Data Theft In Malaysia: How Your Personal Information May Be Exploited | Cyber Scammed - Part 2/3

Captions
It happened over the weekend, sometime in late November 2022. It was circulating among people, and the one that got my attention was tweeted by Sophian: AirAsia Group was allegedly hit by a ransomware group. Five million unique passenger records as well as employee data were stolen, and they were published online. That was quite scary, because it's a regional airline. I have flown AirAsia numerous times myself, and would I expect that my data was exposed? I would think there's a good chance it was.

Data theft incidents in Malaysia are getting more serious. We are seeing an increase of such incidents, both in the private sector and the government sector. Basically, data theft is unauthorized access or unauthorized obtaining of data. Criminals are harvesting data from various organizations, so it is a growing underground economy. Hackers are going after your data, and that's going to be the new economy for cyber crime.

Casey, can you help me? Just now the detector flagged a web attack on this server. Can you help me have a look at this command line? From what I found, they are searching for the [unclear]. Earlier there was one attempt: attackers trying to upload a webshell script. Whenever this script is uploaded to the web access servers, attackers are able to gain control of the systems, and therefore they can easily extract all the data available inside the websites.

This is a security operations centre. These people are security analysts. We are helping companies and organizations to monitor all the security trends in their environment. As attackers, their main objective is to extract data, so they come in in various ways, such as sending you malware disguised as documents, and this malware will pull out all the data. Malware is also known as malicious software. It is software that is designed to give unauthorized access for the hackers to the end consumers' computers.

Basically, data theft is unauthorized access or unauthorized obtaining of data: data such as personal data, your IC number, your home address, your birth date. If they are dispersed they wouldn't have much value, but if you put them together they form useful information to tell people basically your age, your economic status based on the area that you're living in. Information to certain organizations or to certain people is always worth money. Criminals are harvesting data from various organizations, so it is a growing underground economy.

This is live cyber attack activity ongoing throughout the whole world. As you can see on the map, there are lines coming from one country shooting across to another country. Basically they represent the origin of the attacks and the country that is being attacked. We also see the lines have different colours; they represent the severity of the attack. Green means the severity of the attack is low, blue means medium, orange refers to high and white is critical. In Malaysia, what we saw at Fortinet was on average 84 million attacks daily detected and defended by Fortinet in 2023. That's 1% of global attacks that we see. And when you really look at the Malaysian context, 25% of Malaysian GDP is going to get digitized by 2025. As you bring in more digitization, your data which is getting stored gets more valuable. When we look at the magnitude of cyber crime in the Malaysian market, it's pretty high, where we see close to about 45% of people who reported breaches have reported saying the cost of the breach is more than a million dollars lost. Today in Malaysia, hackers are going after your data, and that's going to be the new economy for cyber crime.

Data theft is a global phenomenon. If you look at ASEAN as an example, I'm afraid to say at the top, Malaysia ranks number one in terms of data compromise. Our first reason is of course our data protection act. The act itself, I would say, is immature. In this country we do not have a law that specifically spells out mandatory requirements for disclosure. Sometimes organizations who got hacked just keep it under the carpet, and also, because there's no mandating law, the organizations themselves are not accountable for compensation or for any kind of damage control. If the law mandates accountability, meaning that if there's an organization that is responsible for a data leak, then they will be penalized because of the consequences, I think this will change the mentality of many organizations to be more proactive in terms of protection, because right now the situation is that cyber security only comes in as an afterthought.

AirAsia has acknowledged a cyber attack, but there's no mention of what happens to the personal data. What are the repercussions? Did they inform the affected passengers? There are no details on that.

About the AirAsia breach, I actually found it out from this site called DataBreaches, capital D and capital B, a site that tech journalists find very reliable when it comes to data breaches. DataBreaches actually unveiled and reported that the hackers actually approached them and told them that "we have data from AirAsia". There were two CSV files. DataBreaches actually posted the screenshots that the Daixin Team, the hackers, had given them themselves. The first file contained information on employee data, with numerous fields such as personal information, so they have date of birth, date of joining the company, seniority, secret questions for each employee, secret answers, crew portal numbers, birth city, birth state. In the next CSV file we can see the passenger ID, name and also the booking number, as well as the total cost. So yeah, it looks pretty legit.

If these personal details of passengers fall into the wrong hands, they can be misused for social engineering attacks by hackers and scammers. So for example, based on the transaction amount, they could probably make the assumption that an individual that makes a higher transaction amount is more affluent, and perhaps based on that information they can actually narrow down who they want to target for scam attempts. I would say both leaks are severe enough.

AirAsia is huge in Malaysia and around the region because of their low fares. There's also AirAsia in Indonesia, the Philippines, Thailand. AirAsia is a very data-rich company; any company with that much data in hand would be a target of hackers. The AirAsia data breach, it's quite surprising, because I would see AirAsia as a digital-first company who would probably do this kind of thing more securely. They are pretty tech-heavy, in the sense that way before any other companies were working on their digital advancement, AirAsia was already on it. AirAsia is full of data because of all their flying passengers, so with the data in hand they started expanding their super app very gradually, starting with "book your flight", book accommodation and plan your trips abroad within the super app. There's also AirAsia Ride services, which is typically like the Grab services, whereby users can book rides to any destination that is available, including airports. So in that sense, when you don't have to leave the app to use any other services, that's when an app is a super app. But that also gives a very, um, a very fragile point. I know they've got a huge number of users on the app. In between their super app growing was when the data breach happened. We had no idea where the data breach happened exactly: was it their backend, was it their website or their app?

AirAsia Group was allegedly hit by the Daixin ransomware group. If you don't pay the ransom, they will destroy your files; your files won't be able to be recovered. I have flown AirAsia numerous times myself; maybe my data was exposed. I would think there's a good chance it was.

So let's say there's been a data breach. How do you know what kind of data you have exposed? Generally it comes down to understanding the data that is collected about you. We actually have an example here of the AirAsia app page on the Google Play Store as of 26 December 2023. If you take a look at the type of data collected by the app, it says here it collects your personal info such as your name, email address, user ID, address and phone number. Next, the AirAsia app also collects app interactions. This generally refers to the behaviour of a consumer within the app itself, and behaviour can be things like what screens you look at in sequence, what kind of items attract your interest or that you spend more time on. That really covers anything and everything in between what you touch and what you see. The next type of data that's collected in the AirAsia app is location information. You can see that it collects both the approximate location and the precise location. Approximate location generally, on both Android and iOS platforms, will refer to location data that's quite coarse, somewhere between 1 to 10 km in terms of granularity, so this location information means where the user is while they're using the application. Precise location will generally be pretty accurate GPS information, up to 10 m.

This data is pretty valuable for third-party purposes. There's a whole supply chain, and what can happen to that user data is it gets sent to data brokers, who sell it to other companies. Data brokers are companies which collect information about the user, including things like user data, location, what devices they're using. The data brokers aggregate this information, process it at a large scale, bundle it up and then sell it to other companies or put it on the marketplace. They're sort of an intermediary between some end user of the user data, which tends to be large businesses, and the actual developers or publishers of apps or websites. So if you know a user's location history, profile information including addresses, demographic information like their income level, their age group, this kind of information does allow very targeted marketing and advertising to be performed. Everything in the supply chain thus far in this example is really completely legitimate; the user has probably opted in on the app to agree to provide that information. But if anywhere in the supply chain there is a data breach, this is the kind of information that could be exposed about a particular individual.

Good morning team, thank you for being on the call today. For your information, our analyst has found an attack ongoing in one of our client environments. We are required to respond to this incident. This is considered critical. We'll be having this war room activated 24 by 7 until the incident is resolved.

This is the security operations centre where all the actions take place. In the cyber threat landscape that we are monitoring, an incident has been detected in one of our clients' organizations. It's a ransomware incident, so when this type of incident happens we go into a firefighting mode. Incident responder team, please help to start quarantining and isolating the machines affected. Security analyst, I would like you to pull out 30 days of logs, see what was detected prior to this attack. Okay, threat intelligence team, I need you to find out who this threat actor is, what are the tactics, techniques and procedures that they are using. Marcus is actually doing the investigation on finding out how the attack happened, when the attack was established and why the attack is happening. What we have detected so far is actually we found out that the attackers utilized zero-day vulnerabilities on our client's service to get into our client's environment.

In every software there could be bugs within the code that will actually give rise to vulnerabilities. We coined a term in our industry called zero day. It's a vulnerability that hasn't been disclosed or discovered by any other cyber security practitioners or defenders. When it has been discovered by the threat actors, they use this zero-day vulnerability to exploit and launch the attack. Because it's new, that is where the security applications fail to pick up their attack. Threat actors start the attack using a stealth mentality that tries to avoid being detected, and then when they move to their attack point they actually blow off their attack, so that is where they are actually open to being seen already, because when they have already started to deploy their ransomware they are telling you "we are already here in your system, exploited your system". And then we try to firefight from there. We look into who is actually attacking, what are their motivations, what do they really want, do they really actually have the data? Because some attackers say they do have data, but it turns out it's not sensitive information, it's public general information. If there's more software being developed, there will be more zero days. If a big software company finds a zero day before it is [exploited], they patch it, fine; but when they don't know about it, while you can put your robust security system in place, the threat actors always try to be one step ahead.

We just got a new project. We have to target one Malaysian entity for the client: gaining access into their systems, dump and extract any kind of user data from the environment. We are engaged to go on offence, attack the corporation or the organization or company that engaged us. We'll do whatever it takes, any kind of techniques, any kind of tactics. Usually it's no holds barred, where we hack and hack and hack and hack to get to the objective. The objective could be to find flaws in not just the servers and applications but the organization as a whole. Cyber security, in that sense, is not just servers or the network or your applications; in an organization there are people, there are policies, there are processes. Cyber security is a whole thing, so it's our job to find these loopholes. It's either we find it first or the bad actors find it first and use it to their own advantage. So that's why it's always a cat and mouse game between us and the black hats.

So what you see here on the left side is the attacker machine, which is what I'm controlling, and on the right side you see what we call the victim machine. So from here I'll try to communicate with the victim server. I know that this server in scope has this IP, which is [IP address], and I am able to ping or communicate with it. After making sure that I can communicate with the victim server, what I'll do is start a port scan, just to find what services or applications may be running on the server itself. So the port scanning is done. I can see here that it's actually running a very old and vulnerable version, Windows Server 2008. Now it's already 2024, and we still find a lot of organizations, big corporations, even small and medium enterprises, still using end-of-life OSes like this. From here I know that, to use this particular exploit, I will need to set up some configurations in order for my machine to send the exploit over to the server. So I'm setting the target, which is the victim server, and once that's done I would run the exploit. So now you can see that the exploit is running and it's actually in the progress of sending it over to the server, and now, as you see here, we actually have access into the server. As you can see here, I'm running commands on my machine, but I'm actually in the server and I'm able to run commands at my own will. So I just typed a command to see where I am now in the server, and I know that I'm in the System32 folder. But what if I'd like to move around and try to scout the server and see if I can find anything interesting? I can see here there's a user folder named Kathy. Thinking from a hacker's perspective, I would usually target the users first. The users, or humans in general, are the weakest link in cyber security, so there could potentially be something hidden in the user's directory. Now I can see there are quite a number of directories that I can go to. I will always try to go towards the desktop first, because I believe everyone keeps certain files on the desktop, and I'm currently listing what files are available on the desktop. You can see there are some interesting items. On my own machine, the attacker machine, we can see admin credentials.txt, my wallpaper.bmp, user database.csv, which is very interesting. Let's go over to the victim server and see whether this matches up. There, you can see on the victim server there is admin credentials.txt, my wallpaper and user database.csv, so it matches. Having that, what I'm going to do now is download the documents. So we open up the user database that we downloaded earlier, and this is even more interesting. It seems like it's a treasure trove of user data. It could be employee data, for example, it could be customer data, because it seems like there is a first name, last name, company name, address, city, country, state, ZIP, phone numbers, email and website, and these are all personal data. Technically we have stolen data of the victim. By showing this, it shows how data theft could actually happen. As you can see, when I download the file there is no difference on the victim machine or the server. There are no pop-ups, there's nothing to show the victim that there's something going on here.

Most sophisticated hackers will infiltrate an organization, conceal their tracks, open up backdoors so they can constantly visit and stay resident within an organization. There are certain categories of hackers who are more patient, who aim for long-term benefits for several purposes, maybe for financial gain or maybe for political purposes. Now these groups of hackers are the scarier ones. We do not know what other information they're stealing from organizations, and we have no idea whether they are going to impersonate any of our, you know, organizations' employees to carry out activities on behalf of the organizations. So there's a lot of unknown about what these categories of hackers can possibly do; we do not know when they are going to strike. Most of the time when we hear about cyber attacks, a lot of the cyber attacks are related to ransomware.

AirAsia Group was allegedly hit by the Daixin ransomware group. It was a ransomware attack. Now, the Daixin Team is known for their attacks towards healthcare organizations; they have a track record of doing such cyber security incidents. They encrypt the files and hold them for ransom, so if you want your data back you need to pay the ransom money, then they'll decrypt it.

Ransomware can come in many forms. I will show you how a ransomware attack comes from emails. Nowadays we see a lot of cases where people use company computers or laptops for personal use, which leads to the system being hacked, especially downloading files from emails. You can see here I received an email: "Mobile Legends diamonds generator has released a new version. Download the latest version to get free diamonds." I'm a Mobile Legends user, so I feel that free diamonds would upgrade my levels. I click download. As you can see, there's a new file being created over here, which is mobile Legend diamonds generator.exe, so we will run this file. As you can see, multiple files have been created in the download folder as well as on the desktop, and all our files have been encrypted. That's where they change to another file extension name. They start to pop up that all your files have been encrypted. Previously I could open my files, my billing invoice files; right now, let me open my files. You can see here all my files are in unknown characters. You won't be able to open your original files. They create fear in the users. A ransomware note has appeared on my PC. It says that all your important files are encrypted, such as your documents, your Excels, your PDFs, your videos, your taxations. They will give you a message: you can recover your files safely, but there's a time limit, you need to act fast, please pay us the payment, you only have two more days and 23 hours left. They will give you instructions on how to pay. You need to pay 300 worth of bitcoin to the bitcoin wallet address. So that's why you need to pay the ransom; if you don't pay the ransom, they will destroy the decryptor key and your files won't be able to be recovered. This is the WannaCry ransomware, which was famous in May 2017. This ransomware is purely to encrypt your data. Right now, ransomware is getting more and more sophisticated.

Basically this is a ransomware group's blog. This blog is hosted on the dark web, whereby if you try to access this particular URL in your normal browser you would not be able to access it. This is where they post a list of their victims. Ransomware doesn't just encrypt the victim's data; they also steal the victim's data. They do double extortion, we would say, whereby the victim loses access to their files and they also have the risk of having their sensitive data exposed or published to the internet. They basically just publish some screenshots to show the sample data that they have stolen from the victims. These are sensitive documents containing financials, official letters, bank statements, even passports. These are legitimate data; a company won't disclose this data publicly, so when this data is published by the ransomware website, it shows that they have gained access to the company's data. In this list of victims, some of them have a timer, so basically this is the remaining time for them to pay the ransom, and some of them are marked as published, which means that their data has been published because they have not paid the ransom. This is not the only ransomware blog available on the dark web; there are probably more than hundreds of ransomware groups, but this is just one of the more prominent ransomware groups. This is where the victims, or even other hackers, get to see a list of all the successful victims. They know how established this ransomware is. For the ransomware group, in terms of actually hacking the victims, this doesn't have to be done by them. You can consider them as software developers, so the software that they develop is ransomware. Basically this ransomware group provides ransomware as a service, so they are selling or renting this software to hackers who have gained access to a victim or a company. When they run or execute this ransomware, that's where the developers of this ransomware get paid. Hackers who want to work with them are working as an affiliate with this ransomware group, so these ransomware groups also tell them what the rules are, how this ransomware works and what the cost is when you're working as an affiliate. Ransomware is a very lucrative business.

AirAsia Group was allegedly hit by the Daixin ransomware group. If AirAsia failed to negotiate, hackers could resort to selling the database to third parties. Ransomware can be a huge disruptor for airlines, because it can disrupt critical systems, it can delay flights, and it has happened to several airlines before, worldwide. I believe SpiceJet in India was hit by ransomware; it affected the flights, which can cause huge losses for airlines. The Daixin group try to claim that they are ethical, so they said they avoid going for the critical systems that can affect safety and human lives. AirAsia acknowledged that they were hit by a ransomware attack, and they claimed that it's only affecting their redundant systems and it does not affect their critical systems, and they assured that they've taken all immediate measures to resolve the issue and prevent future incidents from happening again. They also stressed again that there's no operational or financial impact to the company at the time, and as you can see, there were no reported flight delays or disruptions for the period. DataBreaches.net, who got in touch with the Daixin group, reported that AirAsia actually responded to Daixin and asked how Daixin would delete the data if they made the payment. After that there was no response from AirAsia. AirAsia apparently did not even try to negotiate the amount, so AirAsia did not budge and did not agree to pay.

Ransomware is very predominant today and it's very widespread, because it's rewarding. I hold ransom on your data: if you pay me I release your data, if not I sell your data on the dark web. Obviously, as cyber security practitioners, we would say it's a no-no to pay, because what happens when you do, it tends to actually create a profile for yourself that you are a good paymaster, so you will attract more attention rapidly. But it depends, right? The more critical one is ransomware that is locking you from performing your operations. You hear of shipping companies around the world which were crippled for 10 days, and that's a lot of money. In terms of hospital operations, if you are shut down from operating your ICU and everything, there are certain life-threatening circumstances which may make the decision making a little bit different: so I basically just pay the ransom to get back to business immediately, so quietly I don't lose my reputation. I think it goes down to the fact that different threat actors have different mindsets and modus operandi. Even if I get paid, I could choose to sell your data on the dark web.

So here I have some sample data. This data that was leaked includes items: name, phone number, email address and date of birth. So how scammers would use this data is, first, they already have a way to contact you, either through phone number or email address. So when they start a conversation with you, if they know your data and they can tell it to you, it will make it more convincing to the victims, to say that "oh, this person may be a valid authority or legitimate professional who has my data and who has something to discuss or talk with me". That's when they try to gain your trust and start their scam and try to get you to pay them some money.

Data on the dark web, I would say it's quite similar to data leaked or published on the internet: it's not easy to remove all traces. So on the dark web it's even harder, because you can't trace the owners of the websites that are hosted on the dark web. I would say it's very difficult to be able to remove all traces of specific data on the dark web. We actually monitor organizations, whether their data has been posted up for sale on the dark web. This is where we monitor for all the dark web activities. We are filtering just to see what activity is happening in Malaysia. In the month of November 2023, there were more than 20 successful attacks on Malaysians: 20 successful data leakages related to data theft have been posted onto the dark web.

We are in an uphill battle with the hackers. Hackers are using automated solutions to automate the attacks. They work 24x7, 365 days a year, so when you have automated solutions, and these solutions are constantly improving themselves to find loopholes within organizations, it is a pace that we humans find hard to catch up with. There's a lot of leaked usernames and passwords out there on the dark web. Criminal groups are also buying this data from the dark web. These are useful for attackers, for hackers, because they can use this to do more effective password cracking to gain access into an organization. In cyber security, most of the time we refer to password cracking as a brute force attack, meaning that the attackers will be using a very primitive way, by guessing different combinations of password and username. The moment they manage to guess the correct username and password, that's how they gain access into an organization. Even though the brute force attack itself is very primitive, it is very effective.

What I will demonstrate is how the attacker uses the leaked usernames and passwords to perform this brute forcing attack. So these are the example leaked usernames, and these are the example leaked passwords. If it's not a leaked username and password list, then the success rate will be very low, but since it's a leaked username and password list, the success rate will increase by a lot. Usually, if an organization has been hacked, it could be either customer data or employee data that has been hacked, or even both. The organization will have informed their employees about it, but sometimes if they didn't do that and employees didn't change their password, by performing this brute forcing I can easily guess the correct username and password, log in, then hack into their account. Now I have retrieved the user credentials right here, so I will attempt to log in to their account. We have successfully entered the user account. I previously prepared a malicious script, and now I will be pasting it in here. I put in my malicious script and I upload my script into the victim server. If the user triggers what I put in my malicious script, I will have backdoor access to their server. This attack is called remote code execution. So, for instance, I will trigger it in order to gain access to their server. As you can see, I've successfully entered their server. I can get all the information I want from here. If it's a bank, you just get the bank details of the users, also username, password, address, credit card information and maybe the transactions, what they have purchased. If it's an airline, you'll be able to get their account information and their flight details: where they are going, when they will be departing, when they will be coming back from their holiday.

Travel details like this could be used for social engineering attacks against a victim. In one scenario, a hacker might pretend to be an authorized representative of the company. You know, they contact the user, and since they have some information that no one else should have about the user, the user may be lured into thinking they really are a representative of the company. They may be able to perform an unauthorized transaction for the user, or they may be able to obtain more data about the user that they can use in a future attack.

We have also seen organized crime groups investing a lot into their research, and they are also buying and selling trade secrets and zero-day vulnerabilities on the dark web to give themselves an upper hand to attack others. On top of that, we are also seeing countries playing a part to sponsor some of the hacking groups, to make the hacking groups work for the purpose of the country. The key point is the landscape is wider today: it's not just your computer, it's not just your server, it's your mobile phone, your laptop. These are all open for breaches.

In Malaysia, especially in the past few years, we've seen a lot of data breaches involving not just the private sector but also government platforms as well. In 2022, one of the biggest data breaches was personal data that allegedly came from the National Registration Department as well as the Election Commission. The National Registration Department one is quite huge, involving like [unclear] million records, for example the name, IC number, gender, race, address, religion and also the photo as well that's on the IC. The next one is the Election Commission data breach, involving databases of 800,000 voters' personal information. You can see here there are lots of photos of Malaysians taking a selfie while holding an IC: the IC portal as well as a selfie, the online registration process to register as a voter. This is scary, because you can use this to open accounts at various platforms, including e-wallets and various services.

Data custodians hold a very important responsibility and accountability, but unfortunately in Malaysia we have a few insufficient factors. The law, the legal framework itself, does not govern the government, meaning that if any government employee deliberately or accidentally causes a data leak, no one will be accountable for it. That's one of the reasons why I think we will expect to constantly see government employees at the agency level still continue to be negligent in terms of data protection. Usually the private sector moves much faster when it comes to protection. The government as a whole is actually coming up with, uh, proposing a cyber security bill, which is in its draft stage at the moment, and probably, hopefully, by the next Parliament sitting they will actually present it to Parliament. They are slowly moving towards having more guidelines so that companies are able to better tread in this new digital realm, and that will over time help the cyber hygiene of the country.

In cyber security nothing is 100% secure. There's no foolproof method to prevent all of this; it's always a cat and mouse game. The antivirus providers and endpoint protection providers can only do so much to catch up with the hackers, so the most important thing is always at the user side. We need to be aware of what we are interacting with, what we download, what we run. That is the most important thing.
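The captions above describe leaked username/password lists being replayed against an organization's login until one pair works, and the SOC analyst being asked to pull 30 days of logs to see what was detected before the attack. The following is an added example, written for this page and not code from the documentary or any company it features: a small detector that reads authentication log lines and flags the pattern a credential-stuffing run leaves behind, a burst of failures from one source across several usernames, followed by a success from that same source. The log format, the field names, the sample lines and the thresholds are all constructed assumptions for illustration; real SSH, web or Windows logs differ in layout but carry the same three fields (time, result, source) the logic needs.

```python
"""Detect brute-force / credential-stuffing patterns in authentication logs.

Added example, not from the CNA Insider documentary. The SSH-style line
format, the sample log and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source works through several leaked username/
# password pairs and then succeeds; a normal user mistypes once and logs in.
SAMPLE_LOG = """\
2023-11-05T09:00:01Z sshd: Failed password for alice from 203.0.113.7
2023-11-05T09:00:02Z sshd: Failed password for bob from 203.0.113.7
2023-11-05T09:00:03Z sshd: Failed password for carol from 203.0.113.7
2023-11-05T09:00:04Z sshd: Failed password for dave from 203.0.113.7
2023-11-05T09:00:05Z sshd: Failed password for erin from 203.0.113.7
2023-11-05T09:00:06Z sshd: Accepted password for erin from 203.0.113.7
2023-11-05T09:10:00Z sshd: Failed password for frank from 198.51.100.20
2023-11-05T09:10:09Z sshd: Accepted password for frank from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=5)   # sliding window per source IP (assumption)
FAIL_THRESHOLD = 5              # failures within WINDOW that count as a burst
SPRAY_DISTINCT_USERS = 3        # distinct users in a burst => stuffing/spraying


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def detect(log_text):
    """Scan log lines in order and return a list of finding dicts.

    Two finding types are produced:
      'burst'               - at least FAIL_THRESHOLD failures from one IP
                              inside WINDOW (reported once per IP)
      'success_after_burst' - an Accepted login from an IP whose failures in
                              WINDOW already reached FAIL_THRESHOLD, i.e. the
                              "guess the leaked credentials, then log in" step
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    burst_reported = set()
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent[ip]
        while q and ts - q[0][0] > WINDOW:   # expire failures outside the window
            q.popleft()
        if result == "Failed":
            q.append((ts, user))
            users = {u for _, u in q}
            if len(q) >= FAIL_THRESHOLD and ip not in burst_reported:
                burst_reported.add(ip)
                findings.append({
                    "type": "burst", "ip": ip, "failures": len(q),
                    "distinct_users": len(users),
                    "spraying": len(users) >= SPRAY_DISTINCT_USERS,
                })
        elif len(q) >= FAIL_THRESHOLD:       # Accepted right after a burst
            findings.append({
                "type": "success_after_burst", "ip": ip,
                "user": user, "failures_before": len(q),
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this yields two findings for 203.0.113.7, a burst over five distinct users and the success that follows it, and nothing for the single mistyped password from 198.51.100.20. The `success_after_burst` finding is the one worth paging on: it is the moment the captions describe, when a leaked credential has worked and a session exists that should be reviewed and, if unexpected, revoked. Thresholds of this kind are tuned per environment and per log source; the same two counters also serve for web login and VPN logs once the parser is adapted.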
Info
Channel: CNA Insider
Views: 62,974
Id: Ia4_-fPDoII
Length: 45min 3sec (2703 seconds)
Published: Fri Apr 05 2024