
Akira Ransomware Targets Airline Industry Using Legitimate Tools


Airlines are often targeted by hackers due to the sensitive personal and financial information they store, as well as travel schedules and loyalty programs. The disruption of airline operations can have severe economic and reputational consequences, making them attractive targets for threat actors.

Recently, cybersecurity researchers at BlackBerry uncovered a disturbing trend in Latin America. In June 2024, an airline in the region fell victim to an Akira ransomware attack. The attackers used SSH to gain initial access, conducted reconnaissance, and established persistence using legitimate tools and Living Off the Land Binaries and Scripts (LOLBAS).

The Akira ransomware group, also known as Storm-1567 RaaS, is notorious for its use of the double-extortion method and exploitation of legitimate software. Since its inception in March 2023, the group has extorted over $42 million from more than 250 organizations worldwide, spanning various sectors of the economy.

Akira’s reach extends beyond Windows systems, with Linux variants designed for platforms like VMware ESXi virtual machines. This versatility allows the group to target a wide range of IT environments, making them a formidable threat to organizations of all sizes.

The attack on the Latin American airline exploited an unpatched Veeam backup server, demonstrating the importance of timely software updates and vulnerability patches. Prior to this attack, the Akira operators used other vulnerabilities such as CVE-2020-3259 and CVE-2023-20269 to gain access to systems.

The attackers employed SSH to infiltrate the airline’s network, creating an admin user and utilizing tools like Advanced IP Scanner for reconnaissance. Within minutes, they were able to exfiltrate critical data using WinSCP. Subsequently, the antivirus protection was disabled, paving the way for the deployment of the Akira ransomware.

To ensure the success of the attack, the threat actors used sophisticated techniques, including deleting shadow copies to prevent data recovery. They also leveraged legitimate programs and LOLBAS techniques, such as smbexec from Impacket and AnyDesk, for persistence within the network.
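Because each tool in this chain is legitimate on its own, detection has to key on several of them appearing together on one host. The following is an added example (not from the article or from BlackBerry's report) that correlates process-creation events per host. The log format, host names, command-line patterns, two-hour window and three-stage threshold are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Stage -> command-line pattern. Assumed, commonly seen invocations of the tools
# the article names; these are not indicators from the BlackBerry report.
STAGES = {
    "admin_user_created": re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.I),
    "network_scan": re.compile(r"advanced_ip_scanner", re.I),
    "file_transfer": re.compile(r"winscp", re.I),
    "remote_access": re.compile(r"anydesk", re.I),
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}

# Constructed process-creation events: "<ISO time> <host> <command line>".
SAMPLE = r"""2024-06-01T09:15:00 WS07 "C:\Program Files (x86)\WinSCP\WinSCP.exe"
2024-06-01T10:00:05 BKP01 net user tempadm /add
2024-06-01T10:00:09 BKP01 net localgroup administrators tempadm /add
2024-06-01T10:07:41 BKP01 C:\Users\tempadm\Downloads\advanced_ip_scanner.exe
2024-06-01T10:31:12 BKP01 "C:\Program Files (x86)\WinSCP\WinSCP.exe"
2024-06-01T11:40:30 BKP01 vssadmin delete shadows /all /quiet
2024-06-01T14:02:00 WS07 "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
""".splitlines()

def parse(line):
    ts, host, cmd = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, cmd

def classify(cmd):
    return [name for name, rx in STAGES.items() if rx.search(cmd)]

def correlate(lines, window=timedelta(hours=2), min_stages=3):
    """Map host -> sorted stages for hosts with >= min_stages distinct stages inside one window."""
    hits = {}
    for ts, host, cmd in sorted(map(parse, lines)):
        for stage in classify(cmd):
            hits.setdefault(host, []).append((ts, stage))
    alerts = {}
    for host, seen in hits.items():
        for i, (start, _) in enumerate(seen):
            stages = {s for t, s in seen[i:] if t - start <= window}
            if len(stages) >= min_stages and len(stages) > len(alerts.get(host, ())):
                alerts[host] = sorted(stages)
    return alerts

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

The workstation that runs WinSCP and AnyDesk hours apart raises no alert, while the backup server that shows account creation, scanning, file transfer and shadow-copy deletion inside one window does.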

The incident underscores the need for organizations to prioritize cybersecurity measures such as regular patching and software updates to thwart attacks of this nature. The Akira ransomware attack on the Latin American airline highlights the expanding reach of cybercriminal groups into new regions, posing significant challenges to cybersecurity professionals worldwide.

As the threat landscape continues to evolve, it is imperative for businesses to remain vigilant and proactive in safeguarding their systems and data from malicious actors. The Akira ransomware attack serves as a stark reminder of the ever-present danger posed by cyber threats and the importance of implementing robust cybersecurity defenses to mitigate risks effectively.

In conclusion, the Akira ransomware attack on the Latin American airline serves as a wake-up call for organizations to bolster their cybersecurity defenses and stay ahead of emerging threats. By investing in robust security measures and staying informed about the evolving threat landscape, businesses can better protect themselves against cyber attacks and safeguard their valuable assets and sensitive information.
