[Security Weekly] Airport Services Giant Swissport Struck by AlphV/BlackCat Ransomware
February 2022, Issue II
1. Airport services giant Swissport struck by AlphV/BlackCat ransomware
Zurich-based airport services giant Swissport was attacked by the AlphV (a.k.a. BlackCat) ransomware gang on February 3, leading to service disruptions, flight delays, and exposure of sensitive data. Swissport provides check-in, security, baggage handling, aircraft refueling and deicing, and lounge hospitality at 310 airports in 50 countries, serving nearly 300 million passengers and 5 million tons of freight every year.
Swissport first reported the ransomware incident on February 4, stating that parts of its IT system had been struck and that affected devices had been taken offline. It had switched to manual operations, and a full system cleanup and restoration were expected. At the same time, Zurich Airport reported that 22 flights were delayed due to ground service disruptions. It is unclear how many other airports were affected.
Soon after, the AlphV ransomware gang claimed responsibility for the attack and posted samples of files stolen from Swissport on its leak site. The sample contained business documents and scanned passports, as well as the personal data of job candidates. The gang also posted an ad offering to sell the entire 1.6 TB of stolen data, signaling that ransom negotiations had failed.
2. Ukraine’s Ministry of Defence and major banks knocked offline in DDoS attack
On February 15, the Ukrainian Ministry of Defence and several state-owned banks suffered several waves of massive distributed denial-of-service (DDoS) attacks that disrupted services and paralyzed operations.
The attack was first observed in the early morning, with several waves of elevated web traffic between 12 and 3 a.m. The most critical wave came at about 3 p.m., causing total internet traffic in Ukraine to double.
At the time, the Ministry of Defence's website was down, and services at some of the country's largest banks were disrupted, including the State Savings Bank, Oschadbank, and PrivatBank. Customers reported problems processing payments online and at ATMs. The banks confirmed the DDoS attack and reassured their customers that no financial information had been compromised.
DDoS attacks can have devastating impact when launched at critical times such as elections, natural disasters, sports events, and military conflicts. Learn how to protect against them here: How to Prepare for the Rise of Ransom DDoS Attacks.
3. San Francisco 49ers attacked by BlackByte ransomware before Super Bowl
The San Francisco 49ers, an American football team, were attacked by the BlackByte ransomware gang on February 12, only one day before Super Bowl Sunday. One of the highest-valued NFL teams, the 49ers reported that its corporate IT systems had been disrupted and encrypted.
The BlackByte ransomware gang later posted 292 MB of sample data stolen from the team on its leak site. The files contained financial information, including invoices from 2020. The full scale of the data breach and the ransom demand remain unclear.
The attack occurred only a day after the FBI and US Secret Service issued a joint alert on February 11 about the increasing threat of BlackByte. The ransomware-as-a-service (RaaS) scheme became active in 2021 and is known to deliberately avoid IT systems configured with Russian or other former-Soviet languages.
4. Phishing campaign uses Microsoft Teams to distribute system takeover Trojan
Researchers at email security firm Avanan discovered a phishing campaign in which attackers use Microsoft Teams chats to distribute malware that can take over the end user's device. Microsoft Teams has nearly 300 million monthly users, making campaigns of this kind a significant threat to businesses.
The campaign was first discovered in January, when the attackers attached a malicious file named "User Centric" in Microsoft Teams chats. Once clicked, the file executed automatically, writing data to the system registry to install DLLs on Microsoft operating systems and eventually taking over the machine.
It appears that the attackers gained access to the Teams accounts using credentials stolen in earlier attacks.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Car, Energy, Factory, City Solutions: Penta IoT Security