3 September 2021 | Asia Cyber Summary

In the spotlight this week:

  • Singapore government expands bug hunt with hacker rewards scheme

  • Indonesia probes suspected data breach on Covid-19 app

  • Bangkok Airways hit by LockBit ransomware attack, loses data after refusing to pay

  • Chinese developers expose data belonging to Android gamers

  • Hack exposes personal data of entire Swiss town: report

  • Atlassian warns of critical Confluence flaw

Singapore Government Expands Bug Hunt With Hacker Rewards Scheme

Singapore is offering payouts of up to $5,000 for ethical hackers to uncover security vulnerabilities in systems used by the public sector. The new scheme is the latest in the government's efforts to involve the community in assessing its ICT infrastructure. The Government Technology Agency (GovTech) said its new Vulnerability Rewards Programme was the third crowdsourced initiative it has adopted to enhance the security of its ICT systems. In addition, a special bounty of up to $150,000 could be awarded for vulnerabilities identified to potentially cause "exceptional impact" on selected systems and data. Details outlining such vulnerabilities would be provided to registered hackers and would apply only to selected government systems. The new rewards scheme would initially encompass three public-sector systems, namely, SingPass and CorpPass; member e-services under the Manpower Ministry and Central Provident Fund Board; and WorkPass Integrated System 2, which is operated by the Manpower Ministry.

Indonesia Probes Suspected Data Breach On Covid-19 App

Indonesia is investigating a suspected security flaw in Covid-19 test-and-trace app that exposed personal information and the health status of 1.3 million people. Researchers said personal information in the Indonesia Health Alert Card (eHAC) app, often required to be used by travellers, was accessible "due to the lack of protocols put in place by the app's developers". Mr. Anas Ma'ruf, a Health Ministry official overseeing data, said the government was looking into the potential breach, but that the potential flaw was in an earlier version of the app, which has not been used since July. Mr. Anas urged people to delete the old app and said the breach might have originated from a partner, without elaborating. Researchers said the flaw could expose people to phishing or hacking, as well as discourage people from using a Covid-19 tracing app. Experts say such data breaches point to Indonesia's weak cyber-security infrastructure. In May, the authorities also launched an investigation into an alleged breach of social security data from the country's state insurer.

Bangkok Airways Hit By LockBit Ransomware Attack, Loses Data After Refusing To Pay

Bangkok Airways has revealed it was the victim of a cyberattack from ransomware group LockBit on August 23rd, resulting in the publishing of stolen data. The airline was given five days to sort payment, but instead of paying, it disclosed the breach. LockBit responded by publishing all stolen data. Competing claims about the size of the resulting data dump range between 103GB and over 200GB. The data mostly contained business-related documents, but there was passenger personal data in the mix. The personal data may have included names, nationalities, gender, phone number, email, address, passport information, travel history, partial credit card numbers and even meal preferences. The airline said it is investigating the incident and has informed law enforcement agencies and customers. The latter group was advised to beware of scammers – especially anyone posing as Bangkok Airways asking for information like credit card details. "For primary prevention measures, the company highly recommends passengers to contact their bank or credit card provider and follow their advice and change any compromised passwords as soon as possible", reads the company's statement.

Chinese Developers Expose Data Belonging to Android Gamers

Chinese developers of popular Android gaming apps exposed information belonging to users through an unsecured server. A report revealed a 134GB server which was exposed and made public online to belong to EskyFun - the developer of Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M. The team said that users of the following games were involved in the data leak: Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok. Together, they have been downloaded over 1.6 million times. In total, the team said that an alleged 365,630,387 records contained data from June 2021 onward, leaking user data collected on a seven-day rolling system. The team says that the developers impose "aggressive and deeply troubling tracking, analytics, and permissions settings" when their software is downloaded and installed, and as a result, the variety of data collected was, perhaps, far more than you would expect mobile games to require. The records included IP and IMEI numbers, device information, phone numbers, the OS in use, mobile device event logs, whether or not a handset was rooted; game purchase and transaction reports, email addresses, EskyFun account passwords stored in plaintext, and support requests, among other data. In the end, Hong Kong CERT was contacted in an attempt to resolve the security issue.

Hack Exposes Personal Data of Entire Swiss Town

Late on Wednesday, a small Swiss town acknowledged that it had underestimated the severity of a cyberattack, following reports that the personal data of its entire population was exposed online. The small and picturesque town of Rolle, on the shores of Lake Geneva, acknowledged that it had been the victim of ransomware attack, and that data on some administrative servers had been compromised. The documents, "are personal and extraordinarily sensitive”. Rolle municipality, which has filed a criminal complaint in the case, acknowledged in a statement that it "underestimated the severity of the attack (and) the potential uses of the data”. The town said it "admits with humility a certain naivete towards the stakes when dealing with the dark web and malicious hacks", and that it has set up a taskforce to deal with the crisis. The data leaked included names, addresses, dates of birth, social security numbers and residency permit information for non-Swiss nationals. In some cases, religious affiliation was also listed. School records have also been found, with students' grades, as well as information on children who had contracted COVID-19. Forms used to evaluate the performance of communal employees were also stolen in the attack, as were some criminal records, according to the paper.

Atlassian Warns of Critical Confluence Flaw

The Australian Cyber Security Centre (ACSC) has put out a warning for certain self-hosted versions of Atlassian Confluence which contain an exploit that allows hackers to execute arbitrary code and take control of servers. According to Atlassian, which provided a warning of the exploit after it was identified through the enterprise software vendor’s public bug bounty program, both Confluence Server and Data Centre are affected by the CVE-2021-26084 vulnerability. The ASCS flagged this exploit with a high alert level and claimed it can lead to hackers gaining full control of vulnerable servers. As such, it also said it is aware of scanning and attempted exploitation of the vulnerability. Users that upgraded to versions 6.13.23, 7.11.6, 7.12.5, 7.13.0, and 7.4.11 are not affected, as the exploit has been fixed in these versions. Confluence Cloud users are also unaffected. To stop the exploit, Atlassian recommends users to upgrade to the latest Long Term Support release. If Confluence is unable to be upgraded, the enterprise software vendor also provides temporary mitigation scripts for Confluence Servers and Data Centre Nodes for Microsoft Windows and Linux-based operating systems.

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.