Image credit: Justin Sullivan/Getty Images

San Francisco MUNI hacker was hacked

Evidence suggests that the hacker has made a fortune targeting companies with insecure servers.

Over the weekend, San Francisco's transit system was hacked by an individual (or group) going by the name Andy Saolis. The attack forced the city to offer Muni rides for free while its staff raced to rectify the breach on its servers. But while Saolis was threatening to expose gigabytes of data if the ransom wasn't paid, they became the subject of a hack themselves. An anonymous individual contacted Krebs on Security, claiming to have breached Saolis' email and found a few clues as to their identity.

The hacker was able to breach Saolis' Yandex mail account by correctly guessing the security question used for password reset. From there they were able to access other email addresses and Bitcoin wallets that suggest Saolis has earned up to $140,000 from attacking companies. Their key attack vector was to target firms running Oracle server products, as well as its Primavera project-management tool. Those servers were vulnerable to a software flaw that had already been patched in November 2015, meaning the victims were running installations that had not been updated.

San Francisco's transit agency was something of an outlier, since Saolis mostly targeted businesses that -- allegedly -- quietly paid the ransom, rather than public bodies. Construction firms appear to have been attacked regularly: Saolis had been in contact with companies like China Construction of America, CDM Smith and Skillman. Other companies on the list included Irwin & Leighton and the Rudolph Libbe group, a building consultancy.

Despite shifting between multiple Bitcoin wallets and email addresses to avoid detection, Saolis has left some clues as to their identity. Personal notes were written in a language believed to be Persian (Farsi), suggesting that they're located in the Middle East. There is also a belief that Andy Saolis uses the pseudonym Ali Reza, a common name in the wider Arab world.

Krebs ends the piece with the usual exhortation for companies and individuals to take better care of their data. Back up files regularly, keep the backups offline and make sure that your software is kept up to date with the latest patches. In addition, if you're using a web-based email service, make sure that you aren't using easily guessable answers to your security questions. Otherwise all it takes is for you to say the wrong thing on social media and boom -- all of your secrets are exposed.
