Threat actors known as ALTDOS continue to romp their way through attacks on ASEAN entities, garnering very little media attention as they acquire and dump millions of consumer records and proprietary information on businesses. The majority of the victims whose data they have dumped appear to be from Singapore and Thailand, but they have victims in other countries as well. While they have tended to fly under the media radar, ALTDOS has not gone unnoticed by Singapore law enforcement: the Singapore government recently issued a joint advisory on ALTDOS. That advisory did not save one of Malaysia’s biggest conglomerates from becoming a victim, however.

Sunway Group describes itself as one of Malaysia’s largest conglomerates, with core interests in real estate, construction, education, healthcare, retail, and hospitality. It has 13 business divisions, more than 50 locations worldwide, and 16,000 employees.

On September 15, ALTDOS contacted DataBreaches.net to claim responsibility for a hack of Sunway Group (Sunway Berhad):

“Due to no-response for the last 72 hours from Sunway Group, we will dump out part of their student data under sunway.edu.my in less than 12 hours’ time. More data leaks from Sunway Group will be made known.”

ALTDOS enclosed links to a file-sharing site where they had uploaded two files as proof of acquisition of data. One of the two files was a spreadsheet with personal information on 1,000 students and their parents. The fields included the form (grade) the student was in, their name, IC, email address, phone number, state, and school, as well as parental information including the parent’s name, email address, and contact phone number. Most of the entries had 2021 entry dates.
DataBreaches.net did not attempt to contact either students or parents or to test any email addresses or phone numbers, but a simple Google search did find individuals who matched the parents’ names, and Sunway does have an international school that covers the grades in question. The international schools are owned and governed by the Jeffrey Cheah Foundation.

On September 17 and 18, DataBreaches.net used Sunway’s on-site contact form to send inquiries asking Sunway to confirm or deny ALTDOS’s claims. An inquiry was also sent to the Jeffrey Cheah Foundation through its web site yesterday. No response to any of the inquiries had been received by the time of this publication.

DataBreaches.net did not find where, if anywhere, ALTDOS has publicly dumped any Sunway data as they had threatened to do, but ALTDOS has a pattern of using different paste sites or forums, not all of which are known or readily discoverable by DataBreaches.net.

ALTDOS’s Past Incidents

In alphabetical order, ALTDOS’s known/claimed victims:

AudioHouse – one of Singapore’s largest electronics retailers
Bangladesh Export Import Company Limited (“BEXIMCO”) – multinational conglomerate
Country Group Securities (CGSEC) – a Thai securities firm
MonoNext and 3BB, subsidiaries of Jasmine International – a Thai media and content conglomerate
OrangeTee and OTGroup – Singapore real estate group
Unispec Group Singapore – marine industry services
Ventura Securities Ltd. – a stock trading/investment management firm in India. This one was never reported publicly at the time (March, 2021) although proof of claim had been sent to DataBreaches.net; Ventura did not respond to inquiries.
vHive – Singapore furniture retailer whose online ordering has been nonfunctioning since March.

As DataBreaches.net previously reported, some of ALTDOS’s servers were recently taken down.
ALTDOS tells DataBreaches.net that they have no idea which authority was responsible for that, but that the takedown occurred shortly after their communication to OrangeTee. No substantive reply has been received to an inquiry sent to the data protection commissioner’s office asking whether it was responsible for the takedown.
It would be great if the good guys had backups as good as the threat actors have.

Threat actors who call themselves “ALTDOS” have re-emerged after a brief hiatus that had left this site wondering whether something had happened to them following a joint advisory about them. ALTDOS has attacked a number of ASEAN firms, as DataBreaches.net has documented over a series of posts and reports. Most recently, ALTDOS had started disclosing a breach involving OT Group/OrangeTee in Singapore and had indicated that they would be dumping data. But they suddenly went silent three days after a joint advisory was issued about them by law enforcement, and they did not respond to any inquiries from this site, which has not been their usual pattern.

In an email to DataBreaches.net yesterday responding to this site’s inquiries about the joint advisory and the OrangeTee attack, they wrote:

“The last email we sent to OT Group included many videos of subsequent breaches until 26th August 2021, 2 weeks after OT Group announced the breach publicly. Servers containing some data and the videos were seized shortly after ALTDOS emailed them on 27th August.”

A copy of that email was provided to DataBreaches.net. It informed OT Group/OrangeTee that there were videos showing continued access and exfiltration up through August 26, weeks after the firm had publicly acknowledged awareness of the hack. A copy of the videos was uploaded to a file-sharing site for OT Group to download; that file was no longer available when DataBreaches.net tried the link in the email. The email also threatened, in part, to distribute the videos to regulators and media, along with data from OrangeTee. That approach — publicly trying to embarrass companies and notifying media to increase the embarrassment or pressure — has been a consistent element across all of the ALTDOS ASEAN attacks that DataBreaches.net is aware of.
But their email to OT Group also gave this site an indication of how much ALTDOS had been demanding from these victims:

“ALTDOS shall give your management one last opportunity to save yourself from this mess once we publish the breach videos and databases. ALTDOS will take a step back on the numbers. Instead of initial asking of 10 BTC, OT Group can choose to pay just 1 BTC and ALTDOS will disappear entirely without leaking any videos or data.”

Three days after the joint advisory, and less than one day after that email to OT Group/OrangeTee, some of their servers were seized, ALTDOS claims. It appears that OT Group did not decide to pay the 1 BTC, as ALTDOS started dumping data. Re-appearing on a popular forum to dump some of it, they noted the seizure as the cause of their delay:

“We took some time to begin the leak due to technical issues arising from the seizure of some of our servers, which caused partial data corruption during sync. ALTDOS has already recovered our databases.”

In a statement to DataBreaches.net, the threat actors responded to an inquiry from this site as to who had seized their servers and under what authority:

“ALTDOS does not know specifically which authority seized the servers, only received emails from the server company that our 3 servers were seized by authorities and requested more information from ALTDOS in the event where ALTDOS wants the data backup.”

The threat actors wrote that they were not concerned about the seizure:

“ALTDOS has incremental backups performed across different servers, not a concern in case of seizures. Only require extra time to recover the full data which has already been completed.”

DataBreaches.net has reached out to CSA Singapore and the PDPC to inquire as to who seized the servers, but no response was immediately forthcoming other than auto-acknowledgements from both agencies.
The Singapore Police, who were involved in the joint advisory, have no statement on their site that would indicate their involvement in the seizure. It is possible, of course, that the seizure is not related to Singapore authorities but to some other authority acting on behalf of non-Singapore victims, but the timeframe seems to suggest a relationship to the OrangeTee incident. This post will be updated if or when more information becomes available, but DataBreaches.net’s reply email to ALTDOS has bounced back with a notice that their email address, which had been working as of several hours ago, no longer exists.
Singapore-based OrangeTee appears to have suffered a massive hack and data exfiltration by ALTDOS threat actors. “Your highly sophisticated work has exhausted us, both energy and financially,” the firm allegedly wrote to the threat actors on August 6.

As this site previously reported, ALTDOS claimed responsibility for a recent attack on OrangeTee in Singapore. OrangeTee describes itself as “Singapore’s 1st One-Stop Real Estate Digital Ecosystem for Property Agents.” ALTDOS provided this site with a statement and proof of claim. On August 12, they claimed, in part, that they had been stealing the firm’s databases since June 2021 “without any detection by OT Group IT management.” The stolen data reportedly include “969 databases from ACSystem, NewOrangeTee, OT_Analytics, OT_Leave, and ProjInfoListing, ranging from corporate / financial records to customer private personal and financial information.”

On August 6, OT Group released a statement on their website. Nonpublicly, however, they also allegedly emailed ALTDOS about their negotiations. The email, which OrangeTee neither confirmed nor denied in a statement to DataBreaches.net, said that partners and customers were leaving them, that banks had suspended their transactions, and that agents were leaving or would be leaving. The future of the company and its ability to recover from the attack were described in pessimistic terms, and the company sought more time to come up with a solution. On August 12, they reportedly informed ALTDOS that they would not be paying any ransom as their board had not approved it.

As part of the proof of claim provided to this site, ALTDOS included a video showing a directory of folders. In a few cases, they showed the contents of a folder or file, such as one that included more than 3,600 individuals’ names, account numbers, bank names and bank information.
In their August 3 message to OrangeTee depicted in the figure above, ALTDOS referred to a business that was destroyed and a reputation ruined. DataBreaches.net asked them which business or businesses they were claiming to have ruined. In response, they pointed out that Vhive’s web site was still not restored for online ordering and sales. Vhive had been attacked on March 23, and that does seem like a long time to have been unable to restore an online store. DataBreaches.net emailed Vhive to ask about that, but once again, they did not reply.

In their statement to this site, ALTDOS claimed that the data they exfiltrated included “name, national registration number, address, date of birth, giro account, mobile, email, password, transaction details, commission, digital contact tracing, courses, and more.” DataBreaches.net did not see proof of all of the data types mentioned in ALTDOS’s statement, and OrangeTee did not respond to specific questions put to it.

In a statement to DataBreaches.net on August 19, OrangeTee’s Data Protection Officer wrote:

“Please be advised that we are currently working closely with external cyber security experts and law enforcement agencies to investigate the incident. Apart from this, we have no further comments.”

According to ALTDOS, OrangeTee’s front end is working, but not the backend. As of the time of this publication, ALTDOS has not dumped any data.
In December of 2020, DataBreaches.net reported on a threat actor (or actors) calling themselves “ALTDOS” who had attacked a Thai securities trading firm, Country Group Securities (CGSEC). CGSEC wasn’t the only Thai entity they attacked, and within weeks they had attacked MonoNext and 3BB, subsidiaries of Jasmine International. Angered by the entities’ response or lack of response to demands, ALTDOS ultimately dumped their data. Less than one month later, this site reported another attack by them, this one involving Bangladesh Export Import Company Limited (“BEXIMCO”). And in March, they attacked the Vhive furniture retailer in Singapore. When the retailer allegedly reneged on an agreement to pay them, ALTDOS escalated, taking control of the firm’s email server and sending out emails to customers. They also dumped its customer data.

In all of the above cases, ALTDOS dumped customer or personal information, using a variety of dump sites or leak sites to post data. But that wasn’t the end of their activity and attacks.

Somewhat stunningly, perhaps, DataBreaches.net discovered this week that ALTDOS appears to still be in control of Vhive’s email server. As proof of claims, ALTDOS provided DataBreaches.net with a screen cap of an email from June 2. DataBreaches.net reached out to Vhive to inquire how ALTDOS still has access to their email server, but received no response.

In early April, DataBreaches.net had reached out to Singapore’s Personal Data Protection Commission to ask if the Vhive incident had been reported to them. A spokesperson for the PDPC responded that they were aware of the incident and were investigating. Under their procedures, the results of their investigation are confidential, but the commission does publish decisions in cases where it has found a contravention of the data protection provisions of the PDPA.
At the present time, there is no decision for Vhive listed on the commission’s site, which may mean that the PDPC concluded its investigation and found no violation, or that the investigation is still open. Regardless of what the PDPC does or does not do, if ALTDOS still has access to Vhive’s email server, that is cause for concern.

But Vhive was not the last attack by ALTDOS. There have been two more Singapore entities attacked by ALTDOS recently (or at least two that we currently know about).

Unispec Group Singapore

ALTDOS claimed to have attacked Unispec Group Singapore, which operates in the marine industry, providing services in marine insurance, surveying, cargo, containers, and marine IT software. UniSpec has offices in Singapore, India, Thailand, Malaysia, Indonesia, South Korea and China. In a statement provided to DataBreaches.net, ALTDOS claimed that they had hacked into the firm’s intranet servers and stolen all of its code, files and databases. The data and files, they say, include sensitive information pertaining to trade secrets, corporate matters, employees, customers, projects, finances and more. ALTDOS uploaded some video proof of claims. They tell this site that when the firm did not reply to their emails, ALTDOS began dumping data on May 7.

Unlike ALTDOS’s earlier attacks, the UniSpec data dump was not because the target refused to pay any demands. ALTDOS claims that they never even made a specific monetary demand on UniSpec. When the entity did not respond to their emails, they just went into dump or sale mode. “Our current style is to write an email asking for a reply from their management without stating any monetary demands from the victim,” ALTDOS told DataBreaches.net. “Since Unispec did not reply, ALTDOS did not state any demands.
The email account that was used to contact Unispec was already deactivated by protonmail.”

While they did not reply directly to ALTDOS, UniSpec reportedly filed takedown requests with gofile.io, file.io, pastebin, and some other sites where the threat actors uploaded files. DataBreaches.net did reach out to UniSpec to ask how the attack may have impacted them and whether they have notified employees and the PDPC about the attack, but no reply has been received.

AudioHouse

ALTDOS also claims to have hacked AudioHouse, one of Singapore’s largest electronics retailers, and stolen more than 290,000 customers’ personal information. The firm has since reported the attack to the authorities and to local news media. In support of their claims, ALTDOS provided DataBreaches.net with a video recording of what they claim are 320 stolen databases and Part 10 of a customer database that they had uploaded. Because AudioHouse did not respond to their emails but went to the authorities and media, ALTDOS listed the data for sale on June 4.

What Are They Doing?

Since DataBreaches.net first became aware of ALTDOS, it has been somewhat of a puzzle. In the past, they have not asked for the kind of exorbitant ransoms other threat actors have demanded, and in some cases, as we see above, they wind up not making any financial demands at all and just leak the data or advertise it as being for sale. That does not seem like a particularly profitable business model, and DataBreaches.net asked them about it. They replied:

“Depending on the type of data, ALTDOS usually dump out partial data and proceed to use middleman to sell the data to other groups.”

As they informed this site last year, they have continued to focus on ASEAN companies. But are any paying them? Their attacks do not seem to get much coverage.
Are consumers there less concerned or outraged about breaches involving their consumer data, or is there just a concerted public effort not to reward threat actors by reporting on them or paying them? According to ALTDOS (and DataBreaches.net has no way to confirm this), 70% of the breached companies pay them and then nothing is disclosed publicly about the hacks. For the other 30%, “ALTDOS will either do a full data dump or sell the data to middleman which in both cases, will end up in the hands of other groups capable in extracting more monetary value with use of other methods.”

ALTDOS continues to decline to answer any of this site’s questions as to how it gains a foothold in the victims’ systems, saying only […]
The same hacking group that hit Country Group Securities (CGSEC) in Thailand has revealed a recent attack on Mono Next Public Company Limited, a media and content conglomerate in Thailand. As described by Thailand’s Securities and Exchange Commission, Mono Group divides its businesses into five business operations:

MONO29 (digital TV business)
MONOMAX (video-on-demand business providing movies and series, as well as being an international movie distributor under the name MONO Streaming3)
MONOCyber (online business on the website MThai, as well as providing strategic planning and holistic communications services for product brands)
Master Content Provider (content acquisition and marketing for the interactive TV business)
29Shopping (home shopping business)

According to Dun & Bradstreet, Mono Group generated $71.24 million (USD) in 2019.

Threat actors calling themselves ALTDOS claim to have hacked 29shopping.com on January 6, mono29.com on January 3, and mono.co.th on December 25. They also claim to have successfully completed other attacks across Mono’s networks since November 2020 that resulted in the exfiltration of hundreds of gigabytes of data. Attempts to negotiate ransom demands with Mono were reportedly unsuccessful, a spokesperson informed DataBreaches.net, leading them to start dumping data. The first small dump was customer data from 29shopping.com from 2018 to this month.

ALTDOS had previously informed this site that they do not use ransomware, but they do exfiltrate data and then try to get entities to pay them not to dump the data they acquired. In addition to the .csv file with 1,448 rows, ALTDOS also provided DataBreaches.net with screencaps showing the scope of what else they could access.

In response to a question from this site as to how they gained access, the spokesperson for what was described as a team replied:

“There are many methods which we’ve used to gain initial access to their networks ranging from sniffing, brute force to code injections.”
Their motives, the spokesperson wrote, are purely financial and not political at all:

“There is nothing political about our attacks. It’s all about the money. ALTDOS main focus is in ASEAN and we attack many targets ranging from Bangladesh, Philippines, Malaysia to Thailand. Apparently, this is our 2nd Thai attack and Thai companies are hard to negotiate. Perhaps, it is difficult to communicate with the victims due to language barrier?”

DataBreaches.net reached out to Mono to request a response to ALTDOS’s claims. No reply has been received as yet, but the time difference could contribute to that. This post will be updated if a reply is received.

UPDATE: DataBreaches.net has received a statement from MONO. The English version of their statement begins:

It is revealed that an attacker (hacker(s)) has claimed to access the company’s data causing data breach of employee’s personal information and extorted money by threatening to expose the information to the public. Due to this unusual circumstance, Mono Next Public Company Limited and subsidiaries would like to announce that the company has a security system to protect the personal information database of all employees and clients. The data is kept on a system located in the Company’s computer center and cloud server with sufficient protection and security measures according to the rights protection enforcement. Moreover, the system has been regularly monitored. The attacker (hacker(s)) has accessed some employee’s data, such as name, last name, and age, and some online customer’s data were leaked. Nevertheless, credit card or financial information and copy of identification card remain safe. As for financial report, the company has already disclosed the information to the public. Therefore, the extortion is considered a cybercrime that defamed the company for the advantage of the attacker (hacker(s)). The attacker also stated that if the company ignores the extortion, the information will be revealed to the public.
Consequently, the attacker (hacker(s)) will become recognized and continue to extort other companies, targeting all public companies in the Stock Exchange of Thailand.

The remainder of the statement basically asks news outlets NOT to report on the attack and any data dumps, as it will encourage further attacks and extortion attempts. It is an argument that we have heard many times before, and while there may be merit to the notion of not reinforcing or assisting criminals by reporting on them, this site has always weighed that against the importance of notifying consumers and patients whose data has already been stolen and may be being misused. MONO’s statement does not seem to state whether they are notifying any employees or customers of the data theft. DataBreaches.net has sent them a follow-up inquiry on that point.

In exchange for news outlets not reporting, it seems, MONO claims that “when the trial ends” (they seem to be assuming that the attackers will be caught and tried?), “the company will be pleased to inform news agencies to report the news as a case study in terms of preventive management.” Because they have already been attacked and data allegedly exfiltrated, it is not intuitively obvious what “preventive management” they would be describing. MONO’s statement also indicates that they are increasing their security.

If MONO responds to the inquiry about whether they are notifying everyone whose data has been stolen, this post will be updated again. In the interim, the attacker’s email account seems to have been killed off.
Aisyah Llewellyn reports:

The first that Indonesia heard about the hacker now known as Bjorka came when news broke at the beginning of September of a massive data leak. Some 1.3 billion SIM card registration details were stolen and listed for sale on a dark web online marketplace. The data was harvested in part as a result of a change in policy in 2017, requiring that anyone using an Indonesian SIM card first register it in their name using their identity card, known as a KTP, and their family card, known as a KK.

If the leaks had ended there, or if Bjorka – who appears to have taken their name from the Icelandic singer Bjork – had listed more online data seemingly purely for financial gain, perhaps the story would not have gained much traction. But in the weeks after the data leak, Bjorka has attracted something of a cult following online thanks to an intriguing personal backstory and a series of spats with the increasingly frustrated Indonesian government.

Read more at The Diplomat.

Bjorka’s hacks and in-your-face approach to the government have certainly made more people aware of the unsatisfactory state of data protection in Indonesia. Bjorka wasn’t the first to make that point, obviously. A quick search of DataBreaches.net for “Indonesia” returns 72 results, including a recent listing of attacks on Indonesian government agencies and multiple reports of attacks in other sectors by ALTDOS, DESORDEN, and others. And for a walk down Memory Lane: how many readers remember “Cyb3rSec Crew”? In 2011, Lee J. had reported on his blog (subsequently merged with DataBreaches):

Cyb3rSec Crew has been busy the past few days dumping 3 databases from different sites. The websites are all Indonesian government websites. The data that has been leaked is admin accounts and basic database layouts.
https://agroindustri.menlh.go.id/ – https://pastebin.com/YqaSx1Uh
https://landspatial.bappenas.go.id/ – https://pastebin.com/fyv1A0in
https://ktm.depnakertrans.go.id/ – https://pastebin.com/wHymUfPx

This continues the proof that the world’s governments need to fix shit asap and stop this from happening, as most of these attacks are from very basic attacks.

More than a decade later, it seems not much has changed.
It was a back-handed compliment of sorts: experienced hackers telling DataBreaches that it had gotten noticeably harder for them to successfully attack big corporations in Singapore.

“The most difficult country to attack now, are Singapore companies,” they told DataBreaches in a chat. “A lot has changed since 3 years ago. It is hard to even pinpoint a Singapore server with vulnerabilities these days. Just a few years ago, everything was still pretty much unsecured. Now, hackers are lucky to even find a Singapore server with vulnerabilities…. we can’t pick up things for months.”

Given how active DESORDEN Group has been in ASEAN countries, for them to make that comment about Singapore is really interesting. That does not mean that they have been totally unsuccessful, however. They still managed to recently attack a major multinational shipping and logistics firm headquartered in Singapore — Ben Line Agencies — although it was their first Singapore hit in about a year. DataBreaches sent email inquiries to Ben Line Agencies’ Singapore office and country manager about the attack, but received no replies, even though DESORDEN indicated that it was evident Ben Line was aware of the breach.

DESORDEN noted that the difficulty they now experience in hitting a Singapore target as quickly as they used to might be because they are always looking for bigger companies. “Either way,” their spokesperson told DataBreaches, “it is too time consuming to look at Singapore now.” And that is a bit of good news for big businesses in Singapore.

While DESORDEN may find its pool of big targets in Singapore more difficult to attack, the current media frenzy over Indonesian hacks and data leaks has created new business opportunities for them, it seems.
DESORDEN says they have been receiving a number of inquiries from people seeking to hire the hackers-for-hire group to hack Indonesian companies, and they have recently taken on more people to help.

Has Singapore Improved Its Cybersecurity Significantly?

Curious about why large Singapore organizations had become more challenging for DESORDEN to successfully attack, DataBreaches tried to find any data that might shed some light on the topic. While Singapore’s Personal Data Protection Commission (PDPC) publishes the enforcement actions, undertakings, and guidance papers it issues, DataBreaches could not find any direct reports on how many data security breaches or leaks the regulator had received for 2020, 2021, and 2022 to date. To try to obtain more information, DataBreaches sent inquiries to both the PDPC and Singapore’s Cyber Security Agency (CSA). The former has not replied as yet, but the latter pointed me to a report on the cybersecurity landscape in 2021. According to that paper, 137 cases of ransomware were reported to SingCERT in 2021, a 54% increase from 89 cases in 2020. Figures have not been released for 2022.

The report also noted that multiple entities had been hit between March and August 2021 by ALTDOS, a situation that led CSA, the PDPC, and the Singapore Police to issue a joint advisory on ALTDOS. Shortly thereafter, three of ALTDOS’s servers were seized, although no government publicly claimed responsibility for the seizure. Of note, ALTDOS subsequently announced one more hack — of a Malaysian firm — and then disappeared as ALTDOS.

Did the advisory or any other measures Singapore took last year have a positive impact on businesses’ cybersecurity measures? A CSA spokesperson responded to DataBreaches’ inquiry that “it is good to hear that they are finding it increasingly difficult to attack big companies in Singapore.
This means that our local companies are getting more aware of the importance of cybersecurity and the need to practise good cyber hygiene.”

Last year, the PDPC took enforcement action with monetary penalties against two of ALTDOS’s victim companies: Audio House and vHive. And in addition to the regulatory actions, the vHive e-commerce site was down for months following the attack. Were those incidents “wake up” calls for Singapore businesses, or were there other variables that were more influential? DataBreaches does not know at this point, but it would be great to figure out what made a difference and bottle it for other countries.
For over one year, DataBreaches.net has highlighted breaches of ASEAN victims by groups such as ALTDOS and DESORDEN. In addition to those two groups, there are also numerous other leaks and breaches, as DataBreaches noted in our recent post about leaks and breaches in Indonesia. But even while DataBreaches was researching and preparing the post on Indonesia, DESORDEN threat actors continued to announce new victims in Thailand and further headaches for earlier Thai victims who had not paid their demands. And then it appeared things might get even worse.

Four Breaches of Thai Entities DESORDEN Announced This Week

The first was Frasers Property Thailand Public Company Limited. DESORDEN provided DataBreaches with samples of the data and a video suggesting the scope of the breach. They also posted the breach on a popular hacking-related forum with a free sample. Their listing claims the breach involved “312,834 personal data information of their customers, along with their HR, financial and corporate data.” DataBreaches has not spotted any media coverage or notice on Frasers’ website. A request sent to Frasers for a copy of any notification or press release, and a question about who has been notified, did not receive an immediate reply.

The second DESORDEN victim was Union Auction Public Company Limited. As with Frasers, DESORDEN made a public claim on a hacking-related forum, offered free sample data, and made the rest available for purchase. In this case, they claimed to have acquired the personal data of 30,000+ of the victim’s members. Finding no notice on Union Auction’s website nor any media coverage, DataBreaches sent an email inquiry requesting a copy of any notification and asking who had been notified of this breach at this point. The email bounced back, undelivered, and an attempt to use their site contact form failed.

The third DESORDEN victim is also a publicly listed firm: Srikrung Broker Co., Ltd., an insurance broker.
Srikrung issued a statement acknowledging the breach. In its public listing on a hacking forum, DESORDEN claims it stole more than 369 GB of data with approximately 3.28 million customer records and 462,980 agent records.

Then just today, DESORDEN sent an update to DataBreaches, indicating that three days after breaching Srikrung Broker, they breached another business under that company: 724.co.th, an insurance marketplace. This latest breach, they claim, involved 1.75 TB of scanned ID copies and loan documents and has also been posted to a hacking forum. An attempt by DataBreaches to connect to 724’s website this morning timed out.

Other Listings Related to Data of Thai Entities

DESORDEN isn’t the only source of leaks or breaches affecting Thai entities, of course, with ALTDOS having previously been a significant threat actor in the region. DataBreaches also found other listings by other vendors or threat actors over the past few months on a popular forum where people can sell or acquire data:

An April listing offering data from Pruksa Clinic claimed to have 48,303,229 records.
Another listing offered 5.9 million citizens’ data with their full name, date of birth, mobile telephone number, and complete address.
A listing for “huge data of thailand citizen” claimed to have data from a Thai university with email, address, phone, full name, and other files.
A listing with data purportedly from the Royal Thai Police’s knowledge management of police patrol platform (KMPPP). Using leaked credentials, someone was reportedly able to scrape data containing the information of 6,793 cyber villages across Thailand.
A listing about the Thai Ministry of Public Health with a Covid database.
Some data allegedly leaked from the Thailand Institute of Nuclear Technology.

NOTE: DataBreaches has not attempted to validate any of the claims in the postings described above, and not all of them are even still available.
They are presented here merely to demonstrate that there is an appetite in the underground for data from Thailand, and that people are more than willing to profit by meeting that demand.

And Then Things Seemed to Be About to Get Worse

In the past few days, DESORDEN started making ransomware builds freely available to members of a hacking-related forum. Because DataBreaches was unaware of any incidents in which DESORDEN had used ransomware in its attacks on entities, DataBreaches asked them whether they had used it, and whether their offer of free ransomware builds (written by others) to forum members signaled that they would also be using ransomware more often in their own activities. DataBreaches also asked DESORDEN whether they had considered that, by making these builds freely available to all, some young and inexperienced people might try to use them to attack hospitals or critical infrastructure.

DESORDEN responded that they do not use ransomware in most of their attacks, not even during the Acer India attack. But even when they do deploy ransomware, they write, they would not use the types offered on the forum, or any type or version already hashed by VirusTotal, because those are impossible to deploy on systems that have even basic antivirus protection. As to the two specific ransomware builds they offered freely on the forum, they note that CHAOS Ransomware Builder is a wiper, although it is advertised as ransomware, and that it doesn't work against any properly installed AV system. The other offering, Yashma Ransomware Builder, is an upgraded one that has not been detected often in the wild. And here is where their answer became particularly interesting:

We have already submitted it to VirusTotal 12 days ago, before we posted it for free. In one way, we are helping others to prevent attacks by Yashma ransomware. You can see the data submission here: https://www.virustotal.com/gui/file/f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db/detection/f-f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db-1652338917

The Yashma was provided to us by a credible source for reverse engineering purposes. We have already submitted it to VirusTotal, which will be uploaded to the majority of AV detection. So it is almost impossible for young wannabes to deploy it on basic AV-protected systems, as basic as Windows Defender. Also, ransomware is not as easily deployed as seen in movies or online news. Deploying it requires skills in underlying systems.

So that was a bit of a surprise: […]
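DESORDEN's claim above rests on a hash: the file they posted is, they say, the file whose VirusTotal report sits at that URL. The check a practitioner makes before trusting such a claim is to hash the file actually in hand and compare it to the digest in the URL, then read the engine counts from the report. The following is an added example, not code from DataBreaches.net or from DESORDEN. The sample bytes and the report it parses are constructed for the demonstration (they are not the Yashma builder); the only assumption beyond that is the layout of a VirusTotal v3 file object, whose `data.attributes.last_analysis_stats` carries per-verdict engine counts.

```python
"""Checking a sample against a VirusTotal report by hash, without uploading it.

Added example; not code from DataBreaches.net or from DESORDEN. SAMPLE and
CONSTRUCTED_REPORT are constructed stand-ins, not the Yashma builder. Assumed:
the VirusTotal v3 file-object layout (data.attributes.last_analysis_stats).
"""
import hashlib
import re
from typing import Optional, Tuple

# A SHA-256 digest is 64 hex characters; VirusTotal keys files by it.
_SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

# The URL quoted in the post (the digest appears twice; both are the file hash).
PAGE_VT_URL = (
    "https://www.virustotal.com/gui/file/"
    "f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db/detection/"
    "f-f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db-1652338917"
)


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256 of the bytes in hand."""
    return hashlib.sha256(data).hexdigest()


def hash_from_vt_url(url: str) -> Optional[str]:
    """First 64-hex-character run in a VirusTotal GUI or API URL, or None."""
    m = _SHA256_RE.search(url)
    return m.group(0).lower() if m else None


def sample_matches_url(data: bytes, url: str) -> bool:
    """True if the file on disk is exactly the file the URL's report describes.

    Comparing digests locally (or looking the digest up with
    GET /api/v3/files/<sha256>) never sends the sample anywhere, which matters
    when the file under examination must not be leaked.
    """
    return sha256_hex(data) == hash_from_vt_url(url)


def detection_summary(report: dict) -> Tuple[int, int]:
    """(flagged, judged) engine counts from a v3 file report.

    flagged = malicious + suspicious; judged adds harmless and undetected.
    Engines that timed out or could not handle the file type are left out,
    so the ratio is over engines that actually reached a verdict.
    """
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    judged = flagged + stats.get("harmless", 0) + stats.get("undetected", 0)
    return flagged, judged


# --- Constructed inputs: a stand-in file and a report in v3 shape -----------
SAMPLE = b"constructed stand-in bytes, not a ransomware builder\n"
SAMPLE_VT_URL = "https://www.virustotal.com/gui/file/" + sha256_hex(SAMPLE) + "/detection"
CONSTRUCTED_REPORT = {
    "data": {
        "type": "file",
        "id": sha256_hex(SAMPLE),
        "attributes": {
            "last_analysis_stats": {
                "harmless": 0, "malicious": 48, "suspicious": 2,
                "undetected": 12, "timeout": 3, "type-unsupported": 5,
            }
        },
    }
}

if __name__ == "__main__":
    print("sample sha256 :", sha256_hex(SAMPLE))
    print("matches URL   :", sample_matches_url(SAMPLE, SAMPLE_VT_URL))
    print("flagged/judged:", detection_summary(CONSTRUCTED_REPORT))
```

The point of the hash comparison is that a forum post can link to any report; only a local digest of the file you actually downloaded ties the two together, and a single changed byte (a re-packed build, for instance) breaks the match and makes the linked report irrelevant to the file in hand.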
In December of 2021, Thailand's National Cyber Security Agency launched, after being delayed by the COVID-19 pandemic. In February, it announced that it intended to roll out 40 subordinate regulations of the Cybersecurity Act this year to strengthen the country's systems. It sounds like an ambitious, and badly needed, update.

For the past few years, DataBreaches has been reporting on breaches in Thailand, but it has not always been clear to what extent the breached entities have fully disclosed their breaches to the individuals whose personal or sensitive information may have been caught up in them. In its analysis of global breach notification laws, DLA Piper summarized the current breach notification obligations in Thailand this way:

In the event of a data breach, Data Controllers must report the breach to the Regulator without undue delay, and in any event, if feasible, within 72 hours of becoming aware of it. Data Controllers also have an obligation to notify the data subjects of the breach and the remedial measures if the breach is likely to result in high risks to the rights and freedoms of individuals.

Of course, not all incidents result in high risk, even if they sound dreadful. In August of 2021, Bob Diachenko discovered that the records of 106 million travelers to Thailand were exposed due to a misconfiguration. The exposed database contained each visitor's full name, sex, passport number, residency status, visa type, Thai arrival card number, and date of arrival in Thailand. The National Cybersecurity Agency confirmed the leak but said it had found no evidence of any data up for sale and no evidence that the exposed data had been accessed by any unauthorized parties.

That was the third leak in as many months. In June, a local blogger had reported that the Bangkok immigration site was leaking passport number, nationality, date of birth, email, telephone number, and visa expiration date.
And a Covid vaccination site set up for vaccine registration, Thailandintervac.com, was found to be leaking names, passport numbers and locations, and there were reports that people could edit other people's information.

But in addition to leaks, there were actual cyberattacks. In August 2021, Bangkok Airways revealed it had been the victim of a cyberattack that accessed passengers' names, nationalities, genders, phone numbers, emails, addresses, contact information, passport information, historical travel information, partial credit card information, and special meal information. That attack appeared to be the work of LockBit.

Yet other incidents have also put Thai people at increased risk, especially when groups like ALTDOS and DESORDEN start giving away data freely on popular hacking forums. In August 2021, Catalin Cimpanu compiled government advisories and incident reports by DataBreaches on the threat actors called ALTDOS, describing the group as wreaking havoc across Southeast Asia, including against Thai entities. But it wasn't just ALTDOS wreaking havoc. In October 2021, DESORDEN hit Centara Hotel Group and Central Restaurant Group. In that case, the entities did issue public statements about the breach, but whether they ever sent individually mailed notifications to affected guests or employees is not known to DataBreaches.

In the past week, DataBreaches became aware of two more breaches that put Thai people at increased risk. The first was a breach of Mistine Better Way Thailand by DESORDEN. As reported previously on this site, DESORDEN claimed to have acquired 180 GB of data and 60 GB of files, including about 20 million records with information on customers and representatives. In reporting on the Mistine incident, DataBreaches provided a screenshot from one of the databases DESORDEN shared with this site. That database included employees' first and last names, their password, and their display name. Other fields in that database, not viewable in the screencap, included the employees' addresses and mobile telephone numbers. DESORDEN subsequently posted data from the breach as a free sample on a popular hacking forum.

To date, Mistine has not responded to multiple inquiries by DataBreaches asking them to confirm or comment on the breach. There is no notice on their web site and no notice on their Twitter account. DataBreaches can find no press releases or media coverage from Thailand about the claimed hack. Has Mistine reported the breach to the regulator, as would appear to be required? DataBreaches does not know.

But the DESORDEN breach and leak is not the only concern for Thai citizens this week. Another individual also provided a free sample of data, but these data are from what is described as a database of 30 million Thai people. The data fields include "id", "name", "phone_no", "addr", "id_card", "m_s", "birth", and "gender". DataBreaches is attempting to get more details about this second breach, but notes that both this database and the DESORDEN data contain mobile phone numbers, which suggests that the two databases might contain a number of overlapping individuals for whom more complete dossiers could now be compiled. Since DataBreaches does not yet know the source of the second data leak, this site does not know whether that entity is already aware of any leak or breach, or whether it has notified any regulator or any consumers.

DataBreaches has sent inquiries to both THAI-CERT and Thailand's NCSA to seek information about the government's awareness of these latest breaches and to ask what the government is doing. No replies have been received as yet.
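The overlap risk described above is mechanical: any two leaks that carry the same identifier can be joined on it, and a mobile number is a strong join key once its spelling is normalized. The following is an added example, not code from DataBreaches.net and not any leaked data. It normalizes Thai mobile numbers, joins two constructed data sets on them, and reports both the merged attribute set per person and the share of one leak that reappears in the other (the figure a defender needs when scoping who to notify). The first data set mimics the employee fields named for the Mistine database; the second uses the field names the post lists for the 30-million-person sample. Assumed, and not stated in the post: Thai numbering (country code 66, domestic trunk prefix 0, mobiles beginning 06, 08 or 09); every row is fictional.

```python
"""Joining two leaked data sets on a shared mobile number.

Added example, not code from DataBreaches.net and not leaked data. LEAK_A and
LEAK_B are constructed. Assumed (not from the post): Thai numbering, country
code 66, trunk prefix 0, mobiles beginning 06/08/09.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

_NON_DIGIT = re.compile(r"\D+")


def normalize_th_mobile(raw: str) -> Optional[str]:
    """Canonical form '66' + nine digits, or None if the value is not a mobile.

    Accepts local ('081-234-5678'), E.164 ('+66 81 234 5678') and
    international-prefix ('0066812345678') spellings.
    """
    digits = _NON_DIGIT.sub("", raw or "")
    if digits.startswith("00"):          # international dialling prefix
        digits = digits[2:]
    if digits.startswith("66") and len(digits) == 11:
        national = digits[2:]
    elif digits.startswith("0") and len(digits) == 10:
        national = digits[1:]
    else:
        return None
    if national[0] not in "689":         # 02/03x... are fixed lines, not mobiles
        return None
    return "66" + national


def index_by_mobile(rows: Iterable[Dict[str, str]], field: str) -> Dict[str, List[Dict[str, str]]]:
    """Group rows by normalized mobile; rows without a usable number are dropped."""
    index: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for row in rows:
        key = normalize_th_mobile(row.get(field, ""))
        if key:
            index[key].append(row)
    return index


def correlate(a_rows, a_field, b_rows, b_field) -> Dict[str, Dict[str, List[Dict[str, str]]]]:
    """One dossier per mobile number present in both leaks, sources kept apart."""
    a_idx = index_by_mobile(a_rows, a_field)
    b_idx = index_by_mobile(b_rows, b_field)
    return {phone: {"leak_a": a_idx[phone], "leak_b": b_idx[phone]}
            for phone in sorted(a_idx.keys() & b_idx.keys())}


def dossier_fields(dossier: Dict[str, List[Dict[str, str]]]) -> Set[str]:
    """Union of non-empty attribute names now tied to one person across both leaks."""
    fields: Set[str] = set()
    for rows in dossier.values():
        for row in rows:
            fields.update(k for k, v in row.items() if v)
    return fields


def overlap_rate(a_rows, a_field, b_rows, b_field) -> float:
    """Share of leak A's usable mobiles that also appear in leak B (0.0 if none usable)."""
    a_idx = index_by_mobile(a_rows, a_field)
    if not a_idx:
        return 0.0
    b_idx = index_by_mobile(b_rows, b_field)
    return len(a_idx.keys() & b_idx.keys()) / len(a_idx)


# --- Constructed rows: fictional people, fictional numbers, invented values ----
LEAK_A = [  # employee-style record; "password" values are placeholders
    {"first_name": "Somchai", "last_name": "T.", "password": "placeholder-1",
     "display_name": "somchai.t", "address": "Bangkok", "mobile": "081-234-5678"},
    {"first_name": "Nok", "last_name": "P.", "password": "placeholder-2",
     "display_name": "nok.p", "address": "Chiang Mai", "mobile": "+66 9 1234 5678"},
    {"first_name": "Lek", "last_name": "S.", "password": "placeholder-3",
     "display_name": "lek.s", "address": "Bangkok", "mobile": "02-123-4567"},  # fixed line
]
LEAK_B = [  # citizen-style record using the field names from the post; "m_s" meaning not given
    {"id": "1", "name": "Somchai T.", "phone_no": "0812345678", "addr": "Bangkok",
     "id_card": "1-1001-00000-00-0", "m_s": "S", "birth": "1985-01-01", "gender": "M"},
    {"id": "2", "name": "Ploy K.", "phone_no": "0066 89 000 1111", "addr": "Khon Kaen",
     "id_card": "1-1002-00000-00-0", "m_s": "M", "birth": "1990-05-05", "gender": "F"},
    {"id": "3", "name": "Dao R.", "phone_no": "", "addr": "Phuket",
     "id_card": "1-1003-00000-00-0", "m_s": "S", "birth": "1992-09-09", "gender": "F"},
]

if __name__ == "__main__":
    for phone, dossier in correlate(LEAK_A, "mobile", LEAK_B, "phone_no").items():
        print(phone, sorted(dossier_fields(dossier)))
    print("overlap of leak A into leak B:", overlap_rate(LEAK_A, "mobile", LEAK_B, "phone_no"))
```

On these constructed rows one person appears in both sets, and the merged record ties a password and display name from the first leak to a national ID number, birth date and gender from the second; that is the "more complete dossier" the post warns about, produced by nothing more than a normalized join.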
Recent decisions by the Data Protection Commissioner of Singapore include the following:

Directions were issued to Crawfort Pte to conduct a security audit of its technical and administrative arrangements for its AWS S3 environment and to rectify any security gaps identified in the audit report. This follows a data breach incident in which Crawfort's customer database was offered for sale on the dark web. The data had been exposed during a one-week period. Read more here.

A financial penalty of $10,000 was imposed on Audio House for failing to put in place reasonable security arrangements to protect the personal data in its possession from a ransomware attack. (Note: This incident was an ALTDOS attack reported by DataBreaches.) The organization admitted to the breach and its responsibility, and cooperated fully. Its internal investigation revealed that PHP files used to develop a web application on its website contained vulnerabilities that allowed the threat actor to carry out a SQL injection attack. Read more of the Commissioner's decision here.

A financial penalty of $67,000 was imposed on Quoine for failing to put in place reasonable security arrangements to protect the personal data in its possession. As a result of social engineering attacks on employees of its domain provider, an employee of the domain provider incorrectly transferred control of Quoine's domain hosting account to an external actor, who accessed and exfiltrated the personal data of 652,564 of its customers. The data elements included:
(a) First name and surname;
(b) Address;
(c) Email address;
(d) Telephone number (optional);
(e) Photo-image of documents provided by 362,035 customers for KYC purposes before 13 October 2018, namely NRIC number, passport number or other identification documents, proof of address document, and photograph;
(f) Financial information of Japanese customers of Quoine Corporation, a Japanese company related to the organization;
(g) Transaction information: fiat deposits and crypto withdrawals, and a 2018 record of balances prior to the launch of the current "Liquid Exchange"; and
(h) For customers depositing and withdrawing fiat currencies: bank account and other information, namely the name of the bank, account number and name of the account holder.
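The Audio House decision above says only that PHP files on the site contained vulnerabilities allowing SQL injection; it does not publish the code. The following is an added example, not the Audio House application and not anything from the Commissioner's decision, showing the generic shape of that bug and its fix on an in-memory SQLite database: a lookup that splices user input into the statement text beside the same lookup with the input bound as a parameter. The customers table and its rows are constructed.

```python
"""A string-built SQL lookup beside its parameterized form, on in-memory SQLite.

Added example; not the Audio House application or code from the PDPC
decision. The customers table and its rows are constructed.
"""
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, str]


def make_db() -> sqlite3.Connection:
    """Constructed customer table, the kind of data a retailer's site holds."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name, phone) VALUES (?, ?, ?)",
        [
            ("a@example.test", "Customer A", "9000 0001"),
            ("b@example.test", "Customer B", "9000 0002"),
            ("c@example.test", "Customer C", "9000 0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Row]:
    """The bug: the caller's string becomes part of the SQL text.

    Whatever the attacker puts in `email` is parsed as SQL, so a quote ends
    the literal and the rest of the input is interpreted as operators.
    """
    sql = "SELECT email, name, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Row]:
    """The fix: the statement is fixed text and the input is bound as a value.

    The same payload is now compared, quotes and all, against the email
    column and matches nothing.
    """
    sql = "SELECT email, name, phone FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads: one closes the quoted literal and ORs in a tautology,
# the other does the same and comments out the trailing quote.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "nobody@example.test' OR 1=1 --"


def dump_via_injection(conn: sqlite3.Connection) -> List[Row]:
    """What an attacker gets from the vulnerable lookup: the whole table."""
    return lookup_vulnerable(conn, TAUTOLOGY)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(conn, "a@example.test"))
    print("vulnerable, tautology    :", dump_via_injection(conn))
    print("vulnerable, comment-out  :", lookup_vulnerable(conn, COMMENT_OUT))
    print("safe, tautology          :", lookup_safe(conn, TAUTOLOGY))
```

The vulnerable lookup returns every customer row for either payload, which is exactly how a single injectable page turns into a full customer-database dump; the parameterized lookup returns nothing for both, because the payload is compared as a literal email address. The same rule applies in PHP (prepared statements via PDO or mysqli) as in Python: the fix is binding, not escaping.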