Focus Mode
Threat Research

Telefonica Breach: Infostealer Malware Opens Door for Social Engineering Tactics

admin
Telefonica Breach: Infostealer Malware Opens Door for Social Engineering Tactics
Telefonica has confirmed a significant data breach involving unauthorized access to its internal ticketing system, resulting in the extraction of sensitive employee and operational data. The breach was facilitated by infostealer malware and social engineering tactics, compromising over 15 employees and exposing 24,000 email addresses, 500,000 JIRA issues, and 5,000 internal documents. Affected: Telefonica

Keypoints :

  • Telefonica confirmed a breach in their internal ticketing system.
  • Unauthorized access led to a significant data leak of sensitive information.
  • The breach involved infostealer malware and social engineering tactics.
  • Over 15 employees were compromised, providing critical credentials to attackers.
  • Attackers used compromised employee accounts to gain access to the JIRA platform.
  • The Hellcat group employed social engineering to expand their access.
  • 24,000 employee emails and names were exposed.
  • 500,000 JIRA issues and summaries were scraped and exfiltrated.
  • 5,000 internal documents were stolen, containing confidential information.
  • Over 531 employee computers were infected by infostealers in 2024 alone.
  • Approximately 66% of passwords found were weak, indicating poor cyber hygiene.
  • There were 4,200 instances of third-party credential infections.

MITRE Techniques :

  • Credential Dumping (T1003): Attackers used infostealer malware to extract credentials from infected employee computers.
  • Phishing (T1566): Social engineering tactics were employed to trick employees into revealing sensitive information.
  • Exploitation of Public-Facing Applications (T1190): Initial access was gained through a compromised JIRA platform.
  • Brute Force (T1110): Attackers attempted to brute-force SSH access after obtaining server information from targeted employees.

Indicator of Compromise :

  • [url] https://jira.globalsap.telefonica.com
  • [ip address] 190.237.119.41
  • [others ioc] 24,000 employee emails and names
  • [others ioc] 500,000 JIRA issues and summaries
  • [others ioc] 5,000 internal documents
  • Check the article for all found IoCs.

Full Research: https://www.infostealers.com/article/telefonica-breach-infostealer-malware-opens-door-for-social-engineering-tactics/

Tags: INITIAL ACCESS, LEARN, ACTIVE DIRECTORY, EXPLOIT, SOCIAL ENGINEERING, EMAIL, CREDENTIAL, CLOUD