AirAsia has apparently fallen victim to a major ransomware attack by the Daixin Team gang that has seen more than five million records, alleged to be from customers and staff, exposed online.
AirAsia is the largest airline in Malaysia. It has some 22,000 employees of 60 nationalities and is based in Kuala Lumpur, from where it operates both domestic routes and flights to more than 165 destinations worldwide.
Details of AirAsia ransomware attack revealed
The attack was first reported on Twitter by security researcher Soufiane Tahiri, who shared screenshots of a listing on Daixin Team's dark web site. The claim has not been verified or confirmed by AirAsia. Tech Monitor has approached the company for comment.
The attack is said to have taken place on 11 and 12 November, and Daixin Team has shared two spreadsheets showing what appears to be personal information on the airline's passengers and staff, including date of birth, country of birth, place of residence, employment start date (for employees) and the “secret question and answer” used to secure accounts.
The group says it shared a sample of the data with AirAsia after encrypting the airline's database, demanding an undisclosed fee both to unlock it and to explain how it had got into the network.
Daixin Team said it avoided locking up critical files related to flight equipment, in line with its stated practice of not encrypting or destroying anything that could be life-threatening, but that it did completely lock access to staff and passenger records until payment is made.
A spokesperson for the ransomware gang told DataBreaches that they would typically have locked more of the network and gathered more data but the AirAsia data infrastructure was “chaotic” and would require too much time to sift through.
“The internal network was configured without any rules and as a result worked very poorly. It seemed that every new system administrator ‘built his shed next to the old building.’ At the same time, the network protection was very, very weak,” they said.
Daixin Team could launch future attacks
As well as leaking the passenger and employee data on its dark web site, Daixin says it plans to publish details of the AirAsia network, including backdoors that would allow other hackers to access it. It made this decision after it became clear AirAsia was not planning to pay the ransom.
Publishing access details and descriptions of flaws in the network on open hacker forums would potentially leave it open to more malicious groups, who may not leave flight hardware untouched. The spokesperson added that the group accepts full responsibility for any future negative consequences caused by its actions.
Daixin Team was the subject of a joint Cybersecurity Advisory notice by the FBI and CISA in the US, saying it has been actively targeting US businesses in the past few months including in the health and public care sectors.
According to CISA, “The Daixin Team has deployed ransomware to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services, and intranet services, and exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.”
The group gains initial access through VPN servers, exploiting unpatched vulnerabilities to establish a foothold, and then moves laterally through the network via Secure Shell (SSH) and Remote Desktop Protocol (RDP).