The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency’s network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network’s systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn’t specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan.
In an e-mail to, SFMTA spokesperson Paul Rose said that on November 25, “we became aware of a potential security issue with our computer systems, including e-mail.” The ransomware “encrypted some systems mainly affecting computer workstations,” he said, “as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers.”
That description of the ransomware attack is not consistent with some of the evidence of previous ransomware attacks by those behind the SFMTA incident—which Rose said primarily affected about 900 desktop computers throughout the agency. Based on communications uncovered from the ransomware operator behind the Muni attack published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a “deserialization” attack after it was identified by a vulnerability scan.
A security researcher told Krebs that he had been able to gain access to the mailbox used in the malware attack on the Russian e-mail and search provider Yandex by guessing its owner’s security question, and he provided details from the mailbox and another linked mailbox on Yandex. Based on details found in e-mails for the accounts, the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations’ networks.
Krebs reported that the e-mails he reviewed showed many paid the attacker, including one organization that sought recommendations from the ransomware operator on how to prevent future attacks. In response, the ransomware operator sent a link to a November 2015 advisory from Oracle regarding a vulnerability in the Apache Commons library of server-side Java components.
That vulnerability, which uses maliciously crafted data objects to exploit how the affected libraries “deserialize” them to unpack them for processing, is the same class of vulnerability used to attack MedStar, the Maryland health system that had multiple hospitals lose access to critical systems in April as the result of a ransomware attack. In that case, the attacker (who deployed Samsam crypto-ransomware across MedStar’s network) also apparently used an open source vulnerability scanning tool (JexBoss) to find and compromise a server running the open source JBoss platform.
Rose toldthat ticket machines for Muni trains were not directly affected by the ransomware. “In coordination with our partners at Cubic Transportation Systems, which operates [the ticketing kiosk system] Clipper, we took the precaution of turning off the ticket machines and faregates in the Muni Metro subway stations, starting on Friday until 9am Sunday,” he wrote. “This action was to minimize any potential risk or inconvenience to Muni customers.” He added that the SFMTA’s payroll system was not hit by the attack, “but access to it was temporarily affected. There will be no impact to employees’ pay.”
SFMTA did not pay the 100-Bitcoin (about $73,000) ransom demanded by the attacker, Rose said. SFMTA’s internal information technology team is instead restoring systems from backups. “Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next two days.”
Rose also said that the Department of Homeland Security and FBI were contacted immediately after the discovery of the malware, and SFMTA has been working with the agencies to isolate the malware used in the attack and investigate who may have been behind it.