Cyble – Aviation Industry Facing Ransomware Headwinds

Airlines based in Malaysia, Thailand, Portugal, and Kuwait were hit by a series of ransomware incidents attributed to several threat actors, including Daixin Team, ALPHV (BlackCat), Ragnar Locker, and LockBit. The report outlines the attackers' methods, the data breached, the broader implications for aviation security, and recommended defensive measures. #DaixinTeam #ALPHV #RagnarLocker #LockBit #MalaysiaAirline #ThaiLowCostCarrier #PortugueseCarrier #KuwaitAirline

Key points

  • Daixin Team infiltrated a Malaysia-based airline, allegedly stealing data belonging to about 5 million passengers; initial access came through vulnerable VPN servers and through credentials stolen via phishing emails and stealer malware.
  • ALPHV (BlackCat) claimed to have compromised a Thailand-based airline, exfiltrating over 500 GB of data; the group's ransomware is written in Rust, and it gains access with previously compromised user credentials before compromising Active Directory and administrator accounts to escalate privileges.
  • Ragnar Locker attacked a Portugal-based airline and leaked about 581 GB of data; the group runs double extortion (data theft plus encryption), encrypting files with Salsa20 and wrapping the per-file keys with RSA-2048, so files cannot be recovered without the attackers' private key.
  • LockBit (LockBit 2.0/3.0) targeted a Kuwait-based airline, leaking over 150 GB of data including HR records and government- and aircraft-related data; the operation has expanded rapidly since 2020.
  • Impacts include leaked personal and corporate data, a heightened risk of targeted phishing against the affected passengers and staff, legal and reputational damage, and potential safety concerns if flight-related systems are affected.
  • Recommendations emphasise email monitoring, isolated (offline) backups as part of a business continuity plan (BCP), regular audits and penetration testing, enforcing VPN use and keeping VPN servers patched (given their role as an initial-access vector), security awareness training, and behaviour-based defences against ransomware.

MITRE Techniques

  • [T1133] External Remote Services – Initial access gained via vulnerable VPN servers. "leverage initial access via vulnerable VPN servers as well as compromised credentials obtained through phishing emails and stealer malware."
  • [T1566] Phishing – Credential theft through phishing emails (the report does not say whether attachments or links were used, so no sub-technique is assigned). "compromised credentials obtained through phishing emails and stealer malware."
  • [T1078] Valid Accounts – Use of compromised credentials, followed by domain-level privilege escalation (the Active Directory compromise aligns with T1078.002, Domain Accounts). "gains access using previously compromised user credentials, and once malware establishes, it compromises Active Directory and administrator account for privilege escalation."
  • [T1486] Data Encrypted for Impact – Ransomware encrypts data to disrupt operations. "Salsa20 encryption, and RSA-2048 to encrypt file keys."
  • [TA0010] Exfiltration – Data theft and leakage from victims. "leaked over 581 GB of the company's data" and related data-theft references. The report gives no evidence for a specific channel (T1041, Exfiltration Over C2 Channel, is not supported by the text); the rclone artifacts in the Daixin Team IOCs below are consistent with bulk copying to cloud storage (T1567.002).

Indicators of Compromise

  • [File] Daixin Team IOCs – rclone-v1.59.2-windows-amd64\git-log.txt, rclone-v1.59.2-windows-amd64\rclone.1 (both are files shipped in the rclone v1.59.2 Windows release archive, i.e. artifacts of the exfiltration tool rather than of the ransomware payload itself)
  • [Hash] Daixin Team IOCs – 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238, 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD
  • and 3 more hashes
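As an added example (not code from Cyble's report), the following Python script sweeps a file tree for the two SHA-256 values and the rclone release artifacts listed above, and scans process-creation log lines for rclone invoked with a transfer verb, which is the command shape behind the exfiltration noted in the MITRE section. The directory tree and 4688-style log lines are constructed for illustration, the stand-in files are not real samples, and the T1567.002 association is the editor's inference rather than the report's mapping. Only the standard library is used.

```python
"""Added example: sweep a file tree and process-creation log for the Daixin Team
indicators listed on this page (rclone release artifacts and SHA-256 hashes).
Uses only the Python standard library; all sample data below is constructed."""
import hashlib
import re
import tempfile
from collections import namedtuple
from pathlib import Path

# SHA-256 values quoted on this page, normalised to lower case for comparison.
# The three hashes the page elides are not reproduced here.
DAIXIN_SHA256 = {h.lower() for h in (
    "9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238",
    "19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD",
)}
# File names from the page's IOC list; both ship inside the rclone Windows release directory.
RCLONE_ARTIFACTS = {"git-log.txt", "rclone.1"}
RCLONE_DIR_RE = re.compile(r"^rclone-v[\d.]+-windows-amd64$", re.IGNORECASE)
# rclone run with a copy/sync/move verb: the shape of a bulk exfiltration command.
RCLONE_CMD_RE = re.compile(r"\brclone(?:\.exe)?\b.*\b(?:copy|sync|move)\b", re.IGNORECASE)

Hit = namedtuple("Hit", "path name reason")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root):
    """Walk `root`; report files whose hash is on the IOC list or that are rclone release artifacts."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in DAIXIN_SHA256:
            hits.append(Hit(str(p), p.name, f"sha256 match {digest}"))
        # Name alone is weak evidence (git-log.txt is generic), so also require
        # the rclone release directory as the parent.
        if p.name.lower() in RCLONE_ARTIFACTS and RCLONE_DIR_RE.match(p.parent.name):
            hits.append(Hit(str(p), p.name, "rclone release artifact"))
    return hits


def rclone_exfil_events(log_lines):
    """Return log lines where rclone runs with a transfer verb (candidate T1567.002 activity)."""
    return [line for line in log_lines if RCLONE_CMD_RE.search(line)]


def build_demo_tree():
    """Create a throwaway tree with constructed stand-in files (not real malware samples)."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    release = root / "Users" / "ops" / "Downloads" / "rclone-v1.59.2-windows-amd64"
    release.mkdir(parents=True)
    (release / "git-log.txt").write_text("constructed stand-in for the rclone changelog\n")
    (release / "rclone.1").write_text("constructed stand-in for the rclone man page\n")
    (root / "Users" / "ops" / "notes.txt").write_text("benign file, should not be flagged\n")
    return root


# Constructed Windows 4688-style process-creation lines (not real telemetry).
SAMPLE_LOG = [
    r'4688 NewProcessName=C:\Users\ops\Downloads\rclone-v1.59.2-windows-amd64\rclone.exe '
    r'CommandLine="rclone.exe copy D:\HR\ mega:pax-backup --transfers 32"',
    r'4688 NewProcessName=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"',
    r'4688 NewProcessName=C:\Windows\notepad.exe CommandLine="notepad.exe rclone-notes.txt"',
    r'4688 NewProcessName=C:\Temp\rclone.exe CommandLine="rclone.exe sync C:\Shares\Passengers remote:pax -q"',
]

if __name__ == "__main__":
    for hit in sweep(build_demo_tree()):
        print(f"[file] {hit.reason}: {hit.path}")
    for line in rclone_exfil_events(SAMPLE_LOG):
        print(f"[log]  {line}")
```

Point `sweep()` at a mounted disk image or a suspect host's user profile directories; hash matches are high-confidence, while the artifact rule only says rclone was unpacked there and should be corroborated with the command-line check, since rclone is also legitimate administrative tooling.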

Read more: https://blog.cyble.com/2022/11/23/aviation-industry-facing-ransomware-headwinds/