The airline industry is on the brink of a supply chain attack from threat groups like APT41. Here is our analysis of the vulnerabilities that APT41 uses for such attacks.
In early June 2021, Air India disclosed a cyber assault on its network that began in February 2021, two months before the attack was identified. This disclosure came in the wake of a data breach announced in May 2021 as a result of an attack on SITA—an air travel solutions software popularly used by 90% of the world’s travel industry.
The events compromised around 10 years’ worth of data, with the personal information and credit card details of 4.5 million passengers exposed to the dark web. The attacks were traced back to a Chinese state-sponsored APT group, APT41, although the events are believed to be two separate incidents.
Could Air India Have Avoided the Attacks?
According to our research findings, there are 20 vulnerabilities associated with the APT41 threat group. If these vulnerabilities had been patched, both attacks could have been avoided.
We have been tracking Advanced Persistent Threat (APT) groups, their tactics and techniques, and the vulnerabilities they use to target their victims. Here are our findings.
The threat actor behind the Air India and SITA attacks, APT41, has been out in the open since October 2012 and is of Chinese origin. It is also known as Bronze Atlas, Red Kelpie, Wicked Panda, Blackfly, Winnti, or Barium, and our research has uncovered 20 vulnerabilities that APT41 exploits to mount attacks.
The analysis by Securin’s researchers indicates that the APT41 group prefers victim-specific multistage attacks, favoring the use of the Maze ransomware to take control and create maximum disruption.
The seed for the Air India attacks was sown way back in December 2020. The attackers deployed Cobalt Strike payloads after compromising the network, spreading the payload to other devices within 24 hours. The attackers then established persistence, obtained passwords, and began to make their way laterally across the network. At least 20 devices were compromised, one of which was responsible for communicating with the Cobalt Strike payloads since February 2021.
According to research, the attackers exfiltrated NTLM hashes and plaintext passwords from local workstations using hashdump and mimikatz and tried to escalate local privileges with the help of the BadPotato malware.
Global exposure analysis of the CVEs using Shodan shows more than 100,000 instances overall that could be vulnerable to attacks by the threat group. CVE-2020-0796, the wormable SMBleeding Ghost vulnerability, exposes over 90,000 deployments across the world to the risk of an attack. This comes as no surprise,surprise, considering it alarmed the cybersecurity community last March with a PoC exploit that targeted millions of Windows devices.
MITRE ATT&CK Mapping
Good Cyber Hygiene Is the Order of the Day
Researchers have now revealed that Air India’s network (named “SITASERVER4”) was compromised in December 2020. After SITA’s disclosure, it has come to light that Star Alliance, One World Airlines, Finnair, Japan Airlines, Jeju Air, Malaysia Airlines, Air New Zealand, Cathay Pacific, Lufthansa, and Singapore Airlines had sensitive customer information published on the dark web. Additionally, the second attack on Air India was uncovered only after two months of infiltration, by which time the attackers had well-penetrated the network.
A supply chain attack on the airline industry could cause a major disruption in the air travel industry—from ticketing to navigation. The disruption could be even more devastating when combined with ransomware, and its ramifications affect the targeted nation. Malicious actors could identify and exploit the travel patterns of prominent individuals, endangering national and international security apparatus. A lack of cyber hygiene on Air India’s part allowed it to be attacked, not once but twice. We urge government entities and organizations in sectors like aviation, military, and defense to take cyber hygiene more seriously and address issues as soon as possible.