While most people were busy recovering from Thanksgiving and getting ready for massive shopping sprees, a hacker on Friday shut down the San Francisco Municipal Transportation Agency (SFMTA) computer network, asking for $73,000 in Bitcoin to unscramble the data. In an ironic turn of events, the hacker was hacked, as a security researcher guessed the answer to the attacker’s email security question.
The researcher then sent the contents of the hacker’s email address to KrebsOnSecurity.
It turns out that the attacker made a poor choice of security question for the email address he had to display on the SFMTA’s computer systems. That’s how ransomware attacks work: the hacker has to make an email address available so funds can be transferred to him or her via Bitcoin.
Looking at the available data, Krebs was able to discover several interesting things about the hacker of the Muni attack.
The attacker did not hit only the SFMTA with ransomware. On November 20th he extorted 63 Bitcoins, or around $45,000, from a US-based manufacturing firm. Krebs says that the criminal got at least $140,000 in Bitcoin since August from several victims, switching Bitcoin wallets regularly. However, the SFMTA refused to pay up, choosing to restore its systems from backups instead.
The email hack also sheds some light on how the attack on the SFMTA was possible. Apparently, the hacker did not actively devise methods to attack the public transportation system. Instead, he or she used a server to find vulnerable targets.
“It appears our attacker has been using a number of tools which enabled the scanning of large portions of the Internet and several specific targets for vulnerabilities,” Holden Security’s Alex Holden told Krebs. “The most common vulnerability used ‘weblogic unserialize exploit’ and especially targeted Oracle Corp. server products, including Primavera project portfolio management software.”
The email also contains elements that could help law enforcement discover the identity, or at least location, of the attacker. According to Krebs, the hacker might be based in Iran, although a phone number connecting the hacker to Russia has also been found — probably a red herring, Krebs said.
Read Krebs’ full report at the source link.