LockBit Pre-Empts Its Countdown & Publishes Bangkok Air Files!

The ransomware gang LockBit claims to have carried out successful attacks against 2 airlines & 1 airport with help from its Accenture attack.

After Bangkok Airways disclosed that it had been hit by a cyber-attack last week, the LockBit 2.0 ransomware gang abandoned its own countdown, & went ahead & published what it claims are the airline’s encrypted files on its leak site.

Demanded Extortion

Bleeping Computer posted an image of LockBit’s “Encrypted Files Are Published” post, dated Sat., Aug. 28, 19:37:00. That’s 3 days earlier than its original timetable: in that post, the ransomware-as-a-service (RaaS) gang threatened that encrypted files would be published Tues. if the airline didn’t pay the ransom. The sum of the demanded extortion hasn’t been reported.

Sat.’s LockBit post reads:

“Bangkok Airways. We Have More Files (Extra +200GB) To Show & Many More Things To Say … They said: ‘We protect our customers’ privacy.’ But with P@ssw0rd for all system & domain admins. Extra:”

The post included some withheld links.

Ethiopian Airlines

The news outlet, which has been talking with the gang, reported that before LockBit went after Bangkok Airways on Aug. 23, the group also published encrypted files from another airline: Ethiopian Airlines.

The threat actor stated that the Accenture breach from earlier this month provided the credentials used in both of the airline attacks. LockBit also claimed to have encrypted the systems of an unnamed airport using Accenture software.

Accenture later reached out to deny LockBit’s claims. Its statement:

“We have completed a thorough forensic review of documents on the attacked Accenture systems. This claim is false. As we have stated, there was no impact on Accenture’s operations, or on our client’s systems. As soon as we detected the presence of this threat actor, we isolated the affected servers.”

Bangkok Airways Breach

Bangkok Airways announced the breach last week, on Thur., & LockBit 2.0 started a countdown the next day. In its initial post, the gang claimed to have stolen 103GB worth of compressed files that it would release yesterday, on Tues., & that it had a lot more – those +200GB of files it mentioned again in Sat.’s post – that it could add.

Bangkok Airways revealed at the time it disclosed the Aug. 23 attack that it’s working to improve its defences.

Personal Data

The breach involved various personal data belonging to passengers, including:

  • Passenger name
  • Family name
  • Nationality
  • Gender
  • Phone number
  • Email address
  • Other contact information
  • Passport information
  • Historical travel information
  • Partial credit-card information
  • Special meal information

The attackers evidently didn’t manage to access Bangkok Airways’ operational or aeronautical security systems, the company outlined in its public disclosure.

Countdowns

Ivan Righi, Cyber Threat Intelligence Analyst at digital risk protection provider Digital Shadows, pointed out that this is not the 1st time that LockBit has ignored its own countdown.

The gang repeatedly delayed its own threats in the Accenture breach, Righi noted, possibly because of its use of a clearweb site – Mega.nz, a cloud storage & file hosting service that’s known for offering the largest fully featured free cloud storage in the world, at 20GB. “The threat actor’s account on Mega was banned & the files are no longer accessible,” Righi noted.

With regard to LockBit’s premature release of Bangkok Airways’ files, Righi suggested that the group may have chosen to expose data earlier than scheduled “due to the risks of the files being taken down from Mega.”

Digital Shadows has identified 131 victims of LockBit 2.0 since the gang’s leak site was created in July 2021.

Public Disclosure

Oliver Tavakoli, CTO at AI cybersecurity company Vectra, observed that LockBit may have been motivated by Bangkok Airways’ public disclosure, given that attackers generally prefer for the attack not to be made public until after a ransom is paid.

The delaying tactic provides more pressure to ensure that victims capitulate. “Victims naturally want to assert as much control as possible, and disclosing the attack is a means to that end,” he explained.

Accenture Breach Could Spread

Earlier this month, LockBit attacked Accenture, a global business consulting firm with an insider track on some of the world’s biggest, most powerful companies.

It’s not surprising that airlines (&, going by what LockBit claimed, at least 1 airport) have apparently fallen victim to LockBit, given the range of credentials the gang presumably stole from Accenture – a claim that, again, Accenture has denied.

Accenture’s clients include 91 of the US Fortune Global 100 & more than three-quarters of the US Fortune Global 500. According to its 2020 annual report, that includes e-commerce giant Alibaba, Cisco & Google. Valued at $44.3b, Accenture is one of the world’s largest tech consultancy firms & employs around 569,000 people across 50 countries.

Potentially Compromising

Depending on whether Accenture’s customers believe their security provider or LockBit, they might be concerned. The threat actor is claiming to have ‘drained’ their security provider (a claim denied by Accenture), thus potentially compromising a huge number of its customers (if LockBit’s claims are true).

Hopefully, LockBit is exaggerating, & Accenture’s right that the threat actor didn’t really get anywhere. Even so, according to a report released recently by Trend Micro, attacks in July & Aug. have employed LockBit 2.0 ransomware that uses an improved encryption method – just 1 of many times the gang has done so.

Stealing Credentials

Just because credentials supposedly stolen in the Accenture attack could potentially be used in future attacks shouldn’t be seen as meaning future attacks would be successful, Tavakoli explained. “Stealing credentials is often just the opening salvo to such an attack,” he stated.

“Organisations need to be more resilient to the next steps in these human-operated attacks. The move from a purely preventive mindset & to one of visibility, detection & response is a critical step in that journey.”
