Understand what happened in the recent Endesa data breach, with expert insight from Outpost24’s threat intelligence team. The post New attack analysis: What you need to know about the Endesa data breach appeared first on Outpost24.
# Incident Report: Endesa Data Breach via Credential Compromise
## Executive Summary
In late 2024, the Spanish energy giant Endesa suffered a significant data breach involving the exfiltration of personal information belonging to over 5 million customers. The incident was facilitated by the use of compromised credentials to access an internal Salesforce environment. This breach highlights the critical risk posed by identity-based attacks on third-party SaaS platforms and the speed at which threat actors can operationalize leaked credentials.
## Incident Details
- **Discovery Date:** November 2024
- **Incident Date:** Mid-to-late 2024
- **Affected Organization:** Endesa (subsidiary of Enel)
- **Sector:** Energy / Utilities
- **Geography:** Spain
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately November 2024
- **Vector:** Valid Credential Usage
- **Details:** Threat actors utilized compromised administrative or high-privilege service account credentials to log into Endesa’s Salesforce customer relationship management (CRM) instance.
### Lateral Movement
- **Details:** While traditional lateral movement across a network was not the primary focus, the attackers moved vertically within the Salesforce environment, leveraging integration or analytics privileges to access broad datasets across different customer modules.
### Data Exfiltration/Impact
- **Details:** Attackers accessed and exported databases containing personally identifiable information (PII). The exfiltrated data included names, National ID numbers (DNI), addresses, contact information (phone numbers/emails), and bank account details (IBANs). The data was subsequently offered for sale on underground cybercrime forums.
### Detection & Response
- **How it was discovered:** Initial detection likely occurred through monitoring of underground forums where the dataset was advertised, followed by internal audits of Salesforce access logs.
- **Response actions taken:** Endesa initiated a password reset for affected users, revoked active tokens, and notified the Spanish Data Protection Agency (AEPD) and law enforcement.
## Attack Methodology
- **Initial Access:** Use of valid accounts (compromised credentials).
- **Persistence:** Not explicitly specified, though the use of API tokens or integration accounts often provides long-term access until revoked.
- **Privilege Escalation:** Attacker utilized accounts with high-level access to the CRM's reporting/exporting features.
- **Defense Evasion:** Use of legitimate credentials to blend in with normal administrative or automated traffic.
- **Credential Access:** Likely obtained via previous infostealer malware infections or third-party data leaks sold on the dark web.
- **Discovery:** Exploration of Salesforce objects and data export capabilities.
- **Lateral Movement:** Movement across SaaS modules and integrated data silos.
- **Collection:** Bulk export of customer records via CRM reporting tools.
- **Exfiltration:** Data transferred directly from the SaaS provider to attacker-controlled infrastructure.
- **Impact:** Massive data breach involving PII of millions of individuals.
## Impact Assessment
- **Financial:** Potential for significant GDPR fines from the AEPD and costs associated with customer notification and identity monitoring.
- **Data Breach:** Over 5.2 million records containing PII and banking information.
- **Operational:** No direct disruption to energy supply reported; impact centered on data privacy and IT security operations.
- **Reputational:** High public visibility due to the sensitivity of the sector and the volume of Spanish citizens affected.
## Indicators of Compromise
- **Network indicators:** Logins from atypical geographical locations or known VPN/proxy exit nodes (IPs not provided in source).
- **Behavioral indicators:**
- Unusual volumes of data exported from Salesforce via API or manual reports.
- Administrative logins during non-standard working hours.
- Access to sensitive customer tables by service accounts that typically perform automated tasks.
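The behavioral indicators above turned into simple detection rules, as an added example that is not part of the Outpost24 report: the log line format, the thresholds, the sensitive object names and the business-hours window are all constructed assumptions to be tuned to the tenant's own baseline.

```python
from datetime import datetime

# Constructed, simplified SaaS access-log records (hypothetical format, not a
# real Salesforce EventLogFile schema); each line is one login or export event.
SAMPLE_LOG = [
    "2024-11-03T09:12:00Z login  user=j.garcia    role=admin   country=ES rows=0",
    "2024-11-03T22:41:00Z login  user=j.garcia    role=admin   country=ES rows=0",
    "2024-11-04T02:15:00Z login  user=svc-billing role=service country=BR rows=0",
    "2024-11-04T02:20:00Z export user=svc-billing role=service object=Contact rows=4800000",
    "2024-11-04T10:00:00Z export user=a.lopez     role=analyst object=Case rows=1200",
]

SENSITIVE_OBJECTS = {"Contact", "Account", "Payment_Method"}  # assumed object names
ALLOWED_COUNTRIES = {"ES"}        # assumption: staff normally log in from Spain
BUSINESS_HOURS = range(7, 20)     # assumption: 07:00-19:59 UTC is normal admin activity
EXPORT_ROW_THRESHOLD = 100_000    # assumption: tune to the tenant's usual export size

def parse_event(line):
    """Parse one constructed log line into a dict of fields."""
    ts, action, *pairs = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "action": action}
    ev.update(pair.split("=", 1) for pair in pairs)
    ev["rows"] = int(ev.get("rows", 0))
    return ev

def detect(events):
    """Apply the four behavioral rules; return (rule, user) findings in log order."""
    findings = []
    for ev in events:
        who = ev["user"]
        if ev["action"] == "login":
            # Administrative logins outside the expected working window
            if ev["role"] == "admin" and ev["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_admin_login", who))
            # Logins from locations the organisation does not expect
            if ev.get("country") not in ALLOWED_COUNTRIES:
                findings.append(("atypical_geo_login", who))
        elif ev["action"] == "export":
            # Unusually large export volume in a single operation
            if ev["rows"] > EXPORT_ROW_THRESHOLD:
                findings.append(("bulk_export", who))
            # Automated service accounts touching sensitive customer tables
            if ev["role"] == "service" and ev.get("object") in SENSITIVE_OBJECTS:
                findings.append(("service_account_sensitive_access", who))
    return findings

def run():
    return detect(parse_event(line) for line in SAMPLE_LOG)

if __name__ == "__main__":
    for rule, user in run():
        print(f"{rule}: {user}")
```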
## Response Actions
- **Containment measures:** Forced password resets for internal staff and revocation of integration tokens.
- **Eradication steps:** Audit of Salesforce permissions to ensure the principle of least privilege.
- **Recovery actions:** Notification of affected customers and coordination with national cybersecurity authorities.
## Lessons Learned
- **SaaS Visibility Gap:** Organizations often lack the same level of logging and alerting for SaaS platforms (like Salesforce) as they do for on-premise infrastructure.
- **Service Account Risks:** High-privilege service or integration accounts are prime targets because they often bypass Multi-Factor Authentication (MFA) and have broad data access.
- **Credential Proactivity:** Monitoring the dark web for leaked company credentials can prevent a breach before the adversary uses the access.
## Recommendations
- **Enforce MFA:** Implement strict Multi-Factor Authentication for all users, including third-party contractors and, where possible, programmatic access.
- **Leaked Credential Monitoring:** Utilize threat intelligence services to monitor for exposed corporate credentials on the dark web.
- **Least Privilege:** Limit the data export capabilities of CRM users and service accounts to the absolute minimum required for their roles.
- **SaaS Security Posture Management (SSPM):** Implement tools to audit SaaS configurations and detect anomalous data access patterns.