
Back-to-back Air India Attacks indicating more than just a data breach?

Posted on Jul 8, 2021 | By Surojoy, Priya

The airline industry is on the brink of a supply-chain attack from threat groups like APT41. Here is our analysis of the vulnerabilities that APT41 uses in such attacks.

In early June 2021, Air India disclosed a cyber attack on its network that had begun in February 2021, two months before it was identified. This disclosure came in the wake of a data breach announced in May 2021, the result of an attack on SITA, an air travel software provider whose systems are used by 90% of the world's travel industry.

The events compromised around 10 years' worth of data, exposing the personal information and credit card details of 4.5 million passengers on the dark web. The attacks were traced to a Chinese state-sponsored APT group, APT41, although the two events are believed to be separate incidents.

Could Air India have avoided the attacks?


According to our research findings, there are 20 vulnerabilities associated with the APT41 threat group. If these vulnerabilities had been patched, both the attacks could have been avoided.

CSW warned about 15 of these vulnerabilities as part of Cyber Risk in Working Remotely (June 2020) and Ransomware Reports published in February and May 2021.

APT 41 Analysis

We have been tracking Advanced Persistent Threat (APT) groups, their tactics and techniques, and the vulnerabilities they use to target their victims. Here are our findings.

The threat actor behind the Air India and SITA attacks, APT41, has been publicly visible since October 2012 and is of Chinese origin. It is also known as Bronze Atlas, Red Kelpie, Wicked Panda, Blackfly, Winnti or Barium, and our research has uncovered 20 vulnerabilities that APT41 exploits to mount attacks.

Analysis by CSW researchers indicates that APT41 prefers victim-specific, multi-stage attacks, favoring Maze ransomware to take control and create maximum disruption.

APT 41 Cheat Sheet

• Exploits:
  • All 20 CVEs are weaponized.
  • Two of these vulnerabilities have both Remote Code Execution (RCE) and Privilege Escalation (PE) capabilities.
  • 16 vulnerabilities are linked to RCE exploits, making them critical to patch.

• Severity Score:
  • Nine vulnerabilities are critical according to their CVSS v3 rating, with scores of 9.8 and above.
  • Eight vulnerabilities fall under the high severity bracket.
  • CVE-2017-0213 has a medium severity score of 4.7 under CVSS v3, but has associated exploits.
  • This shows that patches should be prioritized by the risk actually associated with a vulnerability, not by severity score alone.

• Year of Discovery:
  • 16 vulnerabilities were discovered in 2020 or earlier, six of which are currently trending. The oldest, CVE-2012-0158, dates from 2012.
  • Interestingly, CVE-2012-0158 appeared on the Department of Homeland Security's list of Top 30 Targeted High Risk Vulnerabilities (Top 30 Most Commonly Exploited Vulnerabilities). It was also listed among CISA's Top 10 Routinely Exploited Vulnerabilities for 2020.
  • The list includes four new vulnerabilities identified in March 2021, three of which are currently trending.

• Products and Vendors:
  • 11 of these vulnerabilities exist across Microsoft products.
  • A Citrix vulnerability (CVE-2019-19781) and a Pulse Secure vulnerability (CVE-2019-11510), both long-standing favorites of threat actors, have been repeatedly exploited by multiple groups.
  • A notable mention is CVE-2020-10189, which exists in versions of Zoho Corp ManageEngine Desktop Central, a SaaS-based endpoint management solution. We have observed threat actors increasingly exploiting vulnerabilities in SaaS products, a trend recorded in CSW's Ransomware Spotlight Report.

• Patches:
  • 19 CVEs have patches, which ought to be applied on priority.
  • The list includes one vulnerability, CVE-2019-16920, in end-of-life D-Link firmware. The vendor recommends upgrading to the latest device series as soon as possible.

• Weaknesses:
  • The vulnerabilities belong to a mixed bag of weaknesses that result in improper authentication, improper control or restriction, or mismanagement of data.
  • Of these, five weaknesses feature in MITRE's top 10 weaknesses of 2020, three in the top 20 and two CWEs in the top 30 list.
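The severity-score point above (a 4.7-rated CVE that is nonetheless weaponized) is easiest to see in code. The following Python is an added example, not CSW's own tooling: it orders a vulnerability list two ways, once by CVSS alone and once by a risk key that puts weaponized and RCE/PE capability ahead of the raw score. Only CVE-2017-0213 and its 4.7 score come from the article; the other three records are constructed placeholders (not real CVE numbers), and the ordering of the risk key is an assumption chosen for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float            # CVSS v3 base score
    weaponized: bool       # exploit known to be used in real attacks
    rce: bool              # remote code execution capability
    priv_esc: bool         # privilege escalation capability
    trending: bool         # currently trending among threat actors
    patch_available: bool = True


def severity_key(v):
    """Severity-only ordering: higher CVSS first, nothing else considered."""
    return (v.cvss,)


def risk_key(v):
    """Risk ordering (assumed weighting): weaponized first, then RCE, then PE,
    then trending status, and only then CVSS as a tie-breaker."""
    return (v.weaponized, v.rce, v.priv_esc, v.trending, v.cvss)


def prioritize(vulns, key=risk_key):
    """Return CVE ids in descending order of the chosen key."""
    return [v.cve for v in sorted(vulns, key=key, reverse=True)]


def action(v):
    """What to do with an entry once it reaches the top of the list.
    Entries with no fix (e.g. end-of-life firmware) need replacement or isolation."""
    return "patch" if v.patch_available else "replace or isolate (no fix available)"


# Constructed sample set: only CVE-2017-0213 (CVSS 4.7, weaponized, PE) is from
# the article; the CVE-0000-000x entries are placeholders, not real CVEs.
SAMPLE = [
    Vuln("CVE-2017-0213", 4.7, weaponized=True, rce=False, priv_esc=True, trending=False),
    Vuln("CVE-0000-0001", 9.8, weaponized=False, rce=False, priv_esc=False, trending=False),
    Vuln("CVE-0000-0002", 7.5, weaponized=True, rce=True, priv_esc=False, trending=True),
    Vuln("CVE-0000-0003", 8.8, weaponized=True, rce=False, priv_esc=False, trending=False,
         patch_available=False),
]

if __name__ == "__main__":
    print("by severity:", prioritize(SAMPLE, severity_key))
    print("by risk:    ", prioritize(SAMPLE, risk_key))
    for v in sorted(SAMPLE, key=risk_key, reverse=True):
        print(f"{v.cve}: {action(v)}")
```

Run as-is, the severity ordering puts the unweaponized 9.8 placeholder first and CVE-2017-0213 last; the risk ordering moves CVE-2017-0213 ahead of it, which is the behaviour the cheat sheet argues for.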

Attack Methodology

The seed for the Air India attacks was sown in December 2020. After compromising the network, the attackers deployed Cobalt Strike payloads and spread them to other devices within 24 hours. They then established persistence, obtained passwords and began moving laterally across the network. At least 20 devices were compromised, one of which had been communicating with the Cobalt Strike payloads since February 2021.

According to research, the attackers exfiltrated NTLM hashes and plain-text passwords from local workstations using hashdump and mimikatz, and tried to escalate local privileges with the help of the BadPotato tool.
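The credential-dumping step described above (hashdump and mimikatz reading LSASS memory) is one of the most detectable moments in this chain, because a non-system process has to open lsass.exe with read access. The Python below is an added example, not CSW's or any vendor's detection content: it scans constructed Sysmon-style Event ID 10 (ProcessAccess) records and flags any process outside a small allowlist that obtains PROCESS_VM_READ on lsass.exe. The key=value log format, the allowlist and every sample line are assumptions made for the illustration.

```python
import re

# Windows process access rights relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumed allowlist of full lowercase paths that legitimately touch LSASS.
# Match on the full path (and, in production, the code signer), never on
# the basename alone, since attackers name droppers svchost.exe on purpose.
ALLOWED_SOURCE_PATHS = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon-style records (not real Air India telemetry).
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\Public\\update.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\wininit.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "EventID=10 SourceImage=C:\\Tools\\scan.exe "
    "TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1410",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]


def parse_event(line):
    """Turn one 'Key=Value Key=Value' record into a dict (values have no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def reads_memory(granted_access_hex):
    """True if the access mask includes PROCESS_VM_READ (0x10)."""
    mask = int(granted_access_hex, 16)
    return mask & PROCESS_VM_READ == PROCESS_VM_READ


def flag_lsass_access(lines):
    """Return one finding per non-allowlisted process that opened lsass.exe
    with memory-read rights. Each finding carries the source image and mask."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        src = ev.get("SourceImage", "").lower()
        if src in ALLOWED_SOURCE_PATHS:
            continue
        if reads_memory(ev.get("GrantedAccess", "0x0")):
            hits.append({"source": ev["SourceImage"], "access": ev["GrantedAccess"]})
    return hits


if __name__ == "__main__":
    for hit in flag_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: {hit['source']} opened lsass.exe with {hit['access']}")
```

On the sample, only the update.exe record is flagged: the svchost and wininit accesses are allowlisted, and the scan.exe record targets explorer.exe rather than LSASS. A real rule would also pull the CallTrace field and the signer of the source image, both of which Sysmon can provide, before paging anyone.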

Global Analysis

A global exposure analysis of the CVEs using Shodan shows more than 100,000 instances overall that could be vulnerable to attacks by the threat group. CVE-2020-0796, the wormable SMBGhost vulnerability, exposes over 90,000 deployments across the world to the risk of an attack. This comes as no surprise, considering it alarmed the cyber security community last March with a PoC exploit that targeted millions of Windows devices.

CVEs covered in the Shodan exposure chart: CVE-2019-11510, CVE-2019-1652, CVE-2019-1653, CVE-2020-0796, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2019-19781, CVE-2021-27065.

MITRE ATT&CK Mapping

MITRE ATT&CK Map for APT 41 Air India Attack


IoCs

MD5:

20aebf6e20c46b6bfe44f2828adf3b91
b6b06a95cfeeee0efe8bc0cd54eac71d
83249cff833182b3299cbd4aac539c9a
143278845a3f5276a1dd5860e7488313
559b7150d936fffe728092b160c14d28
9337952aa3be0dacfc12898df3180f02
212784cf25f0adfaf9ba46db41c373d5
d414c7ede5a9d6d30e6d3fe547e27484
83e6da9cd8ccf9b0c04f00416b091076
7b501402c843034cd79151257aca189e
69f5c5f67850acdb373ddd106adce48c
b071a62d2dd745743c6de5f115d633b1
019122b1d783646f99c73a3c399cc334
f61dbac694d34c96830f184658610261
fc208a4d04c085edcea1ec5f402057f9
5528bb928e02926179fca52dd388b1f0
b8ecab09b7bfb42b9ace3666edf867a7
c4be6b466807540a22f62ffa6829540f
a00ab8ac0f11c3fcd5c557729afcbf89
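Hash IoCs copied out of a report often pick up a letter O where a hex zero belongs, a lowercase l for a 1, or a stray space in the middle, and a sweep that silently loads such an entry will simply never match. The Python below is an added example rather than CSW's tooling: it normalises and validates a list of MD5 IoCs before use, then walks a directory computing file MD5s and reporting matches. The embedded IoC subset is copied from the list above (legible entries only); the directory to sweep and the temporary demo file are assumptions.

```python
import hashlib
import os
import re
import tempfile

HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Subset of the MD5 IoCs published in the article (legible entries only).
ARTICLE_MD5_IOCS = [
    "20aebf6e20c46b6bfe44f2828adf3b91",
    "83249cff833182b3299cbd4aac539c9a",
    "143278845a3f5276a1dd5860e7488313",
    "d414c7ede5a9d6d30e6d3fe547e27484",
    "83e6da9cd8ccf9b0c04f00416b091076",
    "7b501402c843034cd79151257aca189e",
    "69f5c5f67850acdb373ddd106adce48c",
    "b071a62d2dd745743c6de5f115d633b1",
    "019122b1d783646f99c73a3c399cc334",
    "f61dbac694d34c96830f184658610261",
    "5528bb928e02926179fca52dd388b1f0",
    "b8ecab09b7bfb42b9ace3666edf867a7",
    "c4be6b466807540a22f62ffa6829540f",
    "a00ab8ac0f11c3fcd5c557729afcbf89",
]


def load_iocs(raw_entries):
    """Lowercase, strip whitespace (including a space splitting a hash), and
    keep only entries that are exactly 32 hex characters. Anything else is
    returned separately so an analyst can re-check it against the source."""
    good, bad = set(), []
    for entry in raw_entries:
        h = entry.strip().lower().replace(" ", "")
        if HEX32.match(h):
            good.add(h)
        else:
            bad.append(entry)
    return good, bad


def md5_of_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs):
    """Walk root and return (path, digest) for every file whose MD5 is in iocs."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(p)
            except OSError:
                continue  # unreadable or vanished file; skip, do not abort the sweep
            if digest in iocs:
                matches.append((p, digest))
    return matches


def demo_sweep():
    """Self-contained demonstration: one empty file in a temp dir, matched
    against the well-known MD5 of the empty input (constructed test IoC)."""
    empty_md5 = "d41d8cd98f00b204e9800998ecf8427e"
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "empty.bin"), "wb").close()
        return [digest for _, digest in sweep(d, {empty_md5})]


if __name__ == "__main__":
    good, bad = load_iocs(ARTICLE_MD5_IOCS + ["b6b06a95cfeeeeOefe8bc0cd54eac71d"])
    print(f"loaded {len(good)} IoCs, rejected {bad}")
    print("demo matches:", demo_sweep())
```

MD5 matching catches only the exact binaries the report saw; a recompiled or padded dropper produces a different hash, so treat a hit as confirmation and a miss as no information. The validation step is the part worth keeping: an IoC list with a transcription error in it fails silently, and this makes the failure loud.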

Good Cyber Hygiene is the order of the day


Researchers have now revealed that Air India's network (named "SITASERVER4") was compromised in December 2020. Following SITA's disclosure, it has come to light that Star Alliance, One World Airlines, Finnair, Japan Airlines, Jeju Air, Malaysia Airlines, Air New Zealand, Cathay Pacific, Lufthansa and Singapore Airlines had sensitive customer information published on the dark web. Additionally, the second attack on Air India was uncovered only after two months of infiltration, by which time the attackers had penetrated the network deeply.

A supply chain attack on the airline industry could cause major disruption to air travel, from ticketing to navigation. Combined with ransomware, the disruption could be even more devastating, with ramifications for the targeted nation. Malicious actors could identify and exploit the travel patterns of prominent individuals, endangering national and international security apparatus. A lack of cyber hygiene on Air India's part allowed it to be attacked, not once, but twice. We urge government entities and organizations in sectors like aviation, military and defence to take cyber hygiene more seriously and address issues as soon as possible.


Organizations can reach out to Cyber Security Works to improve their security posture.
