Tim Compston, Features Editor at Security News Desk and SecurityMiddleEast.com discovers that cyberattacks on transportation infrastructure are on the rise with ransomware the latest attack vector to come to prominence.
San Francisco Targeted
A security breach at the San Francisco Municipal Transportation Agency (Muni) last month, which resulted in it having to offer a free service to customers on the public transit system over the Thanksgiving weekend, certainly provides food for thought, given the financial and operational impact and, worryingly, the sheer vulnerability of this critical infrastructure to interference by external actors. In this case it appears that Muni was the victim of a ransomware attack that managed to find its way into the agency's internal computer systems, including email. One media report said that during the incident screens on San Francisco's ticket kiosks were displaying the phrase: "You Hacked, ALL Data Encrypted."
In the immediate aftermath of what transpired in San Francisco a number of cybersecurity vendors were quick to offer comment. For its part Avast revealed that the hackers were, apparently, demanding a ransom of 100 Bitcoin from Muni to regain access to its systems, a figure which amounts to about US $70,000 - a not insubstantial sum. According to Avast the malware that infected the system was likely to have been HDDCryptor, a new ransomware variant that has the ability to rewrite a computer's MBR (Master Boot Record) boot sectors and then lock users out of their systems.
Tony Anscombe, Senior Security Evangelist at Avast, takes up the story on HDDCryptor, confirming that the virus was first discovered earlier this year: "While we have tracked a low but consistent presence within the threat landscape, we have noted a spike in the last two weeks [of November]. HDDCryptor uses two legitimate tools to execute: Netpass for obtaining credentials to access network drives, and DiskCryptor to encrypt files and render them inaccessible without the ransom sum being paid."
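The execution chain Anscombe describes, a credential-harvesting tool followed by a disk-encryption tool on the same host, is something a defender can correlate in process-creation telemetry. The following is an added example, not code from Avast or from the article; the executable names (netpass.exe for NirSoft Netpass, dcrypt.exe and dccon.exe for DiskCryptor), the log format and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry):
# timestamp | host | user | image path
SAMPLE_EVENTS = """\
2016-11-25T02:10:03 | KIOSK-SRV-01 | svc_ops | C:\\Windows\\System32\\svchost.exe
2016-11-25T02:11:47 | KIOSK-SRV-01 | svc_ops | C:\\Users\\Public\\netpass.exe
2016-11-25T02:14:12 | KIOSK-SRV-01 | svc_ops | C:\\Users\\Public\\dccon.exe
2016-11-25T02:20:00 | FILE-SRV-02  | admin   | C:\\Program Files\\dcrypt\\dcrypt.exe
2016-11-25T03:05:30 | HR-PC-07     | alice   | C:\\Tools\\netpass.exe
"""

# Assumed executable names for the two legitimate tools named in the article.
CREDENTIAL_TOOLS = {"netpass.exe"}
DISK_ENCRYPTION_TOOLS = {"dcrypt.exe", "dccon.exe"}
WINDOW = timedelta(minutes=30)  # how close together the two stages must be


def parse_events(text):
    """Parse the pipe-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = [f.strip() for f in line.split("|")]
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image,
                       "exe": image.rsplit("\\", 1)[-1].lower()})
    return events


def correlate(events, window=WINDOW):
    """Alert when a credential-harvesting tool runs on a host and a
    disk-encryption tool follows on the same host within `window`.
    Either tool on its own is not alerted; only the chained pair is."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        cred_times = [e["time"] for e in evs if e["exe"] in CREDENTIAL_TOOLS]
        for e in evs:
            if e["exe"] in DISK_ENCRYPTION_TOOLS and any(
                    timedelta(0) <= (e["time"] - t) <= window for t in cred_times):
                alerts.append((host, e["user"], e["time"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print("chained credential-harvest + disk-encryption tools:", alert)
```

Only KIOSK-SRV-01 triggers an alert; the lone DiskCryptor run on FILE-SRV-02 and the lone Netpass run on HR-PC-07 are left for lower-priority review.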
Anscombe says that, to stay ahead of these types of ransomware attacks, organisations, like transportation operators, need to protect themselves by implementing a series of preventative measures. These measures, he explains, include: installing good antivirus software as the first line of defence for any device connected to the Internet and ensuring that Windows and browser updates are downloaded and installed when available - doing this automatically is recommended. In addition Anscombe stresses that it is important for organisations to regularly review and assess the state of any third party software running on their servers: "Vulnerabilities in packages are common attack vectors." Planning ahead and running regular backups of files is also key here: "This can be the only way to recover valuable data after a ransomware attack," concludes Anscombe.
The Rise Of Exploit Kits
Turning to the rise of ransomware, when I first interviewed Anscombe during the summer, well before the San Francisco incident, even then he reckoned that in terms of cybersecurity issues it was ransomware - malicious software designed to block access to a computer system until a sum of money is paid - which was high on the agenda: "Well one of our concerns in a piece we wrote recently about ransomware was the shift from it using standard vulnerabilities to moving to exploit kits. Exploit kits, because they are widely used, have a much larger distribution so we might see a lot more people getting ransomware on their machines. That was really our big concern around that."
According to Anscombe exploit kits, which are becoming more of a factor with ransomware, are basically software packages that are available for sale and are then used by malicious operators to readily create malware that can perform a wide variety of malicious functions. Such malware can, for instance, be installed on hacked web servers and then go on to attack the machines of visitors to specific websites, in many instances without their knowledge.
Anscombe feels that ransomware really fits into a broader picture where, over a number of years, threats have become more targeted and the intention of the threat is monetization: "That is kind of the interesting part and that is why ransomware is particularly grabbing the attention of both the media and the security industry because, of course, it has a level of direct monetizing mechanisms built into it as well."
Returning to the wider cybersecurity vulnerabilities in transport-related systems and the need for constant vigilance, over the years a number of incidents and studies have served to underline the dangers and vulnerabilities which are out there. These range from the situation back in January 2009 when the Texas Department of Transportation saw hackers ‘for fun’ alter the message on a portable digital road sign in the city of Austin to read ‘Zombies Ahead’. Even more concerning was the research by the University of Michigan, published in 2014, which demonstrated how it is possible to hack into wirelessly networked traffic lights and to then change the state of those lights.