
Ankura CTIX FLASH Update - June 27, 2023

Malware Activity

Southwest Airlines and American Airlines Disclose Data Breach Due to Third-Party Vendor

Two of the largest airlines in the world, Southwest Airlines and American Airlines, disclosed data breaches on June 23, 2023, caused by the compromise of their third-party vendor, Pilot Credentials. Pilot Credentials is an independent service provider that manages pilot applications and recruitment portals for the air transport industry. Southwest and American Airlines were informed of the Pilot Credentials compromise on May 3, 2023; an unauthorized actor had gained access to the vendor's systems on April 30, 2023, and exfiltrated documents. The documents contained data that was "provided by certain applicants in the pilot and cadet hiring process." Each airline submitted its own data breach notification. American Airlines noted that the compromised data contains the following personal information: names and Social Security numbers (SSNs), driver's license numbers, passport numbers, dates of birth, Airman Certificate numbers, and other government-issued identification numbers, and that 5,745 individuals were impacted by this data breach. Southwest did not specify all of the exposed data fields beyond impacted individuals' names, driver's license numbers, and identification card numbers, but did note that 3,009 individuals have been impacted. There is currently no evidence that the pilots were specifically targeted or that the stolen information has been exploited, and both airlines have stated that they will no longer use Pilot Credentials. CTIX analysts will continue to monitor technical details of the Pilot Credentials incident and will provide updates as necessary.

Threat Actor Activity

Threat Profile: Midnight Blizzard

Recent trends across the threat landscape show a significant rise in credential theft targeting everyone from private individuals to government organizations. One of the threat organizations involved in this surge is the Russian-aligned Midnight Blizzard threat group. This group, tracked under numerous monikers including APT29 and BlueBravo, has gained attention for its major operations, including the SolarWinds supply chain compromise, espionage against the Democratic National Committee, and intrusions into various government bodies, foreign ministries, and diplomatic organizations. Midnight Blizzard maintains a strong connection with the Russian Foreign Intelligence Service (SVR), which is known for its electronic surveillance and cyberespionage efforts against those opposing Russia. In its recent campaign, Midnight Blizzard actors have used numerous credential access methods to infiltrate public-facing infrastructure, including session replay, brute force, token theft, and password spraying attacks. To raise their chances of success with little or no detection, Midnight Blizzard actors route their operations through residential proxy services, so that their traffic blends with legitimate residential address space and evades source-address-based network detection. The group has also been known to target users whose systems carry specific vulnerabilities, including the older Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026) and the recent Microsoft Outlook zero-day CVE-2023-23397. Lastly, Midnight Blizzard's primary delivery method is social engineering of its target(s) with news-themed spear-phishing attacks related to the Russia/Ukraine conflict. CTIX continues to monitor threat groups worldwide and reminds users to verify the integrity of any digital communication before visiting embedded URLs or downloading attachments.
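A detection sketch for the password-spraying pattern described above, added here as an example and not code from the original update: because the residential proxies the group uses rotate source addresses, the check keys on how many distinct accounts see failed logins in a window rather than on any single source IP. The log format, sample lines and thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not taken from the original page).
# Six different accounts fail within 40 seconds from six different addresses,
# then one account fails twice later; only the first pattern is a spray.
SAMPLE_LOG = """\
2023-06-26T09:00:01Z FAIL user=alice src=203.0.113.10
2023-06-26T09:00:04Z FAIL user=bob src=198.51.100.7
2023-06-26T09:00:09Z FAIL user=carol src=192.0.2.55
2023-06-26T09:00:15Z FAIL user=dave src=203.0.113.88
2023-06-26T09:00:20Z FAIL user=erin src=198.51.100.23
2023-06-26T09:00:31Z OK user=frank src=192.0.2.9
2023-06-26T09:00:40Z FAIL user=grace src=203.0.113.201
2023-06-26T11:30:00Z FAIL user=alice src=192.0.2.77
2023-06-26T11:30:05Z FAIL user=alice src=192.0.2.77
"""

# Assumed log format: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>".
LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def spray_windows(events, window=timedelta(minutes=5), min_users=5):
    """Return (window_start, distinct_users, distinct_sources) for each window
    in which failures spread across at least min_users accounts. Source IPs
    are only reported, never used as the grouping key, so proxy rotation
    does not hide the pattern."""
    fails = sorted(e for e in events if e[1] == "FAIL")
    hits, covered_until = [], None
    for i, (start, _, _, _) in enumerate(fails):
        if covered_until is not None and start <= covered_until:
            continue  # already reported as part of an earlier window
        users, sources = set(), set()
        for ts, _, user, src in fails[i:]:
            if ts - start > window:
                break
            users.add(user)
            sources.add(src)
        if len(users) >= min_users:
            hits.append((start, len(users), len(sources)))
            covered_until = start + window
    return hits
```

The two later failures against the same account from one address are deliberately not flagged here; that is the brute-force pattern, which warrants a separate per-account counter.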

Vulnerabilities

Critical Vulnerability in FortiNAC Network Access Control Solution Gets Patched

Fortinet has patched a critical vulnerability impacting multiple versions of its network access control solution. The flaw, tracked as CVE-2023-33299, received a CVSS score of 9.6/10 and is a Java deserialization of untrusted data vulnerability in FortiNAC that could be exploited by threat actors to achieve remote code execution (RCE). A remote unauthenticated attacker could exploit this vulnerability by sending maliciously crafted requests to the FortiNAC service running on TCP port 1050. Alongside this vulnerability, a medium severity flaw was also patched. That vulnerability is tracked as CVE-2023-33300 (CVSS 4.8/10) and is a command injection vulnerability caused by improper neutralization of special elements used in commands. It affects a smaller subset of FortiNAC versions and allows an unauthenticated attacker to copy files stored locally on the device; however, the attacker cannot access those files without first compromising a privileged user account or escalating their privileges. Both flaws were disclosed to Fortinet by security researcher Florian Hauser of CODE WHITE GmbH, who was inspired by the disclosure of a February 2023 FortiNAC vulnerability that was actively exploited in the wild. Both vulnerabilities have been patched, and CTIX analysts recommend that any administrators responsible for FortiNAC devices patch the flaws immediately.

Honorable Mention

Europol's EncroChat Bust Leads to 2,600 Arrests, $979 Million Seized, Along with Drugs, Planes, Boats, & Explosives

Europol announced today, June 27, 2023, that the takedown of EncroChat in July 2020 has led to 6,558 arrests, the seizure of $979 million in illicit funds, and 7,134 years of prison sentences. EncroChat phones offered a means of communicating securely, using a hardened version of Android that promised users unbreakable encryption, anonymity, and no traceability. The platform was valued by criminals, most of whom were either members of organized crime (34.8%) or involved in drug trafficking (33.3%). Another 14% engaged in money laundering, 11.5% in murders, and 6.4% in firearms trafficking. Beyond the confidentiality it advertised, EncroChat offered message self-destruction features, a panic device wipe, tamper-proof booting, and a brute-force-resistant FIPS 140-2 certified hardware cryptographic engine. This combination of secure communication features was valued by the criminals who used the platform for their nefarious pursuits. Users paid $1,635 for a six-month subscription with global coverage and 24/7 support, or $1,090 as a one-time payment for an EncroChat phone that could be erased remotely. Back in 2020, Europol was able to break EncroChat's encryption algorithm, effectively gaining access to millions of messages shared between users. Europol analyzed the data of 115 million conversations between almost 60,000 users, using its findings to coordinate efforts with local law enforcement agencies and police units. This led to the seizure of 270 tons of drugs, 971 vehicles, 271 properties, 923 weapons, 68 explosives, 40 planes, and 83 boats. Law enforcement agents also seized $807 million in cash, froze another $168 million, and arrested 6,558 EncroChat users, 197 of whom were high-value targets.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
