An individual hacked back the San Francisco Muni hacker

Pierluigi Paganini December 07, 2016

In November, an unknown attacker hacked the computer systems of the San Francisco Municipal railway; now an individual has hacked back the San Francisco Muni hacker.

A couple of weeks ago, an unknown attacker hacked the computer systems of the San Francisco Municipal railway (Muni), giving riders a free ride all day on Saturday. Now the same hacker seems to have been hacked. According to the well-known investigative journalist Brian Krebs, an individual took over the email account that the Muni hacker listed as a contact in the ransom note left during the attack.

The ransom demanded from the SFMTA in this case was 100 BTC, or about $73,184 USD at current exchange rates.

The hackers that targeted the San Francisco Municipal railway left the following message on the compromised machines in the Muni stations:

“Contact for key ([email protected])”

Infected machine at the SF Muni station (Source: Brian Krebs)

The individual who hacked back the Muni hacker broke into the email account by guessing the answer to the security question protecting it; he then reset the password and locked down both the account and its secondary address [email protected].

“On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same [email protected] inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password.” wrote Krebs. “A screen shot of the user profile page for [email protected] shows that it was tied to a backup email address, [email protected], which also was protected by the same secret question and answer.”

The analysis of the Bitcoin wallets used by the Muni hacker revealed that he earned $140,000 in the last three months, a circumstance that confirms he is a cybercriminal. During this period he switched Bitcoin wallets at random every few days or weeks in order to make the investigation harder. Most of the extortion attempts targeted US-based construction and manufacturing companies, and in many cases the victims appear to have complied with the demands.

“On Nov. 20, hacked emails show that he successfully extorted 63 bitcoins (~$45,000) from a U.S.-based manufacturing firm.” added Krebs. “Emails from the attacker’s inbox indicate some victims managed to negotiate a lesser ransom. China Construction of America Inc., for example, paid 24 Bitcoins (~$17,500) on Sunday, Nov. 27 to decrypt some 60 servers infected with the same ransomware — after successfully haggling the attacker down from his original demand of 40 Bitcoins. Other construction firms apparently infected by ransomware attacks from this criminal include King of Prussia, Pa. based Irwin & Leighton; CDM Smith Inc. in Boston; Indianapolis-based Skillman; and the Rudolph Libbe Group, a construction consulting firm based in Walbridge, Ohio.”

The analysis of the account revealed a number of messages sent to the attacker’s [email protected] account. These messages show a financial relationship with at least two different hosting providers. The hacked inbox also included emails containing the credentials needed to manage one of those servers, which Krebs shared with experts including Alex Holden, chief information security officer at Hold Security Inc.

The experts discovered that the server had been used to hack into systems worldwide and was hosting several open-source hacking tools.

“It appears our attacker has been using a number of tools which enabled the scanning of large portions of the Internet and several specific targets for vulnerabilities,” Holden said. “The most common vulnerability used ‘weblogic unserialize exploit’ and especially targeted Oracle Corp. server products, including Primavera project portfolio management software.”

The experts also discovered that the Muni hacker used internet addresses based in Iran, and they found some notes that had been translated into Farsi.

“That server kept detailed logs about the date, time and Internet address of each login. A review of the more than 300 Internet addresses used to administer the server revealed that it has been controlled almost exclusively from Internet addresses in Iran. Another hosting account tied to this attacker says his contact number is +78234512271, which maps back to a mobile phone provider based in Russia.” continues Krebs. “But other details from the attack server indicate that the Russian phone number may be a red herring.”

It is a bad time for crooks, too!

Pierluigi Paganini

(Security Affairs – Muni hacker, hacking back)
