primavera p6 security hacked

Just over a week ago, the city of San Francisco lost millions in revenue as a hacker’s attack left the city’s MUNI municipal transportation kiosk system completely inoperable.

The trains and buses were running, but everyone was rode for free for 2 days as IT experts struggled with a ransomware demand. All MUNI computer terminals displayed the “hacked” message: “Contact for key (,” the message read.

The hacker’s ransomware program had comprised thousands of PCs and servers at the SFMTA, encrypting their harddrive data, leaving it inaccessible without the single digital key that would unlock it all. The hacker demanded 100 Bitcoins, equivalent to $73,000 USD to release the key.

However, officials refused to pay.

Even after the hacker threatened to permanently delete 30 Gigabytes of data, officials called the hacker’s bluff and restored harddrives from backups to get systems up and running again.

What seems like a victorious outcome for SF wasn’t that rosy in the eyes of IT pundits.

“SF’s Transit Hack Could’ve Been Way Worse—And Cities Must Prepare,” was the headline on Wired Magazine.

What’s particularly interesting to us in this situation, is how the hacker was able to access Muni systems. The hacker, now known to authorities, actually admitted to SFMTA how he was able to thwart their security. It was through a vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) software.

He wrote, “Read this and install patch before you connect your server to internet again,” including this link to an Oracle Security Advisory page for Oracle WebLogic, the web engine that Primavera P6 EPPM runs on top of. The advisory outlines a known ‘weblogic unserialize exploit’ and was released in November 2015 to patch a hole in WebLogic that would allow remote code execution (this is techno-speak for run a malicious program without anyone knowing). It seems as though the staff at SFMTA were not keeping up with their patches.

Ransomware attacks of this nature have become commonplace with today’s complex IT infrastructure. Patching holes in critical systems is a full-time job.

In a strange twist, authorities were able to hack the hacker’s server and discovered his techniques and tools, not to mention an inbox that detailed his previous successful attacks on construction firms. The list included Pa. based Irwin & LeightonCDM Smith Inc. in Boston; Indianapolis-based Skillman; and the Rudolph Libbe Group, a construction consulting firm from Ohio. It’s not known if any of these firms paid a ransom to the hacker to regain access to their files.

The firms above are not large enough to make headlines when hacked, unlike recent victim San Francisco Muni. But it doesn’t detract from the fact that not only are large-sized firms constantly targeted, but small to medium companies are as well. If that’s you, then you need to ensure your protected from hackers who are savvy and know about potential vulnerabilities that you might be at risk for.

How to Strengthen Primavera P6 Security & Prevent Hackers

1. Don’t Use The Default Passwords

If there’s one thing I’ve learned over the years as Primavera P6 consultant, it’s that Primavera P6 administrators don’t much care for it’s security features. I would wager that most Primavera P6 installs around the world were put in place along with most of the default settings, many of which are not secure. Most don’t bother to go through the exercise of establishing proper security profiles or other measures.

Sometimes we think “it’s just project data, it’s not like it’s financial data.” True, but hackers can take advantage of any vulnerability regardless and are notorious for using any easy door in to gain further access and go deeper.

One of the main issues with Primavera P6 are the database user accounts that the application uses to connect to the database. There are 3 accounts in play here:

  • privuser
  • pubuser
  • admuser

By default, you’ll find that the passwords to these accounts match the account name – to the bane of many IT administrators. Anyone who knows these passwords can access your Primavera P6 data directly from the database. To boost up your security, get a dba to change these passwords and make them complex that someone won’t be able to guess them.

I would really recommend changing the default P6 admin user password as well. Anyone can guess it and by then, you might be in the headlines.

2. Apply Patches Regularly

I know, I know. Paying for support from Oracle is expensive and you don’t seem to get much! But how hard are you going to kick yourself when the ransomware hacker demands $65,000 to get your data back?

Patching your software and applying regular updates is going to keep your data secure. The situation in San Francisco couldn’t make it more clear. If the SFMTA had been regimented with patching their enterprise software, the whole thing might not have happened.

If you are an Oracle customer, it might be time to talk to them about how to gain access to their Oracle Support site and how stay on top of bugs that may be critical to your security. Even if you purchased software from Oracle or a partner, you may not have been granted access to Oracle Support.

Oracle’s Support site is where you can find a full list of bugs, patches, and other solutions to keep Primavera software humming along, and safe from malicious attacks.

3. Follow Oracle’s Critical Patch Advisories

Four time a year, Oracle issues critical patches to all of their products to their customers with valid support contracts. These occur on the 17th of the following months:

  • January 17th
  • April 17th
  • July 17th
  • October 17th

Get more information and subscribe to email alerts on their page.

These alerts could be very relevant to you, like this alert from Oct 2016’s Advisory, even if you don’t have a support contract.

For Primavera P6 EPPM admins, monitoring these alerts is even more important to maintaining the security of your Primavera P6 install, as EPPM relies on a webserver and Java; 2 platforms that could leave you vulnerable.

4. Set Regular Backups

San Francisco’s transit authority were able to avoid paying for the removal of their ransomware because they had backups. Backups can save you, and not only when you’ve been hacked. In terms of beefing up Primavera P6 security, setting up regular backups is about the smartest and cheapest thing you can do.

Most of us rely on database backups. IE: our dba has set our database to be backed up daily/weekly (hopefully not monthly!) and those backups are hopefully kept offsite or in the cloud for security. This is the typical enterprise approach.

But what if you’re running Primavera P6 locally? How are you doing backups?

What if your PC is hacked and ransomware is demanding you pay $30,000? Do you have a backup strategy to handle this conundrum and recover your P6 schedule?

What if your PC is hacked and ransomware is demanding $30,000? Do you have a backup strategy to handle this conundrum and recover your P6 schedule? – Michael Lepage

Well you should. Because it’s 110% more likely to occur than the database server crashing.

I’ve told my Plan Academy students how you can automate backups of Primavera P6 projects to an XER file. Databases still hold their data in files, so backing up an entire database is easier than you think – you can simply use Dropbox or any other cloud syncing tool to sync your database files to the cloud.

5. Lock Down Primavera P6’s Application Security

What do I mean when I say “lock down” P6 security?

There are a few thing involved in locking something down security-wise.

a) Scale Back Admin access: I recommend for installs of 5 or more, there should only be 1 or 2 accounts with administrator access. Anything more is too little control.

b) Scale Back User Privileges: Nobody likes to hear those words, and I know having minimum access might not help you get your job done. In any Enterprise environment, there should be restrictions on what actions users can do, and that list should not prohibit the user from being successful in using the tool.

c) Audit SDK & API Access: Is it still being used? Are these accesses secure and adequately password protected?

d) Is Everything Behind a Firewall? Firewalls prevent unauthorized access from outside the organization. If you’re using EPPM or any other web-based Primavera tool, is it behind the firewall or is it securely accessible from the outside via VPN or another secure solution?

It goes without saying – update your virus scanner, don’t click strange links from strange emails, get an adblocker for browsing the web and keep your OS up to date as well.

We’ve all been too lax with our view of security for Primavera P6. But as the city of San Francisco has shown us, being lazy or ignorant is going to cost you. Luckily, a good backup strategy saved them from the oversight of an uninstalled Primavera P6 patch.

I’ve provided some tips in this article, but I would also recommend you checkout these tips for avoiding ransomware courtesy of the FBI.


What is your experience with keeping Primavera P6 secure? Let me know in the comments.


primavera p6 eppm ondemand course