[BreachExchange] Power Company Has Security Breach Due to Downloaded Game

Destry Winant destry at riskbasedsecurity.com
Fri Feb 8 09:07:37 EST 2019


https://www.bleepingcomputer.com/news/security/power-company-has-security-breach-due-to-downloaded-game/

South African energy supplier Eskom Group has been hit with a double
security breach consisting of an unsecured database containing
customer information and a corporate computer infected with the
Azorult information-stealing Trojan.

According to Eskom's web site, they are an energy company based out of
Johannesburg in South Africa that supplies 95% of the electricity used
in South Africa and approximately 45% of the electricity used in
Africa.

Based on information provided to BleepingComputer, these breaches
exposed Eskom's network credentials, customer information, redacted
customer credit card information, and sensitive business information.

It all started when security researcher .sS.! discovered data
belonging to Eskom that was stolen by the Azorult password-stealing
Trojan. .sS.! commonly searches for infected corporate machines and
contacts the affected companies so that they can clean up their
infections.

.sS.! attempted to notify Eskom through Twitter by sending the following tweet:

In their initial reply, Eskom told the researcher that this was not an
account associated with Eskom.

Based on information shared with BleepingComputer by .sS.!, the stolen
data does indicate that it belongs to a user who has access to Eskom's
internal network was compromised by Azorult. This data contains
passwords for logging into the Eskom network, corporate email
accounts, a screenshot of the victim's desktop during the Trojan
install, and other sensitive information.

It is not known if they are a remote user or an internal user at this
time. information from the stolen data indicates that it is an
enterprise computer.

After continued pressure from .sS.!, other security researchers, and
emails from the press, Eskom finally acknowledged the infected
computer and replied that they are investigating the issue.

Infection caused by downloaded game

According to a screenshot created by Azorult when it was installed,
the infection was masquerading as a downloader for The Sims 4 game.

Downloading copyrighted software has always been a common source for
computer infections, but over the last few months has increasingly
become more problematic. Not only are Trojans such as Azorult being
distributed through fake crack and warez sites, but the STOP
Ransomware has also been heavily distributed through them as well.

These warez/crack sites offer adware bundles that supposedly install
the desired software. When executed, though, they also install other
unwanted software such as ransomware, Trojans, adware, and unwanted
browser extensions.

An example of one of these adware bundles disguised as a KMSPico
Windows crack can be seen below. This particular crack was used to
install the STOP Ransomware.

Data breach from unsecured database

To make matters worse, a security researcher by the name of Devin
Stokes found an unsecured database belonging to Eskom that had been
publicly available for weeks.

>From screenshots shared by Stokes, this database contained customer
information, redacted payment information, meter information, and
other sensitive details.

After repeated attempts to contact them in order to disclose the data
breach, Stokes  publicly tweeted a portion of the data to the Eskom
Twitter account in order to get a response.

In response, Eskom finally replied that they were investigating the
matter. In addition, when BleepingComputer contacted Eskom, we
received the following statement:

"Eskom’s Group IT is conducting investigations to determine whether
sensitive Eskom information was compromised as a result of this
incident. We will comment fully once the investigation is concluded."


More information about the BreachExchange mailing list