Today’s Topics:
- CISA Responds to Controversial ‘Airport Security Bypass’ Vulnerability
- U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks
- How can Netizen help?
CISA Responds to Controversial ‘Airport Security Bypass’ Vulnerability
In late August 2024, cybersecurity researchers Ian Carroll and Sam Curry revealed a potentially alarming security flaw within FlyCASS, a third-party web-based application utilized by smaller airlines as part of the Cockpit Access Security System (CASS) and Known Crewmember (KCM) programs. These programs play a critical role in enabling Transportation Security Administration (TSA) security officers to verify the identity and employment status of airline crewmembers, allowing pilots and flight attendants to bypass regular security screening procedures.
The disclosed vulnerability, an SQL injection flaw, could allegedly allow malicious actors to gain unauthorized access to the application’s administrative functions. With this access, attackers could manipulate the list of pilots and flight attendants associated with a participating airline. According to Carroll and Curry, they successfully added a fictitious employee to the database, highlighting the severity of the issue.
“Surprisingly, there is no further check or authentication to add a new employee to the airline. As the administrator of the airline, we were able to add anyone as an authorized user for KCM and CASS,” the researchers stated. They further warned that with basic knowledge of SQL injection, an attacker could theoretically bypass airport security screening and access the cockpits of commercial airliners.
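To make the two defects described above concrete (user input concatenated into a SQL statement, and a privileged action that performs no further authorization check), here is an added example in Python. It is a hypothetical, simplified crew-roster application, not FlyCASS code; the table names, the airline names, and the use of SHA-256 for the stored password digest are all assumptions for the demonstration.

```python
import hashlib
import sqlite3

# Hypothetical, simplified crew-roster application (not FlyCASS code): an admin
# logs in for an airline and can then add crewmembers to that airline's roster.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (username TEXT, pw_hash TEXT, airline TEXT)")
    con.execute("CREATE TABLE crew (name TEXT, airline TEXT)")
    # Plain SHA-256 keeps the example short; a real system would use a slow password hash.
    con.execute("INSERT INTO admins VALUES (?, ?, ?)",
                ("alice", hashlib.sha256(b"s3cret").hexdigest(), "ExampleAir"))
    return con

def login_vulnerable(con, username, password):
    """Builds the query by string formatting, so input can change its structure."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    q = (f"SELECT airline FROM admins WHERE username = '{username}' "
         f"AND pw_hash = '{pw_hash}'")
    row = con.execute(q).fetchone()
    return row[0] if row else None  # airline the session is now admin of

def login_hardened(con, username, password):
    """Parameterized query: input is bound as data and is never parsed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    q = "SELECT airline FROM admins WHERE username = ? AND pw_hash = ?"
    row = con.execute(q, (username, pw_hash)).fetchone()
    return row[0] if row else None

def add_crewmember(con, session_airline, name, airline):
    """Server-side authorization on the privileged action itself: the caller must
    hold an admin session for the very airline whose roster is being modified."""
    if session_airline is None or session_airline != airline:
        raise PermissionError("not authorized for this airline")
    con.execute("INSERT INTO crew VALUES (?, ?)", (name, airline))
    return con.execute("SELECT COUNT(*) FROM crew WHERE airline = ?",
                       (airline,)).fetchone()[0]
```

The hardened login treats the whole username as a literal value, and the roster change is rejected unless the session was authenticated for that airline, which is the check the researchers found missing.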
The vulnerabilities were reported in April 2024 to several agencies, including the Federal Aviation Administration (FAA), ARINC (which operates the KCM system), and the Cybersecurity and Infrastructure Security Agency (CISA). In response, the FlyCASS service was swiftly disabled within the KCM and CASS systems, and the identified issues were patched.
However, the researchers expressed dissatisfaction with the disclosure process. While CISA acknowledged the issue initially, the researchers allege that communication from the agency abruptly ceased, leaving them without further updates. Additionally, they criticized the TSA for issuing what they described as “dangerously incorrect statements” regarding the vulnerability, denying the severity of the findings.
The TSA responded to the situation by downplaying the potential impact of the FlyCASS vulnerability. A TSA spokesperson emphasized that the flaw was not present in a TSA system and did not connect to any government infrastructure. The spokesperson assured that there was no impact on transportation security, and that the vulnerability had been promptly resolved by the third party responsible for the software.
“In April, TSA became aware of a report that a vulnerability in a third party’s database containing airline crewmember information was discovered and that through testing of the vulnerability, an unverified name was added to a list of crewmembers in the database. No government data or systems were compromised and there are no transportation security impacts related to the activities,” the spokesperson said.
Furthermore, the TSA clarified that they do not solely rely on the database in question for crewmember verification and have additional procedures in place to ensure security.
Initially silent on the matter, CISA has now issued a statement in response to inquiries. While the statement did not provide specific details about the potential impact of the vulnerabilities, CISA confirmed its awareness and involvement in addressing the issue.
“CISA is aware of vulnerabilities affecting software used in the FlyCASS system. We are working with researchers, government agencies, and vendors to understand the vulnerabilities in the system, as well as appropriate mitigation measures,” a CISA spokesperson stated. The agency also noted that it is actively monitoring for any signs of exploitation, though none have been observed to date.
The disclosure of the FlyCASS vulnerability has sparked a debate over the extent of its impact and the effectiveness of the response from the involved agencies. While the researchers who discovered the flaw warn of significant security risks, the TSA maintains that the vulnerability posed no immediate threat to transportation security. As CISA and other stakeholders continue to investigate, this incident serves as a reminder of the ongoing challenges in securing critical infrastructure against evolving cyber threats.
U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks
The U.S. government, along with a coalition of international partners, has officially linked a Russian hacking group known as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).
“These cyber actors have been responsible for network operations targeting global entities for espionage, sabotage, and reputational damage since at least 2020,” the authorities said in a statement. “Since early 2022, their focus appears to be on disrupting efforts to provide aid to Ukraine.”
The attacks have primarily targeted critical infrastructure and key resource sectors, including government services, financial services, transportation, energy, and healthcare sectors across NATO member states, the European Union, Central America, and Asia.
The advisory, released last week as part of Operation Toy Soldier, is a coordinated effort involving cybersecurity and intelligence agencies from the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K.
Cadet Blizzard, also known as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, first gained attention in January 2022 for deploying the destructive WhisperGate (also known as PAYWIPE) malware against multiple Ukrainian organizations in the lead-up to Russia’s full-scale invasion.
In June 2024, Amin Timovich Stigal, a 22-year-old Russian national, was indicted in the U.S. for his role in carrying out destructive cyberattacks on Ukraine using wiper malware. However, WhisperGate is not used exclusively by this group.
The U.S. Department of Justice (DoJ) has also charged five officers associated with Unit 29155 with conspiracy to commit computer intrusions and wire fraud conspiracy. These charges cover a wide range of targets, including Ukraine, the U.S., and 25 other NATO nations.
The five officers charged are:
- Yuriy Denisov (Юрий Денисов), a colonel in the Russian military and commanding officer of Cyber Operations for Unit 29155
- Vladislav Borovkov (Владислав Боровков), Denis Denisenko (Денис Денисенко), Dmitriy Goloshubov (Дима Голошубов), and Nikolay Korchagin (Николай Корчагин), all lieutenants in the Russian military assigned to Unit 29155 for cyber operations.
“The defendants acted to create panic among Ukrainian citizens regarding the security of their government systems and personal data,” according to the DoJ. “Their targets included systems and data with no military or defense roles. Later, they expanded to target countries providing aid to Ukraine.”
In conjunction with the indictment, the U.S. Department of State’s Rewards for Justice program has announced a reward of up to $10 million for information leading to the defendants’ locations or information about their cyber activities.
Unit 29155 has been implicated in numerous destabilizing activities across Europe, including attempted coups, sabotage, influence operations, and assassination plots. Since 2020, they have extended these efforts to offensive cyber operations aimed at espionage, reputational damage, and destruction of valuable systems.
According to the advisory, Unit 29155 is composed of junior GRU officers who collaborate with known cybercriminals and civilian enablers like Stigal to execute their missions. Their operations include website defacements, infrastructure scanning, data exfiltration, and leaking or selling sensitive data.
Their attack methods typically begin with scanning for known vulnerabilities in platforms like Atlassian Confluence Server and Data Center, Dahua Security, and Sophos’ firewall systems. After breaching a victim’s environment, they use tools like Impacket to facilitate post-exploitation and lateral movement, ultimately exfiltrating data to designated servers.
The advisory also mentioned that the group may have used the Raspberry Robin malware as an access broker. Another tactic involved targeting Microsoft Outlook Web Access (OWA) infrastructure with password spraying techniques to steal valid credentials.
Organizations are urged to take immediate action to reduce their vulnerability to such attacks. Recommendations include regular system updates, prompt remediation of known vulnerabilities, network segmentation to limit the spread of malicious activity, and implementing phishing-resistant multi-factor authentication (MFA) for all externally facing account services.
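As an added example (not from the advisory or this article), the following Python heuristic flags the password-spraying pattern described above: one source trying a few passwords against many distinct accounts, as opposed to many attempts against one account. The log lines are constructed sample data in a simple key=value form, not a real OWA or IIS log format, and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not a real OWA/IIS log format); UTC times.
SAMPLE_LOG = """\
2024-09-02T10:00:01Z src=203.0.113.5 user=a.smith result=FAIL
2024-09-02T10:00:04Z src=203.0.113.5 user=b.jones result=FAIL
2024-09-02T10:00:07Z src=203.0.113.5 user=c.lee result=FAIL
2024-09-02T10:00:10Z src=203.0.113.5 user=d.kim result=FAIL
2024-09-02T10:00:13Z src=203.0.113.5 user=e.ng result=FAIL
2024-09-02T10:01:00Z src=198.51.100.7 user=admin result=FAIL
2024-09-02T10:01:05Z src=198.51.100.7 user=admin result=FAIL
2024-09-02T10:02:00Z src=192.0.2.10 user=a.smith result=OK
"""

def parse_events(text):
    """Parse lines into (timestamp, src, user, result); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(p.split("=", 1) for p in parts[1:])
        events.append((ts, kv["src"], kv["user"], kv["result"]))
    return events

def detect_spray(events, window_minutes=10, min_users=5, max_per_user=2):
    """Return {src: sorted usernames} for sources whose failures inside one sliding
    window hit at least min_users accounts with at most max_per_user tries each."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start, counts = 0, defaultdict(int)
        for ts, user in fails:
            counts[user] += 1
            while ts - fails[start][0] > window:  # evict failures older than the window
                old_user = fails[start][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                start += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src] = sorted(counts)
    return flagged
```

The brute-force source (198.51.100.7) is deliberately not flagged by this rule; it concentrates on one account and belongs to a separate lockout or rate-limit control.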
How Can Netizen Help?
Netizen ensures that security gets built in rather than bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.