San Francisco Airport hacked. Network credentials leaked

Although some industries are only partially operating, threat actors do not miss an opportunity to cause havoc. According to specialists in a hacking course, a group of cybercriminals successfully attacked San Francisco International Airport, extracting access credentials to one of the employees’ Windows systems during the attack. Under normal conditions, this is the airport with the seventh largest influx of users in the United States. The airport administration is in the process of notifying all users potentially exposed during the incident.

According to the data breach alert issued by the administration, the attack was carried out last March by compromising two websites operated by the airport (SFOConnect.com and SFOConstruction.com). According to the report, threat actors managed to inject malicious code into the attacked sites to extract the access credentials of the administrators.

The websites involved in the attack are used to distribute information about construction projects to members of the San Francisco airport workforce. The hacking course specialists point out that these sites were not the initial target of the attack, and that the attackers were likely seeking to extract the login credentials to the airport’s Windows devices.

In the report, the researchers claim that the affected users are those who accessed the compromised websites from outside the airport networks, via Internet Explorer on devices with Windows systems or from any device not managed by the airport. It appears that the leaked personal information includes details such as usernames and passwords for accessing such sites.

As a security measure, the administration took the compromised sites offline to complete the removal of the malicious code, and added a link that redirects visitors to a PDF document about the data breach. In addition, a reset of all access credentials to the compromised sites was forced. Finally, the hacking course specialists recommend that users who have accessed these sites using Internet Explorer reset their device access credentials as well.

According to the International Institute of Cyber Security (IICS), the airport administration should not consider the incident closed, as this information could be circulating in hacking forums on the dark web, which could put at risk the thousands of employees who use these websites as a reliable source of communication regarding their work.