San Francisco MUNI hacker was hacked

Evidence suggests that the hacker has made a fortune targeting companies with insecure servers.
Daniel Cooper, @danielwcooper
November 29, 2016

Over the weekend, San Francisco's transit system was hacked by an individual (or group) going by the name Andy Saolis. The attack forced the city to offer Muni rides for free while its staff raced to clean up the breach on its servers. But while Saolis was threatening to expose gigabytes of data if the ransom wasn't paid, they were the subject of a hack themselves. An anonymous individual contacted Krebs on Security, claiming to have breached Saolis' email and found several clues to their identity.

The hacker breached Saolis' Yandex mail account by correctly guessing the security question used for password reset. From there they were able to access other email addresses and Bitcoin wallets, which suggest Saolis has earned up to $140,000 from attacking companies. The key attack vector was to target firms running Oracle server products, as well as Oracle's Primavera project-management tool. Those servers were vulnerable to a software flaw that had already been patched in November 2015.

San Francisco's transit agency was something of an outlier, since Saolis mostly targeted businesses that -- allegedly -- quietly paid the ransom, rather than public bodies. Construction firms appear to have been attacked regularly, since Saolis had been in contact with companies like China Construction of America, CDM Smith and Skillman. Other companies mentioned in the list include Irwin & Leighton and the Rudolph Libbe group, a building consultancy.

Despite shifting between multiple Bitcoin wallets and email addresses to avoid detection, Saolis has left some clues to their identity. Personal notes were written in a language believed to be Persian (Farsi), suggesting that they're located in the Middle East. There is also a belief that Andy Saolis uses the pseudonym Ali Reza, a common name in the wider Arab world.

Krebs ends the piece with the usual exhortation for companies and individuals to take better care of their data: back up files regularly, keep those backups offline and make sure your software is kept up to date with the latest patches. In addition, if you're using a web-based email service, make sure you aren't using easily guessable answers to your security questions. Otherwise all it takes is for you to say the wrong thing on social media and boom -- all of your secrets are exposed.
