S2E17: AirAsia (Capital A) breach

00:00

Just the end of November, there were multiple reports on AirAsia, a huge aviation group airlines in Malaysia that got attacked by this ransomware group called the shin. And in as little as two days, personal data of 5 million unique passengers were leaked, and that includes all the employees.

00:46

Ladies and gentlemen, welcome to security law podcast.

01:04

Now, this is very surprising, because from what we know, in the past, this group actively targeting us businesses, especially health care and public health sector. So this seems to be an interesting turn of attacks. There are at least two things that I would like to be key, I'd be keen to know more about the number one, whether AirAsia has responded to this, and what are the details available to us? And another thing particularly is that it is said that one of the main issues that were highlighted is the these organizers organization of its Netzwerk. Which I've got no idea why no and what that means, perhaps we can discuss this a little bit and shed some light on this. I think this whole year,

02:04

we as theme security law has looked at breach again and again and again. And it's like, you know, if it's not now, when and and it's just a matter of time, and a lot of organizations are still woefully ignorant, whether they are breached or not. So for them, it's like, okay, so there's no news anywhere. So we are safe. Right, so this is one of the things that that, you know, probably appeared. And, you know, I gotta say, I mean, Asia is quite a big group,

02:37

all over Asia. Right. And, of course, it goes with the theme of security law being a pan Asian Security Podcast. So obviously, this would be an incident that we have to cover. So the first thing that that I like to share is a quote by the threat actor group themselves, which was published in data breaches.net, I will read the code of what the ransomware group said, the chaotic organization of the network, the absence of any standards, cause the irritation of the group and complete unwillingness to repeat the attack. While the group is literally saying, I do not want to own this organization anymore. The spokesperson for dicin team said, the group refused to pick through the garbage for a long time, oh, my God, they describe the organization as garbage, as a pen tester said, Let the newcomer sought this trash. They have a lot of time. Wow. You know, for for a group to tell this. They are literally saying that anyone. I mean, anyone can own this organization. So they continue saying that the internal network was configured without any rules, and as a result, worked very poorly. It seems that every new system administrator built his shed next to the old building. At the same time, network protection was very, very weak. I mean, let's let's just put things into context. This is a publicly listed airline. They are listed in Malaysia. They run operations throughout Asia, Singapore, Indonesia, India, I know there's all of the Indian operations and a few other countries, right. I'm just I'm just going very, very little about Asia. So to be it's like, flabbergasted with I mean, you usually don't get comments from attackers. You know, I but but to be honest, we did get something similar. We had an episode on Unocal. Remember, when we were

05:00

I was able to interview the attacker and get his view. And you know what? surprisingly similar comments, you realize, right? Yes, yeah, I'm just, you know, there, there are some things which you say, which actually caught my caught my attention caught me by surprise as well, the first one being Dyson has spokesperson. That's why.

05:24

The second thing is

05:26

usually the thing about the chaotic network deterring for the attack from this ransomware group, but usually it's chaotic networks, they are tend to be more prone to mistakes and breaches and attacks. Right? So what happened here? I mean, if, Doc, I think you're the perfect person to ask this question. As the cyber defender you have most probably put had to put yourself in the shoes of cyber criminals, you know, try to understand your mindset and when they are attacking, what they what they should be looking for, and how they exploit vulnerabilities and things like that. So actually isn't a chaotic network advantages to cyber criminals, I think it became too advantageous to the point where they were like, this is like a walk in the park, I can just walk in, waltz right in, take whatever I want, do whatever I want to without having to sweat it out. So the first thing they mentioned here is that, you know, the internal network is configured without any rules. Basically, what that means is, once I'm in the internal network, I can go from

06:40

Mr. Tony Fernandez laptop or iPad, into the CFO or the finance person and do anything and everything. That's why I say this, this breach really reminds me of what happened, you neacail, right? It's like, I guess the only reason why this could have happened. And I'm theorizing, again, I'm theorizing because I've been in networks that are hardened. And I've also been networks that have very little protection. And usually, it's because they want to make their life easy. So for example, the airport will have terminals, right when you go to the gate. So that has to link back into the airline so that they can give you the passenger details, the flight numbers and all that. So I mean, imagine if it goes through like three to four layers of firewall with IPS, and whatever not protection, it's going to make things difficult, in a way difficult. The reason why I say difficult was because you know, you have to open the firewall, you have to open the rules, you have to have access through the most likely either the IT team or the management team would have just directed the instruction to the security, you guys need to work sohara you you're here, we pay your salary, you you chill up, just make sure everything runs. If nothing runs, I, I will fire you, you know. So the approach my DC, unfortunately, to me, that's what comes to my mind, like, you know, make sure everything works, make sure things are easy. And unfortunately, that played to the advantage of the attacker where he's now waltzing into the whole organization is he's probably saying I work in organizations this law, you know, why am I even wasting time going into this organization? And to be honest, if if ransom group tells you that, you have a very, very serious problem for you to solve. Okay, but

08:37

I would like to get your your opinion as well immediate from profit. So they will think the ransomware group has gotten all the information, which are all the data which they set out to, to steal, do you think they they manage, they were successful in getting that? I'm sure they got that and more, because if you looked at it, they didn't just look at the passenger information, they also get the employee information. Now usually your employee information will not be in the same system as your customer information, right? You have an HR system that where your payroll, salary, your leaves, and everything else is managed, usually a separate system. I'm assuming, again, again, I'm assuming flight booking system and everything else will be in a separate system. The reason being is because you don't want someone uploading a huge file and the HR system causing a delay on the passenger or the flight booking system. You want you want to be able to do whatever work you want to do, you know, without having these issues. And usually the systems are separate. What I guess is happened here is that, like what they say on the network is most likely flat. They've had access to everything, finance, HR. In these kinds of scenarios, what they have released, may well be just a small subset of what they need.

10:00

actually have, oh gosh.

10:04

For them, they may, they might have more information. But you know, at this point, we're just working with what the ransomware guys are telling us, they actually have access, they may not share, because for example, they may have a full dump, I'm assuming, again, that say, for example, if I just using Active Directory, they may already have a dump of all the hashes. in Active Directory, they're probably cracking it offline, or just spinning about 12, GPUs on Amazon, let it run for 20 minutes. And they probably have everybody's password, including the domain admin, forest admin and everyone else. And they're just probably not sharing that out. Because they may say, Okay, I need a free flight from, say, California to Bali. And they might just go in and buh, buh, buh, buh buh booking all done. And that's it, you know, because ransomware groups, if you notice the modus operandi, whenever ransomware group attacks, a victim, usually they'll offer the victim said, Okay, fine, you pay me, I'll give you the keys. And, you know, you can go and decrypt, do whatever you need to do, most often, or if not, never ransomware groups will never tell you what are the other backdoors they have into your organization. So most likely, right now, Asia would have, um, things uncountable number of backdoors, or back lane access into their networks, which

11:32

God knows who actually knows, besides Dyson Group, you know, or maybe there may be other groups that have already been inside Asia who's never publicly declared it. Because when you when you when you get these kind of attacks, and they're saying they're letting all the newcomers to go and have a go at it, literally anyone and everyone is going to go for open game. Today, you're gonna go and wreck because they know a ransomware group say this easy target, let me go and wreck. I mean, you have access to flight booking you have access to passenger information, there's a whole lot of things that you could do, you know, yeah. And you know, the sky's the limit lot to your creativity as to what you want to do. And you have access to such organization, this is going to be the kind of attack, which just keeps on giving and giving to the ransomware group or groups.

12:24

Because I was thinking,

12:27

it seems to me a little, I still say interesting, because from what we have discussed so far, it seems to me that it's just too easy for them. They've gotten everything, assuming that they've gotten access to everything. And yet for them to issue a statement, which says they will not repeat it because of this organized network. But the purpose of the ransomware gang is to gain access to data or whatever access, that's a goal there. And now, it's obvious that it's too easy for them to get it.

13:06

And yet you issue a statement, which says that it's too easy, therefore, I'm not going to do it.

13:12

Doesn't that sounds a bit contradictory?

13:16

Well, if you look at the news at data breaches.net, you will find that they reached out to the organization

13:24

to Asia about the breach, Asia requested for a sample of the data that was breached, which they then give. And then as usual, just like any other Asian centric organizations, they just went ghosting, or they just went silent. What is more satisfying than to actually humiliate your victim publicly by saying that you guys are not even worth my time. You know, and me saying the group of friends of my group posted, quote unquote, no, no, the ransomware didn't ghost. It was in Asia,

14:03

somewhere groups. They were that means as in you know, they couldn't get what they want. And therefore,

14:11

therefore, they made one step further and made such an announcement and revealed that you know, this, there's such a problem that this

14:20

organization, and by doing that, number one you humiliate them. And number two, do you think that would also attract a lot more different parties who want to try to gain access into them?

14:38

And join the show sofa. Subscribe now so that you don't miss out on the latest episode. We are available on Spotify, Apple podcasts, Google podcasts, and many other platforms. Visit podcast dot security lock dot Aisha to get the links to subscribe

14:57

definitely, I mean, as I said earlier, it's up

15:00

win game for anyone. With that kind of announcement, I can bet so many other groups for whatever reason, it may be maybe ransomware, maybe whatever other reasons, would definitely have a go at it. I mean, if I was an attacker, I would say, Ah, okay, good, I got this nice, juicy organization for me to work. And they're gonna go ahead, you know, that's going to be an interesting thing. To see what he is going to do so far. I mean, when I, when I looked at the response from Asia, initially, through my other social media, I posted about the news, there was literally no response from Asia, back them, they just kept quiet. And after a while, they issued a public a PR message to say that their systems are intact. So the the message was worded as such that their systems are intact. Yes, your system gets hacked, it can still run, it's just that you no longer have exclusive control over your own systems. It does not give me any comfort to say that my data is protected. Right? I've taken Asia many times, and I'm sure both of you would have at some point of your life. But you know, that's that's the real question. How is Asia going to look at this from a customer perspective? Or are they going to look at it just like any other Asian organization that's just going to think about the strategy of, if I keep quiet long enough, they might just forget about it. And hop on the next big news, which is what we've seen happening again, and again, right? Okay. So the way I look at it, the two possibilities, number one, they are faced with a situation whereby if they were to pay, then there is no guarantee that there won't be a repeated attack. We've seen a lot of this in the past. But if they don't pay, then now as what happens now is that they have their vulnerabilities revealed to the whole world. And by and along with that they could be having to face with more attackers. That's one. On the other hand, as what you have said, so is to give the silent treatment until they figure out

17:32

how to react to this situation, which I believe is very common. And we have also talked about that in many of our past episodes, any organizations, when they have a breach, they will try to cover it up, or at the same or even maybe watered down the impact of this by issuing statements. So here is an interesting observation that I've made. I've looked at all the US companies and whenever they have a breach, the first thing you will notice is either on LinkedIn, or any of the other platforms that the first advertisement will go out. We are currently looking for a chief information security officer to you know, come on board, or the whole security might be you know, we need to refresh, we need to get new blood we need to get people who are in much higher caliber to actually manage the security. Surprisingly, nothing of this was ever advertised. I mean, I'm looking at LinkedIn and JobStreet and seek Asia. And I didn't find any of this advertisement coming out.

18:43

It's kind of funny, isn't it? Yeah. It tends not to happen with organizations in this part of the world. Yeah. Yeah. Because usually, the first thing you do is okay, we may not have put enough focus on security. So let's do something about it. That's usually the stance. But, you know, surprisingly, they I mean, Asia, in this case, chose to just leave it as it is, because that's the first thing that I was actually looking for, to see if Okay, Asia group's their new opening for Chief Information Security Officer. Nope. Because one of the challenges you'll have justifying the regulators and everyone else is that, how are you taking this seriously? And one of the first answers you will give, and here I'm actually helping Asia or indirectly is to say that we are in the mode of looking for a chief information security officer who is experienced in the industry, who will spearhead or digitize or transform our cybersecurity posture, and all that kind of stuff. You know.

19:53

I'm trying to help Asia here, right?

19:57

You You don't do that how you're going to save

20:00

People that your serious end of the day, if you look at it, even organizations, they may just hire one seaso and say you just dunk it out. I don't care, you know, that's not happening. So to me doesn't seem like Asia is taking the right stance. Of course, heads have to roll for something this huge if you ask me, right. And this one is to the point where ransomware group dissing you, I don't know Allah, you know, of course, it's, if you look at it on the other side of the fence,

20:35

even if they open However, I'm not sure if anyone wants to go and work for Asia now going to be a difficult stance, because it's like, are you going to put your reputation on the line because you have ransomware, a group that has publicly dissed this particular organization, and you know, and, to be honest, a proper, full recovery of ransomware literally means rebuilding the whole IT infrastructure, looking at how the networks are. And it's not something that you could just walk into an organization and have a target of six months, go up to the board, spew some nice PowerPoint slides, and then say, Yeah, after six months, we are secure. Ah, if the board buys that, I will just tell Tony, fire your freaking board.

21:26

You know, the reality of the point is, it's going to take you at least three to five years, before you can get back to that point. And mind you because your network is weak right now, you still have to run your business, you are still going to be attacked, and you have no clue what angle they're going to come from. So

21:47

I feel sorry for Asia right now, I seriously do. They have a long and tiring road up ahead. The CIO, or the CTO and the seaso is going to have a long, long day ahead. And you know, the thing is that this is what I don't like about Malaysian organizations is that they don't take things like this seriously. And whether you're a publicly listed company or not. And it's partially or fully because there is no reporting requirements. Right. If you're a publicly listed company in Malaysia, there is no requirement for you to declare if you've been breached either ransom, or whatever, as compared to if you're listed in the US, sec makes it mandatory for you to file these things. So one of the things that I would suggest and and I've made this suggestion before, to the new government coming in, and hopefully to kick ad,

22:51

come in three and communica. See, Dan digital, yeah, to seriously look into laws to make it mandatory for organizations at least have the stature to have breach reporting as a mandatory requirement. Moving forward. And you know, if you want to look at how it's done, you can look at how US has done it before. You don't have to reinvent the wheel, people have done it. So it's, it's just a matter of taking that step forward. So that organization seeds this very, very seriously. I have got one more last thing for you, if we were to compare this breach with

23:35

past incidents like the airline breaches, other airline breaches, and also as you mentioned, just now unique al what would be what are some of the lessons that we could have learned from them? I guess the first thing is ignorance towards cybersecurity and why and I when I say ignorance to cybersecurity, it doesn't mean to say that, Oh, I don't know cybersecurity exists. Everyone knows today, it's well, everyone knows cybersecurity exists. The ignorant comes in from the point to say that nobody's gonna target me. Why would anyone be remotely interested with me? The bigger ignorance is that, oh, I have firewalls in my network, my network is secure. No one can hack into me. You know, and it's like, okay, if I got a firewall, I'm secure.

24:26

And these are the kind of ignorance that comes into play. When you have large organizations that are more focused on driving business, then assuring business. So the difference is, you are spending to make money. So if you're spending to make 10 US dollars, everyone's focused on spending to make the 10 US dollars. Nobody is spending to also make sure that you get to keep that 10 US dollars, right

25:00

Today, if you ask me, of course, Asia as an organization, to me, has other issues with your operations right now coupled with this breach, I will not want to do business with them. They have simply lost me as a customer, I would really don't want to do with them because I don't see them taking my data seriously. As an organization, right? You can always argue to say that, yeah, there's so many breaches out there true. So I just gonna continue to stop doing businesses with organizations that don't take my data seriously. I'm not going to give you my data, you can say whatever you want, in your PDPA, your privacy policy, and we all know that just

25:42

cover your behind kind of a statement, rather than actually showing commitment to privacy and security. All right, so it's just cya kind of statements, which people in the industry know. Right? It's nothing new. There's nothing out of the ordinary that we're talking about. It is what it is, right? So what's important is, you know, if you're not going to take my data seriously, I'm not going to do business with you. You've just lost revenue from me, I will happily go to anyone else. Yes, fine, you can offer the cheapest and the greatest deals. But I feel betrayed. As a customer, I feel betrayed, I feel that you have taken my trust for granted. And as such, I'm sorry, I'm not just just not going to do business with you, you can have whatever best price in front of me, I realized that the low cost is because you stingy on everything else. And that's why you're able to offer that. Whereas everyone else is offering slightly more higher, because they're putting all the necessary protection, they're putting all the necessary safeguards and controls, so that I get a better experience. So yes, you can go for something really cheap, you know, and you know, they have this equation. So something really cheap doesn't have to be something good. And something good is not necessarily cheap. So, you know, I've come to a point where, you know, I feel that my datum statement.

27:10

It is what it is, right? I mean, as as, as an informed customer, as an informed individual, I have to make a decision. Whenever I buy two services, I look at the price difference. Yeah, that's just one option. But, you know, am I getting that comfort that my data is going to be protected?

27:29

You're going to get more people who's very data centric, especially the younger generations, they are very particular about how the data is being used. Yes, they like to share a lot of things. But we are looking at how they are, they are they also very control savvy, they know who they can share that information with. And they're, they're very well informed. So it's not just like, Gen X or Gen Y or millennials. But you know, you will see different people having these kinds of different requirements moving forward. The same thing with any other businesses. What makes my choice be from one provider to another provider will be how will they take care of my data?

28:12

That's my two cents of this. Okay. Well,

28:18

I think that pretty much sums it up.

28:21

Yes, they did. Yes.

28:24

Okay, so

28:26

we just hope, I mean, insecurity, law, we hope. We don't have to talk about breaches. But when it does, it's a lesson learned, not just for the organization that's going through breach, but also other organizations. And sometimes, we are not just people who are running the show running security teams, we are also customers. And I don't think and I don't see enough voice being put out to say, Hey, we are frustrated with all this lack of security that our organizations are playing just because you want to make a cut out of it. Right. And this has to change. If not, as I said, you know, you're just gonna lose business. So yeah, so hopefully no more breaches. Next year. Let's hope we see much less breach or this year. Let's hope we see less breaches and you know, more secure, and we see success stories on how organizations have thwarted, abt or even cyber attacks, and what are the things that they have done in the right manner so that everyone could benefit out of it?

29:37

Thanks for joining us this week on security lab. Make sure to visit our website at security lab Asia, where you can subscribe to the show on iTunes, Spotify, or RSS so you'll never miss the show.