Atlanta, Hit by Ransomware Attack, Also Fell Victim To Leaked NSA Exploits

Zack Whittaker, reporting for ZDNet: It's been almost a week since the City of Atlanta was hit by a ransomware attack, which encrypted city data and led to the shutdown of some services. Mayor Keisha Lance Bottoms said in a press conference Monday that the city's government is working on recovering the network after ransom notes appeared on computer displays on Thursday afternoon. The city has hired local cybersecurity firm SecureWorks to assess the situation. Reports say the notorious SamSam ransomware was used in the Atlanta attack, which exploits a deserialization vulnerability in Java-based servers.

[...] But according to one security firm, last week's cyberattack was not a surprise because the city had fallen victim to leaked government exploits used in the WannaCry outbreak. New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city's network was silently infected last year with leaked exploits developed by the National Security Agency. The cybersecurity firm's founder Jake Williams said at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017. That was more than a month after Microsoft released critical patches for the exploits and urged users to install.

GG NSA

[thegarbz]

So while the NSA also failed to keep citizens safe it now is shown to have directly contributed to an attack on its own government.

Well done!

Re: GG NSA

You know I would have assumed that their very role was to ensure any vulnerability they found would have been patched within the USA. This is a pretty major fail.

Re: GG NSA

Yeah, it's strange that there are not ten thousands of NSA special agents with hipster beards walking around in city administration buildings all over the US, mounting miltary-stength defenses against cybercriminals.

Re: GG NSA

They could have switched to Linux.

Re:GG NSA

> NSA also failed to keep citizens safe it now is shown to have directly contributed to an attack on its own government.

Makes you wonder if this is by design. The NSA wasn't suppose to be outed but it serves their purpose to have these kinds of attacks take place. Working with the Mainstream Media (to dismiss their role in this and blame the 'nation-state of the week'), they can get (along with other 3-letter agencies) more oppressive legislation passed and more money in the war against their very country and it's citizens.

Re:GG NSA

[sabbede]

So whoever released their tools gets a pass?

Re: GG NSA

That's some extreme conspiretardthink.

It damages their reputation too much for too little gain. It actually IS far more likely another nation or state would use their developed weaponry against us. Maximum effect for them for minimum cost.

If the NSA wanted what you claim, they'd have used something stolen from, say, Russia or China.

Re:GG NSA

[burtosis]

So whoever released their tools gets a pass?

Maybe the NSA should have shown them more respect than a toddler and his gloves on a school bus.

Re: GG NSA

[gnick]

...I would have assumed that their very role was to ensure any vulnerability they found would have been patched...

You would assume wrong. That's not their role at all. In fact, discovering vulnerabilities and keeping that information to themselves makes them better at fulfilling their actual role.

Of course, discovering vulnerabilities, refusing to disclose them, and then leaking them is a big loss for everyone.

Re: GG NSA

That's some extreme conspiretardthink.

Only if you're an ignorant moron with no knowledge of history and how governments have always behaved.

Read up on some history so thar you've actually got something worthwhile to contribute, both to this conversation and to the cleaning-up of your fascist US government.

Re:GG NSA

[Train0987]

To be fair we have no idea what the NSA has been able to prevent by these practices. As is always the case with secret services we only ever hear about the failures that become publicly known (usually for political reasons).

Re:GG NSA

[thegarbz]

Yes, because weapons have always been known to fall into the wrong hands and that goes double for those based on exploits. Security by obscurity and all that.

Re:GG NSA

[thegarbz]

Nothing fair or unfair about it. The NSA had a remit to protect the nation, and they've failed at it spectacularly.

Re:GG NSA

[Train0987]

"failed at it spectacularly"

You have no way of knowing that. Hyperbole doesn't help anything.

Re:GG NSA

[drinkypoo]

To be fair we have no idea what the NSA has been able to prevent by these practices.

And therefore we have to assume that it was or at least could have been nothing, because that's the responsible thing to do in the absence of evidence.

Re:GG NSA

[Train0987]

Instead of faulting the NSA maybe a bit of blame should be directed to the contractor who stole these tools and then leaked them to the world so he could get some attention and a pat on the back from the /. crowd?

Re:GG NSA

So while the NSA also failed to keep citizens safe it now is shown to have directly contributed to an attack on its own government.

Well done!

I hope the first part of your comment is a joke. Security is the most difficult job to deal with. When you do it right, nobody notices. When something goes wrong, everyone jumps on you. Try to be in the industry and you will see what I mean.

Re:GG NSA

So whoever released their tools gets a pass?

Re:GG NSA

or maybe the exploits that these tools take advantage of should have been closed.

Re: GG NSA

NSA have more than one role. And one of the roles is to keep US computers safe.

Re: GG NSA

No, their job is to protect America.

We have infinitely more to lose from cyber threats than most of our opponents. The math dictates closing holes and alerting US companies to vulnerabilities, literally 100% of the time.

They instead decided to be fucking cowboys, because they watched the movie Hackers too many times and wanted to be 1337. It's more than a fucking embarrassment... It's borderline treason. Americans have been deeply hurt from their blatantly stupid mistakes.

Re: GG NSA

"The NSA isn't spying on us, you conspiracy theorist nut job!"
-You, circa September 2014

Re: GG NSA

[gnick]

I assume they decided they could make America safer by using exploits than by patching bugs.

Re: GG NSA

I blame the NSA for such a stunning lack of security regarding their exploits that they let someone steal it. If the military creates a dangerous weapon, they have a responsibility to safeguard it.

Re:GG NSA

[thegarbz]

You have no way of knowing that.

Their offensive weapons they developed are being used not only against their own people with great success but against their own government.

I have heard of having your head in the sand, but to come up with that statement I think you mistook sand for concrete and then let it set.

Re: GG NSA

I never said that, dipshit. I said if they wanted it to look like another state, they'd have used exploits known to be researched by only the other state.

But thinking that far ahead is hard for you, which is why you're a conspiretard.

Re: GG NSA

Not that AC, but once again since this appears to be difficult for you to grasp, you don't know what has been prevented or accomplished with them up until that point, so they could very easily have been used to great effect far beyond their current negative impact.

Re:GG NSA

[burtosis]

Hold everyone accountable. The NSA deserves no pass. Nor do the criminals who used the exploits. But the NSA created them instead of letting vendors patch, undoubtedly used them criminally, then negligently lost them where they were used against America. The criminal hackers were likely to do the same activities, the NDA just made thier lives easier. I'd put more blame on the NSA.

Re:GG NSA

[drinkypoo]

Instead of faulting the NSA maybe a bit of blame should be directed to the contractor who stole these tools

The problem is that these are NSA contractors. Working for the NSA is such a filthy job that they have to contract out work because they can't hire enough full-time employees, and they're so bad at vetting contractors that they repeatedly hire people who will release their secret information. Keeping that data secure is part of their job, and they failed at that job first by creating a work environment that leads to having to hire contractors, and then by being bad at hiring contractors.

Re: GG NSA

[sjames]

I'm pretty sure none of their roles include leaking their bag of tricks to blackhats so they can be sold on the dark web. That was a collossal screw up that nobody seems to have been held accountable for. Perhaps we should sew their names into their mittens?

Russofascists ahoy!!

No doubt, this vicious attack was yet another dirty Russian active measure.

Time to kerb-stomp these fascist assholes. Because they're not taking a hint, and they're doubling down on their insane, suicidal aggression against the West.

Re: Russofascists ahoy!!

If DC and Moscow both got nuked, so much oppression would be eliminated on both sides.

So much filth in the world; and itâ(TM)s proven to be self-destructive.

Re: Russofascists ahoy!!

You forgot Beijing fuckface.

One Billion dollars. . . .

[Salgak1]

. . . or we re-name all the streets "Peachttree". . .

Oops, too late. . . (grin)

Re:One Billion dollars. . . .

. . . or we re-name all the streets "Peachttree". . .

Oops, too late. . . (grin)

No, only every other block.

Seriously.

Ever been to Atlanta? Travel two or three miles straight on the same damn road, make no turns. And the fucking road changes names four or five times.

But yeah, half of the names will be "Peachtree Something" - "Peachtree Blossom", "Twin Peachtree", "Buzzard's Perch Peachtree", "Peachtree Peachpit", "Peachtree on Cowpie Hill", "Dead Peachtree", "Peachtree with a Rotting Cat Carcass", "Peachtree with a Dead Parrot Nailed in Place"....

Re:One Billion dollars. . . .

[sabbede]

I have offices on Peachtree Road and Street. It's the same damn road!

Re:One Billion dollars. . . .

You are FAKE NEWS!

https://upload.wikimedia.org/w...

Obvusly you have none offices here. There is no offices here.

This is what I hear

[jellomizer]

The government didn’t want to invest into a modern/proper IT infrastructure.
I am sure such changes were brought up, but was probably rejected due to not solving an immediate problem at hand, or gone with the lowest cost budget because they didn’t want to hear the tech talk.

Re:This is what I hear

[Train0987]

You do realize that local governments are funded by taxpayers, right? There's nothing stopping you from writing them a check directly...

Re:This is what I hear

You do realize that local governments are funded by taxpayers, right? There's nothing stopping you from writing them a check directly...

You realize thats not the point they were trying to make. The point is, the squeaky wheel gets the grease. Or in this case the lack of a properly secured infrastructure wasnt a big deal until it was. Time and again Sys Admins bring up security related issues that should be addressed. Its not taken seriously until theres a breach. Most of the time its not even a funding issue. Money exists, its just allocated poorly because Director/Mangement staff dont see any obvious return or value in it.

Re:This is what I hear

the problem is a whole lot of orgs only think about IT when they want something from it, they resist putting money into preventative maintenance and bringing working systems up to date

that's why you have lots of large orgs (both private and gov't) that still use 30+ year old hardware and software

the sad thing is in many cases, they eventually do reach some "upgrade or die" crisis which now because a) so much time has passed and b) it's a crisis with a yesterday deadline, they end up paying more than if they'd kept on top of it all along

just the most obvious, one state org I worked with kept employees on Windows 2000 until they hit crisis point, then paid to upgrade computers with new hard drives and more RAM so they could run Windows XP even though they had a manuf rep showing them how brand new computers with new monitors and everything would be only $50 more per unit and they went the upgrade path because telling them spending $50 now would "save" them $500 in 3 years was pointless

heck with 15,000 computers, the energy savings alone on moving to the new LCD monitors vs the old CRT monitors would have possibly made up the $50

their attitude was compounded by the fact that the many thousands of man-hours they put into doing those upgrades they don't even count as an expense because they consider employees to be a "sunk cost" (even though in reality, it meant they had to hire contractors to help with the regular work those employees should have been doing)

large orgs, both private and public, tend to define the "penny wise and pound foolish" cliche

Atlanta resident

[prisoner-of-enigma]

As a longtime resident of Atlanta (almost 30 years), I can say the incompetence and corruption of the Atlanta city government is well known around here. The higher up people are mostly political cronies who have no idea what they're doing.

Not to impugn the character of the rank-and-file IT workers. No doubt they're doing the best they can with what little the city gives them to work with. If an investigation were launched -- and it never will be -- I have little doubt it would find IT has been screaming for funds to get proper security and backups implemented and those screams have been ignored. Why spend money on IT security when you can spend it on a worthless streetcar system nobody uses? Or perhaps an entertainment venue in the middle of a crime-ridden area nobody wanted to go to? Or how about a mini-golf "fun park" nobody wanted to visit in downtown Atlanta?

All these fiascos were paid for in whole or in part by Atlanta taxpayers and always seemed to get built and run by people really friendly with Atlanta politicians. Nah, no corruption to see here folks. Move along and keep electing the same morons every time the elections come along.

Re:Atlanta resident

Do you want Emperor Xi, because thats how you get Emperor Xi.

Re:Atlanta resident

[rmdingler]

Municipal legislators are ever more inept, and often more corrupt than even State or Federal governors, since as the government gets smaller and more localized there are fewer checks and balances.

We gripe about the ineptitude of our local representatives everywhere in the world, and yet, we barely find the time to vote or serve.

Corruption and ineptitude are interchangeably to blame, but complacency is the fertilizer.

Re:Atlanta resident

[drinkypoo]

We gripe about the ineptitude of our local representatives everywhere in the world, and yet, we barely find the time to vote or serve.

Voting I will do. But run for office? That's unpossible. I'm a regular person who has done regular stuff, so regular people won't vote for me. They will only vote for someone whose life is completely unlike theirs.

Re: Atlanta resident

[Ogive17]

Why give IT department a pass? Doesn't matter if your bosses are inept, that should not stop someone from doing their job.

Re: Atlanta resident

The streetcar will be expanded to the Beltline. We had to use the funds to get the rail laid and the plans started. Could it have been placed more optimally? Yes. But we wouldn't have gotten the federal funds to support it had it gone anywhere else.

Underground is being redeveloped. Everything in the city is being gentrified like crazy. There's a long term vision here.

Stop complaining and be happy with your rising home valuation.

Re: Atlanta resident

I just learned you have lots of African Americas in power in that city. What you call corruption, I call reparations. Yes, they should be honest about taking money via theft, but then nothing would happen. So, you gotta let the untouchables do as they please, and YOU must pay for it. Itâ(TM)s their birthright and your obligation to pay for it.

Never live in a city run by blacks. Lol, just donâ(TM)t

They don't call it Ape-lanta for no reason.

Re: Atlanta resident

Why give IT department a pass? Doesn't matter if your bosses are inept, that should not stop someone from doing their job.

Because inept bosses are the ones who don't provide the commercial tools necessary for one to do their job, nor will they approve the use of freeware tools one could use to do their job. While it may not stop one from performing minimally, it sure hampers actually doing ones job to ones satisfaction.

Now cordially go pound sand.

Re: Atlanta resident

I just learned you have lots of African Americas in power in that city. What you call corruption, I call reparations. Yes, they should be honest about taking money via theft, but then nothing would happen. So, you gotta let the untouchables do as they please, and YOU must pay for it. Itâ(TM)s their birthright and your obligation to pay for it.

Never live in a city run by blacks. Lol, just donâ(TM)t

You're both ignorant and stupid. Atlanta is black majority (54%) city.
It's mostly black people whose money is being stolen and wasted.
We don't see it as reparations when they're stealing from black people.

Re:Atlanta resident

[AmiMoJo]

It's pretty much the same in every line of work. Businesses try to mitigate this by creating systems, ways of doing things that avoid the problems. In software development we have all kinds of methodologies to avoid making poor decisions and create reasonably good designs, and we still fail quite often.

In politics there are fewer such systems, especially at local level. And most of the people doing those jobs have zero training. In fact the only qualification they need to get the job is winning a popular vote.

Re:Atlanta resident

Underground Atlanta was sold to a private developer. How is that the city wasting money?

The streetcar project is part of a larger MARTA expansion that we desperately need. Yeah, it looks useless now, but they had to use the money and had to start somewhere. We can't have everything immediately at once.

Right now I'm glad they're actually working on 285/400 and I can't wait until they extend MARTA up to Old Milton.

Re: Atlanta resident

[prisoner-of-enigma]

Why give IT department a pass? Doesn't matter if your bosses are inept, that should not stop someone from doing their job.

There's this thing called "budget" you would know about if you'd ever been in a management position. It puts together a budget to pay for all the things it says it needs like hardware, software, services, and headcount. We're not talking about some operation in your basement; Atlanta has thousands and thousands of computers and users, a huge network, and all the complexity that goes along with it. Managing something like that requires either very expensive tools or a lot of very competent people (the latter which may be more expensive than the tools).

If the CFO won't approve everything in the budget, something has to be left out. You can make all the arguments in the world about "security needs to be at the top of the list" but the sad fact is many organizations prioritize availability over security. A secure system that crumbles under load because it isn't sized for what it's doing is effectively useless, for example. So if you're the poor schmuck who's told "you can have good, fast, or secure; pick any two" you'd better pick "good" and "fast" and pray you can find a way to secure it because if it isn't "good" or "fast" enough you're going to be fired. It doesn't matter to the higher-ups that you were put in an impossible situation. They don't understand and don't want to understand. They think tiny elves toil away inside these magical boxes we call "servers" and can't understand why we need so much money. I've been in this business for 25 years. Trust me, I'm speaking from bitter experience.

Anecdote: I used to be the IT Director for an Atlanta-based airline (not naming names). Before I was on staff I was an independent contractor for the same airline. I noted one day the server (a Compaq Proliant running Novell back in those days) that filed all the flight plans with the FAA every day was not in good shape and had no failover capacity. I recommended two new servers, one to replace the old one and one to act as a backup to the new one. Total cost: about $10,000. Management said no, that was too expensive. About a month later, that server died in the middle of the night and could not be revived. All flights for the following day had to be cancelled, all tickets refunded, alternate arrangements made, massive PR backlash, all because no flight plans could be filed with the FAA. The crews had to be paid, the planes were fueled, but nothing can take off without FAA flight plans. The airline lost millions of dollars in that one day because they were too stupid to spend $10k when it would've mattered. I got hired about two weeks later and started putting things in order and it never happened again on my watch.

Re: Atlanta resident

[swb]

I would bet in Atlanta the IT department is a bunch of people hired for their race or connections. I've seen this in several government IT offices in places way better managed than Atlanta.

The relatively high wages of IT and the "good career prospects" make it a tempting spot to place associates of politically influential leaders. The backwater nature of most small government unit IT contributes, too, as higher ups tend to see them as safe jobs to give away because they're generally not unionized and the (putative) required skill set makes justifying arbitrary hires pretty easy. The lower wages by corporate pay scale standards also means there's less outside competition if they're actually posting the jobs.

Usually there's a handful of legitimate hires who manage to keep the lights on, but they're often lifers with few other options, too, or there's a major political split along race or some other dangerous line.

I did a project once and of the 6 "admins", 3 were Asian and 1 spoke English so poorly his coworker literally translated from English for him. The other 3 were Caucasians who fought with the Asians at every turn and I think actively tried to subvert them with intentional technical screwups.

Re:Atlanta resident

[dyslexicbunny]

Ugh. The streetcar system was such a stupid proposal and development. And if Atlanta actually had public transit that went places, you never would have needed such a useless piece of crap. And the Peach pass lanes on I-85?

The biggest problem with transportation in Georgia is the politicians and how they poisoned the well with the 400 toll. No one wants to give them more money because they know it will never go away.

Go NSA!

[stooo]

NSA!
Go NSA!
Go NSA!
Go NSA!
Go NSA!
Go NSA!

Why haven't they hired professionals yet?

[ITRambo]

Damn, Atlanta. You seem to never learn. How about hiring some proven professional network admins that actually setup an optimized server and network security?

Re:Why haven't they hired professionals yet?

Probably a /. I.T. side job.

Re:Why haven't they hired professionals yet?

[v1]

I feel no pity for those that get hit repeatedly by this sort of thing. "Fool me once, shame on you. Fool me twice, shame on ME!"

Re:Why haven't they hired professionals yet?

[AHuxley]

When the crpyto works then the NSA cant get in.
So US security stays with plain text and Windows.
Then the NSA can watch what is moving around the web in real time and the USA is totally safe.

Re:Why haven't they hired professionals yet?

"Fool me once, shame on you. Fool me twice, shame on ME!"

ME = Millennium Edition

NSA makes me shiver with delight!

I climax harder and longer ever since I've read leaks about special software from our heroes.

No sarcasm here. USA #1!

Atlanta is 500K people surrounded by 5M people

Atlanta is 500K people surrounded by 5M people. A few of the surrounding govts aren't inept and full of wealth-redistribution plans.

Most people in metro Atlanta aren't impacted by the govt incompetence that happens ITP ("inside the loop" for the unfamiliar people).

Re: Atlanta is 500K people surrounded by 5M people

You're talking about the monorail right?

Re: Atlanta is 500K people surrounded by 5M people

"Inside the perimeter" (interstate 285 encircles the city)

Welp At least one good thing.

With all those sideloading attacks, can't they just exploit Spectre or Meltdown and circumvent the encryption Or there is no PoC code yet?

I live in the Atlanta suburbs and my favorite part

[sabbede]

is how the new Mayor's name is a command. "Keisha, lance bottoms." She should have been a nurse.

Re: I live in the Atlanta suburbs and my favorite

[TimMD909]

After this shitstorm, I think it'd be better if she was Mayor Soiled Bottoms...

Re:I live in the Atlanta suburbs and my favorite p

[ArchieBunker]

Having a mayor named Keisha would really instill me with confidence. But then again you have to look at the demographics of the city.

b-b-but Russia! Putin! HACKERMAN PUTIN!

oh, snap, BITCH

Re:In the Trumpverse

The great wall seems to have kept all the Mexicans out. Job well done.

Re: NSA Cocksucker

So is that NSA cock in your mouth more of a salty or a meaty taste?

Sue the NSA

[surfcow]

No joke.
The NSA created the tools.
The NSA allowed them to be stolen by hackers and used.
The NSA should be held responsible for the damage they do.

I do hope Atlanta sues them, makes their case to the press.
Or forces them to help break the encryption and put out the fire.