Sambal ke Kari - On Neverending Data Leaks.

Squid cooked in sambal, served by Ali Nasi Kandar Bukit Mertajam
Photo by Hazim Abd Halim / Unsplash

For the past few days, I was contacted by a few industry players to "politely" ask some of my colleagues to tone down their news on the latest "largest data leak news in Malaysia". From the industry's perspective the issues are known to them, they are in the process of identifying the root cause, and they do not want any public tension or unwanted publicity. At this moment https://breached.vc/ is inaccessible from Malaysia directly. Typically a data leak occurs when the malicious actor does not use the data as ransom (locking your data with a strong encryption key, a.k.a. ransomware).

What are my rights here? Can I sue these entities?

The Personal Data Protection Act (PDPA) is a law in Malaysia that regulates the collection, use, and disclosure of personal data. If a company has violated the PDPA or other laws related to data protection, you may be able to take legal action against the company.

To determine whether you have a case, you will need to consider several factors, such as the nature of the data breach, the harm that you have suffered as a result of the breach, and whether the company was negligent in protecting your personal data. You should also consider whether you have suffered any financial losses or other damages as a result of the breach.

If you believe that you have a valid legal claim against a company for a data breach, you should consult with a lawyer who is experienced in this area of law. They can advise you on your legal options and help you to pursue your claim. It is also a good idea to report the data breach to the relevant authorities, such as the Personal Data Protection Department (PDPD) in Malaysia.

What is the root cause of a data leak? Is it negligence? Software or hardware vulnerabilities?

Determining the root cause of any data leak is always a challenge. Most of the industries mentioned are heavily regulated and, to be fair, have spent a significant amount of budget keeping things secure (not sure about MBOT). Modern protection includes:

  • KMS backed by HSM
  • EDR combined with AMSI
  • Disabling USB Devices
  • Encrypted DB and Endpoints
  • Transparent Proxy or Transport Solutions
  • Event Log Monitoring 24/7

So if they have spent that much money securing both infrastructure and people, why did it fail?

Now this is the most challenging part. Most of the time vendors upsell their products by selling threat intel that has nothing to do with the organization, or certified testers whose only concern is breaching AD, becoming root or global/domain admin, or bypassing AV, etc.

Now I'm not saying those approaches or implementations are not important, but bear in mind that the goal of a malicious actor is to gain access to your data. Therefore a skilled actor will prioritize exploiting functionality instead of vulnerabilities. It sounds crazy and too good to be true, but, as the Apache default page says, "It Works!"

Suppose a malicious actor's goal is to obtain data from a database and dump it to a private server. In actuality the actor does not require meterpreter/sliver/cobalt-strike/beacon to do that.

The abused functionality would be:

  • Use current creds to access DB
  • Extract the Data
  • Upload to a private server

By focusing on functionality we can get a bit creative, for example by making the tooling proxy aware, etc. And yes, EDR would not be able to classify this act as malicious: as humans we know this is a risk because of the intent of the actor, while EDR focuses on which APIs are being invoked by the program.
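The chain above (current creds, extract, upload) is exactly what process-centric EDR struggles with, so the check has to look at what the credentials did rather than which API the program called. The following Python detector is an added example, not code from the original post: it runs over constructed DB audit log lines (the line format and the `app_svc` account are assumptions) and flags reads that are out of character for the account, the kind of data-centric signal the "Event Log Monitoring 24/7" item above would need to carry.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed (constructed) audit line format: "<ts> user=<u> client=<ip> rows=<n> sql=<statement>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) client=(\S+) rows=(\d+) sql=(.*)$")
FULL_TABLE_RE = re.compile(r"^\s*SELECT\b(?!.*\bWHERE\b)", re.IGNORECASE)  # SELECT with no WHERE

# Constructed sample: normal per-record app queries, then one whole-table dump made with
# the same legitimate service credentials from a host this account has never used before.
SAMPLE_LOG = """\
2023-01-01T09:00:01Z user=app_svc client=10.0.1.20 rows=1 sql=SELECT name FROM customers WHERE id=?
2023-01-01T09:00:02Z user=app_svc client=10.0.1.20 rows=3 sql=SELECT * FROM orders WHERE cust_id=?
2023-01-01T09:00:03Z user=app_svc client=10.0.1.20 rows=1 sql=SELECT name FROM customers WHERE id=?
2023-01-01T09:00:04Z user=app_svc client=10.0.1.20 rows=2 sql=SELECT * FROM orders WHERE cust_id=?
2023-01-01T09:00:05Z user=app_svc client=10.0.1.20 rows=1 sql=SELECT name FROM customers WHERE id=?
2023-01-01T02:13:07Z user=app_svc client=10.0.9.77 rows=184203 sql=SELECT * FROM customers
"""

def parse(log):
    """Turn raw audit lines into dicts, skipping lines that do not match the format."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, client, rows, sql = m.groups()
            events.append({"ts": ts, "user": user, "client": client, "rows": int(rows), "sql": sql})
    return events

def flag_bulk_reads(events, factor=100, min_rows=1000):
    """Return (event, reasons) pairs for reads that look like extraction: rows far above
    the account's own median, whole-table SELECTs, or a client host never seen for it."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for evs in by_user.values():
        baseline = median(e["rows"] for e in evs)  # median is barely moved by one outlier
        client_seen = Counter(e["client"] for e in evs)
        for e in evs:
            reasons = []
            if e["rows"] > max(min_rows, factor * baseline):
                reasons.append("bulk_rows")
            if FULL_TABLE_RE.match(e["sql"]):
                reasons.append("full_table_read")
            if len(evs) > 1 and client_seen[e["client"]] == 1:
                reasons.append("unusual_client")
            if reasons:
                alerts.append((e, reasons))
    return alerts
```

Run against real audit logs, the baseline should be computed over a longer window than the alert window, otherwise a single long session can drag its own median up.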

Solution?

It's not free. Happy New Year 2023.