but no idea if it's a bluff or not.

    I'm guessing the user workstations will just be reimaged and everything else restored, with a mandatory change in system passwords.

    The hackers might have simply gotten too greedy - and attacked a target who not only didn't have the money to pay, but probably had enough skill and resources to do proper backups, and thus it was cheaper to not pay and do the disaster plan than to pay. Even the worst attacks were only asking $20K or so, which would shift the balance to "just pay it as it's going to cost more to recover it"; asking $70K shifts the equation to "screw it, we're starting over as it's cheaper even if we have to give people free rides."