Slashdot Mirror


Atlanta, Hit by Ransomware Attack, Also Fell Victim To Leaked NSA Exploits (zdnet.com)

Zack Whittaker, reporting for ZDNet: It's been almost a week since the City of Atlanta was hit by a ransomware attack, which encrypted city data and led to the shutdown of some services. Mayor Keisha Lance Bottoms said in a press conference Monday that the city's government is working on recovering the network after ransom notes appeared on computer displays on Thursday afternoon. The city has hired local cybersecurity firm SecureWorks to assess the situation. Reports say the notorious SamSam ransomware was used in the Atlanta attack, which exploits a deserialization vulnerability in Java-based servers.

[...] But according to one security firm, last week's cyberattack was not a surprise because the city had fallen victim to leaked government exploits used in the WannaCry outbreak. New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city's network was silently infected last year with leaked exploits developed by the National Security Agency. The cybersecurity firm's founder Jake Williams said at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017. That was more than a month after Microsoft released critical patches for the exploits and urged users to install.

12 of 75 comments

  1. GG NSA by thegarbz · · Score: 5, Insightful

    So while the NSA also failed to keep citizens safe it now is shown to have directly contributed to an attack on its own government.

    Well done!

    1. Re:GG NSA by Train0987 · · Score: 2

      "failed at it spectacularly"

      You have no way of knowing that. Hyperbole doesn't help anything.

    2. Re:GG NSA by drinkypoo · · Score: 3, Insightful

      To be fair we have no idea what the NSA has been able to prevent by these practices.

      And therefore we have to assume that it was or at least could have been nothing, because that's the responsible thing to do in the absence of evidence.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  2. One Billion dollars. . . . by Salgak1 · · Score: 4, Funny

    . . . or we re-name all the streets "Peachtree". . .

    Oops, too late. . . (grin)

    1. Re:One Billion dollars. . . . by Anonymous Coward · · Score: 2, Funny

      . . . or we re-name all the streets "Peachtree". . .

      Oops, too late. . . (grin)

      No, only every other block.

      Seriously.

      Ever been to Atlanta? Travel two or three miles straight on the same damn road, make no turns. And the fucking road changes names four or five times.

      But yeah, half of the names will be "Peachtree Something" - "Peachtree Blossom", "Twin Peachtree", "Buzzard's Perch Peachtree", "Peachtree Peachpit", "Peachtree on Cowpie Hill", "Dead Peachtree", "Peachtree with a Rotting Cat Carcass", "Peachtree with a Dead Parrot Nailed in Place"....

    2. Re:One Billion dollars. . . . by sabbede · · Score: 2

      I have offices on Peachtree Road and Street. It's the same damn road!

  3. This is what I hear by jellomizer · · Score: 2, Interesting

    The government didn’t want to invest into a modern/proper IT infrastructure.
    I am sure such changes were brought up, but were probably rejected due to not solving an immediate problem at hand, or they went with the lowest-cost budget because they didn’t want to hear the tech talk.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.

    1. Re:This is what I hear by Train0987 · · Score: 2

      You do realize that local governments are funded by taxpayers, right? There's nothing stopping you from writing them a check directly...

  4. Atlanta resident by prisoner-of-enigma · · Score: 5, Insightful

    As a longtime resident of Atlanta (almost 30 years), I can say the incompetence and corruption of the Atlanta city government is well known around here. The higher up people are mostly political cronies who have no idea what they're doing.

    Not to impugn the character of the rank-and-file IT workers. No doubt they're doing the best they can with what little the city gives them to work with. If an investigation were launched -- and it never will be -- I have little doubt it would find IT has been screaming for funds to get proper security and backups implemented and those screams have been ignored. Why spend money on IT security when you can spend it on a worthless streetcar system nobody uses? Or perhaps an entertainment venue in the middle of a crime-ridden area nobody wanted to go to? Or how about a mini-golf "fun park" nobody wanted to visit in downtown Atlanta?

    All these fiascos were paid for in whole or in part by Atlanta taxpayers and always seemed to get built and run by people really friendly with Atlanta politicians. Nah, no corruption to see here folks. Move along and keep electing the same morons every time the elections come along.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky

    1. Re:Atlanta resident by rmdingler · · Score: 3, Insightful

      Municipal legislators are ever more inept, and often more corrupt than even State or Federal governors, since as the government gets smaller and more localized there are fewer checks and balances.

      We gripe about the ineptitude of our local representatives everywhere in the world, and yet, we barely find the time to vote or serve.

      Corruption and ineptitude are interchangeably to blame, but complacency is the fertilizer.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re: Atlanta resident by prisoner-of-enigma · · Score: 2

      Why give IT department a pass? Doesn't matter if your bosses are inept, that should not stop someone from doing their job.

      There's this thing called "budget" you would know about if you'd ever been in a management position. IT puts together a budget to pay for all the things it says it needs like hardware, software, services, and headcount. We're not talking about some operation in your basement; Atlanta has thousands and thousands of computers and users, a huge network, and all the complexity that goes along with it. Managing something like that requires either very expensive tools or a lot of very competent people (the latter of which may be more expensive than the tools).

      If the CFO won't approve everything in the budget, something has to be left out. You can make all the arguments in the world about "security needs to be at the top of the list" but the sad fact is many organizations prioritize availability over security. A secure system that crumbles under load because it isn't sized for what it's doing is effectively useless, for example. So if you're the poor schmuck who's told "you can have good, fast, or secure; pick any two" you'd better pick "good" and "fast" and pray you can find a way to secure it because if it isn't "good" or "fast" enough you're going to be fired. It doesn't matter to the higher-ups that you were put in an impossible situation. They don't understand and don't want to understand. They think tiny elves toil away inside these magical boxes we call "servers" and can't understand why we need so much money. I've been in this business for 25 years. Trust me, I'm speaking from bitter experience.

      Anecdote: I used to be the IT Director for an Atlanta-based airline (not naming names). Before I was on staff I was an independent contractor for the same airline. I noted one day the server (a Compaq Proliant running Novell back in those days) that filed all the flight plans with the FAA every day was not in good shape and had no failover capacity. I recommended two new servers, one to replace the old one and one to act as a backup to the new one. Total cost: about $10,000. Management said no, that was too expensive. About a month later, that server died in the middle of the night and could not be revived. All flights for the following day had to be cancelled, all tickets refunded, alternate arrangements made, massive PR backlash, all because no flight plans could be filed with the FAA. The crews had to be paid, the planes were fueled, but nothing can take off without FAA flight plans. The airline lost millions of dollars in that one day because they were too stupid to spend $10k when it would've mattered. I got hired about two weeks later and started putting things in order and it never happened again on my watch.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky

  5. I live in the Atlanta suburbs and my favorite part by sabbede · · Score: 5, Funny

    is how the new Mayor's name is a command. "Keisha, lance bottoms." She should have been a nurse.