that paralyzed Atlanta city government services for over a week. Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri are accused of using the SamSam ransomware to encrypt files on 3,789 City of Atlanta computers, including servers and workstations, in an attempt to extort Bitcoin from Atlanta officials. Details leaked by City of Atlanta employees during the ransomware attack, including screenshots of the demand message posted on city computers, indicated that SamSam-based malware was used. A SamSam variant was used in a number of ransomware attacks on hospitals in 2016, with attackers using vulnerable Java Web services to gain entry in several cases. In more recent attacks, including those on the health industry companies Hancock Health and Allscripts, other methods were used to gain access, including Remote Desktop Protocol hacks that gave the attackers direct access to Windows systems on the victims' networks. The Atlanta attack was not a targeted state-sponsored attack; the attackers likely chose Atlanta based on a vulnerability scan. According to the indictment, the attackers offered the city the option of paying six Bitcoin (currently the equivalent of $22,500) to get keys to unlock all the affected systems, or 0.8 Bitcoin (about $3,000) for individual systems. "The ransom note directed the City of Atlanta to a particular Bitcoin address to pay the ransom and supplied a web domain that was only accessible using a Tor browser," a Department of Justice spokesperson said in a statement. "The note suggested that the City of Atlanta could download the decryption key from that website." But within days of the attack, the Tor page became unreachable, and the City of Atlanta did not pay the ransom.
Savandi, 27, of Shiraz, Iran, and Mansouri, 34, of Qom, Iran, have been charged under the Computer Fraud and Abuse Act (CFAA) for "intentional damage to protected computers ... that caused losses exceeding $5,000, affected more than 10 protected computers, and that threatened the public health and safety," the Justice Department spokesperson said. They are also charged in a separate indictment in the US District Court for the District of New Jersey in connection with another ransomware attack, in which a ransom was apparently paid.
Users of the open source webmail software SquirrelMail are open to remote code execution due to a bug (CVE-2017-7692) discovered independently by two researchers. “If the target server uses Sendmail and SquirrelMail is configured to use it as a command-line program, it’s possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command,” the explanation provided by MITRE reads. “For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the ‘Options > Personal Informations > Email Address’ setting.” The bug was found by researchers Filippo Cavallarin and Dawid Golunski, independently of one another, and affects SquirrelMail versions 1.4.22 and below. Golunski reported it to SquirrelMail’s sole developer, Paul Lesniewski, who asked for a delay in publication of the details until he could fix the flaw. But as Cavallarin published details about it last week (after not receiving any reply from the SquirrelMail developer), Golunski did the same during the weekend. Both researchers provided a proof-of-concept exploit for the flaw, and Cavallarin even offered an unofficial patch for plugging the hole. All this prompted Lesniewski to push out a patch on Monday, and new, patched version snapshots of the software (1.4.23-svn and 1.5.2-svn). He also told The Register that exploitation of the bug is difficult to pull off.
“In order to exploit the bug, a malicious user would need to have already gained control over a mail account by other means; SquirrelMail would need to be configured to allow users to change their outgoing email address (we recommend keeping this disabled); the user would need to determine the location of the attachments directory (by gaining shell access or making guesses); the permissions on said directory and files would need to allow access by other processes (by default this will usually be the case, but prudent admins will exert more stringent access controls); and of course, SquirrelMail needs to be configured to send via Sendmail and not SMTP (default is SMTP),” he explained. Still, according to Golunski, the 1.4.23 version snapshot offered on Monday was still vulnerable. But another one was pushed out today, so it’s possible that the issue was finally, definitively fixed. Users can wait to update their installation until things become clearer, and in the meantime they can protect themselves by configuring their systems not to use Sendmail.
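The mechanism MITRE describes above, as an added example that is not SquirrelMail's code or either researcher's patch: an illustrative string-built sendmail command, in which a user-controlled sender address lands on the command line unchecked, beside a hardened version that validates the address and passes it as a single argv element without a shell. The regex, the rejection rules and the sample paths are this example's own assumptions.

```python
import re
import shlex

# Strict sender-address check applied before the address reaches the
# sendmail command line (assumed pattern for this example, not the check
# SquirrelMail uses): only plain local@domain is admitted, so whitespace,
# quotes or a leading '-' can never become extra argv entries or be read
# as an option such as -C.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_sender(addr: str) -> bool:
    """True only for a plain address; rejects anything option-shaped."""
    if len(addr) > 254 or addr.startswith("-"):
        return False
    return _ADDR_RE.fullmatch(addr) is not None


def vulnerable_command(addr: str) -> str:
    """Unsafe pattern: the address is interpolated verbatim into a shell
    string, so a value containing ' -C <file>' is split by the shell into
    an additional sendmail option pointing at a user-supplied config."""
    return f"/usr/sbin/sendmail -i -t -f{addr}"


def injected_argv(addr: str) -> list[str]:
    """What the shell would actually hand to sendmail for the unsafe form;
    used here to show the injected option arriving as its own argument."""
    return shlex.split(vulnerable_command(addr))


def hardened_argv(addr: str) -> list[str]:
    """Validated address passed as one argv element, never via a shell.
    Raises ValueError rather than launching sendmail with a bad sender."""
    if not is_safe_sender(addr):
        raise ValueError(f"rejected sender address: {addr!r}")
    return ["/usr/sbin/sendmail", "-i", "-t", "-f" + addr]
```

Running the hardened form with `subprocess.run(hardened_argv(addr))` keeps the list form end to end; the remaining mitigations Lesniewski lists (SMTP instead of Sendmail, locked attachment directory) still apply independently.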
Simon Kenin, a security researcher at Trustwave, was – by his own admission – being lazy the day he discovered an authentication vulnerability in his Netgear router. Instead of getting up out of bed to address a connection problem, he started fuzzing the web interface and discovered a serious issue. Kenin had hit upon unauth.cgi, code that was previously tied to two different exploits in 2014 for unauthenticated password disclosure flaws. The short version of the 2014 vulnerability is that an attacker can get unauth.cgi to issue a number that can be passed to passwordrecovered.cgi in order to receive credentials. Kenin tested the 2014 exploits and was able to get his password. The following day he started gathering other Netgear devices to test. While repeating the process, he made an error, but that didn't prevent him from obtaining credentials. That accidental discovery resulted in CVE-2017-5521. "After a few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what parameter you send. This is a totally new bug that I haven't seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models," Kenin explained in a recent blog post. There are at least ten thousand devices online that are vulnerable to the flaw that Kenin discovered, but he says the real number could reach the hundreds of thousands, or even millions.
"The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing. However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public Wi-Fi spaces like cafés and libraries using vulnerable equipment," Kenin wrote. Kenin reached out to Netgear and reported the problems, but it was no easy task. The first advisory listed 18 devices that were vulnerable, followed by a second advisory detailing an additional 25 models. A few months later, in June 2016, Netgear finally published an advisory that offered a fix for a small subset of the vulnerable devices, and a workaround for others. Eventually, Netgear reported that they were going to fix all the unpatched models. They also teamed up with Bugcrowd to improve their vulnerability handling process. Netgear has a status page on the vulnerability; they also provide a workaround for those who can't update their firmware yet. It wasn't until after the story ran that the PR firm representing Trustwave and pitching the research named Simon Kenin as the one who made the discovery. Netgear issued a statement, somewhat downplaying the discovery and reminding users that fixes are available for most of the impacted devices. The emailed comments are reprinted below:
NETGEAR is aware of the vulnerability (CVE-2017-5521) that has been recently publicized by Trustwave. We have been working with the security analysts to evaluate the vulnerability.
NETGEAR has published a knowledge base article from our support page, which lists the affected routers and the available firmware fix. Firmware fixes are currently available for the majority of the affected devices. To download the firmware release that fixes the password recovery vulnerability, click the link for the model and visit the firmware release page for further instructions.
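Detection logic for the endpoint behaviour Kenin describes, as an added example not taken from Trustwave's or Netgear's material: it walks constructed HTTP access records kept by a proxy or IDS in front of a router's admin interface and flags successful passwordrecovered.cgi responses, distinguishing the 2014 two-step pattern (unauth.cgi first) from the first-call pattern of CVE-2017-5521, and raising severity when the client is not on an RFC 1918 network, which is the "remote administration Internet facing" case Kenin warns about. The log format, addresses and timestamps are invented for this example.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample records: timestamp, client IP, method, path, status.
SAMPLE_LOG = """\
2017-01-30T10:00:01Z 192.168.1.23 GET /unauth.cgi 200
2017-01-30T10:00:02Z 192.168.1.23 GET /passwordrecovered.cgi?id=12345678 200
2017-01-30T10:05:40Z 203.0.113.9 GET /passwordrecovered.cgi?id=0 200
2017-01-30T10:06:00Z 192.168.1.50 GET /index.htm 200
2017-01-30T10:06:05Z 192.168.1.50 GET /passwordrecovered.cgi 401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^\s?]+)(?:\?\S*)? (\d{3})$")
SENSITIVE_PATHS = {"/unauth.cgi", "/passwordrecovered.cgi"}
# Explicit RFC 1918 check: ipaddress.is_private also counts documentation
# ranges such as 203.0.113.0/24, which we want treated as remote here.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Alert(NamedTuple):
    src: str
    path: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[tuple]:
    """Return (src, method, path, status) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, src, method, path, status = m.groups()
    return src, method, path, int(status)


def is_lan(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)


def detect(log_text: str) -> list[Alert]:
    """Only successful (200) hits on the sensitive endpoints are alerted;
    a passwordrecovered.cgi success with no earlier unauth.cgi call from
    the same client matches Kenin's 'first call' finding."""
    alerts, saw_unauth = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, _method, path, status = rec
        if path not in SENSITIVE_PATHS or status != 200:
            continue
        if path == "/unauth.cgi":
            saw_unauth.add(src)
            alerts.append(Alert(src, path, "medium", "unauth.cgi token request"))
            continue
        remote = not is_lan(src)
        pattern = ("two-step disclosure after unauth.cgi" if src in saw_unauth
                   else "first-call disclosure without unauth.cgi (CVE-2017-5521)")
        origin = "internet-facing client" if remote else "LAN client"
        alerts.append(Alert(src, path, "critical" if remote else "high", f"{pattern} from {origin}"))
    return alerts
```

A critical alert here is evidence that remote administration is reachable from the Internet, which is worth fixing with the vendor workaround even before the firmware update lands.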