RAT Campaign Targeting Aviation and Travel Organizations
A malware campaign is targeting aviation and travel companies an infecting IT systems with remote access trojans (RATs). The campaign is using spear-phishing emails to gain an initial foothold in the systems. The malware harvests screenshots, keystrokes, browser data, and other information.
As things start to open up, and users are starting to plan travel and vacations, we need to double down on both awareness training and implementation of technical controls. Beyond reminding users to be careful with unknown attachments and links, think twice about unusual requests received via email. Also, make sure that your anti-phishing tools are enabled and working, and add tools to check attachments and URLs before they get to the end-user. If you don’t have these tools, make sure that you don’t have existing options which can be enabled/licensed before looking to external sources.
I feel like it is time for two high level reminders: (1) damaging malware attacks that steal information without trying for a ransom payment are still active, even though the press coverage focuses largely on the “exciting” ransomware attacks; and (2) the front end of both “OG” malware and ransomware attacks use the same initial phishing to exploit reusable credentials, similar malware insertion, etc. steps and require the same essential security controls to reduce risk. Use the hype to get backing to make changes that protect information overall.
If an enterprise is a "target of choice," strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) may not be sufficient protection but it may well be enough to remove the enterprise from the "target of opportunity" population. While it cannot prevent users from clicking on bait, it does resist reuse of passwords. The almost universal use of mobiles has reduced both its cost and its inconvenience. It is effective, efficient, and broadly applicable.