Attacks on San Francisco Muni and Deutsche Telekom
This week saw two high-profile attacks which highlight broader information security trends.
In this briefing, we will take a closer look at both.
San Francisco’s transportation system Muni was hit by a ransomware attack which forced operators to let customers ride for free. The ransomware took over a significant percentage of the general-purpose computers on the network as well as of the specialized ticket vending machines.
While often not apparent to customers, virtually all modern terminal systems like ATMs, ticket vending machines or self-check-in counters are regular computers running regular operating systems with specialized software on top. Although discontinued and out of support, Windows XP and Windows NT 4 systems are still somewhat common on such terminals.
Since many of these systems are connected to the internet, they are relatively easy targets for hackers.
The attacker tried to extort roughly $73,000 from Muni which in turn hired security experts to clean up the system and try to identify the source of the attack. Most recent reports indicate that the attacker himself/herself has subsequently been hacked. Investigations are ongoing.
This attack highlights two trends:
- Ransomware, which offers a relatively straightforward way to monetize compromised machines, is still gaining popularity.
- Terminal systems continue to catch the interest of attackers due to their often remote location, lax maintenance and outdated software.
Operators of large IT infrastructures are advised to continue to be on high alert against ransomware attacks - especially if parts of the infrastructure are seldom audited.
In a separate attack, a large segment of the customers of Deutsche Telekom - Germany’s largest ISP and phone carrier - were disconnected from the internet on Monday. Released reports indicate that a variant of the Mirai botnet targeted routers on a large scale. Infected and likely infected machines were cut off from the network.
It is important to note that this attack does not seem to have been directed against Deutsche Telekom specifically but rather against routers with vulnerable firmware.
This implies that similar attacks might have succeeded without being noticed or reported on other networks.
The Mirai botnet, which first came to infamy when it conducted large-scale DDoS attacks against DNS provider Dyn using hijacked IoT devices, continues to evolve, adapt and grow. Whoever operates it has clearly realized that the millions of forgotten or unmaintained embedded devices such as routers, smart appliances and other IoT infrastructure make for much easier and more manageable targets than classic workstations and servers.
Companies and end-users are advised to pay close attention to all smart devices connected to the internet. Firmware updates should always be installed as quickly as possible, and out-of-support devices should be decommissioned.