Desorden Group – The Summer 2023 Update

First Published: August 16 2022

Updated September 12 2023

Introduction to the Desorden Group

The financially motivated Desorden (Disorder in Spanish) group, previously known as “chaoscc”, was first observed going by the new name Desorden in 2021 while acting against multiple Asian-based organizations in various sectors. The group mainly targets high-revenue enterprises and supply chains to amass as much profit as possible by extracting sensitive organizational data and demanding a ransom for it. In 2022, Desorden added multiple Thai-based organizations to their victim list in what seems to be a region-based attack.

After a first wave of attacks in the last third of 2021, the group’s second wave of attacks took place in June-July 2022, accompanied by increased activity in the top cybercriminal Darknet forums, and gained fairly good traffic and recognition thanks to their recent results.  Their victim list includes Acer Taiwan, Acer India, SkyNet.com.my Malaysia Logistics, ProTempts, ABX Express Enterprise and multiple high-revenue Thai-based companies.

The group gained an excellent reputation in the cybercriminal communities due to their successful operations and unique data that share and offer for sale. They left a mark during their first wave, yet it seems that the first wave was just the appetizer. Now anything goes.

Desorden Ranhill Utilities Attack

In July 2023 Desorden revealed that they had breached Ranhill Utilities Berhad, a provider of water and power supply in Malaysia. They revealed that the initial breach occurred as far back as 2021 and for 18+months Desorden had been in their systems. However, it was only in July 2023 that they took all databases in the billing system, removed backups and got rid of whole databases.

Presence in Darknet Forums

With remarkable similarity to financially motivated groups, the Desorden group is mainly active in major cybercriminal forums, where they share their recent successful breaches. Cyberint detected nearly 100 posts by the threat group in three months in 2022, which came after a long silence. Most of the posts were published in July.

The group began its activity on multiple major forums. The most well-known forum is the notorious and recently seized RaidForums, on which the group posted their first announcement in late September 2021. Each breach is shared with their brand signature “THIS IS DESORDEN GROUP”.

Communication Methods

In 2022, there are two ways to communicate with the group: The first was via Tox, the second was via private message in the forum. Tox is a distributed instant messaging application that runs without requiring the use of central servers. The bottom line is that the application lets you chat anonymously. This is in sharp contrast to other threat actors, who also used social media platforms such as Telegram etc., to communicate and engage with subscribers and potential buyers.

Victims List

Acer, Malayan Logistics and Philliphine Homebuilder

At the end of September 2021, the threat group hacked two Malayan logistics companies, ABX Express and Skynet Both companies were shared on the Raidforums platform and accompanied by samples of the data. This posting resulted in a massive data compromise followed by a personal customer information leak.

In mid-October, the group’s journey around Asia continued as the technology giant Acer was infected. The group claimed that it had accessed over 60GB of the company’s data. The leak provided the threat group with over 3000 sets of login details of Acer’s retailers and distributors in India.

The next victim was published in early November 2021. The group hacked Philippines’ largest homebuilder, supermarket and convenience stores, AllValue, and stole 300GB of files and data from their compromised servers.

Their most recent victim is Ranhill in 2023.

Singapore Under Attack

The threat group revealed their next victim in mid-November 2021 as well. Same result, different country – the Singaporean recruitment company, Protemps, was hacked, and according to the Desorden group, its entire DB was compromised, and the data was exfiltrated.

In early 2022, the group announced that they hacked OG Singapore Department stores. In this operation, the group accessed sensitive personal information about members. The data included full names, National Registration Identity Card (NRIC), emails, and login credentials. The group also shared that the infected server also hosted other companies, including Shaw Singapore, and was compromised as well.

Thai Blitz Phase 1 – Central Group

One of the group’s primary targets was the Central Group, a Thai-based company that invests in retail, property development, brand management, hospitality, food and beverage sectors, and digital lifestyle.

Desorden’s threat actors attacked the Central Group three times in 2021-2022, two of the attacks occurred in October 2021 as Central Group and its subsidiaries, the Central Restaurants Group (CRG) and Centara Hotel Group suffered a major hit. The Desorden group shared that they negotiated a ransom of $900,000 with the Central Group . The Central Group subsequently reneged after an initial agreement, resulting in the threat actors carrying out a spear attack on the Central Group.

The third attack was also against a major subsidiary of the group, the Central Retail Corporation, a worldwide retail corporation founded in Bangkok and owned by one of the wealthiest families in Thailand.

Thai Blitz Phase 2 – Insurance Companies

During the second attack wave in the past month, the group started sharing information about Thai insurance companies. The data includes residents and agents of Thai insurance company SRIKRUNGBROKER and its subsidiary 724.co.th. According to the post, they stole a total of 1.75TB of personal data, including full names, ID card numbers, ID documents, birthdates, addresses, insurance policy data, etc.

Thai Blitz Phase 3 – Mistine/Saha Group, Frasers and Union Auction

On July 19, the group announced another Thai victim, the Better Way Thailand Company Limited, a personal care products and cosmetics distributor. Mistine is a subsidiary of Saha Group, Thailand’s leading publicly listed consumer products conglomerate.  The group shared that the data breach involved 180 GB of data and 60 GB of files, affecting more than 20 million residents including personal data information of their customers and sales representatives. According to the threat group, 20 of their servers were infected, causing a compromise of over 19.9 million customer records of Mistine Direct Sales across the Flormar, Fairs, Friday, Mistine, MYSS, Yupin and NingNong brands.

On July 26, the Desorden group continued their spear attack and published a post about hacking  Frasers Property. This data breach involved 312,834 personal information of their customers, financial and corporate data. On August 3, a few days after the post, Frasers Property Thailand reported the cyber incident to the Thailand Stock Exchange.

On the same day, 10 minutes later, on a different forum, the group shared another post regarding a new victim, Union Auction Thailand, which led to the extraction of personal information of 30,000 members.

TTPs

• The group launches an attack by first conducting reconnaissance of the target organization’s infrastructure and technologies.
• The group generates Advanced Package Tool (APT) custom scripts to infiltrate the organization based on the recon and their needs. The group also employs Python, PowerShell, and C#.
• The group communicate with the potential buyers using Tox or forum private messages.
• Unlike ransomware, the group does not encrypt a victim’s data. Instead, they steal sensitive information from the victim and threaten to make it public if the company does not pay the ransom.
• The group negotiate quietly with the victims to collect the ransom. If a victim is willing to pay the ransom demanded, the breach or the company’s data is not publicized.
• The group usually upload samples to gofile.io service in order to provide evidence for the potential buyer.

Ransom Builders

In addition to hacking and breaching major corporations, the group also takes care of other threat actors operating in the wild. The group shared the Chaos ransomware builder V4 and Yamsha Ransomware Builder V1.2 for free. The Chaos builder was first identified in 2021 as a customizable ransomware builder and is mainly connected to the Onyx and Yashma ransomware variants.

Conclusions and Recommendations

During the victim analysis, we witnessed a variety of sectors and regions. However, in the second wave of continuous attacks, it became clear that the Thai corporations are under constant attack, led by the Desorden group, with significant success. After declaring itself as deploying attacks to gain profit, the focus of the group is on a specific region, in contrast to other groups whose victim distribution is wider.

Unlike the classic widely used double-extortion procedure, where threat actors exfiltrate a victim’s sensitive data and encrypt it, the Desorden group abandoned the encryption and wiping methods,  focusing instead solely on the exfiltration and this is making waves. This is another reminder about unanswered data exfiltration prevention and the extraordinary value of corporation data, individual data privacy and how it can affect a state or a region.

• Raising employee security awareness followed by dedicated training remains important in helping companies identify and be suspicious of unsolicited emails and phishing campaigns, especially messages with embedded links or file attachments.
• Disable administrative tools and script interpreters, such as PowerShell, to prevent their misuse by malicious payloads.
• Educate users on the common TTP used and reinforce the message that documents encouraging them to ‘Enable Editing’, ‘Enable Content’ or disable any other security setting are almost undoubtedly malicious.
• Multi-factor authentication should be implemented wherever possible to limit the effectiveness of stolen credentials.
• Continuous monitoring of unusual endpoint behaviors, such as excessive requests to specific webhosts using unusual user-agent strings, can provide an early indication of compromise.
• Consider applying deep content inspection to ensure that any downloaded content filetype matches the actual file content, in addition to blocking dangerous filetypes, such as executables, for standard users.