Bangkok Airways Hack: LockBit ransomware strikes again

In cybersecurity things can escalate very quickly. Any breach of system by a malicious actor is often not always just as it appears and can often go from bad to worse in a matter of hours. For Bangkok Airways, what started out as a devastating data breach quickly was revealed to also be a ransomware attack by the infamous LockBit ransomware group. 

The LockBit group, with their recent launch of LockBit 2.0, are a ransomware-as-a-service group. They develop the ransomware and rent it out, often advertising millions to recruit malicious company insiders like in the seeming case of the recent Accenture ransomware attack they were responsible for. If proving successful, affiliates receive roughly 70-80 percent of the profits from the ransom, while the LockBit developers take the rest as commission.  

When malicious actors gain access to systems, they are a threat to the confidentiality, the integrity and availability of that system. Often, they can achieve more than one aim once they are in a corporate network. LockBit 2.0 makes this easier for threat actors by having an inbuilt data exfiltration trojan variant tool called StealBit, which helps threat actors to utilise data breaches as a further pressuring technique on companies for the ransoms. 

Bangkok Airways is the latest in a long line of victims as the LockBit group escalates their efforts. It’s been revealed the LockBit Group threatened to publish 103 gigabytes of Air Customer Data if the ransom wasn’t paid by the 30th August, although there are claims that it is actually up to 200 gigabytes they stole. 

The Initial Data Breach 

When Bangkok Airways admitted they had discovered a data breach, there were already devastating consequences for the confidentiality of their systems and their customers’ data. While mainly business documents were exposed, so was customer data, with a lot of Personally Identifiable Information (PIIs) falling into the hands of cybercriminals. 

The PIIs included details like:  

• The names of victims. 
• Their nationalities. 
• Passport information. 
• Travel history. 
• Partial credit card numbers. 
• Gender of victim.  
• Phone numbers.  
• Email address. 
• Meal preferences. 

All of these details can be utilised to perform fraud and identity theft, as well as for malicious actors to perform highly-effective phishing attacks, on those who have been affected. Armed with this information, a hacker could trick the majority of the people into giving out even more sensitive information by impersonating trusted entities like airlines or even banks. 

As customers are becoming more and more aware of how their data can be used to attack by malicious actors, many companies who have suffered recent data breaches like T-Mobile are now facing lawsuits due to damages and security measures being publicly perceived as knowingly inadequate. 

What is Lockbit 2.0 ransomware and how was Bangkok Airways affected? 

Following the breach, Bangkok Airways released a statement on the 26th August clarifying the situation for customers and saying they were “deeply sorry” for the data breach. Around the same time, the LockBit group announced on their dark web portal that they had installed their ransomware on the organisation’s system and would leak data if the company didn’t pay up. 

It remains unclear if the ransomware itself had managed to encrypt any high-value assets, although the airline maintains that no operational or aeronautical security systems were affected by the attackers. 

One of the newer ransomware variants and one of the best-designed lockers on the market, Lockbit 2.0 ransomware exploits systems via existing vulnerabilities in the Fortinet FortiOS and FortiProxy products identified as CVE-2018-13379. It leverages these vulnerabilities to gain access to victim networks. 

It can also gain access to systems and networks via social engineering techniques like phishing, by being uploaded onto systems directly by recruited insiders, or by being delivered by threat actors who simply have bought Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) remote access in order to get into the system. 

ACSC released an advisory in early August telling organisations how to better safeguard their systems against this ransomware variant’s routine attack vectors. 

Recommendations 

Bangkok Airways had the list of following recommendations for passengers to avoid potential phishing attempts that could be utilised from the data breach, these include:  

• Passengers should contact their bank or credit-card provider and change any compromised passwords immediately.  
• Passengers should be vigilant with suspicious or unsolicited calls, texts, messages and emails that could be phishing attempts. 
• Bangkok Airways said they won’t contact customers to ask for card details or other sensitive data. So, if a sender claiming to be from Bangkok Airways does, it’s a phishing attempt by malicious actors. 

Bangkok Airways advised passengers who suspect someone is trying to phish them to report it to law enforcement and the airlines as soon as possible.  

Customers can contact the airline via [email protected]. 

Customers can also call them on the numbers listed below: 

• If you reside in Thailand, call 1-800-010-171. This is a Toll-free number and operating hours are between 8am and 5.30pm (UTC+07:00 Thai Local Time). 
• For overseas calls, there is a Toll number 800-8100-6688, which operates between 8am and 5.30pm (UTC+07:00 Thai Local Time).