It took a little time, but Thai news outlets or blogs are starting to headline some of the Thai hacks that previously were only being reported on DataBreaches.net. There have been new developments in the past 24 hours to note.
Background
On December 10, DataBreaches.net reported a hack and ransom demand by ALTDOS on Country Group Securities. The hackers demanded 170 BTC (approximately USD $3,000,000.00 at the time). CGS allegedly never responded to their demands at all, so ALTDOS provided some data as proof that they dumped publicly. To date, the attackers do not appear to have followed up on that attack, but recently informed DataBreaches.net that they intend to follow up.
CGS wasn’t the only Thai entity attacked by ALTDOS. They also attacked MonoNext and 3BB, subsidiaries of Jasmine International. The MonoNext attack was initially reported by DataBreaches.net here, but the firm’s statement in response to the attack so irritated the hackers that they released more information about the hacks and more proof that DataBreaches.net reported.
And that’s where things stayed for a few days until this site’s reporting became more widely known and Thai outlets and bloggers started covering the news and linking to this site’s coverage.
Regulator wants answers, and more data dumped today
In the last 24 hours, there appear to have been more developments. First, IsraNews.org reports that the Office of the Broadcasting Commission. Television Business and the National Telecommunications Commission (NBTC) called the executives of Jasmine (JAS) and asked them to report within three days what happened in terms of the hacks reported by this site — and what the company is going to do to mitigate harm to customers.
Second, as of an hour ago, ALTDOS has dumped what they claim are 100,000 records from 3BB wifi customers. ALTDOS informs DataBreaches.net that they removed the column for card ID number for now before dumping multiple copies of the dump across various file-sharing sites.
DataBreaches.net sent inquiries to 12 customer email addresses that are in the data dump with timestamps from March, 2019. Only two of the emails bounced back as account does not exist, so it appears that at the very least, there are real email accounts in the database. The 100,000 records do not represent 100,000 unique customers, as there are multiple entries for some email addresses.
In communications to DataBreaches.net today, ALTDOS indicates that this is just the first batch of 100,000 and that there will be more. But they do confirm 3BB’s claim that they did not get credit card or payment card numbers. What they did get, they say, are payment histories and details of millions of customers.
ALTDOS also disputed the firm’s claims that they did not get login credentials (passwords) because they were “encrypted.” An ALTDOS spokesperson claims that the “encryption” was simply MD5 and easy to crack, adding:
ALTDOS or any evil actors can use GPU systems to reverse these “encrypted” passwords easily. The modern standard of password encryption is to add Salting to Hashing, which is way more secure than simply MD5 hash a password.
The login information has been extracted. The SSO user list contains the login information and it is the main database containing all of 3BB’s 5+ million customer information. ALTDOS has verified that.
It seems clear that some of the protections the firm claims to have to secure the data were not particularly secure at all by today’s standards.
TIP: If you were a 3BB customer and you reused passwords across sites or businesses, DataBreaches.net strongly recommends you change all of your passwords to use unique passwords for every site.
Was reporting on these breaches suppressed?
So why weren’t Thai news outlets reporting on these attacks, even after the threat actors let them know about them? DataBreaches.net can think of a few possible explanations;
1. News outlets may be concerned that if they report on hacks and ransom demands, they will encourage more attacks or put more pressure on firms to pay ransom. That is an often-heard concern. In this case, 3BB even tried that tack in their first press release, writing that if outlets were to report on the hack of 3BB, ALTDOS would begin “targeting all public companies in the Stock Exchange of Thailand.” In response to that claim about the financial sector, ALTDOS sent the following to DataBreaches.net:
ALTDOS has never made a statement on any planned attacks against “all listed companies in the stock exchange market of Thailand”. This is a disgusting move by Jasmine executives to use corporate sentiments to prevent media / news coverage in Thailand. ALTDOS hereby challenge Jasmine management to release proof of the mentioned “conversation”.
Thai news outlets were leaving the public at risk and in the dark. Hopefully they will now start informing the public of the true scope of these attacks. But there may be other reasons they have not reported or might not report:
2. News outlets may be under pressure from big corporations who may have relationships with owners of news outlets or political influence over them. When one Thai news outlet tried to actually report on the CGS breach — linking to this site’s reporting and the proof the attackers had sent — the news outlet’s reporting mysteriously disappeared.
That some news outlets in Thailand may have been pressured or co-opted seems likely given that the victim firms were able to get the threat actors’ email accounts and data leaks removed. They likely found out that info from Thai reporters or news outlets that the threat actors had contacted.
Today, 3BB issued another statement. Thanks to a Thai source who wishes to remain anonymous but who provided us with an English translation, the newest statement acknowledges a breach, defends its security, and says the firm will be sending SMS to customers. The statement says, in part:
“The company is very sorry about this incident, which made customers concerned about the security of their personal information. We would like to confirm that the company has security protection systems, firewall equipment, anti-virus systems, and security monitoring. But there is still a chance that a skilled hacker or hacker will succeed in attacking and accessing information systems using a variety of techniques. The company was not complacent about what happened. The management and engineering team of the company are aware of the problem and take corrective action, blocking all access to customer data as soon as it is detected. In addition, we have added security controls to block unauthorized access from foreign IP addresses, as well as improving the information security system. We also have procured software and hired external security consultants to check the security system. Customers can change their password at the 3BB website or the 3BB Member application to increase the security of using the website or application. At the same time, the Company’s Legal Department has proceeded to notify the police and coordinate for cooperation from the Technology Crime Suppression Division (TCSD).”
DataBreaches.net will update this story as more information becomes available.