Slashdot Mirror


Atlanta, Hit by Ransomware Attack, Also Fell Victim To Leaked NSA Exploits (zdnet.com)

Zack Whittaker, reporting for ZDNet: It's been almost a week since the City of Atlanta was hit by a ransomware attack, which encrypted city data and led to the shutdown of some services. Mayor Keisha Lance Bottoms said in a press conference Monday that the city's government is working on recovering the network after ransom notes appeared on computer displays on Thursday afternoon. The city has hired local cybersecurity firm SecureWorks to assess the situation. Reports say the notorious SamSam ransomware was used in the Atlanta attack, which exploits a deserialization vulnerability in Java-based servers.

[...] But according to one security firm, last week's cyberattack was not a surprise because the city had fallen victim to leaked government exploits used in the WannaCry outbreak. New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city's network was silently infected last year with leaked exploits developed by the National Security Agency. The cybersecurity firm's founder Jake Williams said at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017. That was more than a month after Microsoft released critical patches for the exploits and urged users to install.


  1. GG NSA by thegarbz · · Score: 5, Insightful

    So while the NSA also failed to keep citizens safe it now is shown to have directly contributed to an attack on its own government.

    Well done!

    1. Re:GG NSA by sabbede · · Score: 1

      So whoever released their tools gets a pass?

    2. Re:GG NSA by burtosis · · Score: 1

      So whoever released their tools gets a pass?

      Maybe the NSA should have shown them more respect than a toddler and his gloves on a school bus.

    3. Re: GG NSA by gnick · · Score: 1

      ...I would have assumed that their very role was to ensure any vulnerability they found would have been patched...

      You would assume wrong. That's not their role at all. In fact, discovering vulnerabilities and keeping that information to themselves makes them better at fulfilling their actual role.

      Of course, discovering vulnerabilities, refusing to disclose them, and then leaking them is a big loss for everyone.

      --
      He's getting rather old, but he's a good mouse.
    4. Re:GG NSA by Train0987 · · Score: 1

      To be fair we have no idea what the NSA has been able to prevent by these practices. As is always the case with secret services we only ever hear about the failures that become publicly known (usually for political reasons).

    5. Re:GG NSA by thegarbz · · Score: 1

      Yes, because weapons have always been known to fall into the wrong hands and that goes double for those based on exploits. Security by obscurity and all that.

    6. Re:GG NSA by thegarbz · · Score: 1, Insightful

      Nothing fair or unfair about it. The NSA had a remit to protect the nation, and they've failed at it spectacularly.

    7. Re:GG NSA by Train0987 · · Score: 2

      "failed at it spectacularly"

      You have no way of knowing that. Hyperbole doesn't help anything.

    8. Re:GG NSA by drinkypoo · · Score: 3, Insightful

      To be fair we have no idea what the NSA has been able to prevent by these practices.

      And therefore we have to assume that it was or at least could have been nothing, because that's the responsible thing to do in the absence of evidence.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:GG NSA by Train0987 · · Score: 1

      Instead of faulting the NSA maybe a bit of blame should be directed to the contractor who stole these tools and then leaked them to the world so he could get some attention and a pat on the back from the /. crowd?

    10. Re: GG NSA by gnick · · Score: 1

      I assume they decided they could make America safer by using exploits than by patching bugs.

      --
      He's getting rather old, but he's a good mouse.
    11. Re:GG NSA by thegarbz · · Score: 1

      You have no way of knowing that.

      Their offensive weapons they developed are being used not only against their own people with great success but against their own government.

      I have heard of having your head in the sand, but to come up with that statement I think you mistook sand for concrete and then let it set.

    12. Re:GG NSA by burtosis · · Score: 1

      Hold everyone accountable. The NSA deserves no pass. Nor do the criminals who used the exploits. But the NSA created them instead of letting vendors patch, undoubtedly used them criminally, then negligently lost them where they were used against America. The criminal hackers were likely to do the same activities, the NDA just made their lives easier. I'd put more blame on the NSA.

    13. Re:GG NSA by drinkypoo · · Score: 1

      Instead of faulting the NSA maybe a bit of blame should be directed to the contractor who stole these tools

      The problem is that these are NSA contractors. Working for the NSA is such a filthy job that they have to contract out work because they can't hire enough full-time employees, and they're so bad at vetting contractors that they repeatedly hire people who will release their secret information. Keeping that data secure is part of their job, and they failed at that job first by creating a work environment that leads to having to hire contractors, and then by being bad at hiring contractors.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re: GG NSA by sjames · · Score: 1

      I'm pretty sure none of their roles include leaking their bag of tricks to blackhats so they can be sold on the dark web. That was a colossal screw up that nobody seems to have been held accountable for. Perhaps we should sew their names into their mittens?

  2. One Billion dollars. . . . by Salgak1 · · Score: 4, Funny

    . . . or we re-name all the streets "Peachtree". . .

    Oops, too late. . . (grin)

    1. Re:One Billion dollars. . . . by Anonymous Coward · · Score: 2, Funny

      . . . or we re-name all the streets "Peachtree". . .

      Oops, too late. . . (grin)

      No, only every other block.

      Seriously.

      Ever been to Atlanta? Travel two or three miles straight on the same damn road, make no turns. And the fucking road changes names four or five times.

      But yeah, half of the names will be "Peachtree Something" - "Peachtree Blossom", "Twin Peachtree", "Buzzard's Perch Peachtree", "Peachtree Peachpit", "Peachtree on Cowpie Hill", "Dead Peachtree", "Peachtree with a Rotting Cat Carcass", "Peachtree with a Dead Parrot Nailed in Place"....

    2. Re:One Billion dollars. . . . by sabbede · · Score: 2

      I have offices on Peachtree Road and Street. It's the same damn road!

  3. This is what I hear by jellomizer · · Score: 2, Interesting

    The government didn’t want to invest into a modern/proper IT infrastructure.
    I am sure such changes were brought up, but were probably rejected due to not solving an immediate problem at hand, or gone with the lowest cost budget because they didn’t want to hear the tech talk.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:This is what I hear by Train0987 · · Score: 2

      You do realize that local governments are funded by taxpayers, right? There's nothing stopping you from writing them a check directly...

    2. Re:This is what I hear by Anonymous Coward · · Score: 1

      You do realize that local governments are funded by taxpayers, right? There's nothing stopping you from writing them a check directly...

      You realize that's not the point they were trying to make. The point is, the squeaky wheel gets the grease. Or in this case the lack of a properly secured infrastructure wasn't a big deal until it was. Time and again Sys Admins bring up security related issues that should be addressed. It's not taken seriously until there's a breach. Most of the time it's not even a funding issue. Money exists, it's just allocated poorly because Director/Management staff don't see any obvious return or value in it.

  4. Atlanta resident by prisoner-of-enigma · · Score: 5, Insightful

    As a longtime resident of Atlanta (almost 30 years), I can say the incompetence and corruption of the Atlanta city government is well known around here. The higher up people are mostly political cronies who have no idea what they're doing.

    Not to impugn the character of the rank-and-file IT workers. No doubt they're doing the best they can with what little the city gives them to work with. If an investigation were launched -- and it never will be -- I have little doubt it would find IT has been screaming for funds to get proper security and backups implemented and those screams have been ignored. Why spend money on IT security when you can spend it on a worthless streetcar system nobody uses? Or perhaps an entertainment venue in the middle of a crime-ridden area nobody wanted to go to? Or how about a mini-golf "fun park" nobody wanted to visit in downtown Atlanta?

    All these fiascos were paid for in whole or in part by Atlanta taxpayers and always seemed to get built and run by people really friendly with Atlanta politicians. Nah, no corruption to see here folks. Move along and keep electing the same morons every time the elections come along.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    1. Re:Atlanta resident by rmdingler · · Score: 3, Insightful

      Municipal legislators are ever more inept, and often more corrupt than even State or Federal governors, since as the government gets smaller and more localized there are fewer checks and balances.

      We gripe about the ineptitude of our local representatives everywhere in the world, and yet, we barely find the time to vote or serve.

      Corruption and ineptitude are interchangeably to blame, but complacency is the fertilizer.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:Atlanta resident by drinkypoo · · Score: 1

      We gripe about the ineptitude of our local representatives everywhere in the world, and yet, we barely find the time to vote or serve.

      Voting I will do. But run for office? That's unpossible. I'm a regular person who has done regular stuff, so regular people won't vote for me. They will only vote for someone whose life is completely unlike theirs.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re: Atlanta resident by Ogive17 · · Score: 1

      Why give IT department a pass? Doesn't matter if your bosses are inept, that should not stop someone from doing their job.

      --
      "Action without philosophy is a lethal weapon; philosophy without action is worthless."
    4. Re: Atlanta resident by Anonymous Coward · · Score: 1

      I just learned you have lots of African Americas in power in that city. What you call corruption, I call reparations. Yes, they should be honest about taking money via theft, but then nothing would happen. So, you gotta let the untouchables do as they please, and YOU must pay for it. It's their birthright and your obligation to pay for it.

      Never live in a city run by blacks. Lol, just don't

      You're both ignorant and stupid. Atlanta is black majority (54%) city.
      It's mostly black people whose money is being stolen and wasted.
      We don't see it as reparations when they're stealing from black people.

    5. Re:Atlanta resident by AmiMoJo · · Score: 1

      It's pretty much the same in every line of work. Businesses try to mitigate this by creating systems, ways of doing things that avoid the problems. In software development we have all kinds of methodologies to avoid making poor decisions and create reasonably good designs, and we still fail quite often.

      In politics there are fewer such systems, especially at local level. And most of the people doing those jobs have zero training. In fact the only qualification they need to get the job is winning a popular vote.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re: Atlanta resident by prisoner-of-enigma · · Score: 2

      Why give IT department a pass? Doesn't matter if your bosses are inept, that should not stop someone from doing their job.

      There's this thing called "budget" you would know about if you'd ever been in a management position. IT puts together a budget to pay for all the things it says it needs like hardware, software, services, and headcount. We're not talking about some operation in your basement; Atlanta has thousands and thousands of computers and users, a huge network, and all the complexity that goes along with it. Managing something like that requires either very expensive tools or a lot of very competent people (the latter which may be more expensive than the tools).

      If the CFO won't approve everything in the budget, something has to be left out. You can make all the arguments in the world about "security needs to be at the top of the list" but the sad fact is many organizations prioritize availability over security. A secure system that crumbles under load because it isn't sized for what it's doing is effectively useless, for example. So if you're the poor schmuck who's told "you can have good, fast, or secure; pick any two" you'd better pick "good" and "fast" and pray you can find a way to secure it because if it isn't "good" or "fast" enough you're going to be fired. It doesn't matter to the higher-ups that you were put in an impossible situation. They don't understand and don't want to understand. They think tiny elves toil away inside these magical boxes we call "servers" and can't understand why we need so much money. I've been in this business for 25 years. Trust me, I'm speaking from bitter experience.

      Anecdote: I used to be the IT Director for an Atlanta-based airline (not naming names). Before I was on staff I was an independent contractor for the same airline. I noted one day the server (a Compaq Proliant running Novell back in those days) that filed all the flight plans with the FAA every day was not in good shape and had no failover capacity. I recommended two new servers, one to replace the old one and one to act as a backup to the new one. Total cost: about $10,000. Management said no, that was too expensive. About a month later, that server died in the middle of the night and could not be revived. All flights for the following day had to be cancelled, all tickets refunded, alternate arrangements made, massive PR backlash, all because no flight plans could be filed with the FAA. The crews had to be paid, the planes were fueled, but nothing can take off without FAA flight plans. The airline lost millions of dollars in that one day because they were too stupid to spend $10k when it would've mattered. I got hired about two weeks later and started putting things in order and it never happened again on my watch.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    7. Re: Atlanta resident by swb · · Score: 1

      I would bet in Atlanta the IT department is a bunch of people hired for their race or connections. I've seen this in several government IT offices in places way better managed than Atlanta.

      The relatively high wages of IT and the "good career prospects" make it a tempting spot to place associates of politically influential leaders. The backwater nature of most small government unit IT contributes, too, as higher ups tend to see them as safe jobs to give away because they're generally not unionized and the (putative) required skill set makes justifying arbitrary hires pretty easy. The lower wages by corporate pay scale standards also means there's less outside competition if they're actually posting the jobs.

      Usually there's a handful of legitimate hires who manage to keep the lights on, but they're often lifers with few other options, too, or there's a major political split along race or some other dangerous line.

      I did a project once and of the 6 "admins", 3 were Asian and 1 spoke English so poorly his coworker literally translated from English for him. The other 3 were Caucasians who fought with the Asians at every turn and I think actively tried to subvert them with intentional technical screwups.

    8. Re:Atlanta resident by dyslexicbunny · · Score: 1

      Ugh. The streetcar system was such a stupid proposal and development. And if Atlanta actually had public transit that went places, you never would have needed such a useless piece of crap. And the Peach pass lanes on I-85?

      The biggest problem with transportation in Georgia is the politicians and how they poisoned the well with the 400 toll. No one wants to give them more money because they know it will never go away.

  5. Go NSA! by stooo · · Score: 1

    NSA!
    Go NSA!
    Go NSA!
    Go NSA!
    Go NSA!
    Go NSA!

    --
    aaaaaaa
  6. Why haven't they hired professionals yet? by ITRambo · · Score: 1

    Damn, Atlanta. You seem to never learn. How about hiring some proven professional network admins that actually set up an optimized server and network security?

    1. Re:Why haven't they hired professionals yet? by v1 · · Score: 1

      I feel no pity for those that get hit repeatedly by this sort of thing. "Fool me once, shame on you. Fool me twice, shame on ME!"

      --
      I work for the Department of Redundancy Department.
    2. Re:Why haven't they hired professionals yet? by AHuxley · · Score: 1

      When the crypto works then the NSA can't get in.
      So US security stays with plain text and Windows.
      Then the NSA can watch what is moving around the web in real time and the USA is totally safe.

      --
      Domestic spying is now "Benign Information Gathering"
  7. I live in the Atlanta suburbs and my favorite part by sabbede · · Score: 5, Funny

    is how the new Mayor's name is a command. "Keisha, lance bottoms." She should have been a nurse.

  8. Re: I live in the Atlanta suburbs and my favorite by TimMD909 · · Score: 1

    After this shitstorm, I think it'd be better if she was Mayor Soiled Bottoms...

  9. Re:I live in the Atlanta suburbs and my favorite p by ArchieBunker · · Score: 1

    Having a mayor named Keisha would really instill me with confidence. But then again you have to look at the demographics of the city.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  10. Sue the NSA by surfcow · · Score: 1

    No joke.
    The NSA created the tools.
    The NSA allowed them to be stolen by hackers and used.
    The NSA should be held responsible for the damage they do.

    I do hope Atlanta sues them, makes their case to the press.
    Or forces them to help break the encryption and put out the fire.