The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware gained access to the agency’s network by way of a known vulnerability in an Oracle WebLogic server.
That vulnerability is similar to the one used to hack a Maryland hospital network’s systems in April and infect multiple hospitals with crypto-ransomware. The hackers do not appear to have targeted SFMTA specifically; the vulnerable server was simply spotted with a vulnerability scan.
SFMTA spokesperson Paul Rose said that the agency became aware of a problem on 25 November. The ransomware encrypted some systems mainly affecting computer workstations.
The SFMTA network was not breached from the outside, nor did hackers gain entry through its firewalls. Muni operations and safety were not affected. Customer payment systems were not hacked and no data was nicked.
Based on communications from the ransomware operator behind the Muni attack, uncovered and published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a “deserialization” attack after it was identified by a vulnerability scan.
Krebs said that it was possible to access the mailbox used in the malware attack, hosted on the Russian e-mail and search provider Yandex, by guessing its owner’s security question, and he provided details from that mailbox and another linked mailbox on Yandex.
Based on details found in e-mails for the accounts, the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations’ networks.