At a glance.
- Daixin Team publishes AirAsia data.
- Facebook scam tricks victims into handing over their 2FA codes.
- Apps leak Algolia API Keys.
Daixin Team publishes AirAsia data.
Just over a week after suffering a ransomware attack, Malaysia’s leading airline AirAsia has experienced a data leak at the hands of the Daixin Team cybergang. The hackers claim to be in possession of the personal data of five million unique passengers and all of the airline’s employees, and to prove it they’ve published a sample of two spreadsheets on the gang’s leak site. The Hacker News reports that the data include passenger information and booking IDs, as well as personal staff information. Daixin Team says it shared a sample of the data with AirAsia after encrypting its database, demanding a ransom in exchange for decryption. As Tech Monitor notes, the thoughtful cybercriminals also claim they avoided encrypting or destroying any data that could be life-threatening, such as flight equipment details.
Adding insult to injury, the hackers also said AirAsia’s system infrastructure was so “chaotic” that they were unable to lock up or gather as much data as they might otherwise have. “The internal network was configured without any rules and as a result worked very poorly. It seemed that every new system administrator ‘built his shed next to the old building.’ At the same time, the network protection was very, very weak,” they said. After it became clear AirAsia would not be paying the ransom, Daixin announced plans to publish further details about the AirAsia network that could inform other hackers about backdoors in the airline’s systems. It’s worth noting that the US Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency recently released a joint Cybersecurity Advisory notice warning that Daixin Team has been actively targeting US businesses, especially the health and public care sectors.
Almog Apirion, CEO and Co-Founder of Cyolo, commented on the threat actor thought to be behind the attack:
“The Daixin Team was recently the subject of a combined Cybersecurity Advisory notice issued by the FBI, CISA, and HHS, which indicated that the ransomware gang has been actively targeting U.S. businesses in the past few months. AirAsia is the latest victim of a significant attack, with the personal data of over 5 million passengers and workers exposed as a result. However, it has been stated that the aviation corporation had extremely inadequate network security and unorganized networks, which – if managed correctly – may have saved the company from greater damage.
“The rising targeting of larger organizations, as well as cybercriminals’ growing financial demands, have made it evident that businesses must act to safeguard themselves, internal, and external, third parties, their customers, as well as their business partners. Once again, identity-based access becomes one of the handicaps for organizations. When leveraged correctly, it extends current security protections, which are often reserved for the cloud, to on-premises and legacy systems and applications. MFA, continuous verification, network masking, and continuous auditing are all solutions that mitigate risks on critical infrastructure and OT systems, regardless of infrastructure type. This means that businesses may benefit from an improved security posture as well as gain visibility and control over their systems, and in cases such as AirAsia, build a unified and structured network that can’t be broken as easily.”
Added, 6:45 PM, November 22nd, 2022.
Stephan Chenette, Co-Founder and CTO at AttackIQ, offered comment on the AirAsia incident as an instance of the larger global threat to infrastructure.
“Following last month’s large-scale distributed denial-of-service (DDoS) attack on U.S. airport websites, AirAsia has unfortunately become the most recent target for air travel-related attacks. The ransomware attack on AirAsia serves as a sobering reminder of the growing threat to critical infrastructure globally. In this case, the most significant result of the attack was the exposure of more than 5 million customer and staff records online. The exposure of personally identifiable information (PII) creates additional barriers to restoring the well-being and safety of customers and staff; access to sensitive information makes victims vulnerable to future fraud and scams.
“To better prepare against the Daixin Team and other ransomware attacks, organizations must adopt a threat-informed cyber strategy using the MITRE ATT&CK framework. The framework’s catalog helps organizations understand common techniques and tactics used by the Daixin team and other common threat actors. Knowing the procedures used by the adversary helps inform organizations’ security programs and assists in building a more resilient proactive defensive and responsive security program. Using automated security solutions that safely validate organizations’ defensive controls against ransomware campaigns and threat actors will help the transportation industry combat the next ransomware threat.”
Facebook scam tricks victims into handing over their 2FA codes.
Naked Security discusses a sophisticated phishing scam that aims to circumvent the security provided by password managers and two-factor authentication (2FA). The cybercriminals turn such protections against the target by tricking victims into revealing both their passwords and their 2FA codes. The scheme begins with an email claiming the victim’s Facebook account is in danger of being canceled because it violates Facebook’s terms of use. The user is lured to a fraudulent help site where they can supposedly appeal the cancellation, but in order to submit the appeal, they must first enter both their password and their 2FA code for authentication. In an extremely crafty move, the crooks then tell the target they need to wait five minutes for verification, giving the scammers a safe window in which to log in with the still-valid code and take over the victim’s account. After the five minutes are up, the victim lands on a seemingly innocuous Facebook Help Center page, giving them the impression their appeal has gone through. To avoid falling prey to such a scam, Facebook users are advised not to click on links in emails purporting to come from a social media platform, and instead to visit the site directly from the web whenever possible.
Apps leak Algolia API Keys.
Using their mobile app search engine BeVigil, researchers at AI tech firm CloudSEK have identified over fifteen hundred apps that are leaking Algolia API Keys. CloudSEK explains that more than 11 thousand companies – including big names like Lacoste, Medium, and Slack – use Algolia’s API to incorporate search, discovery, and recommendations into their voice, mobile, and website applications. Of the leaky apps discovered, thirty-two have hardcoded keys that can be exploited by threat actors to harvest user data. These thirty-two apps have been downloaded by millions, exposing them to potential data theft.
Jeff Williams, co-founder and CTO at Contrast Security, sees the error as a frustrating one: obvious, yet easy to commit:
“Accidentally disclosing secrets is such a frustrating mistake. On the one hand, it’s completely obvious that you shouldn’t share your credentials, access tokens, keys, certificates, passwords, and other secrets. On the other, it’s such an easy mistake for development teams to make that it happens shockingly often. There are safe ways to store these secrets, but they’re not very standardized and they require extra steps to use. So it’s easy to understand why teams might accidentally disclose their secrets. With enough effort, you can set up automated scanning of your projects for these secrets and respond when one is accidentally disclosed. But organizations should do everything possible to make this process easier for development teams to minimize the likelihood that this happens. You want a culture where secrets are like your knowledge of Star Trek trivia answers – it’s best to never ever reveal them in public.”
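A detection-side illustration of the hardcoded-key problem CloudSEK describes and the automated secret scanning Williams recommends, added here and not code from CloudSEK, BeVigil or Contrast Security: it scans extracted app resources or source for Algolia credentials left in the build. The credential shapes it matches (a 10-character uppercase app ID, a 32-hex API key) and the admin/write-key severity heuristic are assumptions of this example, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Assumed credential shapes (an assumption of this example, not from the article):
# an Algolia application ID is 10 uppercase alphanumerics, an API key 32 hex chars.
APP_ID_RE = re.compile(r"\b[A-Z0-9]{10}\b")
API_KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")
HINT_RE = re.compile(r"algolia", re.IGNORECASE)
PRIVILEGED_RE = re.compile(r"admin|write|delete", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    kind: str       # "api_key" or "app_id"
    redacted: str   # scan reports never echo the full secret
    severity: str   # "high" when nearby text suggests an admin/write key

def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)

def scan_lines(lines, window=2):
    """Flag hardcoded Algolia credentials. A 32-hex literal counts only when 'algolia'
    appears on that line or within `window` preceding lines; app IDs only next to a key."""
    findings, seen = [], set()
    for i, line in enumerate(lines, start=1):
        context = " ".join(lines[max(0, i - 1 - window):i])   # preceding lines + this one
        if not HINT_RE.search(context):
            continue
        keys = API_KEY_RE.findall(line)
        if not keys:
            continue
        severity = "high" if PRIVILEGED_RE.search(context) else "review"
        for key in keys:
            findings.append(Finding(i, "api_key", redact(key), severity))
        for app_id in APP_ID_RE.findall(context):
            if app_id not in seen:            # report each app ID once per scan
                seen.add(app_id)
                findings.append(Finding(i, "app_id", redact(app_id), severity))
    return findings

# Constructed sample: an Android strings.xml fragment followed by a JS snippet.
SAMPLE = [
    '<!-- constructed strings.xml fragment, not taken from any real app -->',
    '<string name="algolia_app_id">AB12CD34EF</string>',
    '<string name="algolia_admin_key">0123456789abcdef0123456789abcdef</string>',
    '<string name="app_name">Demo</string>',
    '<string name="support_url">https://example.invalid/help</string>',
    '<string name="build_hash">deadbeefdeadbeefdeadbeefdeadbeef</string>',
    '// search client config (Algolia)',
    'const client = algoliasearch("AB12CD34EF", "fedcba9876543210fedcba9876543210");',
]
```

Running `scan_lines(SAMPLE)` reports the admin key on line 3 as high severity with the app ID beside it, the search-client key on line 8 for review, and leaves the unrelated build hash on line 6 alone.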