Back-to-Back Air India Attacks Indicating More than Just a Data Breach?
Surojoy & Priya
Securin Team
Jul 8, 2021
In early June 2021, Air India disclosed a cyber assault on its network that began in February 2021, two months before the attack was identified. This disclosure came in the wake of a data breach announced in May 2021 as a result of an attack on SITA—an air travel solutions software popularly used by 90% of the world’s travel industry.
The events compromised around 10 years’ worth of data, with the personal information and credit card details of 4.5 million passengers exposed to the dark web. The attacks were traced back to a Chinese state-sponsored APT group, APT41, although the events are believed to be two separate incidents.
Could Air India Have Avoided the Attacks?
According to our research findings, there are 20 vulnerabilities associated with the APT41 threat group. If these vulnerabilities had been patched, both attacks could have been avoided.
APT41—Analysis
We have been tracking Advanced Persistent Threat (APT) groups, their tactics and techniques, and the vulnerabilities they use to target their victims. Here are our findings.
The threat actor behind the Air India and SITA attacks, APT41, has been out in the open since October 2012 and is of Chinese origin. It is also known as Bronze Atlas, Red Kelpie, Wicked Panda, Blackfly, Winnti, or Barium, and our research has uncovered 20 vulnerabilities that APT41 exploits to mount attacks.
APT41—Cheat Sheet
- Exploits
- Severity Scores
- The Year of Discovery
- Products and Vendors
- Patches
- Weaknesses
Attack Methodology
The seed for the Air India attacks was sown way back in December 2020. The attackers deployed Cobalt Strike payloads after compromising the network, spreading the payload to other devices within 24 hours. The attackers then established persistence, obtained passwords, and began to make their way laterally across the network. At least 20 devices were compromised, one of which was responsible for communicating with the Cobalt Strike payloads since February 2021.
According to research, the attackers exfiltrated NTLM hashes and plaintext passwords from local workstations using hashdump and mimikatz and tried to escalate local privileges with the help of the BadPotato malware.
Global Analysis
Global exposure analysis of the CVEs using Shodan shows more than 100,000 instances overall that could be vulnerable to attacks by the threat group. CVE-2020-0796, the wormable SMBleeding Ghost vulnerability, exposes over 90,000 deployments across the world to the risk of an attack. This comes as no surprise,surprise, considering it alarmed the cybersecurity community last March with a PoC exploit that targeted millions of Windows devices.
MITRE ATT&CK Mapping
IoCs | |
MD5: 20aebf6e20c46b6bfe44f2828adf3b91 b6b06a95cfeeeeOefe8bc0cd54eac71d 83249cff833182b3299cbd4aac539c9a 143278845a3f5276a1dd5860e7488313 559b7150d936fffe 728092b160c14d28 9337952aa3beOdacfc12898df3180f02 212784cf25fOadfaf9ba46db41c373d5 d414c7ede5a9d6d30e6d3fe547e27484 83e6da9cd8ccf9b0c04f00416b091076 | 7b501402c843034cd79151257aca189e 69f5c5f67850acdb373ddd106adce48c b071a62d2dd745743c6de5f115d633b1 019122b1d783646f99c73a3c399cc334 f61dbac694d34c96830f184658610261 fc208a4d04c085edcealec5f402057f9 5528bb928e02926179fca52dd388b1f0 b8ecab09b7bfb42b9ace3666edf867a7 c4be6b466807540a22f62ffa6829540f a00ab8ac0f11c3fcd5c557729afcbf89 |
Good Cyber Hygiene Is the Order of the Day
Researchers have now revealed that Air India’s network (named “SITASERVER4”) was compromised in December 2020. After SITA’s disclosure, it has come to light that Star Alliance, One World Airlines, Finnair, Japan Airlines, Jeju Air, Malaysia Airlines, Air New Zealand, Cathay Pacific, Lufthansa, and Singapore Airlines had sensitive customer information published on the dark web. Additionally, the second attack on Air India was uncovered only after two months of infiltration, by which time the attackers had well-penetrated the network.
A supply chain attack on the airline industry could cause a major disruption in the air travel industry—from ticketing to navigation. The disruption could be even more devastating when combined with ransomware, and its ramifications affect the targeted nation. Malicious actors could identify and exploit the travel patterns of prominent individuals, endangering national and international security apparatus. A lack of cyber hygiene on Air India’s part allowed it to be attacked, not once but twice. We urge government entities and organizations in sectors like aviation, military, and defense to take cyber hygiene more seriously and address issues as soon as possible.
Share this post on:
