GOT(IT) #32: Ransomware attack on Atlanta cripples basic services, plus VPNFilter’s router botnet is alive and growing

This week’s recap might feel a bit like Skynet is taking over, and it would explain quite a lot of things!

Sadly, (or luckily?), the large-scale threats that struck the world in the past week were human made, and they gives us some insight on what an IoT cyber-warfare could look like if it erupted.

Ransomware Costed Atlanta Over $10M in Repairs so far


Last March Atlanta suffered a major cyber-attack that initially caused $2.7M in clean-up costs and repairs. The method? The devastating SamSam ransomware, which crackled the city’s network for weeks.

The attackers crippled the city’s basic services by encrypting crucial data and demanding $50,000 in ransom to unlock the systems.

Most digital processes and services were down: 140 applications were affected, the city Attorney’s office lost 10 years of documents and 71 computers, even the police forces suffered the impact with years of dashcam footage lost.

The initial $2.7M budget didn’t last, and an extra $9.5M were proposed to recompose the infrastructure of fallen software programs. During the first assessment, officials concluded no major application had been affected, but in reality about 30 percent of the total had been tackled by SamSam. What’s more, 30 percent of the affected programs are considered “mission critical”, and affect core services such as the city’s courts.

Atlanta’s Information Management head Daphne Rackley added that the damages were ‘a lot more, and they seem to be growing every day’ as they continue to assess and repair.

These sort of events spark some nasty but necessary questions: is the state ready to tackle these sort of attacks? What is the state of the backup infrastructure behind a city’s services, and how easy can it be crippled? Public offices using obsolete systems and out-of-date protocols will slowly emerge as a threat if not properly assessed.


VPNFilter Botnet Escalates and Targets More Models


Remember last week’s GOT(IT) when we talked about the VPNFilter router malware? The monstrous IoT botnet? The one that you had to restart all routers to prevent? Well, it didn’t stop with the FBI’s intervention, and instead Cisco’s Talos Intelligence group reported that it’s growing and targeting new devices.

According to the update, the malware that targeted a couple dozen of router models is now capable of infecting at least 56 more models from Asus, Huawei, ZTE, and other major manufacturers.

Talos has also confirmed that VPNFilter carries man-in-the-middle attacks, intercepting HTTP/S traffic, monitoring the network, capture credentials, and possibly target network devices. These new capabilities came with the discovery of a module that injects content into web traffic, ‘ssler’, which can be configured to target specific domains with malicious JavaScript.

That’s not all! The good ol’ ‘turning it off, and on again’ didn’t do the trick, because it seems there are other elements in the malware that possibly allow the VPNFilter’s restoration after a power reset. So, what steps can you take as prevention?

Make sure your router has been receiving its firmware updates, and if possible, do a hard-reset and re-configure credentials, port forwarding, and interfaces such as FTP and UPnP. VPNFilter’s attack exploits old passwords and out-of-date exploits, so dust-off the log in and clean up your network, just in case!


The IoT scares never end, but hey, it’s probably great for Black Mirror’s writers!

Nicolas Poggi

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.