Le Journal

Un attaquant peut provoquer une erreur fatale de net.minidev:json-smart, du 16/04/2025, afin de mener un déni de service. Voir en ligne : https://vigilance.fr/vulnerabilite/...

Several vulnerabilities were announced in Oracle products. View online : https://vigilance.fr/vulnerability/...

An attacker can use several vulnerabilities of Oracle Database, dated 16/04/2025. View online : https://vigilance.fr/vulnerability/...

Un attaquant peut employer plusieurs vulnérabilités de Oracle Database, du 16/04/2025. Voir en ligne : https://vigilance.fr/vulnerabilite/...

Following the recent cyberattack on Endesa, one of Spain's largest electricity and gas providers, Outpost24's threat intelligence team has compiled a comprehensive analysis of the incident based on publicly available evidence from underground forums, leaked dataset listings, and the threat actor's own statements. The analysis examines the likely initial access vector, the probable origin of the data, and the broader security implications associated with compromised credentials and privileged access. What we know about the Endesa data breach In early January 2026, a threat actor began advertising the sale of a database allegedly belonging to Endesa. According to the seller, who uses the aliases "glock" and "spain", the database contains personal and financial information relating to more than 20 million individuals and offered it for sale on underground forums specializing in database trading. On January 11, 2026, Endesa confirmed in a statement that it had detected evidence of unauthorized and illegitimate access to certain personal data of customers related to their energy contracts. The company stated that password data was not compromised and that, at the time of disclosure, there was no evidence of the exposed data being used fraudulently. Endesa did, however, urge impacted customers to remain vigilant against potential phishing or spam campaigns. Endesa reported that the attackers accessed and likely exfiltrated basic customer identification information, contact details, national identity numbers, contractual information, and payment details, including IBANs. To date, the company has not reported operational outages or system disruption beyond the unauthorized extraction of data. Affected individuals have been notified, including customers of Endesa's gas distributor, Energía XXI. At the time of this analysis, no threat actor has been formally attributed to the incident. How the breach likely occurred The analysis below reflects Outpost24's threat intelligence team's assessment of the most likely attack path, based on observed threat actor behavior, leaked datasets, and technical indicators consistent with credential-based access and backend data extraction. Initial access vector via compromised legitimate credentials: The threat actor's own statements, specifically "I also do cracking as a service" and "Don't blame me for my work; blame your employees for not doing theirs," strongly suggest that initial access was obtained through compromised credentials. This would have enabled the attacker to perform lateral movement across internal systems with minimal resistance and potentially access privileged information directly. Data exfiltration without encryption or operational disruption: Although there are references to attempted negotiations and implied pressure tactics regarding the potential sale or disclosure of the data, there is no evidence of encryption, ransomware deployment, or destructive activity. All signs indicate this was a breach focused exclusively on exfiltration rather than disruption or extortion through encryption. Salesforce Customer Relationship Management (CRM) platform likely involved: Based on the files listed in the threat actor's publications, it is possible that the data was exfiltrated using a Salesforce backend data extraction mechanism, most likely accessible via compromised employee or service credentials with elevated Application Programming Interfaces (API) and integration privileges. The inclusion of Change Event objects, Data Lake model tables, and enriched datasets indicates access beyond standard CRM usage, pointing to integration and analytics roles. Threat actor behavior and analysis Analysis of underground activity and observed behavior provides insight into the likely characteristics, intent, and capabilities of the individual behind the data sale. Endesa data breach DarkForums post Threat actor profile: Several indicators suggest the activity is attributable to a lone,…