Hello, Habr!

We want to share a short selection of information security incidents from June 2020. To be clear up front, it does not claim to give a complete picture of everything that happened worldwide in information security. We cover only the incidents that Rexoft specialists found most interesting.

Gas stations in St. Petersburg

Fraudsters hacked gas station servers in St. Petersburg and stole fuel.

In total, they managed to carry out 417 free refuelings at 15 gas stations and steal more than 2 million rubles. To do this, they used a malicious program that destabilized the operation of the gas stations' servers. As a result, immediately after the required amount of fuel was dispensed, the money paid was automatically returned to the bank card of one of the criminals.

The attackers loaded the stolen fuel into a Gazelle truck with a 1,000-liter tank and then resold it in heavy truck parking lots.


LG Electronics

The Maze hacker group reported a successful attack on LG Electronics.

In a published press release, cybercriminals warned that the company would not try to recover lost data. As proof of the hack, the press release includes screenshots showing a list of firmware files and source code, as well as an SQL dump of one of the company's databases.

Source: https://cybleinc.com/2020/06/25/maze-ransomware-operators-claims-to-breach-lg-electronics-a-renowned-south-korean-multinational-electronics-company-data-leak/


Honda

Honda said it was the victim of a cyber attack involving ransomware. The incident affected some of the company's operations, including production systems outside of Japan.

According to preliminary data, one of the company's internal servers was infected by the Snake ransomware. This program blocks General Electric control systems used in industrial plants.

Researchers found a Snake sample on VirusTotal that checks Honda's mds.honda.com domain name. If the domain name cannot be resolved (that is, no IP address can be determined for it), the ransomware exits without encrypting any files. According to the researchers, this may indicate a targeted attack.



Telegram

A database containing the data of several million users of the Telegram messenger has appeared online; it is approximately 900 MB in size.

The Telegram press service confirmed the existence of the database, explaining that information is collected through the built-in contact import feature even when the user is registered. Company representatives added that no service that lets users communicate with contacts from their phone book can completely rule out this kind of enumeration.

The press service also emphasized that most of the “leaked” accounts are no longer relevant, and that the measures the company took in 2019 help users avoid exposing their number.



Elexon

The REvil cybercriminals published on their page confidential data from the electricity company Elexon, stolen during a cyber attack on May 14, 2020. The published data comprises 1,280 files, including Elexon employee passports and confidential company information.

The attackers exploited the CVE-2019-11510 vulnerability in an outdated version of the Pulse Secure SSL VPN server used by the company. Presumably, the company refused to comply with the extortionists' demands and restored its IT infrastructure from backups. After that, the attackers published the confidential company information.



Postbank

As a result of the actions of an insider who stole a master key in one of the data centers, South African Postbank will have to replace more than 12 million bank cards. The bank's own employees are behind the incident.

Postbank will be forced to reissue all customer cards ever generated with this master key. The bank believes that it will cost about $58 million. Both regular payment cards and social cards used to receive state social benefits will have to be replaced.


Claire and Intersport

A hacker group engaged in web skimming (also known as Magecart) compromised the online stores of the retailers Claire and Intersport and injected malicious code that recorded payment card details entered into payment forms.

The code injected by the cybercriminals intercepted all user data entered into forms and sent it to the server claires-assets(.)com. The domain was registered four weeks before the start of the attacks, specifically for this malicious campaign.
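A defender-side check for the pattern described above, as an added example that is not part of the original post: it reviews the destinations a checkout page talks to (for example, taken from CSP report-only violation reports or a proxy log) and flags any domain that carries the shop's brand name but is not on the allowlist. The hosts, the allowlist and the brand token are constructed assumptions.

```javascript
// Added example: flag off-allowlist destinations seen on a checkout page.
// All hosts are constructed (.test is a reserved TLD); the allowlist and
// brand token are assumptions for illustration.
const ALLOWED = ["exampleshop.test", "payments.test"];
const BRAND = "exampleshop";

// True when host is the domain itself or one of its subdomains.
function isUnder(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// destinations: URL strings from CSP "blocked-uri" fields or a proxy log.
// Returns one finding per distinct off-allowlist host.
function flagDestinations(destinations, allowed = ALLOWED, brand = BRAND) {
  const findings = new Map();
  for (const raw of destinations) {
    let host;
    try {
      host = new URL(raw).hostname.toLowerCase();
    } catch {
      continue; // CSP reports also carry keywords such as "inline" or "eval"
    }
    if (!host || allowed.some((d) => isUnder(host, d))) continue;
    // A brand name inside a domain the shop does not own (brand plus a
    // suffix such as "-assets") passes for first-party in a quick review.
    const kind = host.includes(brand) ? "lookalike" : "unlisted";
    if (!findings.has(host)) findings.set(host, { host, kind, count: 0 });
    findings.get(host).count += 1;
  }
  // Lookalikes first, then by request count.
  return [...findings.values()].sort((a, b) =>
    a.kind === b.kind ? b.count - a.count : a.kind === "lookalike" ? -1 : 1
  );
}

// Constructed sample of destinations observed from the checkout page.
const SAMPLE = [
  "https://www.exampleshop.test/js/checkout.js",
  "https://api.payments.test/v1/tokenize",
  "https://exampleshop-assets.test/img/pixel.gif?d=...",
  "https://exampleshop-assets.test/img/pixel.gif?d=...",
  "https://cdn.widgets.test/chat.js",
  "inline",
];

console.log(flagDestinations(SAMPLE));
```

A lookalike finding is a prompt to check the domain's registration date and whether anyone in the organization actually provisioned it.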


And what do you remember from June?