The recently disclosed attack aimed at two websites pertaining to the San Francisco International Airport (SFO) is the work of Russian hackers, ESET claims.
In March, two SFO websites were found to have been compromised by hackers and injected with code designed to steal visitors’ Windows login credentials. The websites, SFOConnect.com and SFOConstruction.com, contain information on various airport-related topics but enjoy low traffic.
The code discovered on the websites, SFO revealed, was targeting only those visiting from outside the airport network, via Internet Explorer from Windows-based machines.
To contain the attack, SFO took down the websites and also prompted a reset of all SFO-related email and network passwords on March 23.
Some researchers noted at the time that the attack resembled that of a Magecart group, which usually injects malicious code into ecommerce websites to steal users’ credit card data.
However, ESET’s security researchers took it to Twitter to point out that the attack was targeting Windows credentials and that it should not be linked to Magecart stealers.
“Contrary to what several people reported, #ESETresearch assesses that this attack has no link with any Magecart credential stealer. The targeted information was NOT the visitor’s credentials to the compromised websites, but rather the visitor’s own Windows credentials,” ESET noted.
The security firm also pointed out that the compromise carries the marks of the Russia-based advanced persistent threat (APT) actor tracked as Dragonfly.
Also known as Crouching Yeti and Energetic Bear, the threat actor has been active since at least 2010, mainly targeting the energy sector in the United States and Europe.
“The recently reported breach of #SFO airport websites is in line with the TTPs of an APT group known as Dragonfly/Energetic Bear. The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” ESET said.
The code would employ the file:// path to load an image from a remote server, causing Internet Explorer to load the image using the SMB (Server Message Block) protocol, which results in the victim’s Windows credentials (username and hashed password) being sent to the remote server.
Modern browsers are likely protected from such attacks, but older versions of Internet Explorer will likely fall victim to the credential theft attempt.
ESET security researcher Matthieu Faou noted in a tweet on April 14 that SFO was informed of Dragonfly’s attack in March, and that the issue was addressed immediately after that.
Related: San Francisco International Airport Discloses Data Breach
Related: Russian Cyberspies Hacked Routers in Energy Sector Attacks
More from Ionut Arghire
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Florida Hospital Cancels Procedures, Diverts Patients Following Cyberattack
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
Latest News
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
- Florida Hospital Cancels Procedures, Diverts Patients Following Cyberattack
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
