BALTIMORE — The hack that forced Baltimore ’ s 911 dispatch system to be temporarily shut down over the weekend was a ransomware attack, Attack.Ransom city officials said Wednesday . Such a ttacks Attack.Ransom — another of which occurred in Atlanta last week — take over parts of private or municipal computer networks and then d emand payment, Attack.Ransom or r ansom, Attack.Ransom for their release . Frank Johnson , chief information officer in the Mayor ’ s Office of Information Technology , said he was not aware of any specific r ansom request Attack.Ransom made by the hackers of Baltimore ’ s network , but federal authorities are investigating . “ The systems and the software and the files are all being investigated by the FBI right now , ” Johnson said . No personal data of city residents w as compromised, Attack.Databreach he added . Dave Fitz , an FBI spokesman , could not be reached Wednesday . On Tuesday , Fitz said the agency was aware of the breach and providing assistance to the city , but otherwise declined to comment . The attack infiltrated a server that runs the city ’ s computer-aided dispatch , or CAD , system for 911 and 311 calls . The system automatically populates 911 callers ’ locations on maps and dispatches the closest emergency responders there more seamlessly than is possible with manual dispatching . It also relays information to first responders in some cases and logs information for data retention and records . The breach shut down the CAD system from Sunday morning until Monday morning , forcing the city to revert to manual dispatching during that time . While the city ’ s 911 calls are normally recorded online on Open Baltimore , the city dispatch logs stopped recording them at 9:54 a.m. Sunday and didn ’ t resume recording them again until 7:42 a.m. Monday . Johnson said the attack was made possible after a city information technology team troubleshooting a separate communications issue with the server inadvertently changed a firewall and left a port , or a channel to the Internet , open for about 24 hours , and hackers who were likely running automated scans of networks looking for such vulnerabilities f ound Vulnerability-related.DiscoverVulnerability it and gained access . The Baltimore hack comes amid increasing hacking of municipal systems across the country , and follows one in Atlanta last week that paralyzed that city ’ s online bill-payment system , with hackers d emanding Attack.Ransom a $ 51,000 p ayment Attack.Ransom in bitcoin to unlock it . T hat attack Attack.Ransom occurred Thursday , and Atlanta employees only turned their computers back on Tuesday . Johnson said his office works diligently to prevent cyberattacks and is looking to invest more in safeguarding its networks . Baltimore also faced cyberattacks during the unrest in 2015 , when its website was taken offline . Johnson said he was unaware of any other successful attacks on the city ’ s networks . He said the city would be obligated to disclose any a ttacks Attack.Databreach that c ompromised Attack.Databreach residents ’ personal information , health information or crime data . Johnson said he feels the city recovered well from the breach once it was identified , but that he did not want to go into detail about what was done lest he expose the city to more attacks . The city has a $ 2.5 million contract with TriTech Software Systems to maintain its CAD software and provide “ technical support services to ensure the functional integrity ” of the city ’ s CAD system . Scott MacDonald , TriTech ’ s vice president of public safety strategy , said the company worked with city IT personnel to shut down the CAD software after the attack . The breach was not related to the company ’ s software , MacDonald said . “ Our techs connected and worked with the IT staff there , and the CAD system was taken down manually , in combination between our staff and theirs , while the servers could be troubleshooted by the city . ”

The exploit , which h as now been patched, Vulnerability-related.PatchVulnerability affected customers banking with hundreds of financial institutions US-based financial services firm Fiserv h as just fixed Vulnerability-related.PatchVulnerability a flaw in its web platform that exposed the personal and financial details of a vast number of banking customers . With more than 12,000 clients across the world using the company 's services , it is hard to establish how many customers ' details w ere exposed Attack.Databreach in the 'information disclosure vulnerability ' f ound Vulnerability-related.DiscoverVulnerability by security researcher Kristian Erik Hermansen . When logging into his local bank , which uses Fiserv 's platform , Hermansen learned email alerts for financial transactions were assigned an 'event number ' , which he successfully predicted were distributed in sequence , according to KrebsOnSecurity . Using this knowledge , the researcher was able to directly view alerts set up by another customer by rewriting the site 's code in his browser and sending a request for an altered event number . He was able to view the customer 's email address , phone number and bank account number - as well as view and edit alerts they had previously set up . `` I should n't be able to see this data , '' he said . `` Anytime you spend money that should be a private transaction between you and your bank , not available for everyone else to see . '' He added a criminal could have exploited the flaw to s teal Attack.Databreach information from customers . Together with KrebsOnSeceurity author Brian Krebs , Hermansen worked to v erify Vulnerability-related.DiscoverVulnerability whether or not the flaw was exclusive to his own bank 's installation of the platform . They soon d iscovered Vulnerability-related.DiscoverVulnerability hundreds of other Fiserv-affiliated banks may h ave been just as vulnerable Vulnerability-related.DiscoverVulnerability as those they had tested . IT Pro approached Fiserv for comment , and to establish how many institutions in the UK may have been affected , if any , but the company did not respond at the time of writing . A spokesperson told Krebs that Fiserv had responded accordingly , and c orrected Vulnerability-related.PatchVulnerability the issue . `` After receiving your email , we promptly engaged appropriate resources and worked around the clock to research and remediate the situation , '' the spokesperson said . `` We d eveloped Vulnerability-related.PatchVulnerability a security patch within 24 hours of receiving notification and d eployed Vulnerability-related.PatchVulnerability the patch to clients that utilise a hosted version of the solution . We w ill be deploying Vulnerability-related.PatchVulnerability the patch this evening to clients that utilise an in-house version of the solution . '' While information disclosure vulnerabilities are among the most common types of website security issues , according to Krebs , they are also the most preventable and easy to f ix. Vulnerability-related.PatchVulnerability But they can also cause just as much damage to a company 's brand as more severe security risks .

After observing attacks on customers , Cisco is telling users to i nstall Vulnerability-related.PatchVulnerability the fix for a recently disclosed denial-of-service flaw a ffecting Vulnerability-related.DiscoverVulnerability a number of its security appliances . The flaw , t racked as Vulnerability-related.DiscoverVulnerability CVE-2018-0296 , was detailed in an advisory on June 6 and a ffects Vulnerability-related.DiscoverVulnerability Cisco ASA Software and Cisco Firepower Threat Defense ( FTD ) Software . `` Cisco strongly recommends that customers u pgrade Vulnerability-related.PatchVulnerability to a fixed software release to r emediate Vulnerability-related.PatchVulnerability this issue , '' Omar Santos of Cisco 's Product Security Incident Response Team w arned Vulnerability-related.DiscoverVulnerability on June 22 . The attacks follow the publication of proof-of-concept exploits for the flaw . Santos n otes Vulnerability-related.DiscoverVulnerability that a unauthenticated , remote attacker could cause a device to reload unexpectedly and cause a denial-of-service ( DoS ) condition . Additionally , an exploit could cause a DoS or unauthenticated disclosure of information . However , Santos said : `` Only a denial-of-service condition ( device reload ) has been observed by Cisco . '' Cisco h as also updated Vulnerability-related.PatchVulnerability the advisory for CVE-2018-0296 with details about the attacks . The researcher who f ound Vulnerability-related.DiscoverVulnerability the flaw , Michał Bentkowski from Polish security firm Securitum , gave a brief description of the root cause in a tweet shortly after Cisco d isclosed Vulnerability-related.DiscoverVulnerability the bug . Bentkowsky r eported Vulnerability-related.DiscoverVulnerability the issue to Cisco as a way to use directory-traversal techniques to disclose information to an unauthenticated attacker . Cisco labeled its primary impact as a DoS condition , but said it is possible that on certain releases of ASA a device reload would not occur , yet still allow an attacker to use directory-traversal techniques to view sensitive system information . Bleeping Computer i dentified Vulnerability-related.DiscoverVulnerability two proof-of-concept exploits for CVE-2018-0296 on GitHub . One attempts to e xtract Attack.Databreach user names from Cisco ASA . The other states : `` If the web server is vulnerable , the script will dump in a text file both the content of the current directory , files in +CSCOE+ and active sessions . ''

For weeks , perhaps months , hackers could take control of a victim 's ' computer , or install malware on it , just by tricking them into opening a booby-trapped document , thanks to a critical `` zero-day '' bug in most versions of Microsoft Word . When bugs a re unknown Vulnerability-related.DiscoverVulnerability to the vendor , and s till unpatched, Vulnerability-related.PatchVulnerability they 're called zero-days . That 's their value : they will work no matter what , as there 's no fix for them . Criminal hackers , as well as hackers working for governments , sometimes use zero-days , but it 's rare for the same zero-day exploit to be used by both groups . Somehow , however , that 's what happened with that Microsoft Word zero-day . The exploit was used by government hackers , likely inside Russia , to target victims and infect them with the infamous FinFisher spyware since at least late January . The same exploit , according to security firm FireEye , was also used by a criminal gang spreading malware known as Latentbot in March . To add even more mystery to the mix , it appears that multiple researchers independent of each other f ound Vulnerability-related.DiscoverVulnerability the original bug on which the exploit was developed . When Microsoft p atched Vulnerability-related.PatchVulnerability it on Tuesday , it credited three researchers , as well as its own internal teams . That 's not unheard of , but as a recent study pointed out , it 's rare for different teams or researchers to find the same bug , something that 's known as `` bug-collision . '' Ryan Hanson , a security researcher , c laimed Vulnerability-related.DiscoverVulnerability in a tweet that he o riginally found Vulnerability-related.DiscoverVulnerability it in July and d isclosed Vulnerability-related.DiscoverVulnerability it to Microsoft in October . Hanson did not respond to a request for comment , but Motherboard was able to confirm this timeline . For some reason , however , Microsoft did n't p atch Vulnerability-related.PatchVulnerability it until this week . ( For example , previous office bugs f ound Vulnerability-related.DiscoverVulnerability by Google Project Zero g ot patched Vulnerability-related.PatchVulnerability within 90 days . ) The company said in a statement that they heard of a `` small number '' of targeted attacks in the wild using the exploit `` approximately one month ago , '' and added that there were no widespread attacks until McAfee d isclosed Vulnerability-related.DiscoverVulnerability the bug publicly last Saturday . `` This was a complex investigation that took time to thoroughly investigate and patch , '' a Microsoft spokesperson told Motherboard . `` We performed an investigation to identify other potentially similar methods , and ensure that o ur fix addresses Vulnerability-related.PatchVulnerability more than just t he issue reported. Vulnerability-related.DiscoverVulnerability `` It 's unclear who developed the exploit used to spread FinFisher and Latentbot , but it 's possible that the same developer sold it to both groups . `` I think whoever sells to FinFisher also does blackmarket business , '' said John Hultquist , a researcher at FireEye . `` Talent , tools , and techniques move between espionage , criminal , and hacktivist worlds . '' As the CEO of Hacking Team , a company that used to buy zero-day exploits , once said , `` exclusive zero-days do n't exist . '' `` Talent , tools , and techniques move between espionage , criminal , and hacktivist worlds . '' A source who works in the surveillance technology industry said that FinFisher buys exploits from private researchers as well as from Zerodium , a well-known exploit seller . The source , who asked to remain anonymous , said FinFisher recently offered access to an exploit subscription portal that seemed similar to what Zerodium 's predecessor , Vupen , used to offer . Zerodium 's founder Chaouki Bekrar declined to comment . ( FinFisher did not respond to a request for comment . )

For weeks , perhaps months , hackers could take control of a victim 's ' computer , or install malware on it , just by tricking them into opening a booby-trapped document , thanks to a critical `` zero-day '' bug in most versions of Microsoft Word . When bugs a re unknown Vulnerability-related.DiscoverVulnerability to the vendor , and s till unpatched, Vulnerability-related.PatchVulnerability they 're called zero-days . That 's their value : they will work no matter what , as there 's no fix for them . Criminal hackers , as well as hackers working for governments , sometimes use zero-days , but it 's rare for the same zero-day exploit to be used by both groups . Somehow , however , that 's what happened with that Microsoft Word zero-day . The exploit was used by government hackers , likely inside Russia , to target victims and infect them with the infamous FinFisher spyware since at least late January . The same exploit , according to security firm FireEye , was also used by a criminal gang spreading malware known as Latentbot in March . To add even more mystery to the mix , it appears that multiple researchers independent of each other f ound Vulnerability-related.DiscoverVulnerability the original bug on which the exploit was developed . When Microsoft p atched Vulnerability-related.PatchVulnerability it on Tuesday , it credited three researchers , as well as its own internal teams . That 's not unheard of , but as a recent study pointed out , it 's rare for different teams or researchers to find the same bug , something that 's known as `` bug-collision . '' Ryan Hanson , a security researcher , c laimed Vulnerability-related.DiscoverVulnerability in a tweet that he o riginally found Vulnerability-related.DiscoverVulnerability it in July and d isclosed Vulnerability-related.DiscoverVulnerability it to Microsoft in October . Hanson did not respond to a request for comment , but Motherboard was able to confirm this timeline . For some reason , however , Microsoft did n't p atch Vulnerability-related.PatchVulnerability it until this week . ( For example , previous office bugs f ound Vulnerability-related.DiscoverVulnerability by Google Project Zero g ot patched Vulnerability-related.PatchVulnerability within 90 days . ) The company said in a statement that they heard of a `` small number '' of targeted attacks in the wild using the exploit `` approximately one month ago , '' and added that there were no widespread attacks until McAfee d isclosed Vulnerability-related.DiscoverVulnerability the bug publicly last Saturday . `` This was a complex investigation that took time to thoroughly investigate and patch , '' a Microsoft spokesperson told Motherboard . `` We performed an investigation to identify other potentially similar methods , and ensure that o ur fix addresses Vulnerability-related.PatchVulnerability more than just t he issue reported. Vulnerability-related.DiscoverVulnerability `` It 's unclear who developed the exploit used to spread FinFisher and Latentbot , but it 's possible that the same developer sold it to both groups . `` I think whoever sells to FinFisher also does blackmarket business , '' said John Hultquist , a researcher at FireEye . `` Talent , tools , and techniques move between espionage , criminal , and hacktivist worlds . '' As the CEO of Hacking Team , a company that used to buy zero-day exploits , once said , `` exclusive zero-days do n't exist . '' `` Talent , tools , and techniques move between espionage , criminal , and hacktivist worlds . '' A source who works in the surveillance technology industry said that FinFisher buys exploits from private researchers as well as from Zerodium , a well-known exploit seller . The source , who asked to remain anonymous , said FinFisher recently offered access to an exploit subscription portal that seemed similar to what Zerodium 's predecessor , Vupen , used to offer . Zerodium 's founder Chaouki Bekrar declined to comment . ( FinFisher did not respond to a request for comment . )