Last Friday, the City of Atlanta was struck by a ransomware attack that took much of the city’s internal and external services offline. As of today, many of those services have been restored, but two public portals remain offline. On Saturday, the network for Baltimore’s 911 system was also taken offline by an apparent ransomware attack. And yesterday, Boeing’s Charleston facility—which manufactures components for Boeing’s 777 and other commercial jets, and for the Air Force’s KC-46 tanker—was struck by what was initially reported to be WannaCry malware.
While it is not clear at this point if these attacks are related in any way, the vulnerability of both businesses and government agencies—particularly local governments—to these sorts of attacks has been continuously demonstrated over the past few years. Even as organizations have moved to deal with the vulnerabilities that were exploited in the first waves of ransomware and ransomware-lookalike attacks, the attackers have modified their tactics to find new ways into networks, exploiting even fleeting gaps in defenses to gain a destructive foothold.
Baltimore’s 911 emergency weekend
In the case of the Baltimore 911 system, the type of ransomware attack is not yet clear, but the city’s top information systems official confirmed that Baltimore’s computer-aided dispatch (CAD) system was taken offline by ransomware. In a release emailed to Ars Technica, Baltimore Chief Information Officer and Chief Digital Officer Frank Johnson said that the CAD network was shut down over the weekend “due to ‘ransomware’ perpetrators” and that the city’s IT team was able to “isolate the breach to the CAD network itself.” Systems connected to the CAD network, including systems at the Baltimore City Police Department, were taken offline to prevent the spread of the ransomware.
“Once all systems were properly vetted, CAD was brought back online,” Johnson said. “No personal data of any citizen was compromised in this attack. The City continues to work with its federal partners to determine the source of the intrusion.”
While the exact type of ransomware in the Baltimore attack has not been revealed, the point of entry has at least partially been identified. Johnson said that the Baltimore City Information Technology office had determined “that the vulnerability was the result of an internal change to the firewall by a technician who was troubleshooting an unrelated communication issue within the CAD System.”
The firewall change was apparently only four hours old before the attackers exploited it. The gap was likely identified by the attacker through an automated scan. But a Baltimore City spokesperson said that no further details could be shared while the investigation was underway.
Atlanta’s week of ransomware
In Atlanta’s case, the means of access has not been revealed, but the type of attack has been identified: the ransomware message matches that of Samsam, a strain of malware first spotted in 2015. The attackers behind the ransomware demanded $51,000 worth of bitcoin to provide the encryption keys for all affected systems.
According to Atlanta officials, Atlanta Information Management (AIM) first became aware of the attack “on Thursday, March 22 at 5:40am, which affected various internal and customer-facing applications that are used to pay bills or access court-related information.”
The bill payment system, which uses Capricorn—a Java-based self-service portal from Ontario-based SilverBlaze—remains offline. The court’s fine- and ticket-payment system is partially backed up, but a Windows Internet Information Server-based system to access case information is still down. Some internal systems have been restored, according to a statement issued by the Mayor of Atlanta’s Office of Communications.
Analysis of the City of Atlanta’s systems and of previous attack vectors for Samsam suggests two possible points of entry, both associated with the public-facing systems that are currently offline. Samsam attacks in 2016 and early 2017, such as the one on Baltimore’s Union Memorial Hospital, leveraged vulnerabilities in open source Java platforms. But according to a report from Dell’s Secureworks, more recent attacks have turned to brute-force password attacks to gain Remote Desktop Protocol access to a server, then execution of PowerShell scripts that install password-harvesting tools and the ransomware itself.
Based on data from Shodan, the Capricorn portal for paying Atlanta water bills used Apache Tomcat, and one of the court information systems had an open RDP port, as well as Server Message Block (SMB) networking visible from the public Internet. Atlanta has moved much of the rest of the city’s court systems into Microsoft’s Azure cloud.
While one person claiming some knowledge of the Atlanta ransomware attack believed the Capricorn server was involved, SilverBlaze founding partner Dan Mair strongly denied that the company’s software was compromised in the Atlanta attack, stating simply, “Respectfully, your information is incorrect.”
After an image showing the Web address of the ransom page for the Atlanta Samsam infection leaked, as CSO’s Steve Ragan reported, the page was shut off by the attackers.
The case at Boeing is much less clear and most likely will remain that way. According to a statement issued by Boeing Commercial Airplanes Vice President of Communications Linda Mills, Boeing’s cybersecurity operations center “detected a limited intrusion of malware that affected a small number of systems.” Mills said that “remediations were applied; this is not a production and delivery issue”—meaning that manufacturing was not significantly interrupted. Mills told The Seattle Times that the incident “was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs.”
That was not how internal emails viewed by The Seattle Times’ Dominic Gates initially characterized the episode. A message from Boeing Commercial Airplane Production Chief Engineer Mike VanderWel warned that the malware was “metastasizing rapidly out of North Charleston, and I just heard 777 [automated spar assembly tools] may have gone down.” But those concerns appeared to have been overblown.
The malware involved is unlikely to be the original WannaCry, which hit computers worldwide last May. WannaCry—which the US government recently officially declared was launched by North Korea—leveraged Eternalblue, an NSA-developed exploit of Microsoft Windows’ SMB and NetBIOS over TCP/IP (NBT) protocols, to identify new targets and spread itself across networks. However, it may have been a new version using the same exploit.
Whatever the malware at Boeing was, it appears to have been detected and halted quickly. The bigger question—how it got into Boeing’s Charleston plant to begin with—will likely not be revealed any time soon.
Meanwhile, Denver’s text-to-911 service was down overnight, along with 311 and other Internet-based servivces. Ars will update this story if those outages were ransomware-related.