DESORDEN Group’s attacks on ASEAN businesses continue. This week, they disclosed a hack of The Icon Group in Thailand. In a statement on a popular hacking forum, DESORDEN writes: This data breach involved 161 GB of databases and files, including personal information of 264,128 customers, with their full name, ID card number, bank account number, address, phone, email, etc, along with KYC images of their customers such as ID card copy, bank book copy and KYC docs. In addition, we have also stolen their company corporate and financial data. As is their usual practice, DESORDEN provided samples from various .csv files, but they also leaked some KYC image files. Know Your Client (KYC) image files showed individuals’ faces and photocopies of identity information about the individual. Redacted by DataBreaches.net. When asked, DESORDEN informed DataBreaches that they did not have KYC images for all 264,000 customers but estimated they had about 70,000 such sets. According to them, The Icon Group did not respond to any of their communications. DataBreaches sent an email inquiry to The Icon Group, asking for their comments on DESORDEN’s claims and whether they were notifying any regulator or customers whose personal information had been accessed or acquired. No reply has been received. DESORDEN claims that they have had access to The Icon Group since approximately July and still have access to it. If they still have access, customers, employees, and regulators may want an explanation from the firm as to what they did when they first discovered a breach.
On September 19, DESORDEN Group claims to have hit redONE Network Sdn Bhd. redONE is a telecom in Malaysia with more than 1.2 million subscribers. redONE also offers financial services via bank partnership (its redCARD program) and insurance services via insurer partnership (its redCARE program). According to statements made to DataBreaches by DESORDEN, when redONE didn’t respond to DESORDEN’s demands, DESORDEN launched a second attack on or about September 21, hitting their redCARD and redCARE programs. As DESORDEN wrote on a popular hacking forum: This data breach involved both redONE databases and source coding. Personal data include full name, NRIC (national identification number), address, phone, email, etc. As is their usual pattern, DESORDEN provided samples of data. In this case, there were samples from redONE, redCARD, and redCARE. All three samples included personal information on customers, and all three samples had fields for NRIC. DataBreaches ran some of the sample data through redONE’s site and confirmed that individuals whose NRIC appeared in the sample data from redONE do have or did have accounts with redONE. The ID checker page has since been taken offline by redONE, but an archived copy of the form as it appeared last year appears below. To verify that the data in DESORDEN’s sample were real, DataBreaches picked some random entries in the redONE sample, entered the NRIC in the “Identification No” field, and entered the captcha. For each NRIC tested, the redONE checker returned information on the customer’s Account ID, when the account was activated and when it terminated. Although DESORDEN has been just leaking some data recently rather than trying to sell it, they claimed that if they did not hear from redOne within 48 hours of their last email, the data will be posted for sale publicly. It has been about 24 hours or so since their last email. DataBreaches sent email inquiries to redONE yesterday to ask them if they would confirm or deny DESORDEN’S claims about the breach but has received no reply.
The DESORDEN group recently announced that due to the flood of personal information on Indonesians, they were giving up on attacking Indonesian entities. But they also noted that they already had some attacks in progress that they would still be leaking. Today, they announced one of those attacks on a popular hacking-related forum where data are shared, traded, or sold: We take responsibilities for the hack and data breach of PT CARE TECHNOLOGIES (https://www.care.co.id), an insurance software and IT vendor for all 60+ major insurance and healthcare companies in Indonesia, including clients such as AIG, Allianz, MNC, BRI Insurance, etc. In total, we have stolen 2.2 GB of databases from their network. DESORDEN then provided links to the full data leak, including .csv files with client data and employee data. According to DESORDEN, they acquired the logins of the clients to PT Care Technologies. More significantly, perhaps, they claim that the clients use the same version of the software that they obtained from PT Care: Their clients deploy the same software version developed by PT Care Technologies as the one we breached, so for those who want to explore further, can try exploring the vulnerabilities of their clients. If need more information, pm @post to ask for the vulnerabilities In a subsequent chat with DataBreaches. DESORDEN indicated that they had not attempted to access any of the clients but did not need logins for the clients. “Just needed to use the same vulnerability to access the clients self hosted version,” they explained. But they also indicated that the vulnerability would likely be fixed within a few days as they had already informed the company about it. The fact that the firm had taken its servers down suggests that they working on addressing the vulnerability and informing clients, they said. While the leaked data will be of some concern to PT Care Technologies and its clients, it was pretty much just a wasted effort for DESORDEN. “No one wants to buy Indonesia data,” they tell DataBreaches. “People are selling hundreds of millions for few hundred bucks — the supply of Indonesia data has already dumped the value of its data.” “Indo data is officially worthless. In the past, we could still sell 0.005 USD per record. Nowadays, 0.0002 USD per record and no one wants to buy.” Will the market flood make other Indonesian firms less attractive as targets for other adversaries? Time will tell, but in light of all the leaks and data dumps we have already seen, Indonesian entities might take advantage of any lull and seriously address data protection, and now, not in two years.
Hackers known as DESORDEN have hit another big Indonesian business. This time, their victim was BOGA Group, which operates more than 200 restaurants and outlets across Indonesia and Malaysia under brand names including Bakerzin, Pepper Lunch, Paradise Dynasty, Paradise Inn, Shaburi, Kintan Buffet, Onokabe, Putu Made, Kimukatsu, Yakiniku Like, Ocean 8, Sushi Kaiyo, and Boga Kitchen. Boga Group also operates Boga Catering, a premium catering service. More than 400,000 customer records and 16,000 employee records were acquired by the hackers. As is their usual style, DESORDEN provided proof in the form of samples drawn from the corporation’s .csv files. They also created a recording showing directories, opened files, documents and spreadsheets. The recording includes a message to their target: The highlighted portion of the recording reads: “To prove that DESORDEN has breached your servers, we have deleted the databases from your server after downloading them. In total, we have stolen over 31 GB of data and files from your network of servers. Check the facts with your IT department. These data include 409,168 information of your customers, with their name, phone, and email as well as 16,476 employees data, financial, and corporate data.” The numbers correspond to the rows displayed in the .csv files shown in the recording. When asked about the deletion of databases mentioned in their recording, DESORDEN replied, “They have backups. Delete is only for them to know we breached.” DataBreaches sent an email inquiry to BOGA Group about the attack. No reply has been received. In discussing this attack with DESORDEN in an online chat, DataBreaches pointed them to an article from The Jakarta Post about all the leaks and breaches appearing online. DESORDEN commented that the report did make a point. They say it is easy to go after smaller companies in Indonesia because most small companies have little or no security (an observation that applies to small companies worldwide). But DESORDEN also notes that these countries often have weak or no regulations imposing security standards or requiring notification in the event of breaches. “Countries like India, Malaysia, Indonesia, Thailand. We do not really expect responses from them. Informing them is only for courtesy,” DESORDEN told DataBreaches. “Selling their data is also as profitable. While it doesn’t fetch as much as victim paying, but a single job data can profit as much as $20,000 USD in sales of data easily.” DESORDEN has also recently been telling DataBreaches to expect more breaches in South Korea, Taiwan, Vietnam, and Japan and continuing interest in data from Thailand. The current market is looking for personal information from these countries, DESORDEN states, from “mostly Chinese buyers.”
DESORDEN has hit another big business in Thailand. This time it is the largest cinema chain and its subsidiary property development company. As DESORDEN informs DataBreaches, the Major Development PCL was breached during the first week of August and contacted by DESORDEN on August 17. “The management refused to respond and we attacked their main cineplex business (Major Cineplex) on 19th August and informed them on 28th August 2022.” Both breaches reportedly involved the acquisition of corporate, financial, employee, and customer data as well as personal information of buyers of properties. As is their usual practice, they assert that they did not deploy any encryption and did not delete any files or backups during the attack. According to DESORDEN, they acquired hundreds of thousands of Major Cineplex’s MPass members. DataBreaches is as yet unable to verify that estimate. As of publication, they have not yet posted anything on the popular hacking forum where they generally announce any leaks or sales offerings. As proof of acquisition of customer and property buyer data, DESORDEN provided DataBreaches with two Excel files, each with 1,000 records. One was for MPass members from Cineplex, and the other was for the Major Development CSProfile database. The Mpass member data included membership ID number, first and last name, mobile phone number, email address, username, and birthdate. DataBreaches was able to validate the data by using MPass’s website where members can enter their email address to access their membership information. The results of a sample of searches produced corresponding member data. In each case, the records were partially redacted as they appeared on MPass’s site, but they matched the unredacted fields in the spreadsheet. DataBreaches has provided additional redaction, below: The second data set was from the Major Development CSProfile data set. Those records included fields that include first and last name, nickname, mobile phone number, gender, email address, birthdate, citizen ID, and member password, with some other fields. DataBreaches does not know whether these are all property buyers or just leads to potential buyers, or both. DataBreaches made no attempt to verify the data in this second spreadsheet at this time. DataBreaches reached out to both Major Development PCL by email and Multiplex Cinema by contact form yesterday to inquire about DESORDEN’s claims and their response to any hack. No replies have been received and nothing appears posted on their websites at this time.
On August 23, DESORDEN alerted DataBreaches to another one of their attacks. This one involved the PT JASAMARGA TOLLROAD OPERATOR, Indonesia’s largest major tollway and highway operator. According to DESORDEN’s statement: This data breach involved 252 GB of data, coding and documents, across 5 of their servers. The data breach involves their users, customers, employees, corporate and financial data. As they always do, they provided proof of claims. In this case, the proof pack consisted of some individual files and a screencap showing properties of a drive they accessed. The claims and links to proof were also posted on a popular hacking forum. Since then, the Jasamarga Tollroad Operator (JMTO) has responded to the claims. Tempo.co reports their statement that the data acquired is only internal data and company-related information — but not customer data in the JMTO app [SEE UPDATE AT BOTTOM OF THIS STORY]: “It has been confirmed that it is not related to customer data in the JMTO app,” said JMTO corporate communication community Lisye Octaviana in a statement on Thursday, August 25, 2022. Lisye said that PT JMTO has now disabled the servers affected by the attack. Lisye added that the company is in the process of recovering the data and moving the system to a more secure server, and closing the security vulnerabilities. “We are cooperating with competent people in conducting cyber security assessments in the system at PT JMTO,” Lisye said. DataBreaches was unable to connect to JMTO’s website today. After earlier attempts timed out, later attempts returned an error message that the name had not resolved. As one result, DataBreaches was unable to to try to send them any updated inquiries. This site was able to reach DESORDEN, however, to ask them to respond to JMTO’s claims that no customer data from the JMTO app had been compromised. DESORDEN informs DataBreaches that they are aware of JMTO’s statement and are checking all the 200+ GB of data to determine if JMTO is correct or not about customer data in the app. They anticipate it will take a few days to check through all the data. In response to other questions from this site, DESORDEN confirmed that no ransomware had been involved in the incident. Of special note, they wanted JMTO to know that there were still open vulnerabilities for JMTO to be aware of, even though they say that JMTO has already addressed two vulnerabilities. DESORDEN seemed well aware of what steps JMTO has taken and is taking. Last check, they shut down public access to most servers in JMTO network, but there are other networks like jasamarga.com There are still open vulnerabilities and if wanted, we can still access other parts of their network,” DESORDEN told DataBreaches. “We have been inside their network since early August. They have a huge network of servers. Vulns are something they really need to look at,” they added. For now, then, it’s unclear whether customer data from the JMTO app was involved — JMTO says it wasn’t, and DESORDEN is attempting to confirm or refute that but it will take some time. Eventually, though, after they sort through and organize all the data, DESORDEN will be putting it up for sale. Update and Correction of September 13: In light of Jasamarga’s claims that no customer data was involved, DESORDEN did review the data they had acquired. They inform DataBreaches that there was no customer data — only corporate information and employee information.
Yesterday, this site reported that Desorden Group hit Central Restaurants Group (CRG) in Thailand. A Desorden spokesperson had told this site that there would be more details to be revealed, and now there are. It appears that Centara Hotel Group is part of the Central Group that had been breached. Centara has now issued a statement on their site confirming that there has been a breach and what they did after first becoming aware on October 14 of a problem. CRG has also issued a statement (in Thai) on its site that attempts to reassure people that no credit card or financial information was stolen. Desorden Group responded to some of Centara’s statements in an email to DataBreaches.net. “In the announcement,” Desorden writes, “they managed (sic) that they have engaged a reputable consultant to deploy investigation immediately after we notified them. We notified them. The management tried to recover their data and started negotiation with us on 16th October 2021. On 17th Oct, they managed to recover part of the system and asked for proof that we breached them. The same day, within 10 minutes, we breached the exact same network of 5 servers and compromise it to show them that we have immediate access to their servers again. Reputable consultant, we will leave it for the public to think about it.” Desorden also disputes Centara’s claim that the breach impacted “a limited section of our network, with the general personal data of some of our customers.” “We basically brought down their entire backend, which consists of 5 servers,” Desorden responds. “In total, over 400 GB of files and data was stolen over a course of 10 days.” Desorden claims that the exfiltrated data includes millions of customers from many countries: “Basically, anyone who have ever stayed at any of their 70 luxury hotels between 2003 to 2021 has been compromised and we mean luxury first class hotel guests,” Desorden writes, adding: “In the chat, we have sent them proof of the data by exporting any dataset which they requested and they have verified the hotel guest leaks. Also, 400 GB of data included all financial data, corporate data, employee data, etc. Basically, we wiped their network of 5 servers in the heist.” According to Desorden, hotel guest data included name, passport number, id number, phone, email, (some had address of residence), check-in/departure time, etc. “Many millions of them, even those who booked in advance until December 2021 are affected, “Desorden claims. Desorden informed DataBreaches.net that they have gone public with these details and additional attacks on Central Group because after reaching a deal to reportedly pay Desorden $900,000.00 USD on October 26, Central Group management broke the agreement to pay. In addition to attacking Centara, Desorden then also attacked other (additional) Central Group companies and claims that they will be publishing the hotel data in a few days. A selection of files were provided to this site as proof of claims. DataBreaches.net reached out to both Central Restaurants Group and Centara Hotel to request a response to Desorden’s claims, but no responses have been received, possibly due to the late hour there. This post will be updated if a reply is received.
The Desorden threat actors have been busy, it seems, as they have announced an attack on Central Restaurants Group (CRG) in Thailand. The attack, with proof of claim, was posted on a popular hacking forum and sent to DataBreaches.net. The proof of claim files included membership card details of Mister Donut, employee details, daily sales records of what they describe as thousands of restaurant outlets, and vendor purchase order details. The employee-related spreadsheet contained more than 2000 records with fields that included: emp_id, perface_id, thai_fname, thai_lname, eng_fname, eng_lname, username, nickname, email, and phone number, as well as other details. CRG is linked to a number of popular restaurant brands, including Mister Donut, Kentucky Fried Chicken, Auntie Anne’s, ColdStone Creamery, and others. An email sent to the firm’s data protection office this morning asking them whether they would confirm the claimed attack was not immediately returned. This post will be updated if or when a reply is received.
DataBreaches.net has been contacted by a threat actor or group calling themselves “Desorden Group” (“Desorden”). The group claims to have hacked ABX Express Enterprise servers in Malaysia on September 23. We have stolen more than 200 gigabytes of files and databases, tens of millions of customers personal data from their servers, wiped their drives and left a note about the data breach on their servers. [ABX] took down their services entirely, informing their customers that they were performing system maintenance, instead of announcing the data breach. By the time DataBreaches.net checked ABX’s web site today, there was no evidence of any maintenance notice. As proof of their claims, Desorden uploaded two files to a file-sharing service for journalists to download. One showed directories of folders and files on drives C, D, and E. There was also a file with a report that dealt with shipping orders. ABX Express is a subsidiary of Kerry Logistics. Desorden claims the breach involves millions of Malaysian customers’ personal data, with the airway bill database containing more than 15 million records that each contain information on both sender and receiver. Other databases reportedly include financial information, customer, and corporate records. Due to the fact that ecommerce platforms share their shopper personal data with logistic companies for delivery, this data breach also involved customer personal data from their partners (Lazada, Shopee, etc.). Their source code files of apps and individual web services have also been stolen by us. When DataBreaches.net’s email to ABX bounced back as rejected due to possible spam, and their web site contact form did not work, DataBreaches.net sent a contact form inquiry to Kerry Logistics to ask them about the claimed breach. An acknowledgement was received but no response has been received as of the time of this publication. In addition to contacting journalists, Desorden Group also created a listing on a popular forum for buying, trading, or selling data. In that listing, they also offered 100,000 airway bills, and said they would be uploading more data. When asked how they were able to gain access to ABX, Desorden answered: We breached their intranet servers through their front-facing server and maintained APT on servers. They recovered most of their source codes with backups, and are still recovering databases. The threat actors also told DataBreaches.net that their victim did not respond at all to their notes. Who is Desorden Group? In follow-up communications with DataBreaches.net, Desorden described themselves as former associates of Chaos. They: Reformed ourselves as Desorden Group which stands for Chaos & Disorder. You might previously know us as ChaosCC but today we no longer have associations with ChaosCC. As they describe themselves, their targets are supply chain networks and public services, “the name chaos & disorder.” Desorden attacks on supply chains create higher level of disorder & chaos affecting many parties rather than the victim itself. If victim fails to pay, Desorden sells the data on black market in a few days. We have another automotive supply chain victim in Italy under negotiation. We will update if it fails. This post will be updated if a reply is received from Kerry Logistics or more information becomes available.