SFMTA Hacked by Ransomware
Another week, another major hack. After using the Internet of Things to stage an attack on the internet’s “phone book” system in October, hackers have now targeted the San Francisco Municipal Transport Agency (SFMTA) system.
SF Muni acknowledged the attack, beginning the morning of November 26. Ticket systems were offline, and faregates had to be shut down, which allowed free rides on the railway and buses. Though media reported servers had been accessed, the transit agency denied any information being stolen. They stated they were in contact with the Department of Homeland Security in order to investigate the hack. By Nov. 28, systems were mostly back online. Let’s dig deeper and dissect what happened.
The Hackers
The only clues to the hackers’ identity are their email address and their admission that they are not from the United States. Through ransomware, the hackers demanded 100 bitcoins, or about $73k, to be deposited to their wallet. Forbes found that their wallet only had 0.00240919 BTC - not even $2. The demand was made from Cryptom27@yandex.com. Using broken English, they used Muni displays to announce the hack and to demand payment in exchange for an encryption key. They responded to an email from Forbes - more on that in a moment - revealing a name attached to the email: Andy Saolis.
The Method
The same email address used the ransomware HDD Cryptor in the past. The program, also known as Mamba, rewrites a computer’s Master Boot Record, shutting out users. It creates a new user, “mythbusters,” with its own password, “123456,” and continues its dirty work, scanning and encrypting files.
In rewriting the boot sectors, it creates its own custom boot, showing the screen announcing the hack, and how to contact the hackers. It does not allow for user interaction. The hackers will only allow interaction once the password has been purchased.
The ransomware only targets network drives, and within the network drives, it targets folders, files, printers, and serial ports. It makes no distinction between companies and personal networks, putting private citizens at risk.
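The two host artefacts described above, the added “mythbusters” account and the rewritten Master Boot Record, can both be checked for. The following Python is an added example, not part of the original article or any vendor tool: it assumes Security-log events exported as XML and a raw 512-byte copy of sector 0, and all sample data is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SUSPECT_ACCOUNTS = {"mythbusters"}  # account name reported in the article

# Constructed sample export; host and creator names are made up.
SAMPLE_EVENTS = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4720</EventID><Computer>HOST-A</Computer></System><EventData>
<Data Name="TargetUserName">jsmith</Data><Data Name="SubjectUserName">helpdesk</Data>
</EventData></Event>
<Event><System><EventID>4624</EventID><Computer>HOST-B</Computer></System><EventData>
<Data Name="TargetUserName">mythbusters</Data></EventData></Event>
<Event><System><EventID>4720</EventID><Computer>HOST-B</Computer></System><EventData>
<Data Name="TargetUserName">MythBusters</Data><Data Name="SubjectUserName">SYSTEM</Data>
</EventData></Event>
</Events>"""

def suspicious_account_creations(xml_text):
    """Return (computer, new_account, created_by) for each 4720 event naming a suspect."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        # 4720 = "A user account was created"; logons (4624) etc. are skipped.
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4720":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() in SUSPECT_ACCOUNTS:
            hits.append((ev.findtext("e:System/e:Computer", namespaces=NS),
                         data["TargetUserName"], data.get("SubjectUserName", "")))
    return hits

def boot_code_hash(sector0):
    """SHA-256 of MBR bytes 0-439: boot code only, so repartitioning does not alert."""
    return hashlib.sha256(sector0[:440]).hexdigest()

def mbr_status(sector0, baseline_hash):
    """Compare a 512-byte sector 0 image with a hash recorded while the host was clean."""
    if len(sector0) != 512:
        return "short-read"
    if sector0[510:512] != b"\x55\xaa":
        return "no-boot-signature"
    return "unchanged" if boot_code_hash(sector0) == baseline_hash else "modified"

# Constructed stand-ins for sector 0, not real boot sectors.
GOOD_MBR = b"\x33\xc0" + b"\x00" * 508 + b"\x55\xaa"
ALTERED_MBR = b"\xeb\x3c" + b"\x00" * 508 + b"\x55\xaa"
BASELINE = boot_code_hash(GOOD_MBR)

if __name__ == "__main__":
    print(suspicious_account_creations(SAMPLE_EVENTS))
    print(mbr_status(GOOD_MBR, BASELINE), mbr_status(ALTERED_MBR, BASELINE))
```

A hard-coded account name is a weak indicator that a variant can change, so the boot-code comparison is the more durable of the two checks.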
In an ironically helpful twist, some hackers offer to show how to patch the vulnerability once the bitcoins are in their wallet.
The Cryptom27 address, as mentioned, replied to Forbes, noting they used a Windows 2000 server to breach Muni’s security.
“Company don’t pay attention to Your safety!” the email read. “They give your money and everyday rich more! But they don’t pay for IT security and using very old systems!”
In an email to BoingBoing, they admitted the hack was random, and did not specifically target Muni:
“We don’t attention to interview and propagate news! Our software working completely automatically and we don’t have targeted attack to anywhere! SFMTA network was Very Open and 2000 Server/PC infected by software! So we are waiting for contact any responsible person in SFMTA but I think they don’t want deal! So we close this email tomorrow!”
The Fix
Muni was able to pull from backups (and if they had been unable to, there are professional services that can perform high-level server data recovery in the wake of a hack), and claimed their servers were never actually breached and information was not stolen. By the afternoon of Nov. 28, services were mostly restored, with riders no longer getting in free.
However, this angered the hackers, who claimed they did have stolen information in the form of server files.
A Standoff?
Gizmodo obtained a list of more than 2,200 compromised Muni servers. Listed names include “PAYROLLHPDC7600,” “MUNIMAIL1,” “MUNIMAIL2,” and “QUICKBOOKS,” likely referring to the payroll software. Also included in the list were “GPOADMIN” and “gpoadmin2,” which refer to “Group Policy Object,” the settings and policies put in place by a system admin to govern a network - and a common way of distributing ransomware.
The hackers released another statement shortly thereafter. This time, instead of a ransom for freeing the encrypted computers, it was blackmail: pay up, or they will release 30 gigabytes of data, presumably including personal information, from the servers - the same ones Muni claims the hackers were unable to access.
“It’s Show to You and Proof of Concept , Company don’t pay Attention to Your Safety !” the hackers wrote. They further stated:
“They give Your Money and everyday Rich more! But they don’t Pay for IT Security and using very old system’s ! We Hacked 2000 server/pc in SFMTA including all payment kiosk and internal Automation and Email and …! We Gain Access Completely Random and Our Virus Working Automatically ! We Don’t Have Targeted Attack to them ! It’s wonderful ! If some Hacker Try to Hack Your Transportation Infrastructure Target-Based , it’s Have More Impact! We Don’t live in USA but I hope Company Try to Fix it Correctly and We Can Advise Them But if they Don’t , We Will Publish 30G Databases and Documents include contracts , employees data , LLD Plans , customers and … to Have More Impact to Company To Force Them to do Right Job!”
As of Nov. 29, the files had not been released, and no significant amount of bitcoins had been added to the specified wallet.
The Implications
Though the American Public Transportation Association released a set of cyber security guidelines (PDF) in 2014, this clearly did not help SF Muni.
This hack, combined with all the other prolific hacks, from hospitals being targeted to the distributed denial of service (DDoS) attack on Dyn’s servers in October, paints a grim future for cybersecurity.
Imagine if hackers randomly accessed a fitness tracker - one that uploads information to your personal medical file - and the hacker now has access to your personal information, mirroring what could be happening to Muni. Any embarrassing medical secrets could be held for blackmail. Plus, your FitBit could be shut down until you pay up. Your personal network drives could be hacked; your company’s servers held by cyber criminals.
Or, even worse, they could take over a power plant, holding an entire power grid ransom. Hackers shut down multiple substations in an orchestrated attack last year. Instead of simply denying access, they could, in theory, hold the power station ransom - and if no one pays, physically destroy generators simply by introducing malicious code.
Last year, a poll of 129 countries found that 83 percent of the countries ranked cyber attacks in the top three threats to businesses; only 38 percent felt they could adequately respond to an online threat.
In a final ironic twist, it seems the hacker - who has made, conservatively, about $140,000 off of other ransomware attacks - was hacked over the weekend by a security analyst, who then provided well-known security researcher Brian Krebs with information. Andy Saolis is very likely a pseudonym, and the hacker seems to hail from Iran.
Cyber security has been at the forefront of conversations recently, along with how changes need to be made to protect not just citizens but corporations. Ransomware as a service is cropping up with increasing regularity, as more and more devices are connected to the internet and local networks. If possible, store a backup that is not connected to the server or computer, preferably off-site. Even a cloud-based backup can be hacked and locked. For more advice on how to prevent a ransomware attack on your systems or servers, read the FBI’s public service announcement from September.