RL Blog
|

The Week in Security: Third-party compromise lands pilot data from American, Southwest airlines

Carolynn van Arsdale
Blog Author

Carolynn van Arsdale, Writer, ReversingLabs. Read More...

3rd-Party-Compromise-Lands-Pilot-Data

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: The hack of a 3rd party recruiting vendor lands pilot data from American Airlines and Southwest. Also: A trojanized Super Mario installer is targeting gamer data. 

This Week’s Top Story

Attack on Third Party Recruiting Vendor Leaves Airlines Hacked

On April 30, hackers breached a database maintained by a recruiting company, Pilot Credentials, which services American Airlines and Southwest Airlines. As a result of the hack, the personal and sensitive information of more than 8,000 applicants for both airlines was compromised. The airlines were made aware of the hack just a few days after it occurred. The stolen data includes names, birth dates, social security and passport numbers, driver’s and pilot’s license numbers, as well as pilot and cadet job applications. This kind of data is extremely valuable to cybercriminals, who can use it to steal the identity of these applicants, taking advantage of their finances, insurance, and much more. 

Despite neither airline being attacked directly, both are currently picking up the pieces as a result of the Pilot Credentials breach. The two airlines have moved their recruitment processes to internal platforms, in an effort to shore up the cybersecurity of their recruiting process. American Airlines said that the company has found no evidence of identity theft and other fraudulent activity to date, and is offering all of their impacted applicants two years of identity theft protection. 

The incident underscores the growing cyber risk presented by third party firms. Both regulators and industry experts have called for more and better vetting of third party cybersecurity efforts - including capabilities such as provenance checking and timely incident response - before inking deals and commencing engagements. 

ReversingLabs recently announced a new partnership with PwC UK to assist clients in third party risk management (TPRM), which will allow organizations who rely on third party vendors to be better protected against threats like ransomware and software supply chain attacks. 

News Roundup

Here are the stories we’re paying attention to this week…    

Trojanized Super Mario Installer Goes After Gamer Data (Dark Reading)

Attackers have trojanized a legitimate installer for a popular Super Mario Bros game. The corrupted installer spreads various malware — including a cryptocurrency miner and infostealer — across Windows machines.

New Mockingjay Process Injection Technique Could Let Malware Evade Detection (The Hacker News)

A new process injection technique dubbed Mockingjay could be exploited by threat actors to bypass security solutions, allowing them to execute malicious code on compromised systems. A traditional process injection is an attack method that allows adversaries to inject code into processes in order to evade process-based defenses and elevate privileges. Mockingjay takes this a step further by removing the need to use Windows APIs, effectively circumventing many security measures resulting in actors evading detection. 

8Base ransomware gang escalates double extortion attacks in June (Bleeping Computer)

The 8Base ransomware gang is targeting organizations worldwide using double-extortion attacks, with a steady stream of new victims since the beginning of June. So far the gang has claimed 35 victims, a notable increase compared to March and April. 

'Muddled Libra' Uses Oktapus-Related Smishing to Target Outsourcing Firms (Dark Reading)

A new, unusually tenacious threat group dubbed "Muddled Libra" is targeting large outsourcing firms with multi-layered, repetitive attacks that start with smishing (SMS phishing) and end with data theft, affecting both firms and customers. Smishing is a form of phishing that uses text messages to get the victims to click a link, making the victim susceptible to malicious activity. 

How Generative AI Can Dupe SaaS Authentication Protocols — And Effective Ways To Prevent Other Key AI Risks in SaaS (The Hacker News)

Security and risk teams are already overwhelmed protecting their SaaS (Software-as-a-Service) solutions from common vulnerabilities. This leaves little bandwidth to assess the AI tool threat landscape. But with unsanctioned AI tools currently in use, the implications for SaaS security are significant. The Hacker News breaks down some of the key risks of AI to the SaaS system, and how to mitigate them. 

Why the FDA's SBOM Mandate Changes the Game for OSS Security  (Dark Reading)

New rules from the U.S. Federal Drug Administration (FDA) could impact open source security (OSS) more than any government rule to date. The agency is now mandating that all medical device makers must generate and maintain software bills of materials (SBOMs) for the software they produce. The new policy addresses growing concerns that critical software-powered components of healthcare devices are not properly secured, with many running on outdated operating systems, or open source software that can be vulnerable to attacks. The rule goes into effect on Oct. 1, 2023.



Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

More Blog Posts

Do More With Your SOAR

Do More With Your SOAR

Running an SOC is complex — and running without the best tools makes it more difficult. Learn how RL File Enrichment can automate and bolster your SOC.
Read More