Major Airport Malware Attack Shines a Light on OT Security

airport cryptomining attack

A cryptomining infection spread to half of the workstations at a major international airport.

A cryptomining infection managed to spread to half of all workstations at a major international airport in Europe – shining a spotlight on security for operational tech and IT convergence.

Researchers at Cyberbit found the XMRig Monero mining malware, which was a known strain called “Playerz,” but which skated by antivirus solutions on the endpoints by adding a new tweak.

The malware “was modified just enough to evade the vast majority of existing signatures for it” according to Meir Brown, head of research at Cyberbit, adding that it was detected by only 16 out of 73 detection products on VirusTotal.

“The modification was really simple: the MD5 was modified, however, the attacker kept the use of the original tools and even the original file names…which is an indication of simple modification, nevertheless this was sufficient to evade most AV products,” he told Threatpost.

The malicious mining activity also raised no red flags with airport personnel, according to an analysis posted this week by the firm.

“Its business impact was relatively minor, limited to performance degradations leading to quality of service and service interruptions, as well as a significant increase in power consumption throughout the airport,” the analysis noted. “The malware may have been used for months.”

This is the advantage of cryptomining for financially motivated threat actors, according to Brown: Persistence.

“We see growing usage of cryptominers in recent attacks and we see a trend to switch from ransomware to mining,” he told Threatpost. “Since ransomware attacks are more visible by nature they tend to ‘burn down’ faster. In this specific attack the malware was active for months without any indication.”

Cyberbit was tipped off to the presence of the malware while installing a security solution at the location. It observed the PAExec tool being used, which is a legitimate service used for running Windows programs on remote systems without having to physically install software on those systems. The suspicious part was that it was used several times in a short period to launch an application named player.exe.

Further, once up and running, player.exe was seen using reflective DLL loading, which the firm said is a technique for remotely injecting a DLL library into a process without using the Windows loader, thus avoiding having to access the hard drive. In short, it was clear that a remote user was attempting to stealthily access the network – multiple times.

Further digging uncovered that PAExec was being used to escalate privileges and execute the coinminer in system mode, so the miner would take priority over any other application for the use of workstation resources. Then, the reflective DLL technique was employed to load additional DLLs from memory for the cryptocurrency miner, meaning that “the file is not fetched from the hard drive and would not go through file-based detection systems like AV and most NGAV systems,” according to Cyberbit.

While in this case the attackers were looking to mine Monero cryptocurrency, the fact they were able to infiltrate the network remotely and spread laterally to 50 percent of all workstations – while remaining hidden – is alarming, Brown said – especially given the unique security issues and threat surfaces present at airports.

“This likely indicates a sophisticated threat actor, as well as subpar state of security,” he told Threatpost. He added that airports tend to be specifically vulnerable thanks to the common presence of legacy technology and industry-specific software.

“First, they focus traditionally on physical security and often deploy a blend of outdated software,” he told Threatpost. “Furthermore, airports rely on multiple third-party services such as ticketing systems and external maintenance systems and are vulnerable to supply-chain attacks.”

But more importantly, this is of particular concern given that airports run multiple OT systems that are controlled from IT architecture — including baggage handling, air trains, HVAC systems, runway lights, jet bridges and more.

“Once an attacker penetrates the IT network the airport is not only vulnerable to traditional IT risks like ransomware and cryptominers, but also to the attacker moving into the OT network and damaging these physical systems,” Brown told Threatpost. “Because airports often lack proper segmentation of IT and OT networks, attackers can often find their way into the OT network via IT/OT touchpoints.”

Cyberbit identified the malware post-infection and thus was unable to determine the original attack vector nor the system where the attackers gained their initial foothold. It also didn’t see any command-and-control (C2) activity that would indicate anything about the identity of the attackers. However, the situation should be a warning bell for any airport, according to researchers.

“With the increased convergence of IT and OT networks, we strongly urge airports to also ramp up the protection of their OT network, which is used to control physical airport systems,” the firm concluded. “By penetrating OT networks attackers can cause catastrophic physical damage and this should, therefore, be a strategic cyberdefense priority.”

What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.

Suggested articles