Back-to-Back Air India Attacks Indicating More than Just a Data Breach?

The airline industry is on the brink of a supply chain attack from threat groups like APT41. Here is our analysis of the vulnerabilities that APT41 uses for such attacks.

In early June 2021, Air India disclosed a cyber assault on its network that began in February 2021, two months before the attack was identified. This disclosure came in the wake of a data breach announced in May 2021 as a result of an attack on SITA—an air travel solutions software popularly used by 90% of the world’s travel industry.

The events compromised around 10 years’ worth of data, with the personal information and credit card details of 4.5 million passengers exposed to the dark web. The attacks were traced back to a Chinese state-sponsored APT group, APT41, although the events are believed to be two separate incidents.

Could Air India Have Avoided the Attacks?

According to our research findings, there are 20 vulnerabilities associated with the APT41 threat group. If these vulnerabilities had been patched, both attacks could have been avoided.

Securin warned about 15 of these vulnerabilities as part of its Cyber Risk in Working Remotely (June 2020) and Ransomware Reports published in February and May 2021.

APT41—Analysis

We have been tracking Advanced Persistent Threat (APT) groups, their tactics and techniques, and the vulnerabilities they use to target their victims. Here are our findings.

The threat actor behind the Air India and SITA attacks, APT41, has been out in the open since October 2012 and is of Chinese origin. It is also known as Bronze Atlas, Red Kelpie, Wicked Panda, Blackfly, Winnti, or Barium, and our research has uncovered 20 vulnerabilities that APT41 exploits to mount attacks.  

The analysis by Securin’s researchers indicates that the APT41 group prefers victim-specific multistage attacks, favoring the use of the Maze ransomware to take control and create maximum disruption.

APT41—Cheat Sheet

  • Exploits

    • All 20 CVEs are weaponized.

    • Two of these vulnerabilities have both Remote Code Execution (RCE) and Privilege Escalation (PE) capabilities.

    • Sixteen vulnerabilities are linked to RCE exploits, making them critical for patches.

  • Severity Scores 

    • Nine vulnerabilities are critical according to CVSS V3 rating, with scores of 9.8 and above.

    • Eight vulnerabilities fall under the high severity bracket.

    • CVE-2017-0213 has a medium severity score of 4.7 based on CVSS V3 but has associated exploits.

    • This indicates a need to approach vulnerabilities with associated risks while prioritizing them for patches rather than focusing only on the severity.

  • The Year of Discovery

    • There are 16 vulnerabilities that were discovered in 2020 and earlier, of which six are recently trending. This includes a vulnerability as old as 2012, CVE-2012-0158.

    • Interestingly, CVE-2012-0158 was listed as one of the Department of Homeland Security’s Top 30 Targeted High-Risk Vulnerabilities/Top 30 Most Commonly Exploited Vulnerabilities. CISA also listed this in the Top 10 Routinely Exploited Vulnerabilities in 2020.

    • The list includes four new vulnerabilities identified in March 2021, three of which are currently trending.

  • Products and Vendors

    • Eleven of these vulnerabilities exist across Microsoft products.

    • Multiple groups have repeatedly exploited a Citrix vulnerability (CVE-2019-19781) and another Pulse Secure vulnerability (CVE-2019-11510)—pet favorites of threat actors.

    • A notable mention is CVE-2020-10189, which exists in versions of the Zoho Corp ManageEngine Desktop Central, a SaaS-based endpoint management solution. We have observed threat actors increasingly exploiting vulnerabilities in SaaS products, a trend that was recorded in Securin’s Ransomware Spotlight Report.

  • Patches

    • Nineteen CVEs have patches that should be applied as a priority.

    • The list includes CVE-2019-16920, associated with end-of-life D-Link firmware. The vendor recommends upgrading to the latest device series as soon as possible.

  • Weaknesses

    • The vulnerabilities belong to a mixed bag of weaknesses that result in improper authentication, control, restriction, or the mismanagement of data.

    • Of these, five weaknesses feature in MITRE’s top 10 weaknesses of 2020, three in the top 20, and two CWEs in the top 30 list.
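To illustrate the prioritization point made in the cheat sheet (risk signals alongside severity), here is an added example of a risk-weighted patch ranking; it is not code from the Securin report, the weights are arbitrary, and every attribute other than CVE-2017-0213’s CVSS score of 4.7 is constructed for illustration, with CVE-EXAMPLE-0001 a placeholder identifier.

```python
# Added example, not from the Securin report: rank CVEs for patching by
# combining CVSS severity with exploitation evidence, so that a weaponized
# medium-severity CVE (CVE-2017-0213, CVSS 4.7) is not buried below an
# unexploited high-severity one. Weights are arbitrary; every attribute
# other than that 4.7 score is constructed for illustration.
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    cvss: float                 # CVSS v3 base score
    weaponized: bool            # a public exploit exists and is in use
    rce: bool = False           # enables remote code execution
    pe: bool = False            # enables privilege escalation
    trending: bool = False      # currently trending among threat actors
    cisa_listed: bool = False   # on a CISA routinely-exploited list


def risk_score(v: Vuln) -> float:
    """Severity is the baseline; exploit evidence multiplies and adds to it."""
    score = v.cvss * (2.0 if v.weaponized else 1.0)
    score += 3.0 if v.rce else 0.0
    score += 1.5 if v.pe else 0.0
    score += 2.0 if v.trending else 0.0
    score += 2.0 if v.cisa_listed else 0.0
    return round(score, 2)


def by_cvss_only(vulns):
    """Naive ordering: highest base score first."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def by_risk(vulns):
    """Risk-aware ordering: highest risk_score first."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]


# Constructed sample set; only CVE-2017-0213's score comes from the report.
SAMPLE = [
    Vuln("CVE-2017-0213", 4.7, weaponized=True, pe=True),
    Vuln("CVE-2020-0796", 10.0, weaponized=True, rce=True, trending=True),
    Vuln("CVE-2012-0158", 8.8, weaponized=True, rce=True, cisa_listed=True),
    Vuln("CVE-EXAMPLE-0001", 7.5, weaponized=False),  # placeholder, no exploit
]

if __name__ == "__main__":
    print("CVSS only :", by_cvss_only(SAMPLE))
    print("Risk-aware:", by_risk(SAMPLE))
```

Under the CVSS-only ordering CVE-2017-0213 lands last; under the risk-aware ordering the unexploited placeholder does, which is the behaviour the cheat sheet argues for.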

Attack Methodology

The seed for the Air India attacks was sown way back in December 2020. The attackers deployed Cobalt Strike payloads after compromising the network, spreading the payload to other devices within 24 hours. The attackers then established persistence, obtained passwords, and began to make their way laterally across the network. At least 20 devices were compromised, one of which was responsible for communicating with the Cobalt Strike payloads since February 2021.

According to research, the attackers exfiltrated NTLM hashes and plaintext passwords from local workstations using hashdump and Mimikatz and tried to escalate local privileges with the help of the BadPotato malware.
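As a detection-side illustration of the months-long Cobalt Strike communication described above, here is an added example (not code from the Securin analysis) that flags flows whose outbound connections recur at near-constant intervals in proxy logs; the log lines, hosts, destinations and paths are all constructed placeholders.

```python
# Added example, not from the Securin report: flag flows whose outbound
# connections recur at near-constant intervals, the footprint a long-lived
# Cobalt Strike beacon leaves in proxy or firewall logs. The log lines are
# constructed; hosts, destinations and paths are placeholders.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp src dst port method path
SAMPLE_LOG = """\
2021-02-03T09:00:00 10.10.5.21 203.0.113.7 443 GET /updates/check
2021-02-03T09:01:00 10.10.5.21 203.0.113.7 443 GET /updates/check
2021-02-03T09:02:01 10.10.5.21 203.0.113.7 443 GET /updates/check
2021-02-03T09:03:00 10.10.5.21 203.0.113.7 443 GET /updates/check
2021-02-03T09:04:00 10.10.5.21 203.0.113.7 443 GET /updates/check
2021-02-03T09:00:05 10.10.5.40 198.51.100.9 443 GET /news
2021-02-03T09:17:42 10.10.5.40 198.51.100.9 443 GET /sports
2021-02-03T09:18:03 10.10.5.40 198.51.100.9 443 GET /weather
2021-02-03T10:02:19 10.10.5.40 198.51.100.9 443 GET /news
"""


def group_flows(log: str):
    """Collect connection timestamps per (src, dst, port) flow."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, port, *_ = line.split()
        flows[(src, dst, port)].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(log: str, min_events: int = 4, max_cv: float = 0.2):
    """Return (src, dst, port, mean_interval_s) for flows whose inter-arrival
    times are too regular to be human browsing: coefficient of variation
    (stdev / mean) at or below max_cv over at least min_events connections."""
    hits = []
    for key, times in group_flows(log).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((*key, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, port, interval in beacon_candidates(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} every ~{interval}s (possible beacon)")
```

Beacons configured with a large sleep jitter raise the coefficient of variation, so in practice the threshold is tuned per environment and combined with other signals such as destination reputation and data volume.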

Global Analysis

Global exposure analysis of the CVEs using Shodan shows more than 100,000 instances overall that could be vulnerable to attacks by the threat group. CVE-2020-0796, the wormable SMBleeding Ghost vulnerability, exposes over 90,000 deployments across the world to the risk of an attack. This comes as no surprise, considering it alarmed the cybersecurity community last March with a PoC exploit that targeted millions of Windows devices.

CVEs covered in the exposure analysis: CVE-2019-11510, CVE-2019-1652, CVE-2019-1653, CVE-2020-0796, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2019-19781, and CVE-2021-27065.

MITRE ATT&CK Mapping

MITRE ATT&CK Map for APT 41 Air India Attack

IoCs

MD5:


Good Cyber Hygiene Is the Order of the Day

Researchers have now revealed that Air India’s network (named “SITASERVER4”) was compromised in December 2020. After SITA’s disclosure, it has come to light that Star Alliance, One World Airlines, Finnair, Japan Airlines, Jeju Air, Malaysia Airlines, Air New Zealand, Cathay Pacific, Lufthansa, and Singapore Airlines had sensitive customer information published on the dark web. Additionally, the second attack on Air India was uncovered only after two months of infiltration, by which time the attackers were deeply entrenched in the network.

A supply chain attack on the airline industry could cause major disruption across air travel—from ticketing to navigation. The disruption could be even more devastating when combined with ransomware, with ramifications for the targeted nation as a whole. Malicious actors could identify and exploit the travel patterns of prominent individuals, endangering national and international security apparatus. A lack of cyber hygiene on Air India’s part allowed it to be attacked, not once but twice. We urge government entities and organizations in sectors like aviation, military, and defense to take cyber hygiene more seriously and address issues as soon as possible.

Organizations can reach out to Securin to improve their security posture.
