FBI Warns That Casino Hackers Are Now Targeting Airlines

'Scattered Spider' group reportedly plants ransomware.


According to the FBI, several airlines have suffered security breaches at the hands of a cybercrime organization known as “Scattered Spider.” Multiple news outlets, including The Hill, are reporting on the alert the FBI issued last week. The alert reads, in part, “They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”

The FBI warns that Scattered Spider is a group of hackers that targeted casinos last year and now appears to be branching out to new victims, such as the airline industry. According to the alert, “These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts.”

Once they gain access to accounts, the attackers install ransomware to compromise the victim’s software and demand payment. Targeted airlines, including Canada’s WestJet and Hawaiian Airlines, say they have been in contact with cybersecurity services and that they are monitoring their systems and “assessing the impacts.” A Delta Air Lines spokesperson said, “As we do occasionally, out of an abundance of caution, we reset credentials for accounts and ask that customers verify them with us to maintain security of the accounts.” The spokesperson also confirmed that the airline’s customers’ SkyMiles loyalty accounts “are secure.”

The FBI has also recommended that software developers take specific actions to assist in preventing attacks.

Mark Phelps

Mark Phelps is a senior editor at AVweb. He is an instrument rated private pilot and former owner of a Grumman American AA1B and a V-tail Bonanza.


Replies: 3

  1. Don’t be worry, everybody happy, give us your money.

  2. [snort] The last time corporate computer systems were “secure” was in the 1950’s when a dedicated piece of coax directly connected a computer to a terminal in a locked room. As soon as the dial-up ASR teletype came on the scene, there was really no way to ensure that access was secure (Passwords? Hah.)

    I have an old and dear colleague who makes a handsome living teaching SANS security courses to computer professionals around the globe. He says that there is no such thing as a “secure computer system”, just a slew of people like his students doing the Hans Brinker “Boy and Dike” scramble.

  3. You want to stop this? Catch a few of them and sentence them to 25 years without parole. Publicize it. Everywhere.
