
Email Phishing Attack Revealed by American Airlines

A number of American Airlines passengers are being warned that their personal information may have been exposed after threat actors gained access to employee email accounts.

The airline said that a phishing campaign allowed the attackers to access the mailboxes of a limited number of employees, and that those mailboxes contained personal data of some customers. In notification letters sent on Friday, September 16th, the airline said there was no evidence that the exposed data had been misused.

American Airlines detected the intrusion on July 5th, promptly secured the affected email accounts, and engaged a cybersecurity forensics firm to investigate the incident.

The forensic investigation found that unauthorized actors had obtained personal information belonging to both customers and employees. The airline did not say how many people were affected, but it did say that names, dates of birth, addresses, email addresses, phone numbers, passport numbers, and in some cases medical information may have been exposed.

American Airlines' Manager for Corporate Communications sent the following statement to BleepingComputer: "American Airlines is aware of a phishing campaign that resulted in a small number of team members' mailboxes being improperly accessed."

According to the airline, a very small amount of customers' and employees' personal information was found in those email accounts. It is offering affected individuals a two-year membership to Experian's IdentityWorks.

Regarding the incident, the company stated: "Data security is of the utmost importance and we provided customers and team members with precautionary support. We also are actively developing additional technical safeguards to avoid a similar incident from happening in the future, even though we have no proof that any personal information has been misused."

In March 2021, SITA, a leading provider of IT services to the air transport industry, disclosed that hackers had broken into its systems and breached the Passenger Service System (PSS) used by many airlines worldwide, including American Airlines.

To help employees recognize targeted phishing attacks, firms must ensure that staff receive adequate security training. IT and security departments should explain to staff how official communications will be handled, and people should be reminded regularly how to recognize phishing emails.

Major Vulnerabilities Found in Wireless LAN Devices in Airlines

Two critical vulnerabilities have been found in the Flexlan series of wireless LAN devices, which provide in-flight internet service on aircraft. Researchers Samy Younsi and Thomas Knudsen of Necrum Security Labs led the research that uncovered the two flaws, tracked as CVE-2022-36158 and CVE-2022-36159.

The vulnerabilities affect the Flexlan FXA3000 and FXA2000 series, made by the Japan-based firm Contec.
Regarding the first vulnerability, the researchers said that while reverse engineering the firmware they found a hidden web page that was not listed in the wireless LAN manager interface. They added that it allows execution of Linux commands on the device with root privileges. The first vulnerability therefore gave access to all system files, as well as to the telnet port, which allows access to the whole device.
Regarding the second vulnerability, the researchers said it stems from hard-coded, weak cryptographic keys and backdoor accounts. During the research they were able to recover the shadow file and, within a few minutes, crack it with a brute-force attack. The file contained the password hashes of two users: root and user.
The researchers explained that the device owner can only change a password from the web admin interface, since the root account is reserved by Contec for maintenance purposes. An attacker who knows the hard-coded root password can therefore access every Flexlan FXA2000 and FXA3000 series device effortlessly.
As for remediation, the researchers said of the first vulnerability: "the hidden engineering web pages should be removed from all unfortified devices, as weak passwords make access easier for cyber attackers." For the second vulnerability, the advisory recommended that "the company should create new strong passwords for every single device with the manufacturing process," that is, a unique strong root password per device, set at manufacturing time rather than shared across the product line.
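The second flaw comes down to a shadow file whose hashes fall to a quick brute-force attack. The following is an added example, not Necrum's tooling and not data from the Contec firmware: it audits a /etc/shadow pulled out of an extracted firmware image for empty password fields and for md5crypt ($1$) hashes that a small wordlist can crack, which is the scheme embedded Linux builds most often use. The md5crypt routine follows the original FreeBSD algorithm; the shadow entries, salts and passwords are constructed here for the demonstration, and the wordlist is an assumption.

```python
import hashlib

# Added example, not Necrum's tooling and not Contec firmware data. It audits an
# extracted firmware /etc/shadow for empty password fields and for md5crypt
# ($1$) hashes that fall to a small wordlist, the way a hard-coded weak root
# password would. The md5crypt routine follows the original FreeBSD algorithm.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    """crypt(3)-style base64: n chars, least significant 6 bits first."""
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out

def md5crypt(password: bytes, salt: bytes) -> str:
    """Return the $1$<salt>$<hash> string for password/salt."""
    magic = b"$1$"
    salt = salt[:8]                       # md5crypt uses at most 8 salt bytes
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:                         # append len(password) bytes of alt
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(password)
    while i:                              # the "really weird" bit walk
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                 # the stretching loop
        c = hashlib.md5()
        c.update(password if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(password)
        c.update(final if r & 1 else password)
        final = c.digest()
    out = ""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c_], 4)
    out += _to64(final[11], 2)
    return (magic + salt + b"$").decode() + out

EMPTY = "<no password>"

def parse_shadow(text: str):
    """Yield (user, hash_field) for accounts that are not locked out."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, h = fields[0], fields[1]
        if h.startswith(("*", "!")):      # locked / no valid password
            continue
        yield user, h

def audit_shadow(text: str, wordlist):
    """Map each unlocked account to EMPTY, the cracked password, or None
    (not in the wordlist, or a scheme this example does not implement)."""
    result = {}
    for user, h in parse_shadow(text):
        if h == "":
            result[user] = EMPTY          # login with no password at all
            continue
        if not h.startswith("$1$"):
            result[user] = None           # $5$/$6$ etc.: hand off to john/hashcat
            continue
        salt = h.split("$")[2].encode()
        result[user] = next((w for w in wordlist
                             if md5crypt(w.encode(), salt) == h), None)
    return result

# Constructed sample: hashes generated here with weak or strong passwords,
# standing in for what an extracted firmware image's /etc/shadow might hold.
WORDLIST = ["123456", "password", "admin", "admin123", "contec", "flexlan"]
SAMPLE_SHADOW = "\n".join([
    "root:" + md5crypt(b"admin123", b"ab12cd34") + ":19000:0:99999:7:::",
    "user:" + md5crypt(b"contec", b"Zx9.Qw1/") + ":19000:0:99999:7:::",
    "svc:" + md5crypt(b"K7#vq!2Lp9$wErT", b"h4Rd5a1t") + ":19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
    "nobody:*:19000:0:99999:7:::",
])

if __name__ == "__main__":
    for user, verdict in audit_shadow(SAMPLE_SHADOW, WORDLIST).items():
        print(f"{user:8} {verdict!r}")
```

Run against a real image, the interesting findings are any account that resolves to a wordlist entry or to EMPTY; a root hash that is identical across every unit of a product line is exactly the per-device-password problem the advisory describes, and a dedicated cracker (john or hashcat) should take over for $5$/$6$ hashes that this example deliberately skips.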

Akasa Air Confirmed a Data Breach to CERT-In

Some Akasa Air passengers' personal information, including names, gender, email addresses, and phone numbers, was exposed to unauthorized individuals, the airline said on Sunday. India's newest carrier said it had reported the incident on its own to the government-appointed nodal agency for handling such cases, the Indian Computer Emergency Response Team (CERT-In).

The leak was discovered by Ashutosh Barot, a Mumbai-based cybersecurity researcher who serves as Deputy Manager at a major international consulting firm. He found it on August 7, the day Akasa Air operated its maiden commercial flight, while taking a break from work, and said he tried to contact Akasa Air the very next day by direct message on Twitter.

"I was given the airline's standard email address. Since the issue involves the leakage of critical information about website visitors, I asked them to put me in touch with the person in charge of security," he added.

Barot informed a journalist after the airline failed to respond, and the journalist subsequently contacted Akasa Air.

"System security and the safety of client information are of the utmost importance to Akasa Air, and our goal is to always deliver a secure and dependable customer experience. The security of all our systems has been further enhanced through the implementation of additional measures. Although stringent protocols are in place to prevent incidents of this nature, we have taken these additional steps nonetheless," said Anand Srinivasan, co-founder and chief information officer of Akasa Air.

The company said it blocked the unauthorized access by shutting down the affected system components entirely, and that log-in and sign-up services resumed once new safeguards had been put in place. Akasa also said it is carrying out further assessments to harden its systems against similar attacks in the future.

The airline also made clear that no travel-related data, travel records, or payment data were exposed.

The airline added that it has conducted extra checks to ensure that the security of all its systems is further strengthened. Akasa Air expects to operate 150 weekly flights by the end of September.

Anand Srinivasan, the airline's chief information officer, said in a statement to the media on Sunday night that Akasa Air will "continue to maintain" its "strong" security processes and, if necessary, work with partners, researchers, and security professionals to fortify its systems.

Data Breach Reported by Cleartrip: User Data Traded

On July 18, the airline and hotel booking company Cleartrip reported a serious data breach, with hackers allegedly posting the stolen data on the dark web.

In an email to customers, Cleartrip said that a security anomaly had allowed unauthorized and illegal access to some of its internal systems. The site, which is owned by e-commerce major Flipkart, said it was still investigating and had hired an outside forensic team to assist.

"We would like to reassure you that, other than some information, no sensitive information belonging to your Cleartrip account has been compromised due to this anomaly in our systems. The investigation has thus far shown that limited information, including name, email address, and phone number, is thought to have been impacted," a company official stated.

The company claimed that it has notified the Indian cyber police and is planning to take legal action if necessary.

After SpiceJet was hit by a ransomware attack in May, hundreds of passengers were left stranded at airports across India. According to a TechCrunch report from 2020, a security researcher was able to access SpiceJet's servers and obtain the personal data of 1.2 million passengers, including numerous government figures.

Cleartrip is a global online travel company that operates in Oman, Qatar, Kuwait, Bahrain, and Saudi Arabia in addition to India. This is not the first security incident Cleartrip has experienced: according to reports, a group known as Turtle Squad hacked the website in 2017 and temporarily defaced it.

Chinese Threat Group Chimera Attacks Airline Industry

For the past few years, a Chinese threat group known as Chimera has been targeting the airline industry to amass passenger data, which can later be used to monitor the movements of selected individuals. Chimera's operations have been on the radar of security firms for a while, and experts suspect the actors behind it work in alignment with the interests of the Chinese state. CyCraft first described the group's activity in a paper presented at the Black Hat conference in 2020, which also linked Chimera to attacks on the Taiwanese semiconductor industry.

In a report released last week by NCC Group and its subsidiary Fox-IT, the two companies said the group's intrusions were broader than originally believed, targeting the airline sector in addition to the semiconductor industry and spanning several geographic regions rather than Asia alone. They also noted that in several cases the actors had remained hidden inside networks for more than three years before being identified.

The attacks on Taiwan's semiconductor industry were aimed at stealing intellectual property, whereas the objective in the airline industry was different: the companies assess that the actors were after Passenger Name Records (PNR). During the investigation they observed custom DLL files being used repeatedly to extract PNR data from the memory structures in which that data is normally held.

"NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020," added the two companies. 

The NCC Group and Fox-IT report describes the actors' modus operandi. Their first step is to collect data such as user login credentials that were leaked to the public domain or the dark web after data breaches at other companies. The collected credentials are then used for credential stuffing and password spraying attacks against the target's personnel accounts, such as email accounts.
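Credential stuffing and password spraying both look the same from the defender's side of the login endpoint: one source address failing against many distinct accounts, instead of many failures against one account. The following is an added example, not from the NCC Group / Fox-IT report and not a real Chimera artifact, of the detection logic run over constructed authentication log lines; the log format, field names, thresholds and addresses are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not the NCC Group / Fox-IT report's tooling. The log format
# below is an assumed simplified webmail/VPN auth log; the lines are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

SAMPLE_LOG = """\
2020-03-01T08:00:01Z LOGIN user=alice.smith ip=203.0.113.7 result=FAIL
2020-03-01T08:00:04Z LOGIN user=bob.jones ip=203.0.113.7 result=FAIL
2020-03-01T08:00:07Z LOGIN user=carol.diaz ip=203.0.113.7 result=FAIL
2020-03-01T08:00:10Z LOGIN user=dave.kim ip=203.0.113.7 result=FAIL
2020-03-01T08:00:13Z LOGIN user=erin.lee ip=203.0.113.7 result=FAIL
2020-03-01T08:00:16Z LOGIN user=frank.wu ip=203.0.113.7 result=FAIL
2020-03-01T08:02:40Z LOGIN user=erin.lee ip=203.0.113.7 result=OK
2020-03-01T08:05:00Z LOGIN user=gary.ross ip=198.51.100.22 result=FAIL
2020-03-01T08:05:02Z LOGIN user=gary.ross ip=198.51.100.22 result=FAIL
2020-03-01T08:05:04Z LOGIN user=gary.ross ip=198.51.100.22 result=FAIL
2020-03-01T08:05:06Z LOGIN user=gary.ross ip=198.51.100.22 result=FAIL
2020-03-01T08:05:08Z LOGIN user=gary.ross ip=198.51.100.22 result=FAIL
2020-03-01T08:05:10Z LOGIN user=gary.ross ip=198.51.100.22 result=FAIL
2020-03-01T08:10:00Z LOGIN user=alice.smith ip=192.0.2.5 result=OK
this line is deliberately malformed and must be skipped
"""

def parse(lines):
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "ip": m["ip"], "result": m["result"],
        })
    return events

def find_spraying(events, window=timedelta(minutes=30), min_users=5):
    """Flag source IPs whose failed logins fan out over at least `min_users`
    distinct accounts within `window`. Single-account brute force (many
    failures, one user) is deliberately not matched by this rule."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):          # sliding window over failures
            users = {e["user"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                # accounts that later authenticated OK from the spraying source
                # are the ones to treat as compromised, not merely targeted
                later_ok = sorted({e["user"] for e in evs
                                   if e["result"] == "OK" and e["ts"] >= first["ts"]})
                alerts[ip] = {"distinct_users": len(users), "compromised": later_ok}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in find_spraying(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {info['distinct_users']} accounts targeted, "
              f"compromised={info['compromised']}")
```

On the constructed input only 203.0.113.7 is flagged: six accounts in fifteen seconds, with erin.lee logging in successfully afterwards, which is the account to reset first. In production the source key should also include the user agent or ASN, since a spraying campaign is often spread over many addresses to stay under exactly this kind of per-IP threshold.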