Monday, November 4, 2024
HomeCVE/vulnerabilityAkira Ransomware Attacking Airline Industry With Legitimate Tools

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Published on

Malware protection

Airlines often become the target of hackers as they contain sensitive personal and financial details of passengers as well as travel schedules and loyalty programs.

Since airlines are attractive to threat actors, disrupting their operations can be quite damaging to their economic and reputational statuses.

Cybersecurity researchers at BlackBerry discovered that in Latin America, an Akira ransomware attack targeted an airline in June 2024 by using SSH to gain initial access reconnaissance and persistence through legitimate tools and LOLBAS.

- Advertisement - SIEM as a Service

Akira Ransomware Attacking Airline

Before employing the ransomware, the Linux-based attacker had exfiltrated critical data.

AKIRA is also known as Storm-1567 RaaS group (aka Punk Spider and GOLD SAHARA), which embraces the double-extortion method and often abuses legitimate software.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

This group began its activities in March 2023 and has already received over $42 million in ransoms from more than 250 organizations worldwide, operating across different sectors of the economy.

Akira not only focuses on Windows systems but also has Linux variants, such as one for VMware ESXi virtual machines, which shows how versatile it can be for any IT environment.

Attack chain (Source – BlackBerry)

The attack on Latin American airlines by Akira ransomware was executed by exploiting an unpatched Veeam backup server via CVE-2023-27532.

Previously, the operators of Akira gained access by utilizing CVE-2020-3259 and CVE-2023-20269.

SSH was used to gain entry into the system by attackers who created an admin user and employed legitimate tools such as Advanced IP Scanner for their recon. In 133 minutes, they were able to exfiltrate some data through WinSCP.

Antivirus protection was turned off the following day, and the network was infected with Akira ransomware (w.exe). Shadow copies were deleted to restrict recovery.

This attack used different sound programs and LOLBAS methodologies like smbexec from Impacket, NetScan, and AnyDesk for persistence.

This incident involved sophisticated tactics aimed at making maximum impacts both in terms of consequential damages and ransom amounts that could be paid to secure the release of affected files, BlackBerry researchers said.

This Latin American airline was hit by Akira ransomware using the endpoint logs, which showed that Remmina was used, and this suggests that the attackers were likely Linux-based.

Data exfiltration occurred via IP 77.247.126.158. Within UTC working hours for two days, the attack indicates actors may be from a timezone close to or in UTC, possibly Western Europe.

Akira is a Ransomware-as-a-Service operation that normally targets small and medium-sized businesses but has also attacked some large companies in North America and Europe.

The occurrence underlines the critical nature of immediate patching and software updates within corporate networks in order to block such sophisticated cyber threats and highlight the expansion of this group into Latin America, among other things.

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Threat Actors Allegedly Claiming Leak of Dell Partner Portal Data

A well-known dark web forum threat actor allegedly claimed responsibility for leaking data from...

Securing Your SaaS Application Security

The rapid growth of cloud computing has made SaaS applications indispensable across industries. While...

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...

Hackers Use Fog Ransomware To Attack SonicWall VPNs And Breach Corporate Networks

Recent cyberattacks involving Akira and Fog threat actors have targeted various industries, exploiting a...