US aerospace services provider breached by Maze Ransomware

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
The Maze Ransomware gang breached and successfully encrypted the systems of VT San Antonio Aerospace, and also stole and leaked unencrypted files from the company's compromised devices in April 2020.

VT San Antonio Aerospace (VT SAA) is a leading North American aircraft MRO (maintenance, repair, and overhaul) service provider specializing in airframe maintenance, repair and overhaul, line maintenance, aircraft modifications, and aircraft engineering services.

VT SAA is a subsidiary of ST Engineering (part of ST Aerospace, its aerospace arm), one of the largest firms listed on the Singapore Exchange and an engineering group with customers in the defense, government, and commercial segments in over 100 countries, and roughly 23,000 people across Asia, Europe, the Middle East, and the United States.

ST Aerospace provides repair and overhaul services for more than 25,000 mechanical and avionics component types fitted on various Airbus and Boeing aircraft and helicopters.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
The ransomware is fine, but this particular instance must be used quickly (preferably targeted), as the decision to use the Artifact Kit of Cobalt Strike to build the malware is questionable: most security products will now seek out anything (DLLs and EXEs) that used it and then flag the entire file as malware. In this way pretty code can be wasted with a bad obfuscation routine.

Also, once again the authors were nice enough to add a rule to WF (netsh advfirewall firewall set rule group="remote desktop" new enable=Y) to allow a connection to our friends (Hi Katya!) in Moscow.
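The firewall change cruelsister points out is something a defender can hunt for in process-creation telemetry. Below is an added example (my own code, not from this thread or any poster) that runs a small detection over constructed Sysmon-style process-creation records and flags netsh advfirewall commands that re-enable the built-in "Remote Desktop" rule group. It generalizes slightly beyond the command quoted above: it also flags a freshly added inbound allow rule for TCP/3389, and it matches case-insensitively, since netsh itself does not care about case. The log format (host|user|image|commandline) and all sample lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# "host|user|image|commandline"). Sample data only, not real telemetry.
SAMPLE_EVENTS = [
    'ws01|CORP\\alice|C:\\Windows\\System32\\netsh.exe|netsh advfirewall firewall set rule group="remote desktop" new enable=Yes',
    'ws02|CORP\\bob|C:\\Windows\\System32\\netsh.exe|netsh advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=3389',
    'ws03|CORP\\carol|C:\\Windows\\System32\\netsh.exe|netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No',
    'ws04|CORP\\dave|C:\\Windows\\System32\\netsh.exe|netsh interface ip show config',
    'ws05|CORP\\erin|C:\\Windows\\System32\\cmd.exe|cmd.exe /c NETSH AdvFirewall Firewall Set Rule Group="Remote Desktop" New Enable=Y',
]

# key=value pairs as netsh writes them; values may be double-quoted (group="remote desktop").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
VERB_RE = re.compile(r"\b(set|add)\s+rule\b")


def parse_netsh(cmdline: str) -> Dict[str, str]:
    """Return lowercased key=value pairs from a netsh advfirewall command line.

    The rule verb ('set' or 'add') is stored under '_verb'. Anything that is not
    a netsh advfirewall command yields an empty dict.
    """
    lower = cmdline.lower()
    if "netsh" not in lower or "advfirewall" not in lower:
        return {}
    fields = {k.lower(): (quoted or bare).lower() for k, quoted, bare in KV_RE.findall(cmdline)}
    verb = VERB_RE.search(lower)
    if verb:
        fields["_verb"] = verb.group(1)
    return fields


def check_event(line: str) -> Optional[Dict[str, str]]:
    """Flag a single event if it opens RDP through the Windows Firewall."""
    host, user, _image, cmdline = line.split("|", 3)
    fields = parse_netsh(cmdline)
    verb = fields.get("_verb")
    if verb not in ("set", "add"):
        return None

    reasons = []
    # netsh accepts enable=yes; the quoted post used enable=Y, so match the prefix.
    enabled = fields.get("enable", "").startswith("y")
    if verb == "set" and enabled and "remote desktop" in fields.get("group", ""):
        reasons.append("re-enabled the built-in Remote Desktop firewall rule group")
    if (verb == "add" and fields.get("dir") == "in"
            and fields.get("action") == "allow" and fields.get("localport") == "3389"):
        reasons.append("added an inbound allow rule for TCP/3389 (RDP)")
    if not reasons:
        return None
    return {"host": host, "user": user, "cmdline": cmdline, "reason": "; ".join(reasons)}


def scan(events: List[str]) -> List[Dict[str, str]]:
    """Run check_event over a batch of events and keep only the findings."""
    return [finding for finding in (check_event(e) for e in events) if finding]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['reason']}\n    {f['cmdline']}")
```

Run against the sample set, the scan returns findings for ws01, ws02 and ws05 and ignores the rule that was disabled (ws03) and the unrelated netsh invocation (ws04). In a real deployment the same logic belongs in the SIEM rule for process-creation events, with an allowlist for the admin accounts and change windows in which enabling RDP is expected.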
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
The ransomware is fine, but this particular instance must be used quickly (preferably targeted), as the decision to use the Artifact Kit of Cobalt Strike to build the malware is questionable: most security products will now seek out anything (DLLs and EXEs) that used it and then flag the entire file as malware. In this way pretty code can be wasted with a bad obfuscation routine.

Also, once again the authors were nice enough to add a rule to WF (netsh advfirewall firewall set rule group="remote desktop" new enable=Y) to allow a connection to our friends (Hi Katya!) in Moscow.
If you have time, can you test Maze samples in your videos now?
And raise security awareness.
And what is the hash of this sample?
 

avstor

Level 1
Jun 6, 2020
17
the decision to use the artifact kit of Cobalt Strike to build the malware is questionable

The malicious actors more than likely were fully aware of this, and yet they still managed to get what they wanted.
Or they could have just paid someone to do their dirty coding, and whoever did it did not do anything about it, if they were aware of it at all.
The point is there are a billion roads to pwn; even the slow and sloppy ones work.
Being high and tight with your operation is wasted effort and money when it is so easy to pwn your adversary or target.

The real issue in this entire case, like the never-ending stream of others, is that enterprise/institutional security on the whole is atrociously bad.
That fact can be attributed to one single factor in the vast majority of cases:
they refuse to change for the sake of security.
 
