Last Friday, the city of Atlanta was hit by a ransomware attack that took most of the city's internal and external services offline. To date, many of those services have been restored, but two public portals remain offline. On Saturday, the network behind Baltimore's 911 system was hit as well.
Whether these attacks are somehow linked is not clear, but the vulnerability of companies and government agencies – especially local governments – to this kind of attack has been demonstrated repeatedly in recent years. Even as organizations patch the vulnerabilities exploited in earlier ransomware and ransomware-like attacks, attackers have shifted tactics to find new paths into networks, and even to exploit brief lapses in defenses to gain a destructive foothold.
Baltimore's 911 Emergency Weekend
In the case of the Baltimore 911 system, the type of ransomware involved is still unclear, but the city's top information officer confirmed that Baltimore's computer-aided dispatch (CAD) system was taken offline by ransomware. In a statement provided to Ars Technica, Baltimore Chief Information Officer and Chief Digital Officer Frank Johnson said the CAD network was shut down by "ransomware offenders" over the weekend and that the city's IT team was able to isolate the breach to the CAD network itself. "Systems connected to the CAD network, including Baltimore Police Department systems, were taken offline to prevent the spread of ransomware. After ensuring all systems were working properly, CAD was brought back online," Johnson said. "This attack did not compromise a citizen's personal information. The city continues to work with its federal counterparts to determine the source of the intrusion."
While the exact type of ransomware in the Baltimore attack was not revealed, the point of entry was at least partially identified. Johnson said the Baltimore City Information Technology team found that "the vulnerability was the result of an internal firewall being modified by a technician who resolved a non-contiguous communication problem within the CAD system."
The firewall change had apparently been in place for only four hours. The attackers most likely found the gap with an automated scan, but a spokesperson for the city of Baltimore said no further details could be provided while the investigation continues.
Atlanta's Week of Ransomware
In the case of Atlanta, the point of entry has not been identified, but the nature of the attack has: the ransom message matches that of SamSam, a malware family first seen in 2015. The attackers behind the ransomware demanded $51,000 worth of Bitcoin in exchange for the encryption keys for all affected systems.
Atlanta Information Management (AIM) first became aware of the attack on Thursday, March 22, at 5:40 am. It affected various internal and customer-facing applications, including those used to pay bills or access court information.
The city's Capricorn application, a Java-based self-service portal from Ontario-based SilverBlaze, remains offline. The court's payment and ticketing system is partially back online, but a case-information access system built on Windows Internet Information Server (IIS) is still unavailable. Some internal systems have been restored, according to a statement from the Atlanta mayor's Office of Communications.
An analysis of the city of Atlanta's systems and of earlier SamSam attack vectors suggests two possible entry points, both related to the public-facing systems that are currently offline. SamSam attacks in 2016 and early 2017, such as the one on Baltimore's Union Memorial Hospital, exploited vulnerabilities in open source Java platforms. But according to a report by Dell's SecureWorks, more recent attacks have shifted to brute-force password guessing against Remote Desktop Protocol (RDP) to gain access to a server, followed by PowerShell scripts that deploy password-harvesting tools and then install the ransomware itself.
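The chain SecureWorks describes (many failed RDP logons from one source, then a successful remote-interactive logon from that same source, then PowerShell starting on the host) is visible in Windows Security event logs and is straightforward to alert on. The script below is an added example written for this page, not code from SecureWorks, the city of Atlanta or Ars Technica. It works on a simplified pipe-delimited rendering of event IDs 4625 (failed logon), 4624 (successful logon) and 4688 (process creation); the log lines, the source addresses and the threshold of five failures in ten minutes are all constructed for the example.

```python
"""Detect the SamSam RDP brute-force pattern in simplified Windows security
events: repeated 4625 failures from one source, a 4624 RDP logon from that
source, then a 4688 PowerShell launch by the account that logged in.
Added example; log format, addresses and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this sliding window
RDP_LOGON_TYPE = "10"                # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample. Fields: time|event_id|logon_type|account|source_ip|process
# (raw string so the Windows path below keeps its backslashes)
SAMPLE_LOG = r"""
2018-03-22T04:55:01|4625|10|administrator|198.51.100.23|
2018-03-22T04:55:03|4625|10|admin|198.51.100.23|
2018-03-22T04:55:09|4625|10|administrator|198.51.100.23|
2018-03-22T04:56:12|4625|10|backup|198.51.100.23|
2018-03-22T04:56:40|4625|10|jsmith|192.0.2.8|
2018-03-22T04:57:30|4625|10|administrator|198.51.100.23|
2018-03-22T04:58:45|4625|10|administrator|198.51.100.23|
2018-03-22T05:02:10|4624|10|jsmith|192.0.2.8|
2018-03-22T05:10:02|4624|10|administrator|198.51.100.23|
2018-03-22T05:11:15|4688|-|jsmith|-|C:\Windows\System32\notepad.exe
2018-03-22T05:12:44|4688|-|administrator|-|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""


def parse(text):
    """Turn the pipe-delimited sample into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, acct, ip, proc = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": eid,
                       "type": ltype, "account": acct, "ip": ip, "proc": proc})
    return events


def detect(events):
    """Return (severity, message) findings in chronological order."""
    findings = []
    failures = defaultdict(deque)   # source ip -> timestamps of recent 4625s
    brute_forcers = set()           # sources that crossed FAIL_THRESHOLD
    compromised = {}                # source ip -> account that later logged in
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["id"] == "4625" and e["type"] == RDP_LOGON_TYPE:
            window = failures[e["ip"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()    # drop failures older than the window
            if len(window) >= FAIL_THRESHOLD and e["ip"] not in brute_forcers:
                brute_forcers.add(e["ip"])
                findings.append(("medium",
                                 f"{len(window)} failed RDP logons from "
                                 f"{e['ip']} within {FAIL_WINDOW}"))
        elif (e["id"] == "4624" and e["type"] == RDP_LOGON_TYPE
              and e["ip"] in brute_forcers):
            compromised[e["ip"]] = e["account"]
            findings.append(("high",
                             f"successful RDP logon as {e['account']} from "
                             f"brute-forcing source {e['ip']}"))
        elif (e["id"] == "4688"
              and e["proc"].lower().endswith("powershell.exe")
              and e["account"] in compromised.values()):
            findings.append(("critical",
                             f"PowerShell launched by {e['account']} after a "
                             f"brute-forced RDP logon"))
    return findings


if __name__ == "__main__":
    for severity, message in detect(parse(SAMPLE_LOG)):
        print(f"[{severity.upper()}] {message}")
```

The single failed logon from 192.0.2.8 followed by a success is a normal typo-and-retry and produces no finding; only the source that crosses the threshold is tracked forward into the logon and process-creation stages, which is what keeps the critical alert tied to the brute-force rather than to every PowerShell launch on the host.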
According to data from Shodan, Atlanta's Capricorn water billing portal ran on Apache Tomcat, and one of the court information systems had an open RDP port as well as servers exposing Server Message Block (SMB) to the public Internet. Atlanta has moved much of the city's remaining court systems to Microsoft's Azure cloud.
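Both incidents come down to the same exposure: remote-access or file-sharing ports (RDP in Atlanta's case, and whatever the four-hour Baltimore firewall change opened) reachable from untrusted networks. The script below is an added example for this page, not code from either city or from Ars Technica. It compares a firewall rule set before and after a change and reports any RDP, SMB or NetBIOS port that the change newly opened to sources outside a trusted range; the rule syntax, the 10.0.0.0/8 "internal" range and both rule sets are constructed for the example and do not describe either city's actual configuration.

```python
"""Flag RDP/SMB/NetBIOS ports that a firewall change newly exposes to
untrusted sources.  Added example; rule syntax, trusted range and sample
rule sets are constructed, not taken from any real configuration."""
from dataclasses import dataclass
import ipaddress

# Services whose exposure mattered in the incidents: RDP (brute-forced by
# SamSam) and SMB / NetBIOS over TCP/IP (abused by EternalBlue / WannaCry).
SENSITIVE_PORTS = {
    3389: "RDP",
    445: "SMB",
    139: "NetBIOS session (NBT)",
    137: "NetBIOS name (NBT)",
    138: "NetBIOS datagram (NBT)",
}

# Assumption for the example: the internal network is 10.0.0.0/8.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # IPv4 CIDR or "any"
    dst_port: int  # 0 means any port


def parse_rules(text):
    """Parse the constructed syntax: '<allow|deny> <proto> from <src> to port <n|any>'."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 7 or parts[2] != "from" or parts[4:6] != ["to", "port"]:
            raise ValueError(f"unparseable rule: {raw!r}")
        action, proto, src, port = parts[0], parts[1], parts[3], parts[6]
        rules.append(Rule(action, proto, src, 0 if port == "any" else int(port)))
    return rules


def src_is_untrusted(src):
    """True if the source can include addresses outside TRUSTED_NETS."""
    if src == "any":
        return True
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(trusted) for trusted in TRUSTED_NETS)


def exposures(rules):
    """Return {port: service} for each sensitive port reachable from an
    untrusted source.  First matching rule wins, as in most firewalls;
    rules scoped entirely to trusted sources cannot decide untrusted traffic."""
    found = {}
    for port, service in SENSITIVE_PORTS.items():
        for rule in rules:
            if rule.dst_port not in (0, port) or not src_is_untrusted(rule.src):
                continue
            if rule.action == "allow":
                found[port] = service
            break
    return found


def new_exposures(before_text, after_text):
    """Sensitive ports exposed after the change that were not exposed before."""
    before = exposures(parse_rules(before_text))
    after = exposures(parse_rules(after_text))
    return {p: s for p, s in after.items() if p not in before}


# Constructed rule sets.  "After" stands in for a troubleshooting change that
# widened the RDP allow to any source and replaced the SMB deny with an allow.
RULES_BEFORE = """
deny  tcp from any to port 445            # SMB never reachable from outside
deny  tcp from any to port 139
allow tcp from 10.0.0.0/8 to port 3389    # RDP only from the internal range
allow tcp from any to port 443
deny  any from any to port any
"""

RULES_AFTER = """
allow tcp from any to port 3389           # "temporary" troubleshooting change
allow tcp from any to port 445
deny  tcp from any to port 139
allow tcp from any to port 443
deny  any from any to port any
"""

if __name__ == "__main__":
    for port, service in sorted(new_exposures(RULES_BEFORE, RULES_AFTER).items()):
        print(f"ALERT: port {port} ({service}) newly reachable from untrusted sources")
```

Run against every committed rule-set change, a check like this would have raised the alert at the moment the change went in rather than four hours later when an automated scan found it; the final catch-all deny is what keeps ports 137 and 138 out of the report in both versions.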
While one source alleged that the Capricorn server was involved, SilverBlaze founding partner Dan Mair strongly denied that the company's software had been compromised in the Atlanta attack: "Respectfully, your information is false."
After an image showing the web address of the ransom payment site for the Atlanta SamSam infection was leaked, the attackers took the site down, as Steve Ragan of CSO reported.
The case at Boeing is much less clear and will most likely stay that way. Boeing Commercial Airplanes vice president of communications Linda Mills said Boeing's Cybersecurity Operations Center "detected a limited intrusion of malware affecting a small number of systems." Mills said that "corrective action has been applied; this is not a production and delivery problem" – meaning that production was not significantly disrupted. Mills told The Seattle Times that the incident was "limited to a few machines; we installed software patches; there was no interruption to the 777 jet program or any of our programs."
That is not how the internal emails first reported by The Seattle Times' Dominic Gates characterized the episode. A message from Boeing Commercial Airplanes production chief engineer Mike VanderWel warned that the malware was "rapidly metastasizing from North Charleston, and I just heard that 777 [automated spar assembly tools] could have perished." But those concerns appear to have been overblown.
The malware involved is unlikely to have been the original WannaCry that hit computers worldwide last May. WannaCry – which the US government recently formally attributed to North Korea – used EternalBlue, an NSA-developed exploit for Microsoft Windows SMB and NetBIOS over TCP/IP (NBT), to find new targets and spread across networks. The Boeing malware could have been a newer variant using the same exploit.
Whatever the Boeing malware was, it was apparently detected and stopped quickly. The bigger question – how it got into the Boeing plant in Charleston – will probably not be answered soon. Meanwhile, Denver's text-to-911 service was down overnight, along with 311 and other Internet-based services. Ars will update this story if it emerges that these outages are related to ransomware.