For the past two years, Cisco has detected a targeted phishing campaign aimed at the aviation industry, which was likely organised by cyber threat actor(s) based in Nigeria.
For the past two years, the actor(s) have been focusing on the aviation business while also managing other initiatives. They don’t appear to be technically sophisticated, according to researchers, because they’ve been utilising off-the-shelf malware since the beginning of their activities rather than developing their own.
Commenting on the targeted attacks, Fady Younes, Cybersecurity Director at Cisco Middle East and Africa said: “Many operators can have limited technical knowledge but still be able to operate RATs or information-stealers – posing a significant risk to large corporations given the right conditions. In this case, what appeared to be a simple campaign was, in fact, a continuous operation that has been active for years – targeting a whole industry with commodity malware hidden with different crypters.”
“Even though cybersecurity is not a threat specific to aviation, in the last few years the sector has been at the forefront of several cyber attacks. It is crucial to be careful with weak links that could lead to flawed conclusions. The weak links shouldn’t be discarded — it would be wise to view them as one more piece of information that, together with other links, can yield to a much stronger relationship between two pieces of information,” Younes added.
The operators also purchased crypters, which allow them to use malware without being detected. They employed a variety of cryptors over the years, largely purchased on online forums, and are thought to have been active since 2013.
Emails containing specific lure documents centered on the aviation or cargo industries that appear to be PDF files but link to a VBScript file, which ultimately leads to the delivery of remote access trojans (RATs), leaving organizations vulnerable to a variety of security risks, are being used in the cyber attacks.
Actors who perform little occurrences can do so for a long time while remaining undetected. Their actions, on the other hand, have the potential to cause catastrophic incidents in large corporations. These are the businesses that supply credentials and cookies to the underground market, which can then be used by larger organizations for operations.
