30 July 2021 | Asia Cyber Summary

In the spotlight this week:

  • Indonesia's BRI Life probes reported data leak of two million users

  • LINE accounts of 100 Taiwan officials hacked in mass breach

  • IBM: Cost of data breaches hit 17-year high

  • Apple releases iOS 14.7.1 to fix Apple Watch zero-day exploit

  • Iranian hackers build elaborate online profile to fool targets into downloading malware

  • 'Praying Mantis' threat actor targeting Windows internet-facing servers with malware

Indonesia's BRI Life Probes Reported Data Leak Of Two Million Users

BRI Life, the insurance arm of Indonesia's Bank Rakyat Indonesia, said on Tuesday it was investigating claims that the personal details of over two million of its customers had been advertised for sale by unidentified hackers. Hudson Rock, a cybercrime monitoring firm, told Reuters that it had found evidence which showed that multiple computers belonging to BRI and BRI Life employees had been compromised. "We are checking with the team and will provide an update as soon as the investigation is done," BRI Life CEO Iwan Pasila has said. In a post on the RaidForums website, an unnamed user said they were selling a collection of 460,000 documents compiled from the user data of over two million BRI Life clients for USD $7,000. The post was accompanied by a 30 minute video of the documents, which included bank account details, as well as copies of Indonesian identification cards and taxpayer details.

LINE Accounts Of 100 Taiwan Officials Hacked In Mass Breach

Hackers have breached LINE messaging accounts belonging to more than 100 officials and political figures in Taiwan. The hacked accounts include those of bureaucrats, senior party administrators and military officers. The Taiwanese government has confirmed the breach and has initiated an investigation. The hack disabled a default privacy setting called Letter Sealing, which provides end-to-end encryption of messages. Japan-based LINE is a popular messaging app in Taiwan, and the personal data breach potentially affected a multitude of people. The hackers are suspected of using the military-grade spyware called Pegasus developed by the Israel-based NSO Group, according to reports. The technology can infect a phone just by having the victim receive a message, with no need to click on a link. Pegasus has been known to intercept phone calls and monitor the movements of infected smartphone users around the clock.

IBM: Cost Of Data Breaches Hit 17-Year High

Data breaches cost companies an estimated $4.24 million per incident on average — a 17-year high, according to a Wednesday report from IBM. The global figure represents the highest cost-per-data-breach incident in the 17-year history of IBM's annual "Cost of a Data Breach" report. "Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic," Chris McCurdy, vice president and general manager of IBM Security, said in a Wednesday statement. He added, however, that "while data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero trust approach – which may pay off in reducing the cost of these incidents further down the line." It also took companies longer on average to detect and contain breaches. Organizations, on average, took 212 days to detect breaches and 75 to contain them.

Apple Releases iOS 14.7.1 To Fix Apple Watch Zero-Day Exploit

Last week iOS 14.7 was released, adding features including support for Apple’s magnetic battery pack. Unfortunately, the update also interrupted the “Unlock with iPhone” feature that Apple Watch wearers used for easy access to their wrist-wear. A patch is now under development to amend this. If you don’t have an Apple Watch, it is advisable that you still install iOS 14.7.1 (and for Mac owners, macOS 11.5.1) as soon as you can. Security notes from Apple reveal that the two updates it pushed today fix flaws that are already being exploited in the wild. The memory corruption issues in Apple’s desktop and mobile operating systems have been assigned the same vulnerability ID and attributed to an anonymous researcher.

Iranian Hackers Build An Elaborate Online Profile To Fool Targets Into Downloading Malware

A cyber-espionage campaign linked to the Iranian military drew victims in with fake social media profiles and messages in an attempt to steal usernames, passwords and other sensitive information. Iranian hackers spent 18 months masquerading as an aerobics instructor in a cyber-espionage campaign designed to infect employees and contractors working in defence and aerospace with malware in order to steal usernames, passwords and other information which could be exploited. Active since at least 2019, the campaign used Facebook, Instagram and emails to pose as the fake persona "Marcella Flores". The attackers spent months building up a rapport with targets via messages and emails before distributing malware after the trust was gained. Marcella's public-facing Facebook profile claimed she was an aerobics instructor in Liverpool, England -- and her friends' list contained several people identifying as defence contractors on their profiles.

'Praying Mantis' Threat Actor Targeting Windows Internet-Facing Servers With Malware

Windows internet-facing servers are being targeted by a new threat actor operating "almost completely in-memory," according to a new report from the Sygnia Incident Response team. The report said that the advanced and persistent threat actor -- which they have named "Praying Mantis" or "TG1021" -- mostly used deserialization attacks to load a completely volatile, custom malware platform tailored for the Windows IIS environment. "TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets," the researchers wrote. "Praying Mantis" managed to compromise their networks by exploiting internet-facing servers, and the report notes that the activity observed suggests that the threat actor is highly familiar with the Windows IIS platform and is equipped with 0-day exploits.

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.