On November 29, the LDLC Group issued a press release about a “cyber security incident.” That release is no longer accessible today, but the incident is mentioned in the group’s report published on December 13, 2021. According to that document, the incident was “detected” and “resulted in unauthorized access to company data”. LDLC nevertheless states that the incident “did not have any impact on the group’s business operations”. The attackers, the Ragnar Locker group, confirm this.
Many terabytes of data were stolen
During the attack on Dassault Falcon Jet, we had a direct exchange with the group. The group got in touch with LeMagIT again following the cyberattack against LDLC.
In this new exchange, Ragnar Locker told us that it had been “reading and downloading data on the LDLC network for several months.” About 4 TB of data was collected. Templates of important ESXi virtual machines were exfiltrated, including some that LDLC listed as “not compromised” in its public statements.
The e-commerce group had previously acknowledged that the attackers could have “consulted some personal data”, but maintained that “this is by no means about important information about the customers of the group’s commercial websites.”
On December 9, the cybercriminals made nearly 2 TB of compressed data taken from the French e-commerce group’s information system available for download, which indicates that no ransom was paid.
By their own admission, however, the attackers appear to have been detected before they could deliver the final blow and trigger encryption: “We did not encrypt their data, we downloaded it. As soon as their security team detected our activity – you can see from the screenshots – we left the computer.” The screenshots the cybercriminals released during the events were therefore not a bluff; they were almost a privilege.
But without encryption, no ransom note appears automatically the way it would after a ransomware detonation: “One of our team members should have left the notes, but he did not. We phoned their offices and sent emails, but for media reasons or some other reason – we do not know exactly – all the staff were disconnected and did not respond to the emails.”
Theft of browser credentials
The attackers told us how they obtained their initial access to the LDLC Group’s VPN server: “One of the staff’s workstations. The stealer [malware used in particular to steal authentication data, editor’s note] also retrieved passwords stored in his web browser.” From there, they elevated their privileges to Active Directory domain administrator and took the opportunity to access the virtualized environment through VMware vSphere.
The Ragnar Locker group has previously been observed using Cobalt Strike beacons and RDP to move through its victims’ information systems, and HandyBackup for data exfiltration. As the LDLC case shows once again, the volume of stolen data can be substantial.
The stealer used was not named to us, but there is no shortage of such malware marketed as a service: RedLine or Raccoon Stealer, not to forget Azorult, which was still being distributed recently, as noted by analyst Max Gerston.
We asked LDLC to find out more about how the attackers’ presence in the information system was detected, and to obtain its version regarding the duration of the intrusion. To date, our requests have received no positive response.