A Downed Aviation Industry Still Hit by Cyber-Attacks

Posted by Trevagh Stankard on Tue, May 4th, 2021

The last 12 months have been dreadful for airlines the world over. The Covid-19 pandemic has grounded flights and caused widespread economic damage; KPMG research puts global airline industry losses for 2020 at $252 billion. Cybercriminals, however, have chosen to hit the airlines while they are down, and fraud and cyber-attacks continue to plague the aviation industry. Attacks include a “sophisticated” data breach at SITA Passenger Service System Inc. in February 2021, in which passenger personal data was stolen and multiple airlines were affected. Independent of this breach, SITA had previously stated that only around 35% of airlines and 30% of airports are adequately prepared for cyber-attacks.

Cyber-attack types on the aviation industry are varied and include ransomware, Distributed Denial of Service (DDoS) attacks on websites, and Advanced Persistent Threats (APTs). A recent attack by the LazyScripter APT group demonstrates the sophistication and highly targeted methods that cybercriminals are using against airlines.

An Advanced Persistent Threat (APT) to the Airline Industry

The LazyScripter APT attack on the aviation industry shows how insidious and complex attacks have become. LazyScripter is a hacking group that was only recently identified but is likely to have been active since 2018. The group was recently detected by Malwarebytes using a Remote Access Trojan (RAT) to specifically target job seekers at airlines. The targets include the International Air Transport Association (IATA) and various airlines; the common link appears to be use of the “BSPLink” software that IATA provides as a billing and settlement application.

The RAT was first discovered by researchers at Malwarebytes, who have identified tactics and remote toolkit upgrades that help it evade detection. For example, the hackers recently changed the way they trick users by mimicking a new feature in IATA’s software stack known as “IATA ONE ID”, a contactless passenger processing tool.

The researchers noted certain tactics being used to deploy the RAT:

  1. Phishing emails were used to deliver malware loaders in the form of batch files, VBScript, and registry files, hidden in zips or documents. This delivery mechanism is known as ‘maldocs’ (malicious Office documents): the malicious files masquerade as documents by using PDF, Word, or Excel icons.
  2. The phishing emails used either IATA or job-related themes to trick users into believing the emails were legitimate. Emails also had themes associated with Microsoft updates and Covid-19.
  3. Documents or zip files as email attachments were used as the initial infection vector. These files contain the malware loader.
  4. Some spam emails contained a shortened link. On clicking the link, the user would be redirected to a download of the loader named “KOCTOPUS”. Alternatively, a document contained an embedded version of KOCTOPUS.
  5. In one version, a PowerShell script loader file was used to expose local ports of the victim system over the internet. In all, seven executables were found to be associated with KOCTOPUS. Signals from these files indicated that remote updates had been carried out.
  6. GitHub was used by LazyScripter to host its toolkits, which included open-source security toolkits, but the accounts have subsequently been deleted.
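As an added illustration of the zip- and icon-based loader delivery described in the list above (example code written for this post, not from the original article or from Malwarebytes' research), the following Python scanner walks an attachment zip, including zips nested inside it, and flags script loaders and double-extension names that borrow a document extension. The file names, the extension lists and the sample archive are assumptions constructed here, not campaign indicators.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Loader file types named in the post (batch, VBScript, registry), plus
# common script siblings; this list is an assumption, not a campaign IoC.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".reg", ".ps1", ".hta"}
# Document types whose icons were used as a disguise.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason if the file name looks like a disguised loader, else None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last not in SCRIPT_EXTS:
        return None
    # "CV.pdf.bat" shows a PDF icon on Windows but executes as a batch file.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return f"double extension: looks like {parts[-2]} but runs as {last}"
    return f"script loader ({last})"


def scan_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> List[Tuple[str, str]]:
    """List (member path, reason) for every suspicious member, recursing into nested zips."""
    if depth > max_depth:
        return [("<nested>", "zip nesting too deep")]
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
            if info.filename.lower().endswith(".zip"):
                nested = scan_zip(zf.read(info), depth + 1, max_depth)
                findings.extend((f"{info.filename}!{n}", r) for n, r in nested)
    return findings


def build_sample() -> bytes:
    """Constructed sample attachment (placeholder contents), not a real artifact."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("IATA_ONE_ID_update.vbs", "' constructed placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("CV_Jane_Doe.pdf.bat", "@echo constructed placeholder\n")
        zf.writestr("cover_letter.txt", "plain text, should not be flagged\n")
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()
```

Running `scan_zip(build_sample())` flags the double-extension batch file and the VBScript inside the nested zip while leaving the plain-text cover letter alone; a mail gateway would apply the same check before the message reaches an inbox.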

How to Prevent a Targeted Cyber-attack

An important takeaway from the LazyScripter example is that cybercriminals think carefully about how they carry out an attack. These hacking groups are dedicated criminals intent on causing mayhem and destruction, and their goal is often financial: stealing data to sell on or to commit financial fraud. There is no one-size-fits-all approach to addressing cyber-threats that target specific industries. The hackers behind the attacks take the time to understand their targets and victims so that they can build successful attack scenarios; the LazyScripter gang used recognized legitimate software and branded emails to trick users into thinking they were safe.

Detection and prevention of these highly targeted cyber-threats need a proactive security stance and tools that are fit for purpose. As well as protecting customer data, it is vital to ensure that staff are security-aware. But even the most aware employees can still be duped into clicking a link when clever tactics such as maldocs are used; phishing emails, and especially spear-phishing emails, are very difficult for even security-savvy employees to spot. Robust prevention against phishing and links to malicious sites is therefore needed as a “first catch net”. These tools work to stop malicious emails from ever reaching an employee’s inbox, and if one still gets through, they prevent the employee from reaching a dangerous website:

Malicious Website Protection

Smart content filtering tools prevent employees from navigating to malicious sites by clicking on a link in a phishing email, even links as cleverly disguised as those seen in the LazyScripter phishing emails. These machine-learning-enabled tools check a website to make sure it does not contain malware and is not a phishing site.

Phishing Prevention

Phishing can be prevented using an email and spam prevention solution. These tools scan all inbound emails for signals that an email is spam or contains malicious attachments or dangerous links. Some tools, such as SpamTitan, protect against zero-day vulnerabilities using intelligent technologies. This latter capability is important because cybercriminals continue to use zero-day flaws to circumvent security protections such as patching and endpoint anti-malware.

Cybercriminals don’t care whether an industry has been severely impacted by a poor economy or a disaster such as the Covid-19 pandemic. All they care about is creating complex and sophisticated attack chains that are hard to detect and prevent. Thankfully, the security industry is countering these cyber-threats with sophisticated tools of its own.

TitanHQ provides advanced threat protection to protect against phishing attacks. Learn more about TitanHQ’s multi-layered protection today. Contact us.
