[BreachExchange] Massive Supply-Chain Cyberattack Breaches Several Airlines

[Destry Winant]

https://threatpost.com/supply-chain-cyberattack-airlines/164549/

The cyberattack on SITA, a nearly ubiquitous airline service provider,
has compromised frequent-flyer data across many carriers.

A communications and IT vendor for 90 percent of the world’s airlines,
SITA, has been breached, compromising passenger data stored on the
company’s U.S. servers in what the company is calling a “highly
sophisticated attack.”

The affected servers are in Atlanta, and belong to the SITA Passenger
Service System (SITA PSS), company spokeswoman Edna Ayme-Yahil told
Threatpost. SITA PSS operates the systems for processing airline
passenger data and belongs to a group of SITA companies, headquartered
in the E.U.

Malaysia Air and Singapore Airlines have already made headlines in
recent days after alerting their customers they’ve been compromised as
part of the attack.

Yahil declined to say how many users have been affected for
confidentiality reasons, but Singapore Airlines reported more than
580,000 impacted customers alone, meaning the compromise could
ultimately impact millions of users.

“Each affected airline has been provided with the details of the exact
type of data that has been compromised, including details of the
number of data records within each of the relevant data categories,”
Yahil said.

Frequent-Flyer Data Compromised

While the company didn’t comment specifically on the types of data
exposed, “save to say that it does include some personal data of
airline passengers,” Yahil added. “Many airlines have issued public
statements confirming what types of data have been affected in
relation to their passengers.”

Airline members of the Star Alliance, including Luthansa, New Zealand
Air and Singapore Airlines, along with OneWorld members Cathay
Pacific, Finnair, Japan Airlines and  Malaysia Air,  have already
started communicating with its at-risk users, Yahil told Threatpost,
adding that South Korean airline JeJu Air’s passenger data was also
compromised.

“The data security incident occurred at our third-party IT service
provider and not Malaysia Airlines’ computer systems,” the Malaysia
Air’s Twitter account said about the breach earlier this week, without
mentioning SITA by name. “However, the airline is monitoring any
suspicious activity concerning its members’ accounts and in constant
contact with the affected IT service provider to secure Enrich
members’ data and investigate the incident’s scope and causes.”

The systems are linked by SITA PSS so that one airline can recognize
frequent-flyer benefits from other carriers.

“SITA PSS was holding the data of airlines that are not its direct
customers, but are alliance members, because other airlines that are
SITA PSS customers have an obligation to recognize the frequent flyer
status of individual passengers and ensure that such passengers
receive the appropriate privileges when they fly with them,” Yahil
explained to Threatpost. “That obligation arises from the contractual
commitments that the other airline has agreed in its contractual
arrangements with an alliance organization.”

She added, “It is common practice for alliance members to recognize
the frequent-flyer scheme tiers of the passengers they carry. This
mandates the sharing of frequent-flyer data amongst alliance members
and, consequently, the service providers to those alliance members
(such as SITA).”

Airline Supply-Chain Attacks on The Rise

While details on how the attack happened are scant, HackerOne
solutions architect Shlomie Liberow said SITA’s trove of personal data
would be tantalizing for cybercriminals.

“It’s not clear yet what the attack vector was in the SITA breach, but
HackerOne vulnerability data shows that the aviation and aerospace
industry see more privilege escalation and SQL-injection
vulnerabilities than any other industry, accounting for 57 percent of
the vulnerabilities reported to these companies by ethical hackers,”
Liberow explained. “SITA would be an attractive target for criminals
due to the sensitive nature of the information they hold — names,
addresses, passport data.”

Liberow said it’s time for the airlines to dig in on securing their systems.

“We’ve seen the aviation industry particularly hard hit over the past
year, perhaps because criminals know they will be vulnerable and their
focus and priorities on remaining in business. However, traditional
enterprises like airlines have always been an attractive target since
few are digital-first businesses, and therefore have relied on legacy
software, which is more likely to be out-of-date or have existing
vulnerabilities that can be exploited,” Liberow added.

Locking Down the Software Supply Chain

The breach is yet another in a long list of recent brutal attacks on
third-party supply-chain providers to target larger, more secure
organizations. The most well-known recent event is the SolarWinds
breach of the U.S. government; and there’s also the spate of global
zero-day attacks on users of the Accellion legacy File Transfer
Appliance product.

“The proliferated effect of the attack on SITA is yet another example
of how vulnerable organizations can be solely on the basis of their
connections to third-party vendors,” said Ran Nahmias, co-founder of
Cyberpion. “If these kinds of seemingly legitimate connections are not
properly monitored and protected, they can result in damaging breaches
that unleash highly confidential data, as evidenced in this
situation.”

That means it’s up to IT teams to evaluate the security of every
company within their perimeter, Demi Ben-Air from Panorays said.

“You simply cannot know whether your third parties meet your company’s
security controls and risk appetite until you’ve completed a full
vendor security assessment on them,” Den-Air explained. “But through
automated questionnaires, external footprint assessments and taking
into consideration the business impact of the relationship, you can
get a clear, up-to-date picture of supplier security risk. It’s
important to note that the best practice is not a ‘one-and-done’
activity, but through real-time, continuous monitoring.”

David Wheeler, director of open-source supply-chain security at the
Linux Foundation, explained during a recent Threatpost webinar on how
to lock down the supply chain that security-savvy IT pros should start
asking for SBOMs, or a software bill of materials, before using any
third-party solution. This will help ensure that the platform was
written securely and with reliable code.

“Today’s data breaches tell us it’s no longer enough to secure your
perimeter; you also have to secure your third parties, and their third
parties,” Ben-Ari warned.