The Daixin ransomware gang claimed AirAsia Group as its victim, stealing data of over five million passengers and employees.
Daixin shared a data sample as proof of its treasure and hinted it would leak the data in two batches. AirAsia Group is a low-cost Malaysian airline with nearly 15,000 employees.
According to databreaches.net, Daixin encrypted a lot of resources and deleted backups. Still, they didn't do as much as they might typically do due to poor organization on AirAsia Group's network: "The chaotic organization of the network, the absence of any standards, caused the irritation of the group and a complete unwillingness to repeat the attack."
Cybercriminal gang calling themselves the "Daixin Team" has been actively targeting US businesses, predominantly the healthcare sector, since at least June 2022.
According to the joint advisory by CISA, Federal Bureau of Investigation (FBI), and Department of Health and Human Services, the Daixin Team deploys ransomware and encrypts health records, diagnostic, imaging, and intranet services.
It has also been observed to exfiltrate personal identifiable information (PII) and patient health information (PHI) and use it for blackmail, threatening to release the data if the demands were not met.
Daixin gang gains initial access through virtual private network (VPN) servers. Threat actors exploit unpatched vulnerabilities and previously compromised credentials.
"In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization's VPN server. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled."
According to Adi Peretz, cybersecurity director at Cyrebro, an online managed Security Operations Center (SOC) infrastructure provider, gangs like Daixin capitalize on poor IT hygiene, and the AirAsia hack appears to be the case.
"Daixin leverages known VPN exploits and phishing to gain access to their victim's network. Once access is gained, they escalate privileges and use RDP and SSH to move laterally inside their victim network. While the Daixin ransomware gang targeted the healthcare sector earlier this year, this recent hack suggests they are opportunistic by nature, seeking any target with low investment in cybersecurity," Peretz said.
The Daixin Team's ransomware is based on leaked Babuk Locker source code, which was leaked following the Washington DC Metro Police attack. In May 2021, the Babuk group released thousands of sensitive police documents on the dark web. In September 2021, the Babuk source code was leaked on a Russian-language cybercrime forum.
"Daixin's Babuk use suggests they lack the skill and capability to build their own tools and opt to use ones that are publicly available," Peretz added.
More from Cybernews:
Subscribe to our newsletter