Back-to-back Air India Attacks indicating more than just a data breach?
Posted on Jul 8, 2021 | By Surojoy, Priya
The Airline industry is on the brink of a supply-chain attack from threat groups like APT41. Here is our analysis of the vulnerabilities that APT41 uses for such attacks.
In early June 2021, Air India disclosed a cyber assault on its network, one that began in February 2021, two months before the attack was identified. This disclosure came in the wake of a data breach announced in May 2021, as a result of an attack on SITA—an air travel solutions software popularly used by 90% of the world’s travel industry.
The events compromised around 10 years' worth of data, with the personal information and credit card details of 4.5 million passengers exposed on the dark web. The attacks were traced back to a Chinese state-sponsored APT group, APT41, although the events are believed to be two separate incidents.
Could Air India have avoided the attacks?
According to our research findings, there are 20 vulnerabilities associated with the APT41 threat group. If these vulnerabilities had been patched, both attacks could have been avoided.
CSW warned about 15 of these vulnerabilities as part of Cyber Risk in Working Remotely (June 2020) and Ransomware Reports published in February and May 2021.
APT 41 Analysis
We have been tracking Advanced Persistent Threat (APT) groups, their tactics and techniques, and the vulnerabilities they use to target their victims. Here are our findings.
The threat actor behind the Air India and SITA attacks, APT 41, has been out in the open since October 2012 and is of Chinese origin. They are also known as Bronze Atlas, Red Kelpie, Wicked Panda, Blackfly, Winnti or Barium, and our research has uncovered 20 vulnerabilities that APT41 exploits to mount attacks.
Analysis by CSW researchers indicates that the APT 41 group prefers victim-specific multi-stage attacks, favoring the use of Maze ransomware to take control and create maximum disruption.
APT 41 Cheat Sheet
The seed for the Air India attacks was sown way back in December 2020. After compromising the network, the attackers deployed Cobalt Strike payloads and spread them to other devices within 24 hours. They then established persistence, obtained passwords and began to move laterally across the network. At least 20 devices were compromised, one of which had been communicating with the Cobalt Strike payloads since February 2021.
According to research, the attackers exfiltrated NTLM hashes and plain-text passwords from local workstations using hashdump and mimikatz, and tried to escalate local privileges with the help of BadPotato malware.
A global exposure analysis of the CVEs using Shodan shows more than 100,000 instances overall that could be vulnerable to attacks by the threat group. CVE-2020-0796, the wormable SMBleeding Ghost vulnerability, alone exposes over 90,000 deployments across the world to the risk of an attack. This comes as no surprise, considering it alarmed the cyber security community last March with a PoC exploit that targeted millions of Windows devices.
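As an added defender-side example (not part of the CSW post), the following PowerShell check reports whether a Windows host is still exposed to CVE-2020-0796. It relies on three facts from Microsoft's advisory and release notes: only builds 18362 (1903) and 18363 (1909) are affected, the March 2020 cumulative update KB4551762 (OS revision .720) closes the hole, and setting DisableCompression=1 under LanmanServer is the documented workaround. The function name is ours.

```powershell
# Added example: report CVE-2020-0796 (SMBv3 compression) exposure of the local host.
# Exposure means: affected build, fix not installed, and workaround not applied.
function Test-SmbGhostExposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $affectedBuilds = @(18362, 18363)   # Windows 10 / Server 1903 and 1909

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        Build          = $build
        AffectedBuild  = ($affectedBuilds -contains $build)
        PatchInstalled = $false
        CompressionOff = $false
        Exposed        = $false
    }

    # Builds outside 1903/1909 are not in scope of this CVE.
    if (-not $result.AffectedBuild) { return [pscustomobject]$result }

    # The fix shipped as KB4551762 (OS builds 18362.720 / 18363.720). Later cumulative
    # updates supersede that KB, so also accept any Update Build Revision >= 720.
    $ubr = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
                -Name UBR -ErrorAction SilentlyContinue).UBR
    $kb  = Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue
    $result.PatchInstalled = ($null -ne $kb) -or (($null -ne $ubr) -and ([int]$ubr -ge 720))

    # Documented workaround: disable SMBv3 compression on the server side.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value   = Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue
    $result.CompressionOff = ($null -ne $value) -and ($value.DisableCompression -eq 1)

    # Exposed only when neither the fix nor the workaround is in place.
    $result.Exposed = -not ($result.PatchInstalled -or $result.CompressionOff)
    return [pscustomobject]$result
}

Test-SmbGhostExposure | Format-List
```

Run it from an elevated prompt so the registry and hotfix queries succeed; a host that reports Exposed = True should be patched, or have compression disabled until the update can be applied.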
MITRE ATT&CK Mapping
Good Cyber Hygiene is the order of the day
Researchers have now revealed that Air India's network (named "SITASERVER4") was compromised in December 2020. Following SITA's disclosure, it has come to light that Star Alliance, One World Airlines, Finnair, Japan Airlines, Jeju Air, Malaysia Airlines, Air New Zealand, Cathay Pacific, Lufthansa and Singapore Airlines had sensitive customer information published onto the dark web. Additionally, the second attack on Air India was uncovered only after two months of infiltration, by which time the attackers were deep inside the network.
A supply chain attack on the airline industry could cause major disruption to air travel, from ticketing to navigation. Combined with ransomware, the disruption could be even more devastating, with ramifications for the nation targeted. Malicious actors could identify and exploit the travel patterns of prominent individuals, endangering national and international security apparatus. A lack of cyber hygiene on Air India's part allowed it to be attacked, not once, but twice. We urge government entities and organizations in sectors like aviation, military and defence to take cyber hygiene more seriously and address issues as soon as possible.
Organizations can reach out to Cyber Security Works to improve their security posture.