Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Shell. Show all posts

Shell Data Breach: Hacker Group 888 Claims Responsibility

 



A hacker group known as 888 has claimed responsibility for a data breach targeting Shell, the British multinational oil and gas company. The breach, allegedly impacting around 80,000 individuals across multiple countries, has raised significant concerns about data security within the organisation.

The compromised data includes sensitive information such as shopper codes, names, email addresses, mobile numbers, postcodes, site addresses, and transaction details. This information reportedly pertains to Australian users, specifically linked to transactions at Reddy Express (formerly Coles Express) locations in Australia. The hacker, using the pseudonym Kingpin, shared samples of the data on a popular hacking forum, indicating that the breach occurred in May 2024.

The breach affects individuals in several countries, including the United States, United Kingdom, Australia, France, India, Singapore, the Philippines, the Netherlands, Malaysia, and Canada. The extensive range of affected regions stresses upon the potential severity and widespread implications of the breach for Shell’s customers and stakeholders.

At present, there has been no official statement from Shell confirming the breach. The Cyber Express reached out to Shell for verification, but no response has been received. This lack of confirmation leaves the authenticity of the claims uncertain, though the potential risks to those involved are considerable.


This is not the first time Shell has faced cyberattacks. In the past, the company experienced a ransomware attack and a security incident involving Accellion’s File Transfer Appliance. These past events highlight the persistent threat cybercriminals pose to the energy sector.


In response to previous incidents, Shell emphasised its commitment to cybersecurity and data privacy. The company has initiated investigations into the recent claims and is working to address any potential risks. Shell has also engaged with relevant regulators and authorities to ensure compliance with data protection regulations and to mitigate the impact of any breaches.


The situation is still unfolding, and The Cyber Express continues to monitor the developments closely. 


The alleged Shell data breach by hacker group 888 serves as a reminder of the vulnerabilities that even large multinational corporations face in the digital age. As investigations continue, the importance of robust cybersecurity measures and vigilant monitoring cannot be overstated.


Effluence Backdoor: A Lingering Menace in Atlassian Confluence Servers

According to current cybersecurity developments, despite intensive efforts to patch vulnerabilities in Atlassian Confluence servers, the infamous Effluence backdoor remains a persistent danger. Because of this online shell's invisibility and the possible threats it poses to companies, security experts and researchers have expressed alarm.

Effluence, a covert backdoor identified in Atlassian Confluence servers, has been a focal point in the cybersecurity community due to its ability to evade detection and persist even after patching. Reports from prominent sources like The Hacker News and OPP Today reveal that despite efforts to secure Confluence servers, the Effluence backdoor remains active, allowing unauthorized access and potential exploitation.

TS2 Space, a cybersecurity platform, sheds light on the clandestine nature of the Effluence backdoor, emphasizing its stealthy capabilities. The backdoor's ability to operate without authentication makes it a formidable threat, enabling hackers to infiltrate systems undetected. This characteristic poses a significant challenge for organizations relying on Atlassian Confluence for collaborative work, as the backdoor can potentially compromise sensitive data and lead to severe security breaches.

Aon Cyber Labs has been at the forefront of efforts to detect and mitigate the Effluence backdoor. Their insights into unauthenticated Confluence web shell attacks provide valuable information for organizations looking to fortify their cybersecurity defenses. The challenge lies not only in patching known vulnerabilities but also in actively identifying and eliminating instances of the Effluence backdoor that may have already infiltrated systems.

Concerns have been raised by cybersecurity specialists regarding a possible link between ransomware attacks and Effluence. Effluence poses increased threats, since hackers may use it as a doorway to spread ransomware and extort businesses for money. This rise in risks emphasizes how urgent it is for businesses to take comprehensive and quick action against the Effluence backdoor.

The Effluence backdoor's continued existence is a sobering reminder of the difficulties businesses confront in protecting their digital infrastructure as the cybersecurity scene changes. Proactive patching, ongoing monitoring, and strong detection methods are just a few of the many strategies needed to combat this danger. Preventing possible breaches is crucial for preserving the security and integrity of organizational data in an era where cyber threats are growing more complex.


Shell Confirms MOVEit-based Hack After the Threat Group Leaks Data


The CIOp ransomware gang has targeted a zero-day vulnerability in the MOVEit managed file transfer (MFT) product, acquiring data of at least 130 companies that had been utilizing the solution. At least 15 million people are thought to have been affected as of now.

CIOp , the Russia-based cybercrime gang has now started to expose its victim organizations that have refused to negotiate with its demands. Apparently, the victims’ names have been exposed on its leak website, will Shell being the first company to be revealed.

Following the leak, Shell confirmed being affected by the MOVEit attack. In a statement published on Wednesday, the company clarified that the MFT software was “used by a small number of Shell employees and customers.”

“Some personal information relating to employees of the BG Group has been accessed without authorization,” it added.

Shell confirmed the incident only after the Cl0p hacking gang disclosed files allegedly taken from the company. The fact that the group made 23 archive files with the label "part1" public may indicate that they have access to more information.

Following this discloser, the ransomware gang added that they did so since the company refused to negotiate.

However, it is yet not particularly clear of what information has been compromised. Although, the firm confirmed to have informed the affected victims.

Moreover, toll-free phone numbers have been made available to employees in in Malaysia, South Africa, Singapore, Philippines, UK, Canada, Australia, Oman, Indonesia, Kazakhstan, and Netherlands. Thus, indicating that the affected individuals are more likely to be from these countries.

Since no file-encrypting software was used in the attack, Shell noted that "this was not a ransomware event" and that there is no proof that any other IT systems were impacted.

It is worth mentioning that this was not the first time that Shell has been targeted by the CIOs group, since in 2020 the threat actors targeted the company’s Accellion file transfer service. The company noted that during this hack the hackers stole their personal and corporate data.

Some of the other notable companies targeted by the latest MOVEit exploit includes Siemens Energy, Schneider Electric, UCLA, and EY.

It has also been confirmed by some government organizations that they as well were impacted by the hack, while the ransomware group claims to have deleted all the data acquired from such entities.  

Oil Industry Giant Shell Under Siege: Clop Group's Ransomware Attack Exposes Vulnerabilities

 


A zero-day vulnerability in MOVEit software has been exploited by the Clop ransomware attack that targets Oil and Gas giant Shell and has been used to mount the attack. Threat actors have been actively exploiting the vulnerability, identified as CVE-2023-34362, to steal data from organizations throughout the world. This is to gain access to sensitive information. Shell is investigating this security breach to determine whether it affected the company's core information technology systems or not. 

The Clop gang has targeted Shell's file transfer service for the second time since being infiltrated by the Clop gang in 2013. They broke into the company's global network of more than 80,000 employees and reported revenues of $381 billion.

It has been reported that Shell US spokesperson Anna Arata has been informed that a cyber security incident has affected a third-party software program from Progress called MOVEit Transfer, which is used by some Shell employees and customers. Arata stated that "so far, there has been no evidence that damage has occurred to Shell's core information systems." In addition, she mentioned that Shell's IT teams are trying to identify any risks and take the appropriate action to manage them.

In Rapid7's investigation undertaken on May 31, the experts discovered that approximately 2,500 instances of MOVEit Transfer were publicly accessible online. A large number of them were located in the United States. Currently, there are 127 installations in the UK, and the number is rising. 

Hundreds of people in the United Kingdom have been affected by Clop's MOVEit hack. There are many victims in this attack, including the international broadcaster BBC, the airlines British Airways and Aer Lingus, the retail pharmacy Boots, and even the agency that regulates the country's communication system, Ofcom. 

Even though Shell and Ofcom appear to use limited settings of the MOVEit tool, they do seem to be significantly less affected by the breach. 

As a result of the attack, Ofcom has announced that a certain amount of confidential information about companies whose activities it regulates has been downloaded, but some of it is confidential. The Ofcom also performed a data download on 412 Ofcom employees who had been affected by the breach. 

In another episode of Clop's ongoing ransomware campaign, the UK's regulator for communication, Ofcom, has been targeted by the attack. The hack of payroll services provider Zellis is known to have caused yet another data breach to make the headlines in recent months. 

As part of its payroll processing services provided by Zellis, the company used a personalized MOVEit Transfer instance to exchange files with tens of different companies via the payroll processor. Accordingly, a lot of companies would likely be affected by this change.

The Daily Telegraph reported that Transport for London had warned up to 13,000 drivers that their data had been stolen in the incident. It said that up to half of the drivers' data may have been breached. Several contractors in the city operated the city's congestion charges and parking charges schemes as a consequence of the incident. 

A BBC report stated that professional services firm EY was also impacted by the crisis. The exact nature of the Zellis account can not be ascertained, or if EY used MOVEit Transfer directly instead of Zellis. Two Zellis users - the BBC and British Airways - have confirmed to me that their whole payroll systems may have been compromised as their data may have been hacked. 

A gang of hackers called Clop targeted Shell for the first time in 2021 when they hacked Accellion's file transfer appliance. This was part of a scheme to extort companies using the appliance. Threatening the leak of sensitive information that had been stolen was the method used to achieve this. 

There was a widespread impact on more than 100 organizations worldwide as a result of the attack on Accellion, including numerous American universities and Bombardier, a Canadian aerospace company. 

In April of this year, Clop exploited a vulnerability in the Fortra product GoAnywhere file transfer product, which could be exploited by third parties. According to the group, the system enabled them to steal data from more than 130 companies, governments, and organizations for extortion. They used the stolen data to extort money.

There has been a second vulnerability in Progress' operating system affecting the popular MOVEit tool. This vulnerability was announced last week by the company that develops the software. There have been several announcements recently about breaches caused by program problems.

In an attempt to extort ransom money from Shell, a prominent name in the oil industry, a ransomware attack was recently launched by Clop, a group that is associated with the NSA. The incident has brought to light the vulnerability that exists within the company's information security infrastructure and has exposed several vulnerabilities.

Regardless of how big or how well-known an organization is, cyber threats can pose an existential threat to any organization regardless of size or reputation. As a result of the attack, the oil industry needs to strengthen its cybersecurity procedures and develop proactive risk management strategies that will protect them from potential threats. This incident can be seen as a lesson for Shell and the rest of the industry to strengthen their digital defenses. This will prevent future cyberattacks from affecting critical operations.

Shell’s Employees’ Visas Dumped Online as part of Extortion Attempt

 



Royal Dutch Shell became the latest corporation to witness an attack by the Clop ransomware group. The compromised servers were rebuilt and brought into service with a new Accellion security patch; the security patch eliminates the vulnerabilities and enhances security controls to detect new attacks and threats. 

"A cyber incident impacted a third-party, Accellion, software tool called the File Transfer Appliance (FTA) which is used within Shell," stated Shell spinner. In a statement last week, Shell confirmed that it too was affected by the security incident but it has only affected the Accellion FTA appliance which is used to transfer large data files securely by the company. 

In an attempt to bribe the company into paying a ransom, the criminals behind the malware have siphoned sensitive documents from a software system used by Shell and leaked some of the data online, including a set of employees' passports and visa scans. The idea being that once the ransom is paid, no further information will be released into the public domain. 

As stated by Shell, the data accessed during a “limited window of time” contained some personal data together with data from Shell companies and some of their stakeholders. The company to downplay the impact stated that “there is no evidence of any impact to Shell’s core IT systems,” and the server accessed was “isolated from the rest of Shell’s digital infrastructure.” But it did acknowledge that the crooks had probably grabbed “some personal data and data from Shell companies and some of their stakeholders.” 

Previously this month, files from infosec outfit Qualys, including purchase orders, appliance scan results, and quotations also surfaced on the extortionists' hidden site. Other victims include Canadian aerospace firm Bombardier, which had details of a military-grade radar leaked, London ad agency The7stars, and German giant Software AG.

The group has now posted several documents to its Tor-hidden website, including scans of supposed Shell employees' US visas, a passport page, and files from its American and Hungarian offices, in order to persuade Shell to compensate the hackers and prevent more stolen data from leaking. 

According to BleepingComputer, to stack up the pressure, the Clop gang now e-mails its victims' to warn them that the data is stolen and will be leaked if a ransom is not paid.