
Major Vulnerabilities Found in Wireless LAN Devices in Airlines

Two major vulnerabilities were found in the Flexlan series of wireless LAN devices, which provide in-flight internet services on aircraft. Researchers Samy Younsi and Thomas Knudsen of Necrum Security Labs initiated the research that led to the two critical vulnerabilities, tracked as CVE-2022-36158 and CVE-2022-36159.

The vulnerabilities were found in the Flexlan series models FXA3000 and FXA2000, which are made by Contec, a Japan-based firm.
 
Describing the first vulnerability, the researchers said that while reverse engineering the firmware they found a hidden web page that was not listed among the wireless LAN manager interfaces. They added that it makes it simple to execute Linux commands on the device with root privileges. According to the researchers, the first vulnerability gave access to all system files as well as to the telnet port, which allows access to the whole device.

Regarding the second vulnerability, the researchers said it stems from hard-coded, weak cryptographic keys and backdoor accounts. During the research, they were also able to recover a shadow file and crack it within a few minutes with a brute-force attack. The file contained the password hashes of two accounts, root and users.

The researchers explained that the device owner can only change the password from the web admin interface, because the root account is reserved by Contec for maintenance purposes. As a result, an attacker who knows the hard-coded root password can access every Flexlan FXA2000 and FXA3000 series device effortlessly.

As for remediation, the researchers stressed the basic security measures needed to address the first vulnerability. They said, "the hidden engineering web pages should be removed from all unfortified devices, as weak passwords make access easier for cyber attackers." For the second vulnerability, the advisory commented, "the company should create new strong passwords, for every single device with the manufacturing process."

Ransomware Attack Disrupts the Operations of SpiceJet Flights

 

An attempted ransomware assault halted the operations of budget carrier SpiceJet on Tuesday night, leaving passengers stranded for hours across the country’s airports on Wednesday morning. 

The controversy started after a SpiceJet passenger, Mudit Shejwar, flagged the delay of his flight to Dharamshala even 80 minutes after boarding had been completed.

“On board flight SG2345 to Dharmshala, it's been already 80 mins since we boarded the plane, we have not taken off yet, the only communication is of some server down and issue with paper work for fuel, is this for real,” Mudit tweeted, tagging Spicejet, Civil Aviation Minister Jyotiraditya Scindia, Airport Authority of India and the Delhi airport authority. 

“Certain SpiceJet systems faced an attempted ransomware attack last night that impacted and slowed down morning flight departures today. Our IT team has contained and rectified the situation, and flights are operating normally now,” the airline tweeted. 

However, the reply did not sit well with the passenger, who said that all the passengers were stuck on the aircraft for close to four hours without food. “Operating normally?? We are stuck here since 3 hrs and 45 mins? Neither cancelling nor operating, sitting in the flight not even the airport. No breakfast, no response,” Shejwar replied. 

The airline did not disclose whether it had paid the attacker. Industry sources said the attack was identical to the one on Indigo in December 2020. Then, too, the airline had confirmed the attack and said some segments of data servers had been breached. However, little is known yet regarding the outcome of an investigation, or whether any payment was made. 

Last year, over 78 percent of Indian organizations surveyed were hit with ransomware attacks, up from 68 percent in 2020. The average ransom paid by Indian organizations to get their data decrypted was $1.2 million, according to a report by British cybersecurity firm Sophos released earlier this month.

According to the Directorate General of Civil Aviation, SpiceJet is the second-largest airline in India, operating a fleet of more than 90 aircraft, with a market share of 13.6% as of March 2019. 

In 2021, SpiceJet went through severe financial trouble as a result of grounding its fleet due to COVID-19 restrictions. The struggling airline's accumulated losses neared ₹5,478 crore, while its liabilities exceeded its assets by ₹6,347 crore during the same period.

Slack API Exploited by Iranian Threat Actor to Attack Asian Airline

 

According to IBM Security X-Force, the Iran-linked advanced persistent threat (APT) group MuddyWater was observed deploying a backdoor that abuses Slack for command and control on the network of an Asian airline.

The hacking group, also known as MERCURY, Seedworm, Static Kitten, and ITG17, predominantly targets organizations in the Middle East and other regions of Asia.

MuddyWater successfully infiltrated the networks of an undisclosed Asian airline in October 2019, according to IBM X-Force, with the detected activities continuing into 2021. 

According to IBM's security researchers, the adversary used a PowerShell backdoor named Aclip, which uses a Slack communication API for command and control (C&C) operations such as communication and data transmission. 

Given that several different Iranian hacking groups have, in many cases, gained access to the very same victim's infrastructure, IBM X-Force suspects that other adversaries were also involved in this operation, particularly since Iranian state-sponsored actors have been targeting the airline industry, primarily for surveillance purposes, for at least half a decade.

In the observed incident, a Windows Registry Run key was used to persistently execute a batch script, which in turn runs a script file (the Aclip backdoor) using PowerShell. After receiving commands via attacker-created Slack channels, the malware could take screenshots, collect system information, and exfiltrate files.

By using Slack for communication, the attacker ensures that malicious traffic blends in with regular network traffic. Other malware groups have also leveraged the collaboration application for similar objectives.
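The persistence and C2 chain described above (Run key, batch script, PowerShell, Slack API traffic) gives a defender three observable signals. The following detection sketch is an added example, not IBM's or the original post's code; it runs over constructed, hypothetical Sysmon-shaped events and flags each link of the chain so they can be correlated.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (hypothetical, loosely Sysmon-shaped); not real indicators.
EVENTS: List[Dict[str, str]] = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\bob\AppData\Roaming\update.bat"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c C:\Users\bob\AppData\Roaming\update.bat"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\Users\bob\AppData\Roaming\a.ps1"},
    {"type": "network",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "slack.com", "url_path": "/api/conversations.history"},
    {"type": "network", "image": r"C:\Users\bob\AppData\Local\slack\app\slack.exe",
     "dest_host": "slack.com", "url_path": "/api/conversations.history"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
# Processes expected to talk to the Slack API; any other image doing so is suspect.
SLACK_OK = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings, one per event that matches a link of the chain."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        t = ev["type"]
        if t == "registry_set" and RUN_KEY.search(ev["key"]) and SCRIPT_EXT.search(ev["value"]):
            findings.append(("run_key_launches_script", ev["key"]))
        elif t == "process_create" and basename(ev["image"]) == "powershell.exe" \
                and basename(ev["parent_image"]) == "cmd.exe":
            findings.append(("powershell_spawned_by_batch", ev["cmdline"]))
        elif t == "network" and ev["dest_host"].endswith("slack.com") \
                and ev["url_path"].startswith("/api/") and basename(ev["image"]) not in SLACK_OK:
            findings.append(("slack_api_from_unexpected_process", basename(ev["image"])))
    return findings
```

Each rule alone is noisy (batch scripts under Run keys and PowerShell children of cmd.exe occur in legitimate IT tooling); the three findings together on one host are the stronger signal.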

Following notification of the malicious activities, Slack initiated an investigation and removed the reported Slack workspaces. 

“We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service,” Slack said.

IBM's researchers attribute the activity to MuddyWater with confidence based on the custom tools used throughout the attack, TTP overlaps, shared infrastructure, and MuddyWater's previous targeting of the transportation sector.