
Attacks on San Francisco Muni and Deutsche Telekom

Written by Reflare Research Team | Nov 30, 2016 12:42:00 PM

The Mirai botnet has been directly linked with a number of massive DDoS attacks, and a variant of it has now knocked a large segment of customers of Germany's largest telecom company, Deutsche Telekom, offline.


"Guten tag! Hallo... Hallo?"


This week saw two high-profile attacks which highlight broader information security trends. In this briefing, we will take a closer look at both.

San Francisco’s transportation system Muni was hit by a ransomware attack which forced operators to allow customers to ride for free. The ransomware took over a significant percentage of general-purpose computers on the network as well as specialised ticket vending machines.

While often not apparent to customers, virtually all modern terminal systems such as ATMs, ticket vending machines or self-check-in counters are regular computers running regular operating systems with specialised software on top. Although both are discontinued and out of support, Windows XP and Windows NT 4 installations are still fairly common in this role.

Since many of these systems are reachable over the internet and are rarely patched, they are relatively easy targets for attackers.

The attacker tried to extort roughly $73,000 from Muni, which in turn hired security experts to clean up the system and try to identify the source of the attack. The most recent reports indicate that the attacker has since been hacked in turn. Investigations are ongoing.

This attack highlights two trends:

  1. Ransomware, which offers a relatively straightforward way to monetise compromised machines, is still gaining popularity.

  2. Terminal systems continue to catch the interest of attackers due to their often remote location, lax maintenance and outdated software.

Operators of large IT infrastructures are advised to continue to be on high alert against ransomware attacks - especially if parts of the infrastructure are seldom audited.

In a separate incident, a large segment of the customers of Deutsche Telekom, Germany's largest ISP and phone carrier, were disconnected from the internet on Monday. Reports indicate that a variant of the Mirai botnet targeted customer routers on a large scale; devices that were infected, or likely to be infected, were cut off from the network.

It is important to note that this attack does not seem to have been directed against Deutsche Telekom specifically but rather against routers with vulnerable firmware.

This implies that similar attacks might have succeeded without being noticed or reported on other networks.

The Mirai botnet, which first came to infamy when it conducted large-scale DDoS attacks against the DNS provider Dyn using hijacked IoT devices, continues to evolve, adapt and grow. Whoever operates it has clearly realised that the millions of forgotten or unmaintained embedded devices such as routers, smart appliances and other IoT infrastructure make for much easier and more manageable targets than classic workstations and servers.

Companies and end-users are advised to pay close attention to every smart device connected to the internet: firmware updates should be installed as soon as they are available, and devices that no longer receive updates from their vendor should be decommissioned.