San Francisco Transit System Breached

This week we hear how the San Francisco transit system was breached, and how TalkTalk Wi-Fi router passwords were stolen while malware blocked users' internet access.

Breach

San Francisco Transit System Breached

On Friday afternoon, the day after Thanksgiving, the San Francisco Muni fare system was hit with a ransomware attack. The hackers demanded 100 Bitcoin, approximately $74,000. The attack infected over 2,000 computers, including office desktops, email, print servers, payroll systems and more, all of which displayed "You Hacked, ALL Data Encrypted" on their monitors.

The software used to hijack the computers is known as Mamba. It affects Windows machines by encrypting their hard drives, which remain locked until unlocked with a specific password. Security experts say the hackers used an automated system to send victims links to the malware or to lure them to a malicious website.

References: Hackers Breached San Francisco’s Transit System and Demanded a Ransom | San Francisco Public Transit Hit With Ransomware Attack | Hackers Threaten to Release 30GB of Stolen Data From San Francisco's Municipal Railway


Mitigation Strategies:

  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Log management could detect suspicious user account activity
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies
  • Anti-virus would detect file infection on the local host
  • FIM solution would detect any type of file modification or addition
  • Mail filtration would scan incoming files and hyperlinks for malicious links or code
  • Web filtration to prevent users from clicking on malicious websites

Breach

TalkTalk Wi-Fi Router Passwords Stolen and Malware Blocks Users’ Internet

The Mirai worm is widely known and is affecting many internet service providers around the globe. It has recently affected the customers of TalkTalk. It was revealed that D-Link DSL-3780 routers had been infected by the malware, causing problems connecting to the internet. To mitigate the issue, affected users are advised to reset the equipment, which forces it to install an update that protects against the attack, and then to use the default wireless network name and password to get back online.

However, a security researcher has discovered a follow-up attack by the same malware that causes the router to disclose its Wi-Fi password and Service Set Identifier (SSID), potentially affecting approximately 55,000 routers. This means that even after users reset their routers, they remain at risk if they continue to use the same password as before.

TalkTalk is advising its customers to change their Wi-Fi passwords.

References: TalkTalk Wi-Fi Router Passwords 'Stolen' | TalkTalk Denies Customers' WiFi Passwords Were Stolen in Cyber Attack After Malware Blocks Users' Internet | TalkTalk and Post Office Customers Lose Internet Access as Routers Hijacked

Mitigation Strategies:

  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies
  • Mail filtration would scan incoming files and hyperlinks for malicious links or code
  • Web filtration to prevent users from clicking on malicious websites
  • NetFlow traffic may also reveal large data transfers and potential data leakage
  • Ensure the router is patched with the latest security updates

This Week's Malicious IP Addresses

  • 118.170.130.207
  • 188.118.2.26
  • 81.183.56.217
  • 46.109.168.179
  • 87.222.67.194
  • 115.28.128.165

*IP addresses provided by Recorded Future.