We recently reported on the San Francisco MUNI ransomware attack that occurred during Thanksgiving weekend. The attack resulted in free rides for customers and the potential for MUNI to lose over $500,000 in fare revenue. Now, we have more information on the attack and what potentially caused it.
New Information on the Attack
Krebs on Security reports that a security researcher was able to hack into the email account of the hacker and retrieve some information. The security researcher was able to access the account by guessing the answer to the hacker’s “secret question” for his email and then resetting the password.
Through this infiltration, the researcher was able to deduce that the attacker has been using various tools to scan large portions of the internet, and then target specific vulnerabilities. In this case, the hacker was able to exploit a year-old Java vulnerability on an Oracle WebLogic server.
This information helps us understand how the ransomware works. However, SFMTA Spokesperson Paul Rose said in a statement that the “network was not breached from the outside, nor did hackers gain entry through our firewalls,” so it is still unclear how the ransomware was able to enter the system.
Initially, the hacker claimed that once the ransom deadline passed, he would delete the contact email account and SFMTA would be unable to decrypt their files. Paul Rose explained that SFMTA never intended to pay the ransom, since SFMTA has its own IT team, which was able to restore the systems from older backups. But the attacker was not willing to give up his payout that easily.
Once the initial ransom deadline passed, the hacker sent a number of emails to various news outlets, claiming that he had extracted sensitive data from the systems before encrypting them. He claims that he will release 30 GB of sensitive data including contracts, employee data, and customer information if the ransom is not paid by Friday. Paul Rose insists that “despite media reports – no data was accessed from any of our servers,” and that customer data is safe since the attacker did not access customer payment systems.
There is also no evidence that the attacker has this information. When questioned in email correspondence with Motherboard, he explained that he has previously proven his capabilities. He claims he doesn’t want to leak this information, but that is his plan if SFMTA does not “pay attention.”
Although we still don’t know exactly how the ransomware was able to infiltrate the server, similar ransomware and malware attacks could easily occur through malicious emails. This attack gives us just a glimpse of the kind of impact these attacks can have. With cybercriminals getting more sophisticated every day, email protection, and malware protection in particular, is as important as ever. With 93% of all system breaches starting with a phishing component, it is just a matter of time before your organization falls victim. Luckily, SFMTA seems confident that no sensitive customer information was accessed, and that they will be able to get all systems back up and running quickly. However, organizations aren’t always so lucky.
With the imminent threat of phishing emails to all types of organizations, adequate protection is key. Vade Secure’s domain verification and technical analysis are just some of the features that can help prevent phishing emails and malware from reaching your employees’ inboxes. Keep in mind that without the right protections, your company could be just as vulnerable to attack.