Apparently Transport for London are dealing with a cyber security incident.
It’s buried on their website, not on the front page or news sections. https://tfl.gov.uk/campaign/cyber-security-incident
Conversation
Notices
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 03-Sep-2024 03:03:15 JST 
Kevin Beaumont
-
Embed this notice
Elliot Sandell (esandell@cyberplace.social)'s status on Tuesday, 03-Sep-2024 03:12:24 JST 
Elliot Sandell
@GossiTheDog @joshbal4 received via email alert as well.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 03-Sep-2024 03:27:19 JST
Kevin Beaumont
Orgs, you probably don’t want to email a million people at 6.30pm saying ‘whoopsie we have a happy little cyber incident’ with no actionable info as it will just spark concern and leave an information void for people to fill themselves.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 03-Sep-2024 17:13:58 JST
Kevin Beaumont
Transport for London has set the contactless sign in link to
Maintenance mode.Ryan Castellucci :nonbinary_flag: repeated this. -
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 03-Sep-2024 17:39:33 JST
Kevin Beaumont
Transport for London have a genuine internal security incident running and are reverting to paper processes. #threatintel
GreenSkyOverMe (Monika) repeated this. -
Embed this notice
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 03-Sep-2024 18:00:46 JST 
Ryan Castellucci :nonbinary_flag:
spins the wheel of incidents
Hmm. Ransomware.
camera cuts to wheel of incidents, it's mostly ransomware with a tiny sliver marked insider threat, a couple of sparkly "state actor" wedges and "hardware did a fucky wucky"
-
Embed this notice
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 03-Sep-2024 18:05:45 JST
Ryan Castellucci :nonbinary_flag:
@jjacobsson @GossiTheDog That'll be either ransomware or state actor tbh.
-
Embed this notice
Joacim Jacobsson (jjacobsson@mastodon.gamedev.place)'s status on Tuesday, 03-Sep-2024 18:05:46 JST 
Joacim Jacobsson
@ryanc @GossiTheDog somebody found a USB drive on the side walk and plugged it into their work laptop.
-
Embed this notice
dangercake (dangercake@mas.to)'s status on Tuesday, 03-Sep-2024 19:01:08 JST 
dangercake
@ryanc @GossiTheDog _"vendor did a fucky wucky"_ is beautiful, and from today I'll be looking for ways to use it in documentation 😂 https://attack.mitre.org/techniques/T1199/
-
Embed this notice
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Tuesday, 03-Sep-2024 19:01:08 JST
Ryan Castellucci :nonbinary_flag:
@dangercake @GossiTheDog TBH, I originally wrote "hardware" instead of "vendor", but "vendor" includes both hardware failures, us-east-1, and whatever nonsense clownstrike is up to.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 03-Sep-2024 21:30:49 JST
Kevin Beaumont
Transport for London have shut down outbound internet access and restricted systems inbound, eg they have cut off some Netscaler VPNs but left up others for home users.
They appear to be doing a containment. Unclear if ransomware so far as haven’t had time to crawl network traffic.. but it’s the containment steps you take for ransomware and extortion groups.
-
Embed this notice
grey (grey@infosec.exchange)'s status on Tuesday, 03-Sep-2024 23:59:46 JST 
grey
@GossiTheDog TFL's internal IT helpdesk for employees is saying that there is a "widespread IT issue...impacting all IT systems, services, and applications"
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 04-Sep-2024 03:33:08 JST
Kevin Beaumont
Looked into this, the TfL API server for tube data is down (has been for about a day) https://rouge.eu.org/@jfparis/113075038253616195
#threatintel -
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 05-Sep-2024 04:57:47 JST
Kevin Beaumont
The Transport for London cyber incident is still ongoing.
The attackers onto the corporate network, which is currently contained.
The operational (ICS) network wasn’t reached so services to customers continue uninterrupted.
Boundary internet services often offline, VPN restricted to home users, ERP systems, API systems etc offline.
-
Embed this notice
Bernard Quatermass (quatermasstools@infosec.exchange)'s status on Thursday, 05-Sep-2024 19:26:01 JST 
Bernard Quatermass
@GossiTheDog my traintrackr board looks so sad without all the data.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 05-Sep-2024 19:31:24 JST
Kevin Beaumont
If anybody is interested, the Transport for London cyber incident is still ongoing 3 days later - systems remain contained.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 05-Sep-2024 19:43:00 JST
Kevin Beaumont
Two of the systems shut down 😅 https://beta.shodan.io/host/195.40.85.10
-
Embed this notice
Tony Hoyle (tony@toot.hoyle.me.uk)'s status on Thursday, 05-Sep-2024 19:44:37 JST 
Tony Hoyle
@GossiTheDog It's always fascinated me that large networks take so long to deal with that stuff. My disaster recovery plan for such an event is to shut everything down and reimage/recover the backups.. obviously spend a bit of time first to find out how they got in but not *too* much because people gotta work.
Clearly there's a reason it takes that long, it's just outside my experience.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 06-Sep-2024 20:02:46 JST
Kevin Beaumont
If anybody is wondering, Transport for London are still in containment 5 days in #tfl #threatintel
-
Embed this notice
DJGummikuh (djgummikuh@mastodon.social)'s status on Friday, 06-Sep-2024 20:40:30 JST 
DJGummikuh
@GossiTheDog what exactly does that mean - who is in control of their infrastructure? and does that mean that the attack is still ongoing?
-
Embed this notice
DJGummikuh (djgummikuh@mastodon.social)'s status on Friday, 06-Sep-2024 20:45:25 JST
DJGummikuh
@GossiTheDog ok so the battle IS still raging there and they don't have positive control of their infrastructure?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 07-Sep-2024 00:25:02 JST
Kevin Beaumont
Update on Transport for London incident.
I can see prior traffic from their network to a crimeware group. #tfl #threatintel
-
Embed this notice
Moritz Dietz (moritzdietz@mastodon.social)'s status on Saturday, 07-Sep-2024 01:01:09 JST 
Moritz Dietz
@GossiTheDog do they have to eventually reported publicly what is happening?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 09-Sep-2024 06:36:08 JST
Kevin Beaumont
Transport for London are still in containment phase, 7 days into their cyber incident.
Hopefully it focuses minds on boards who believe large scale cyber incidents can be resolved in a day. #tfl #threatintel
-
Embed this notice
secureisd (secureisd@infosec.exchange)'s status on Monday, 09-Sep-2024 07:06:03 JST 
secureisd
@GossiTheDog Do we see m/any lessons learned in resilience strategies from any of these incidents?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 11-Sep-2024 03:43:01 JST
Kevin Beaumont
Day 9 of the Transport for London incident
Two updates
- I’ve confirmed they’re still in containment phase, and internal services and API remain down.
- @zackwhittaker has an excellent spot - they’ve removed the statement about no evidence of customer data exfiltration, and then not commented when asked about it. https://techcrunch.com/2024/09/10/londons-transit-agency-drops-claim-it-has-no-evidence-of-customer-data-theft-after-hack/
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 12-Sep-2024 22:31:57 JST
Kevin Beaumont
Transport for London tell me they have identified data exfiltration of customer names, contact details, email addresses, and - in a small number of cases - bank account numbers and sort codes. #tfl #threatintel
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 12-Sep-2024 22:50:43 JST
Kevin Beaumont
The NCA have arrested a teenager over the Transport for London hack HT @mattburgess #tfl #threatintel
-
Embed this notice
kurtseifried (he/him) (kurtseifried@infosec.exchange)'s status on Thursday, 12-Sep-2024 23:19:25 JST 
kurtseifried (he/him)
@GossiTheDog @mattburgess I like how the whole #infosec world largely ignore the fact of the teenagers can completely stomp these large companies, let alone organized crime, let alone a nation state.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 13-Sep-2024 00:53:50 JST
Kevin Beaumont
For any press covering the #TfL hack - the 5000 bank accounts is separate to the customer names, emails and home addresses bit.
TfL didn't say how many people's details overall were accessed.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 13-Sep-2024 01:06:57 JST
Kevin Beaumont
One of the things TfL have done in their containment phase is locked their IT staff's accounts, who aren't working on recovery -- and they're working to manually reauthenticate who their staff are, i.e. check their identities.
In entirely unrelated (👀) news, teenagers in LAPSUS$ and Scattered Spider often obtain access by calling up the helpdesk and saying they've lost their phone for MFA and/or forgot their password.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 13-Sep-2024 18:57:37 JST
Kevin Beaumont
Transport for London latest - they are resetting the login and MFA details for 30,000 employees in person, accounts are locked. #TfL #threatintel
-
Embed this notice
jaark (jaark@infosec.exchange)'s status on Friday, 13-Sep-2024 19:07:14 JST 
jaark
@GossiTheDog am I reading the last bit right.. That they are not allowing people to work from tfl offices (but presumably able to wfh)?
Seems the opposite of what I expected.
-
Embed this notice
DeterioratedStucco (softwaretheron@mas.to)'s status on Friday, 13-Sep-2024 19:18:38 JST 
DeterioratedStucco
@BernardSheppard @jaark @GossiTheDog
If that's correct, then IMO and with no inside knowledge:Compromised access via the networks serving specific locations. Not necessarily the locations themselves.
Traffic management springs to mind.
-
Embed this notice
Bernard Sheppard (bernardsheppard@mastodon.au)'s status on Friday, 13-Sep-2024 19:18:48 JST 
Bernard Sheppard
@jaark @GossiTheDog Seems to imply that, in order to secure their network, they have had to remove *access* to their network from some offices / locations. Which implies?
-
Embed this notice
Richard Bairwell (rbairwell@mastodon.org.uk)'s status on Friday, 13-Sep-2024 19:20:07 JST 
Richard Bairwell
@GossiTheDog I don't get the "non-permanent employees...must bring in a credit/debit cars" bit. What does that prove? Asking them to bring proof of a recent payment from TFL/affiliates (payslip) would be better. And isn't the hardware they are bringing on to be authorised asset tagged which would count as some sort of proof?
-
Embed this notice
jaark (jaark@infosec.exchange)'s status on Friday, 13-Sep-2024 19:27:09 JST
jaark
@GossiTheDog @SoftwareTheron @BernardSheppard
And I guess it is easier to verify and lock down a citric environment that most people can use, rather than god knows how many offices that will have to be checked individually. -
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 13-Sep-2024 21:08:16 JST
Kevin Beaumont
The #TfL queue to get account access back #threatintel
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 13-Sep-2024 22:43:23 JST
Kevin Beaumont
FWIW I’ve heard the TfL incident is Scattered Spider again, in a surprise to nobody. #TfL #threatintel
-
Embed this notice
cR0w (cr0w@infosec.exchange)'s status on Friday, 13-Sep-2024 22:55:13 JST 
cR0w
@GossiTheDog In before the 1337 INFOSEC nerds denigrate them as "script kiddies" again despite being more effective than the "professionals" ever will be.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 14-Sep-2024 01:43:31 JST
Kevin Beaumont
Btw, I think Transport for London have done a really good job containing this. It would have been much worse, one suspects, had they not.
It sucks for staff but they prioritised customer service (i.e. transport) and safety over short term recovery, and that is very likely the correct pivot. I've seen these things go the opposite direct when orgs under react and it often ends really poorly.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 14-Sep-2024 01:47:39 JST
Kevin Beaumont
@mhoye yeah, they basically totalled their usual IT setup to get the threat actor out and keep (transport) service running. Literally locked 30k accounts and shut down internet, 13 days ago.
-
Embed this notice
mhoye (mhoye@mastodon.social)'s status on Saturday, 14-Sep-2024 01:47:40 JST 
mhoye
@GossiTheDog I’m coincidentally in London this week and while I’m sure the IT staff are having the worst week they can remember I haven’t seen a single notice of tube closure anywhere, or even heard a person mention outside of infosec circles mention it.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 15-Sep-2024 01:42:59 JST
Kevin Beaumont
Message from head of Transport for London to staff about their cyber incident, sent out to staff via WhatsApp. #tfl #threatintel
-
Embed this notice
MeaTLoTioN (meatlotion@mas.erb.pw)'s status on Sunday, 15-Sep-2024 03:08:37 JST 
MeaTLoTioN
@GossiTheDog is it just me or is there no sound?
-
Embed this notice
Matt Hardy (technicaladept@awscommunity.social)'s status on Sunday, 15-Sep-2024 03:09:33 JST 
Matt Hardy
@GossiTheDog As soon as I heard that a teenager from Walsall has been arrested for this, I started the countdown to the attack being described as "sophisticated"
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 19-Sep-2024 04:57:47 JST
Kevin Beaumont
Transport for London on if this was a ransomware or extortion group: “It is not appropriate to comment on this while the investigation is ongoing.”
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 19-Sep-2024 04:59:31 JST
Kevin Beaumont
Transport for London say they have completed containment stage of their cyber incident and are on their way through recovery. #tfl #threatintel
-
Embed this notice
All GNU social JP content and data are available under the