Background

In December 2022, it seemed like Christmas arrived early for the now-seized cybercrime forum “Breached.”

A relatively unknown threat actor who goes by the alias “USDoD” posted a thread in which they offered the database of the FBI’s sharing system, “InfraGard,” for sale.

Due to the sensitive nature of “InfraGard,” the leak piqued the curiosity of numerous researchers and garnered attention on various cybersecurity blogs and articles.”

After the law enforcement shutdown of “Breached” forum, cybercriminals, including “USDoD,” scrambled to find alternative platforms to sell stolen data. This scramble led to the emergence of a new cybercrime forum called “BreachForums.”

Fast forward to September 2023, and “USDoD” posted two threads on this new forum, with only minutes between them.

In the first thread, the threat actor announced their official membership in the notorious ransomware group known as “Ransomed.”

“Ransomed” is a relatively new ransomware group that is rapidly gaining prominence, proudly claiming on Twitter to have targeted a majority of companies with ransomware attacks during September 2023.

In the second, far more alarming thread, “USDoD” exposed the personal information of 3,200 sensitive Airbus vendors, with contact details such as names, addresses, phone numbers, and email addresses, all while claiming Lockheed Martin and Raytheon might be the next targets.

This leak is highly sensitive given the types of companies implicated.

An Avoidable Breach

Threat actors typically refrain from revealing their intrusion techniques, however in this exceptionally rare leak, “USDoD” revealed they gained access to Airbus’s data by exploiting “employee access from a Turkish Airline”.

Using this information, Hudson Rock researchers succeeded to trace the mentioned employee access — a Turkish computer infected with an info-stealing malware in August 2023.

As depicted in the images, the computer belongs to an employee of Turkish Airlines and contains third-party login credential details for Airbus.

The victim likely attempted to download a pirated version of the Microsoft .NET framework, as indicated in the malware path.

Consequently, they fell victim to a threat actor utilizing the commonly employed RedLine info-stealing family.

Credentials obtained from info-stealer infections, which have become the primary initial attack vector in recent years, provide threat actors with easy entry points into companies, facilitating data breaches and ransomware attacks.

It’s crucial to underscore that Hudson Rock had the data of this employee’s compromised data on the very day of the infection, highlighting a missed opportunity for Turkish Airlines and Airbus to preemptively safeguard against this incident by utilizing Hudson Rock’s services.

UPDATE: Airbus's CERT team was able to determine that the hack originated from the infected computer Hudson Rock identified

Info-stealer infections as a cybercrime trend surged by an incredible 6000% since 2018, positioning them as the primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage.

To learn more about how Hudson Rock protects companies from imminent intrusions caused by info-stealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here: https://www.hudsonrock.com/schedule-demo

We also provide access to various free cybercrime intelligence tools that you can find here: www.hudsonrock.com/free-tools

Thanks for reading, Rock Hudson Rock!

Follow us on LinkedIn: https://www.linkedin.com/company/hudson-rock

Follow us on Twitter: https://www.twitter.com/RockHudsonRock

‍