21 May 2021 | Asia Cyber Summary


In the Spotlight This Week:

  • Asian branches of insurer AXA hit by ransomware after dropping reimbursement of ransomware payments

  • Insurance company CNA pays USD 40 million in ransom

  • Windows 10 ransomware protection

  • Pakistan-linked hackers employ new Windows malware tactics

  • Rapid7 source code breached in supply-chain attack

  • Irish healthcare system taken down by ransomware attack



Asian Branches of Insurer AXA Hit By Ransomware


Branches of insurance giant AXA based in Thailand, Malaysia, Hong Kong, and the Philippines have been struck by a ransomware cyber attack.


As seen by BleepingComputer yesterday, the Avaddon ransomware group claimed on their leak site that they had stolen 3 TB of sensitive data from AXA's Asian operations. Additionally, BleepingComputer observed an ongoing Distributed Denial of Service (DDoS) against AXA's global websites making them inaccessible for some time yesterday.


The compromised data obtained by Avaddon, according to the group, includes customer medical reports (exposing their sexual health diagnosis), copies of ID cards, bank account statements, claim forms, payment records, contracts, and more.


The announcement from the group comes roughly a week after AXA stated that they would be dropping reimbursement for ransomware extortion payments when underwriting cyber-insurance policies in France.



Insurance Company CNA Pays USD 40 Million in Ransom


CNA Financial Corp paid $40 million in late March to regain control of its network after a ransomware attack. The CNA hackers used malware called Phoenix Locker, a variant of ransomware dubbed ‘Hades.’ Hades was created by a Russian cybercrime syndicate known as Evil Corp. The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network.


In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hackers’ identity with the FBI and the Treasury Department’s Office of Foreign Assets Control. In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”



Windows 10 Ransomware Protection


Unbeknownst to many consumer users of Windows, Microsoft offers built-in ransomware protection as part of Windows Defender, found under Virus & Threat Protection.


The basics for turning it on aren’t complicated: type “Ransomware Protection” into the Windows 10 Cortana search bar (typically in the lower left of the screen), then open the “Ransomware Protection” screen. You’re given the option to turn on Controlled Folder Access. You can then select which folders you want protected.


The goal is to block suspicious software, but if an app you know is safe is blocked, Microsoft gives you the option to build a whitelist. Use Controlled Folder Access for whitelisting apps. You can do this by going to “Allow an app through Controlled folder access.”
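The same Controlled Folder Access settings can be managed and audited from an elevated PowerShell session, which is how you would apply the steps above to more than one machine. This is an added example, not code from the original newsletter; it assumes Windows 10 with Microsoft Defender Antivirus enabled, and the folder and application paths are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: manage Microsoft Defender Controlled Folder Access from PowerShell.
# Assumptions: Windows 10 with Microsoft Defender Antivirus enabled, run from an
# elevated PowerShell session. The two paths below are placeholders.

$ExtraFolder = 'C:\Users\Public\ProjectData'               # placeholder folder to protect
$TrustedApp  = 'C:\Program Files\ExampleBackup\backup.exe'  # placeholder app to allow

# 1. Show the current state before changing anything.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# 2. Turn the feature on. 'AuditMode' only logs what would have been blocked;
#    use it first on machines where you are unsure which legitimate apps
#    write into user folders, then switch to 'Enabled'.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 3. Protect an additional folder beyond the default user library folders.
if (Test-Path $ExtraFolder) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolder
}

# 4. Allow a known-good application through (the "allow an app" step above).
#    Allow by full executable path and keep this list short: every entry is an
#    application that may modify all protected folders.
if (Test-Path $TrustedApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp
}

# 5. Review what was blocked in the last 7 days. Event ID 1123 = blocked write,
#    1124 = audit-mode detection. Unfamiliar process names here deserve a look.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```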



Pakistan-Linked Hackers Employ New Windows Malware Tactics


Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of their operations, as part of an evolving espionage campaign against Indian targets, according to new research.


The attacks have been linked to a group called Transparent Tribe, also known as Operation C-Major, APT36, and Mythic Leopard, which has created fraudulent domains mimicking legitimate Indian military and defense organizations, and other fake domains posing as file-sharing sites to host malicious artifacts.


"While military and defense personnel continue to be the group's primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting," researchers from Cisco Talos said on Thursday.



Rapid7 Source Code Breached in Supply-Chain Attack


Cybersecurity company Rapid7 on Thursday revealed that unidentified actors improperly managed to get hold of a small portion of its source code repositories in the aftermath of the software supply chain compromise targeting Codecov earlier this year.


"A small subset of our source code repositories for internal tooling for our [Managed Detection and Response] service was accessed by an unauthorized party outside of Rapid7," the Boston-based firm said in a disclosure. "These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers."


On April 15, software auditing startup Codecov alerted customers that its Bash Uploader utility had been infected with a backdoor as early as January 31 by unknown parties to gain access to authentication tokens for various internal software accounts used by developers. The incident didn't come to light until April 1.


As part of its incident response investigation, the security firm said it notified a select number of customers who may have been impacted by the breach. With this development, Rapid7 joins the likes of HashiCorp, Confluent, and Twilio, who have publicly confirmed the security event to date.



Irish Healthcare System Taken Down by Ransomware Attack


Ireland has shut down most of the major IT systems running its national health care service, leaving doctors unable to access patient records and people unsure of whether they should show up for appointments, following a “very sophisticated” ransomware attack.


Paul Reid, chief executive of Ireland’s Health Service Executive (HSE), told a morning radio show that the decision to shut down the systems was a “precautionary” measure after a cyberattack that impacted national and local systems “involved in all of our core services.”


No group has yet claimed responsibility for the attack, though Reid said on Friday morning that it involved “Conti, human-operated ransomware,” referring to the type of software used. He added that the HSE had not yet been served with a ransom demand.


“We are at the very early stages of fully understanding the threat, the impact, and trying to contain it,” he said, adding that the HSE was receiving assistance from the Irish police force, defense forces, and third-party cyber support teams.



Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.