The Daixin Team ransomware group claims it infiltrated the network of popular Malaysian airline AirAsia earlier this month and stole the personal data of about five million passengers and all of the company's employees.
The group has posted a sample of the stolen data on the dark web. AirAsia has yet to comment on the leak and has yet to confirm that its network was breached.
The leaked data reportedly includes the names of passengers and the names, dates of birth, country of birth, as well as other personal data of AirAsia employees.
AirAsia Didn’t Pay Ransom
Ransomware gangs usually post sensitive information online after victims refuse to pay a ransom. A spokesperson for Daixin told Databreaches.net that AirAsia reached out to request proof of the stolen data and asked how the group would delete the data if the company paid the ransom. However, AirAsia didn’t pay the ransom, and apparently didn’t even try to negotiate.
Law enforcement agencies generally advise against paying ransomware gangs, as this emboldens threat actors and does not guarantee that the stolen data will be wiped.
The spokesperson said that during the ransomware attack, which occurred on November 11 and 12, the Daixin Team decided not to encrypt any files associated with systems responsible for controlling flights, to avoid putting lives at risk.
The Daixin gang reportedly plans to leak information about vulnerabilities on AirAsia’s network, including “backdoors,” on the dark web. This would allow other hackers to access the company’s systems freely.
The Daixin Team spokesperson said the “chaotic” nature of AirAsia’s network prevented the group from burrowing further and compromising more files.
“The internal network was configured without any rules and as a result worked very poorly. It seemed that every new system administrator ‘built his shed next to the old building.’ At the same time, the network protection was very, very weak,” the spokesperson said.
About the Daixin Team
The Daixin Team is a cybercrime group that has been active since June this year. In October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warned that the Daixin group is targeting U.S. businesses, particularly organizations in the healthcare sector.
The joint advisory said Daixin hackers usually gain access to targeted systems by exploiting vulnerabilities in virtual private network servers. The group also uses other techniques, like credential dumping and phishing, to breach networks.
Once they gain access to a victim’s server, Daixin hackers move laterally within the network and deploy ransomware. The joint advisory lays out recommendations for organizations to bolster the security of their systems.
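The advisory describes the pattern the defender has to catch: a foothold on one server, then logons fanning out across the internal network before ransomware is deployed. The script below is an added example, not code from the article or from the CISA/FBI/HHS advisory. It runs a simple fan-out detector over a few constructed authentication log lines (the hosts, user names and log format are invented for this example) and flags any source host and account that successfully reach more than a threshold number of distinct internal hosts within a short window.

```python
"""
Added example: detect lateral-movement fan-out in authentication logs.

Not code from the article or the joint advisory. The log format below is a
simplified "timestamp src_host -> dst_host user result" line invented for
this example; a real deployment would parse SSH, RDP or Windows logon events
from the SIEM instead. Thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (invented hosts and accounts, not real data).
SAMPLE_LOG = """\
2022-11-11T02:10:05 ws-17 -> fileserver01 svc_backup success
2022-11-11T02:10:41 ws-17 -> db02 svc_backup success
2022-11-11T02:11:03 ws-17 -> hr-app01 svc_backup success
2022-11-11T02:11:30 ws-17 -> dc01 svc_backup failure
2022-11-11T02:12:12 ws-17 -> dc01 svc_backup success
2022-11-11T02:12:50 ws-17 -> crew-sched01 svc_backup success
2022-11-11T02:13:20 ws-17 -> mail01 svc_backup success
2022-11-11T03:00:00 ws-42 -> fileserver01 jdoe success
2022-11-11T09:15:00 ws-42 -> hr-app01 jdoe success
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _arrow, dst, user, result = line.split()
    return datetime.fromisoformat(ts), src, dst, user, result


def find_fan_out(log_text, max_hosts=5, window=timedelta(minutes=10)):
    """Return (src, user, first_ts, hosts) for each source/account pair that
    successfully logged on to more than `max_hosts` distinct hosts within
    `window`. Failed logons are ignored here; a fuller rule would also count
    failure bursts, since they often precede the successful hop."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, user, result = parse_line(line)
        if result != "success":
            continue
        events[(src, user)].append((ts, dst))

    alerts = []
    for (src, user), evs in events.items():
        evs.sort()
        # Slide a window anchored at each successful logon and count the
        # distinct destinations reached before the window closes.
        for i, (t0, _) in enumerate(evs):
            hosts = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            if len(hosts) > max_hosts:
                alerts.append((src, user, t0, sorted(hosts)))
                break  # one alert per source/account pair is enough
    return alerts


if __name__ == "__main__":
    for src, user, first_ts, hosts in find_fan_out(SAMPLE_LOG):
        print(f"{first_ts.isoformat()} {src} as {user} reached "
              f"{len(hosts)} hosts: {', '.join(hosts)}")
```

With the constructed input, `ws-17` using the `svc_backup` account reaches six hosts in just over three minutes and is flagged, while the two ordinary logons from `ws-42` are not. The threshold and window should be tuned per environment; backup and scanning servers legitimately fan out and belong on an allowlist rather than being silenced by raising the threshold for everyone.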
If you suspect your personal information may be part of the leaked data, we recommend reading our article on dark web monitoring to learn how to check whether your data has been leaked and what you can do to mitigate any resulting threats.