Airlines often become the target of hackers as they contain sensitive personal and financial details of passengers as well as travel schedules and loyalty programs.
Since airlines are attractive to threat actors, disrupting their operations can be quite damaging to their economic and reputational statuses.
Cybersecurity researchers at BlackBerry discovered that in Latin America, an Akira ransomware attack targeted an airline in June 2024 by using SSH to gain initial access reconnaissance and persistence through legitimate tools and LOLBAS.
Akira Ransomware Attacking Airline
Before employing the ransomware, the Linux-based attacker had exfiltrated critical data.
AKIRA is also known as Storm-1567 RaaS group (aka Punk Spider and GOLD SAHARA), which embraces the double-extortion method and often abuses legitimate software.
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files
This group began its activities in March 2023 and has already received over $42 million in ransoms from more than 250 organizations worldwide, operating across different sectors of the economy.
Akira not only focuses on Windows systems but also has Linux variants, such as one for VMware ESXi virtual machines, which shows how versatile it can be for any IT environment.
The attack on Latin American airlines by Akira ransomware was executed by exploiting an unpatched Veeam backup server via CVE-2023-27532.
Previously, the operators of Akira gained access by utilizing CVE-2020-3259 and CVE-2023-20269.
SSH was used to gain entry into the system by attackers who created an admin user and employed legitimate tools such as Advanced IP Scanner for their recon. In 133 minutes, they were able to exfiltrate some data through WinSCP.
Antivirus protection was turned off the following day, and the network was infected with Akira ransomware (w.exe). Shadow copies were deleted to restrict recovery.
This attack used different sound programs and LOLBAS methodologies like smbexec from Impacket, NetScan, and AnyDesk for persistence.
This incident involved sophisticated tactics aimed at making maximum impacts both in terms of consequential damages and ransom amounts that could be paid to secure the release of affected files, BlackBerry researchers said.
This Latin American airline was hit by Akira ransomware using the endpoint logs, which showed that Remmina was used, and this suggests that the attackers were likely Linux-based.
Data exfiltration occurred via IP 77.247.126.158. Within UTC working hours for two days, the attack indicates actors may be from a timezone close to or in UTC, possibly Western Europe.
Akira is a Ransomware-as-a-Service operation that normally targets small and medium-sized businesses but has also attacked some large companies in North America and Europe.
The occurrence underlines the critical nature of immediate patching and software updates within corporate networks in order to block such sophisticated cyber threats and highlight the expansion of this group into Latin America, among other things.
“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo