Anonymous Targets German Branch of Rosneft, Steals 20TB of Data
Read also: Israel hit with a large-scale DDoS attack, hundreds of GoDaddy-hosted websites infected with a backdoor, and more.
Anonymous targets German branch of Rosneft, steals 20TB of data
The German unit of Russian oil giant Rosneft was hit by a cyberattack on March 11, which impacted the company’s systems, but did not affect its business or supply situation.
The attack appears to be the work of the German branch of the international hacktivist collective Anonymous, which claims to have stolen 20TB of data from Rosneft Deutschland’s servers, including disk images of employee laptops and desktops, disk images of a mail server, archive files, software packages, manuals, and software license keys.
As proof of the intrusion the attackers posted screenshots showing corporate virtual machines and wiped iPhones. According to Anonymous, they have no intention of leaking the stolen data.
Ubisoft, Denso disclose cyberattacks
French video-game publisher Ubisoft confirmed it was hit by a cyberattack, which temporarily disrupted some of its services. The company said it found no evidence that customers’ personal information was affected due to the incident.
While Ubisoft did not share any details about who was behind the hack, the Lapsus$ data extortion group (known for its earlier leaks of data stolen from Samsung and Nvidia) hinted, on what is believed to be its Telegram channel, that it may be responsible for the incident.
Japanese automotive components manufacturer Denso also disclosed a cyber incident this week, in which malicious actors compromised systems at its German subsidiary. In a short statement the company gave few details about the intrusion, but said that the attack did not affect production activities.
Some media outlets reported that Denso may have been the victim of a new ransomware gang known as Pandora. Earlier in the week, the ransomware operators began leaking 1.4TB of data allegedly stolen from the automotive giant.
Israeli government websites disrupted by massive DDoS attack
Numerous Israeli websites, including several belonging to the country’s government, were hit by a massive cyberattack, which has already been described as the largest cyberattack ever carried out against Israel.
The affected websites include those of Israel’s Prime Minister’s Office and its interior, health, justice and welfare ministries. The Israel National Cyber Directorate (INCD) has acknowledged the incident on Twitter, without providing any additional details.
The attack targeted websites with the .gov.il domain used for all government websites, except for those relating to defense. Israeli news website Haaretz reported that following the attack the INCD and the Ministry of Defence declared a state of emergency to assess the extent of damage to critical Israeli websites and government infrastructure, such as Israel's power and water providers.
A backdoor found on hundreds of GoDaddy-hosted websites
Hundreds of WordPress websites hosted on GoDaddy's Managed WordPress platform have been infected with nearly identical backdoor payloads injected into wp-config.php. The backdoor is an SEO-poisoning tool that has been circulating in the wild since at least 2015: it generates spammy Google search results and includes resources customized to the infected site.
A spike in the malicious activity was observed by Wordfence researchers on March 11, with 298 websites infected by the backdoor within 24 hours. At least 281 of the infected websites were hosted on GoDaddy-owned Managed WordPress brands, including MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe.
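Because the infection lives in wp-config.php, a file that rarely changes and that site owners can baseline, a quick triage check is to scan it for code that a stock configuration never contains. The script below is an added example and is not Wordfence's or GoDaddy's code; the page does not describe the payload bytes, so it assumes the injected backdoor takes the usual shape of obfuscated PHP (an eval of a decoded blob) appended after the `wp-settings.php` include that normally ends the file. The two sample configurations are constructed for the demonstration.

```python
import re
from typing import List

# Obfuscation primitives that have no business in a stock wp-config.php.
# Assumption (not from the page): the SEO-spam backdoor is obfuscated PHP.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.IGNORECASE,
)
# A run of 120+ base64 characters is a strong hint of an embedded blob.
# WordPress salts are 64 characters and contain punctuation, so they don't trip this.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# A stock wp-config.php ends by loading wp-settings.php; code after it is a red flag.
SETTINGS_INCLUDE = re.compile(
    r"require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]"
)


def scan_wp_config(source: str) -> List[str]:
    """Return a list of human-readable findings for one wp-config.php body."""
    findings: List[str] = []
    lines = source.splitlines()
    settings_line = None
    for number, line in enumerate(lines, 1):
        if SETTINGS_INCLUDE.search(line):
            settings_line = number
        for match in SUSPICIOUS_CALLS.finditer(line):
            findings.append(f"line {number}: suspicious call {match.group(1)}()")
        if LONG_BASE64.search(line):
            findings.append(f"line {number}: long base64-like blob")
    if settings_line is not None:
        # Anything but comments or a closing tag after the include is injected code.
        for index in range(settings_line, len(lines)):
            stripped = lines[index].strip()
            if stripped and not stripped.startswith(("//", "#", "*", "/*", "?>")):
                findings.append(
                    f"line {index + 1}: PHP code after wp-settings.php include"
                )
                break
    return findings


# Constructed sample: a minimal clean configuration.
CLEAN_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'example' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed sample: the same file with an obfuscated payload appended after the include.
INFECTED_WP_CONFIG = CLEAN_WP_CONFIG + "eval(base64_decode('" + "QUFB" * 40 + "'));\n"


if __name__ == "__main__":
    for name, body in (("clean", CLEAN_WP_CONFIG), ("infected", INFECTED_WP_CONFIG)):
        print(name, scan_wp_config(body) or "no findings")
```

Run it against a real install with `scan_wp_config(open("wp-config.php").read())`; a non-empty result means the file needs a side-by-side diff against a known-good copy, not just the flagged lines removed, since the payload also drops resources elsewhere in the site.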
U.S. warns of Russian state-backed hackers exploiting MFA and PrintNightmare flaw
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint security advisory to warn organizations that Russian threat actors are using a combination of vulnerabilities to gain network access.
The advisory describes an attack carried out by an unnamed threat actor against a non-governmental organization (NGO), beginning “as early as May 2021,” in which the intruders used a misconfigured account left on default MFA settings to gain access to the target’s network.
The attackers then exploited the PrintNightmare flaw (CVE-2021-34527) to execute arbitrary code with SYSTEM privileges. Their goal was apparently to obtain information from the organization’s cloud storage and email accounts.