Background
In December 2022, it seemed like Christmas arrived early for the now-seized cybercrime forum “Breached.”
A relatively unknown threat actor who goes by the alias “USDoD” posted a thread in which they offered the database of the FBI’s sharing system, “InfraGard,” for sale.
Due to the sensitive nature of “InfraGard,” the leak piqued the curiosity of numerous researchers and garnered attention on various cybersecurity blogs and articles.”
KrebsOnSecurity’s blog about the InfraGard hack.
After the law enforcement shutdown of “Breached” forum, cybercriminals, including “USDoD,” scrambled to find alternative platforms to sell stolen data. This scramble led to the emergence of a new cybercrime forum called “BreachForums.”
Fast forward to September 2023, and “USDoD” posted two threads on this new forum, with only minutes between them.
In the first thread, the threat actor announced their official membership in the notorious ransomware group known as “Ransomed.”
“USDoD” announces they join “Ransomed” ransomware group.
“Ransomed” is a relatively new ransomware group that is rapidly gaining prominence, proudly claiming on Twitter to have targeted a majority of companies with ransomware attacks during September 2023.
Taken from ransomwatch.telemetry.ltd
In the second, far more alarming thread, “USDoD” exposed the personal information of 3,200 sensitive Airbus vendors, with contact details such as names, addresses, phone numbers, and email addresses, all while claiming Lockheed Martin and Raytheon might be the next targets.
This leak is highly sensitive given the types of companies implicated.
Sample from the leak, showing vendors of Airbus such as Rockwell Collins, Thales Group, and others.
An Avoidable Breach
Threat actors typically refrain from revealing their intrusion techniques, however in this exceptionally rare leak, “USDoD” revealed they gained access to Airbus’s data by exploiting “employee access from a Turkish Airline”.
Using this information, Hudson Rock researchers succeeded to trace the mentioned employee access — a Turkish computer infected with an info-stealing malware in August 2023.
Credentials of the infected employee, discovered in Hudson Rock’s database.
Technical information from the infected computer.
As depicted in the images, the computer belongs to an employee of Turkish Airlines and contains third-party login credential details for Airbus.
The victim likely attempted to download a pirated version of the Microsoft .NET framework, as indicated in the malware path.
Consequently, they fell victim to a threat actor utilizing the commonly employed RedLine info-stealing family.
Credentials obtained from info-stealer infections, which have become the primary initial attack vector in recent years, provide threat actors with easy entry points into companies, facilitating data breaches and ransomware attacks.
It’s crucial to underscore that Hudson Rock had the data of this employee’s compromised data on the very day of the infection, highlighting a missed opportunity for Turkish Airlines and Airbus to preemptively safeguard against this incident by utilizing Hudson Rock’s services.
UPDATE: Airbus’s CERT team was able to determine that the hack originated from the infected computer Hudson Rock identified
Info-stealer infections as a cybercrime trend surged by an incredible 6000% since 2018, positioning them as the primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage.
To learn more about how Hudson Rock protects companies from imminent intrusions caused by info-stealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here: https://www.hudsonrock.com/schedule-demo
Hudson Rock provides access to various free cybercrime intelligence tools that you can find here: www.hudsonrock.com/free-tools