Schneider Electric Breach

NHI Mgmt Group

Attacker’s Motive

The motive was financial. The threat actor 'Grep' claimed responsibility for the attack on the social platform X and demanded a $125,000 ransom, to be paid in 'baguettes', in exchange for not leaking the stolen data. He also offered to halve the demand to $62,500 if the newly appointed CEO, Olivier Blum, publicly acknowledged the breach.

Impact of the Attack

The attacker used the MiniOrange REST API to exfiltrate 400,000 rows of user data, including 75,000 unique email addresses together with the full names of employees and customers.

Overview

In November 2024, Schneider Electric, one of the leading companies in energy and automation solutions, confirmed a significant cybersecurity incident involving unauthorized access to its internal project management system. The attacker used exposed credentials to gain access to Schneider Electric's Jira server and then used the MiniOrange REST API to extract roughly 40 GB of sensitive data.

Incident Analysis

Root Causes

Credential Exposure: the breach was possible because leaked credentials granted the attacker unauthorized access to the Jira server. No software vulnerability had to be exploited; valid credentials were enough.

Attack Vector

The threat actor, known as 'Grep', is a member of the 'Hellcat' ransomware group. He used the exposed credentials to log in to the organization's Jira server and then used the REST API to exfiltrate about 40 GB of data. Because the credentials were valid, the exfiltration looked like ordinary authenticated API traffic; what distinguished it was the volume of requests and the systematic paging through records.
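One detection a practitioner would want for this attack vector is a check for the scraping pattern behind the exfiltration: a single account making an unusually high number of successful REST API calls and walking a search result page by page. The following script is an added example, not code from the original page or from Schneider Electric. The log lines are constructed in a simplified combined-log layout rather than Jira's exact access-log format, and the endpoint names, account names and thresholds are illustrative assumptions.

```python
"""Flag bulk scraping of a Jira REST API from access-log lines.

Added example, not code from the original page or from Schneider Electric.
The log layout below is a constructed, simplified combined-log style
(ip, user, timestamp, request line, status, bytes); it is not Jira's exact
access-log format, and the thresholds are illustrative starting points.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"
REST_PREFIX = "/rest/api/"      # Jira's REST namespace (e.g. /rest/api/2/search)
WINDOW = timedelta(minutes=5)   # sliding window for the rate check
MAX_REST_CALLS = 50             # successful REST calls per user per window
MIN_PAGE_SWEEP = 5              # consecutive increasing startAt values


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    url = urlparse(rec["path"])
    rec["endpoint"] = url.path
    query = parse_qs(url.query)
    # startAt is the pagination cursor of Jira's search endpoint
    rec["start_at"] = int(query["startAt"][0]) if "startAt" in query else None
    return rec


def detect_bulk_rest(lines):
    """Return one alert per user whose successful REST traffic looks like a scrape."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200 and rec["endpoint"].startswith(REST_PREFIX):
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        # Rate check: largest number of calls inside any WINDOW-long span.
        lo, peak = 0, 0
        for hi, rec in enumerate(recs):
            while recs[lo]["ts"] < rec["ts"] - WINDOW:
                lo += 1
            peak = max(peak, hi - lo + 1)
        # Sweep check: longest run of strictly increasing startAt cursors,
        # the signature of walking every page of a search result.
        run, best, prev = 0, 0, None
        for rec in recs:
            cursor = rec["start_at"]
            if cursor is None:
                run, prev = 0, None
                continue
            run = run + 1 if prev is None or cursor > prev else 1
            prev = cursor
            best = max(best, run)
        reasons = []
        if peak > MAX_REST_CALLS:
            reasons.append(f"{peak} REST calls within {WINDOW}")
        if best >= MIN_PAGE_SWEEP:
            reasons.append(f"pagination sweep of {best} pages")
        if reasons:
            total = sum(r["bytes"] for r in recs)
            alerts.append({"user": user, "bytes": total, "reasons": reasons})
    return alerts


def sample_lines():
    """Constructed sample: one normal user and one account sweeping the search API."""
    base = datetime(2024, 11, 1, 3, 14, 0)
    lines = [
        f'10.0.0.5 alice [{base.strftime(TS_FMT)}] "GET /browse/PROJ-123 HTTP/1.1" 200 18231',
        f'10.0.0.5 alice [{(base + timedelta(seconds=40)).strftime(TS_FMT)}] '
        f'"GET /rest/api/2/issue/PROJ-123 HTTP/1.1" 200 4120',
    ]
    for i in range(60):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(
            f'203.0.113.9 svc-integration [{ts}] "GET /rest/api/2/search'
            f'?jql=project%3DPROJ&maxResults=100&startAt={100 * i} HTTP/1.1" 200 91000'
        )
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_rest(sample_lines()):
        print(alert["user"], f"{alert['bytes']:,} bytes", "; ".join(alert["reasons"]))
```

Both checks run per account rather than per IP, because an attacker with valid credentials can rotate source addresses but still has to authenticate as the same principal; in practice the thresholds should be tuned against a baseline of legitimate integration accounts, which often page through results too, only far more slowly.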

Post by the threat actor about Schneider Electric - Source: BleepingComputer

Sample of the data - Source: SANGFOR

Incident Response

The company engaged its incident response team to investigate and contain the breach, and stated that its products and services were not affected.

Recommendations

• Implement multi-factor authentication (MFA) so that a leaked password alone is not enough to log in.

• Regularly audit and rotate secrets, including service-account and API credentials, to limit the useful life of anything that leaks.

• Enforce strong, unique passwords for each account.

• Encrypt data at rest and in transit to reduce the impact of unauthorized access.

• Deploy tools that detect leaked credentials in real time, both in code repositories and in public leak sources.
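The last two recommendations are where tooling helps most: a secret scanner catches credentials that were committed or pasted into configuration before an attacker finds them. The following script is an added example, not code from the original page or from any product; its rules, placeholder list and sample configuration are constructed for illustration, and production scanners such as gitleaks or trufflehog ship far larger rule sets.

```python
"""Scan text for leaked credentials using keyword patterns plus an entropy check.

Added example, not code from the original page. The rules, placeholder list
and sample config are illustrative and constructed; real scanners such as
gitleaks or trufflehog ship far larger rule sets.
"""
import math
import re
from collections import Counter

# (rule name, regex with a named 'secret' group, minimum Shannon entropy in bits/char)
RULES = [
    ("assignment", re.compile(
        r'(?i)\w*(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*'
        r'["\']?(?P<secret>[^"\'\s]{8,})'), 3.0),
    ("basic_auth_url", re.compile(
        r'(?i)https?://[^/\s:@]+:(?P<secret>[^@\s]+)@\S+'), 0.0),
    ("auth_header", re.compile(
        r'(?i)authorization:\s*(?:basic|bearer)\s+(?P<secret>[A-Za-z0-9+/=_\-.]{16,})'), 3.0),
]
# Values that look like secrets syntactically but are obviously not real ones.
PLACEHOLDERS = {"changeme", "password", "example", "<redacted>", "xxxxxxxx"}


def shannon_entropy(s):
    """Bits of entropy per character; low values mean repetitive or trivial strings."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text):
    """Return findings for lines that look like they carry a real credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx, min_entropy in RULES:
            for m in rx.finditer(line):
                secret = m.group("secret")
                # Skip template references and well-known dummy values.
                if secret.startswith("${") or secret.lower() in PLACEHOLDERS:
                    continue
                # Low-entropy strings (e.g. "aaaaaaaa") are almost never real secrets.
                if shannon_entropy(secret) < min_entropy:
                    continue
                findings.append({
                    "rule": name,
                    "line": lineno,
                    "preview": secret[:4] + "..." + secret[-2:],  # never log the full secret
                })
    return findings


# Constructed sample config; none of these values are real credentials.
SAMPLE_CONFIG = """\
JIRA_BASE_URL=https://jira.example.internal
JIRA_USER=svc-integration
JIRA_PASSWORD=S3cr3t-Passw0rd-9f8e7d6c
ADMIN_PASSWORD=changeme
API_TOKEN="aaaaaaaaaaaaaaaa"
DB_PASSWORD=${DB_PASSWORD}
git remote add origin https://deploy:hunter2hunter2@git.example.internal/repo.git
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c29tZXRoaW5n.YWJjZGVmZ2hpamtsbW5vcA
LOG_LEVEL=debug
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['rule']} -> {f['preview']}")
```

Run against the sample, the scanner reports the Jira service-account password, the password embedded in the git remote URL and the bearer token, while ignoring the template reference, the placeholder and the all-'a' token. The finding carries only a redacted preview so that the scanner's own output does not become a second place where the secret leaks; whatever it reports should be rotated, not just deleted from the file, since the value remains in history.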

HellCat leak site claims three victims to date - Source: The Cyber Express