
Secplicity - Security Simplified

Powered by WatchGuard Technologies

The World’s Busiest Airport Shuts off Wi-Fi Amid a Ransomware Attack

March 23, 2018 By Ryan Orsi

Today the Wall Street Journal reported that Hartsfield-Jackson Atlanta International Airport shut off its public Wi-Fi service as a security precaution while a ransomware attack on the City of Atlanta was under way.  Early reports indicate that multiple city computers have had their files encrypted and held for ransom by the SamSam ransomware family.  The airport likely "pulled the plug" on its Wi-Fi to keep the attack from spreading to airport authority computers, airline computers, and possibly travelers' own devices.

Although travelers did not experience any disruption to their flights, they were surely puzzled to see the airport's Wi-Fi SSID disappear from their phones, tablets, and laptops.

The ransomware

Ransomware is a class of malware that encrypts the files on a computer so they cannot be used, then demands payment in exchange for the decryption key needed to restore them.  Typically the ransomware is hidden in, or packaged as, a legitimate-looking file or e-mail attachment that an unsuspecting victim opens, infecting the machine.  Such a file can reach a user's computer over any network path: Ethernet, cellular data, and of course Wi-Fi.

So what does ransomware have to do with Wi-Fi?

If ransomware reaches machines as malicious files, why would the airport shut off Wi-Fi when laptops, tablets, and phones simply fall back to cellular connectivity and remain exposed to those same files?  The answer is that Wi-Fi, unlike a wired or cellular link, is a shared radio medium that anyone within range can transmit on.  The network and security staff at Atlanta's airport understand that this makes Wi-Fi an easy way for a nearby attacker to insert malicious files, using simple, well-automated tools that perform man-in-the-middle (MITM) attacks against nearby clients.  It is worth noting that SamSam itself was not known to spread over Wi-Fi; the publicly documented SamSam intrusions began with brute-forced Remote Desktop Protocol (RDP) credentials or vulnerable Internet-facing servers, followed by hands-on lateral movement inside the victim's network.  Disconnecting Wi-Fi therefore removed one plausible avenue for an opportunist taking advantage of the chaos, rather than closing the malware's own entry vector.

Spreading malicious files, possibly ransomware, via man-in-the-middle Wi-Fi attacks

The airport's reasoning was that if an attacker wanted to push malicious files, ransomware included, onto airport authority computers joined to the airport Wi-Fi, it could be done, so they removed the possibility entirely.  Without going into too much detail, a Wi-Fi man-in-the-middle attack works like this: a nearby attacker broadcasts the same SSID as a legitimate access point, sometimes cloning its MAC address (BSSID) as well, creating an "Evil Twin" access point, often at a higher signal strength so that clients prefer it.  Devices associate with the Evil Twin without realizing that all of their traffic now passes through the attacker, who can serve a spoofed captive-portal splash page or tamper with the data stream to drop malicious files onto victims' machines.  Two caveats apply.  Properly validated HTTPS sessions cannot be silently modified by a man in the middle, so the realistic exposure is plaintext HTTP downloads, spoofed portal pages, and whatever the user can be tricked into installing.  And a device that auto-joins an open SSID it has used before will do so with no user interaction at all, which is exactly why a public SSID makes such a convenient twin.

Recommendations

Although being cautious during an active attack is entirely understandable, the world's busiest airport might have been comfortable leaving Wi-Fi in service had its buildings been covered by a Wireless Intrusion Prevention System (WIPS).  A WIPS continuously scans the air, compares every observed access point against the inventory of authorized ones, and flags (and can actively block) rogue and Evil Twin access points, keeping managed airport and airline devices associated only with legitimate APs and closing the man-in-the-middle path an attacker would need to spread ransomware this way.  Note that a WIPS protects the devices it manages; travelers' personal devices will still join whichever SSID they choose.  For more information on WIPS, see watchguard.com/wifi.  Beyond Wi-Fi, it is critically important to have proper network segmentation, perimeter security, and detection and response capabilities in place, so that a layered defense stands between an initial infection and the rest of the network.
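As an added illustration of the core check a WIPS applies when hunting for the Evil Twin described above (this is example code written for this page, not WatchGuard's product code), the following Python script classifies a list of observed beacon frames against a hypothetical inventory of authorized access points. The SSIDs, BSSIDs, channels and beacon records are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One observed 802.11 beacon frame, as a WIPS sensor would record it."""
    ssid: str
    bssid: str      # MAC address the AP transmits as
    channel: int
    rssi: int       # signal strength in dBm at the sensor
    security: str   # "open", "wpa2-psk" or "wpa2-enterprise"


# Hypothetical inventory of authorized (managed) access points, keyed by BSSID.
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "ATL-Staff", "channel": 36, "security": "wpa2-enterprise"},
    "00:11:22:33:44:02": {"ssid": "ATL-Free-WiFi", "channel": 1, "security": "open"},
}
MANAGED_SSIDS = {ap["ssid"] for ap in AUTHORIZED.values()}


def classify(beacon):
    """Classify a single beacon against the inventory.

    Returns (verdict, reason). Verdicts:
      authorized   - BSSID in inventory and SSID/channel/security match
      bssid-clone  - BSSID in inventory but advertised parameters differ
      evil-twin    - one of our SSIDs from a BSSID we do not own
      neighbor     - unrelated AP (another tenant, a hotspot, ...)
    """
    known = AUTHORIZED.get(beacon.bssid)
    if known is not None:
        diffs = [f for f in ("ssid", "channel", "security") if known[f] != getattr(beacon, f)]
        if diffs:
            # A real radio advertises one configuration per BSSID; a second,
            # conflicting one means someone else is transmitting as us.
            return "bssid-clone", "authorized BSSID seen with different " + ", ".join(diffs)
        return "authorized", "matches inventory"
    if beacon.ssid in MANAGED_SSIDS:
        # The classic Evil Twin: our SSID from a radio we do not manage.
        legit_security = {ap["security"] for ap in AUTHORIZED.values() if ap["ssid"] == beacon.ssid}
        reason = "unknown BSSID advertising managed SSID"
        if beacon.security not in legit_security:
            reason += f"; security downgraded to {beacon.security}"
        return "evil-twin", reason
    return "neighbor", "SSID not managed here"


def alerts(beacons):
    """Return only the findings a WIPS would alert on, strongest signal first."""
    findings = [(b, *classify(b)) for b in beacons]
    findings = [(b, v, r) for b, v, r in findings if v in ("evil-twin", "bssid-clone")]
    findings.sort(key=lambda t: t[0].rssi, reverse=True)
    return findings


# Constructed sample: what one sensor in a concourse might see during a scan.
SAMPLE_BEACONS = [
    Beacon("ATL-Staff", "00:11:22:33:44:01", 36, -55, "wpa2-enterprise"),
    Beacon("ATL-Free-WiFi", "00:11:22:33:44:02", 1, -60, "open"),
    Beacon("ATL-Staff", "de:ad:be:ef:00:01", 6, -35, "open"),        # Evil Twin: louder, and open
    Beacon("ATL-Free-WiFi", "00:11:22:33:44:02", 11, -40, "open"),   # our BSSID, wrong channel
    Beacon("CoffeeShop", "aa:bb:cc:dd:ee:ff", 11, -70, "wpa2-psk"),
]


if __name__ == "__main__":
    for b, verdict, reason in alerts(SAMPLE_BEACONS):
        print(f"{verdict:12} {b.bssid} ch{b.channel:<3} {b.rssi} dBm {b.ssid!r}: {reason}")
```

Inventory matching is the baseline, not the whole job. An attacker who clones the SSID, BSSID, channel and security settings exactly produces beacons this script cannot distinguish from the real AP, which is why a production WIPS also correlates across several sensors (the same BSSID arriving from two physical locations) and over time (a BSSID that appeared only minutes ago), and can send deauthentication frames to keep managed clients off the impostor.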
