Hackers who appear to be part of the Scattered Spider cybercrime gang have launched attacks on airlines and potentially other industries after moving on from the retail and insurance industries, according to multiple threat researchers.
The researchers’ warnings, which did not identify specific victims, come at a time of heightened concern about the safety and resilience of commercial aviation. Scattered Spider has been on a tear since April, targeting American and British retailers, and then insurers earlier this month.
“Mandiant is aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider,” Charles Carmakal, CTO at Mandiant Consulting-Google Cloud, said via email.
Mandiant is still working on attribution and analysis, but Carmakal said the tactics, techniques and procedures are consistent with the group’s past attacks.
Organizations can train help desk staff to use phishing-resistant multifactor authentication and robust identity-verification measures, Carmakal said. Scattered Spider has historically tricked help desk workers into resetting passwords or bypassing MFA safeguards.
Researchers at Palo Alto Networks have also observed the same threat group, which the company tracks as Muddled Libra, targeting the aviation sector.
“Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests,” Sam Rubin, senior vice president of consulting and threat intelligence at the company, said via email.
The FBI said in a statement that it has seen Scattered Spider expand its targeting to the aviation industry.
Scattered Spider often impersonates employees or contractors to deceive IT help desks into granting access to systems, and often adds unauthorized devices to compromised accounts as part of bypassing MFA.
“They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,” according to the FBI. “Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware.”
While not commenting on any specific cases, the FBI said it is actively working with aviation and industry partners on the investigation and urged prompt reporting of any suspicious activity to help authorities intelligence and prevent further compromise.
Hawaiian Airlines hacked
The warnings follow an attack on Hawaiian Airlines, which the airline disclosed on Thursday. The attack disrupted some of its IT systems, but the airline has not attributed it to any group.
Hawaiian Airlines said it continues to operate safely, and that it has notified authorities and is working with third-party experts to investigate the intrusion and restore regular network operations.
American Airlines said a “technology issue impacted connectivity” for some of its systems, according to a statement from the carrier. After working with partners, it was able to resolve the issue and restore full operations. The carrier said no flights were canceled, but confirmed earlier flight delays.
The airline did not comment on what led to the disruption.
Researchers at Halcyon confirmed on Friday that Scattered Spider had shifted towards the transportation sector, including aviation. The company warned that Scattered Spider is also targeting the food and manufacturing sectors.
Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, told Cybersecurity Dive that organizations should audit any use of remote management tools for signs of abuse.
Researchers previously warned that the aviation and airline industries were at risk of hacks due to aging infrastructure and major cuts at their federal agency partners.
The Cybersecurity and Infrastructure Security Agency, which works with the Transportation Security Administration to help protect U.S. airlines, did not respond to a request for comment. Federal Aviation Administration officials were not immediately available.
(Updates with comment from the FBI and American Airlines.)