
Impact of Scattered Spider's Aviation Disruptions on Airlines and the Transportation Sector

In June, the FBI identified the aviation and transport industries, including major airlines, as potential targets of the cyber group known as Scattered Spider.


A financially motivated hacking collective known as Scattered Spider has been identified as a significant threat to a range of industries. The group, also tracked as UNC3944, Octo Tempest, Scatter Swine, and Star Fraud, has been active since May 2022 and has evolved from SIM swapping to advanced social engineering, MFA bombing, and ransomware deployed through affiliates such as ALPHV and DragonForce.

One of the vulnerabilities Scattered Spider has been exploiting is CVE-2021-35464, a critical vulnerability in ForgeRock Access Manager. The flaw allows unauthenticated attackers to execute arbitrary code remotely on affected servers, posing a severe risk to organisations running this software. It is listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog because of active exploitation.

Another vulnerability of concern is CVE-2015-2291, a high-severity vulnerability in Intel Ethernet diagnostics drivers for Windows. Adversaries can abuse this flaw to load a malicious driver using the 'Bring Your Own Vulnerable Driver' (BYOVD) technique, potentially affecting a wide range of systems.

Scattered Spider's activities have also targeted CVE-2024-37085, an authentication bypass vulnerability impacting VMware ESXi and VMware Cloud Foundation. This vulnerability enables attackers with sufficient Active Directory permissions to gain unauthorized full administrative access to an ESXi host, a worrying development for organisations relying on these platforms. CVE-2024-37085 has been widely exploited by ransomware groups, enabling them to achieve mass encryption of virtualized environments.

The threat posed by Scattered Spider is compounded by exposure: nearly 0.5% of the analysed assets were found to be internet-facing with high-risk open ports, increasing their susceptibility to targeted attacks. Moreover, approximately 12% of the assets are running End-of-Life (EOL) or End-of-Support (EOS) software with known vulnerabilities, each associated with an average of 16 unique CVEs.

To mitigate these risks, organisations can utilise tools such as Qualys' CyberSecurity Asset Management (CSAM) to discover and classify all internet-facing assets and detect misconfigurations and high-risk services. Additionally, Qualys offers VMDR (Vulnerability Management, Detection and Response) to rapidly identify and prioritise vulnerabilities tied to Scattered Spider's known exploits.

The impact of Scattered Spider's activities has been severe: one high-profile breach cost a company approximately $100 million, and another company paid a ransom of $15 million. Recent campaigns have prompted investigations by the FBI, CISA, and the United Kingdom's National Crime Agency.

Scattered Spider's activities span a vast range of industries and companies, including aviation, hospitality, retail, insurance, finance, technology, entertainment, telecommunications, gaming, and cryptocurrency. The group is led by Thalha Jubair, a 19-year-old British individual, and consists mostly of teenagers and young adults from the US and UK, originating from online gaming communities.

An analysis of 600,000 assets across anonymised airline-industry customer organisations checked for Scattered Spider's target CVEs, namely CVE-2015-2291, CVE-2021-35464, and CVE-2024-37085, and their related QIDs. Organisations are urged to take these threats seriously and implement robust cybersecurity measures to protect their assets and data.
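One way to turn that CVE list and the exposure criteria above into a triage over an asset inventory, as an added example that is not the article's or Qualys' code; the inventory rows, field names, the high-risk port list and the scoring weights are all constructed assumptions:

```python
from dataclasses import dataclass

# CVEs the article ties to Scattered Spider activity.
TARGET_CVES = {"CVE-2015-2291", "CVE-2021-35464", "CVE-2024-37085"}
# Ports treated as high-risk when reachable from the internet (assumed list).
HIGH_RISK_PORTS = {21, 22, 23, 445, 3389, 5900}

@dataclass
class Asset:
    name: str
    internet_facing: bool
    open_ports: set
    eol: bool            # running End-of-Life / End-of-Support software
    cves: set            # CVE identifiers detected on the asset

def exposed_high_risk(a: Asset) -> bool:
    """Internet-facing and exposing at least one high-risk port."""
    return a.internet_facing and bool(a.open_ports & HIGH_RISK_PORTS)

def priority(a: Asset) -> int:
    """Higher is worse: actively exploited target CVEs weigh the most."""
    score = 3 * len(a.cves & TARGET_CVES)
    score += 2 if exposed_high_risk(a) else 0
    score += 1 if a.eol else 0
    return score

def triage(assets):
    """Return assets ranked by priority plus summary figures like the article's."""
    ranked = sorted(assets, key=priority, reverse=True)
    n = len(assets)
    eol = [a for a in assets if a.eol]
    stats = {
        "pct_exposed_high_risk": 100.0 * sum(exposed_high_risk(a) for a in assets) / n,
        "pct_eol": 100.0 * len(eol) / n,
        "avg_cves_on_eol": sum(len(a.cves) for a in eol) / len(eol) if eol else 0.0,
        "with_target_cves": [a.name for a in assets if a.cves & TARGET_CVES],
    }
    return ranked, stats

# Constructed sample inventory (not real data); CVE-0000-0000 is a placeholder id.
SAMPLE = [
    Asset("esxi-01", False, {443, 902}, False, {"CVE-2024-37085"}),
    Asset("am-portal", True, {443, 22}, False, {"CVE-2021-35464"}),
    Asset("legacy-ws", True, {445, 3389}, True, {"CVE-2015-2291", "CVE-0000-0000"}),
    Asset("web-03", True, {443}, False, set()),
]

if __name__ == "__main__":
    ranked, stats = triage(SAMPLE)
    for a in ranked:
        print(f"{priority(a):2d}  {a.name}")
    print(stats)
```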
