Serviceteam IT Security News

Access to Pakistan International Airlines’ network is being offered for sale on the cyber underground, according to threat researchers in Israel. 

A team at dark net threat intelligence firm KELA spotted a threat actor touting domain admin access to the airline for $4,000 on two Russian-speaking illegal online forums and one English-speaking forum that they had been monitoring. 

From their headquarters in Tel Aviv, the team had been tracking ransomware trends, exploring the role that initial access brokers in the cybercrime community play in the supply chain of this widely deployed malware.

On November 9, a KELA spokesperson told Infosecurity Magazine: “We’ve been tracking a threat actor that just last week published domain access for sale to Pakistan International Airlines’ network. 

“Most of the time we’re seeing cyber-criminals purchase these initial accesses to gain an initial foothold into the victim’s network, from which they can then perform lateral movement to advance their access privileges and potentially employ ransomware or some other type of attack.”

A week after putting access to the airline’s network on the black market, the cyber-criminal announced that they were also selling all the databases that exist in the airline’s network. 

The threat actor published a sample of the allegedly stolen data, which they claim contains “all people information who use Pakistan Airline includ[ing] name, last name, phone number, passport.”

“The actor mentions that what he is selling includes around 15 databases all with different amounts of records—some around 500k records and some around 60k–50k records—but that all records stored in their network are included,” said KELA.

If the threat actor’s claims are genuine, then they have hit the same victim twice, using the access they obtained to the airline’s network to exfiltrate the company’s data.

“What’s interesting is that this actor takes two different approaches to try and monetize,” said KELA.

KELA’s researchers have been tracking the threat actor since July 2020, during which time the actor has offered 38 accesses for sale at a cumulative price of at least $118,700.

“We know he has more accesses that he offers in private,” said KELA.

Source: Infosecurity Magazine
