Russian IT firm previously praised by Sberbank leaks its admin password stash


Evotor, which specializes in cash registers and business management services, has leaked sensitive credentials that exposed the company to sophisticated cyberattacks, including ransomware.

The Cybernews research team discovered that Evotor, one of the largest IT suppliers for the Russian retail industry, had exposed an environment file containing sensitive credentials and tokens.


By abusing them, threat actors could gain access to sensitive company data and customer communications.

But before we dig into the investigation, let me tell you why Evotor caught our attention in the first place.

A Russian IT firm under the spotlight

Not that long ago, Sberbank, a Russian majority state-owned banking company and the biggest lender in Russia, owned a solid 69% share in Evotor.

In February 2021, when it bought a 29% stake in the company, Lev Khasis, First Deputy Chairman of the Executive Board at Sberbank, said he was satisfied with Evotor’s performance and the speed of evolution: “Evotor is a valuable and strategically important asset for our ecosystem, and we have big plans for it.”

In 2020, with 6.6 billion rubles (approx. $85 million) in revenue, it was the second largest IT supplier in the Russian retail market. In 2021, it increased its revenue by 34.4%, placing it on the list of Russia's 100 largest IT companies.

Despite Evotor’s success in the market, Sberbank got rid of it last June. It decided to divest some of its non-core assets after being sanctioned by the Treasury following Russia’s full-scale invasion of Ukraine.

Evotor has now activated 950,000 cash registers in Russia, for restaurants, supermarkets, couriers, transportation firms, car repair shops, and medical clinics, among other clients.


Admin password leak

The exposed environment file contained various databases, Redis, and Zendesk credentials.

Data leaked included:

  • The database named “Host Evo3” host, port, name and password
  • The database “Host Billing” host, port, name and password
  • The database “Host Inventory” host, port, name and password
  • Zendesk username, subdomain and token
  • Redis port and host

By abusing the database and Redis credentials, threat actors could gain unauthorized access to the databases. According to our researchers, it would be relatively easy to do so in this case, since the database hosts are reachable from the internet.

The leaked Zendesk credentials would allow attackers to access customer support data and other customer communications. Zendesk, a popular software-as-a-service (SaaS) customer relationship management (CRM) platform, is an attractive target for cybercriminals because of the amount and type of data it holds.
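As an added example (not code from Cybernews or Evotor), the following Python script triages a leaked .env-style file of the kind described above: it lists which keys hold secrets that must be rotated and flags service hosts that are neither loopback nor private addresses. The file contents and key names are constructed to mirror the categories listed above and are assumptions.

```python
"""Triage an exposed .env-style file: which keys hold secrets to rotate and
which service hosts are not loopback/private. Sample input is constructed."""
import ipaddress
import re

# Constructed sample mirroring the article's categories; key names are assumed.
SAMPLE_ENV = """
DB_EVO3_HOST=evo3-db.example.invalid
DB_EVO3_PORT=5432
DB_EVO3_NAME=evo3
DB_EVO3_PASSWORD="not-a-real-password"
DB_BILLING_HOST=10.0.0.5
DB_BILLING_PASSWORD=not-a-real-password
ZENDESK_SUBDOMAIN=example
ZENDESK_USER=support@example.invalid
ZENDESK_TOKEN=not-a-real-token
REDIS_HOST=127.0.0.1
REDIS_PORT=6379
"""
# Keys whose value is a credential and must be rotated after exposure.
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|TOKEN|SECRET|API_?KEY)$", re.I)

def parse_env(text):
    """Minimal dotenv parser: KEY=VALUE lines, '#' comments, optional quotes."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith("#"):
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def host_exposure(host):
    """Loopback/private IP literals are internal; anything else gets 'review'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "review"  # hostnames cannot be classified offline
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "review"

def triage(text):
    """Return the keys to rotate and an exposure label for each *_HOST entry."""
    env = parse_env(text)
    rotate = sorted(k for k in env if SECRET_KEY_RE.search(k))
    hosts = {k: host_exposure(v) for k, v in env.items() if k.endswith("_HOST")}
    return {"rotate": rotate, "hosts": hosts}
```

Hosts labelled "review" are the ones to check for internet reachability and firewall off; every key under "rotate" should be treated as compromised and replaced.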

Evotor data leak. Cybernews

What’s at stake?

“The nature and amount of information leaked by Evotor could have been particularly critical because it would make it rather easy for several attacks to be made against the website and its users,” Cybernews researchers said.

Given the treasure trove of leaked credentials, attackers could get their hands on the bulk of the company's client data, as well as business information such as inventory and financial data.

“All this data exposed could enable threat actors to carry out many kinds of attacks on the Russian IT company including sophisticated social engineering attacks such as phishing and scam marketing campaigns as well as malware and ransomware attacks,” researchers noted.

The credentials are no longer exposed to the public. However, given how fast attackers can scan the internet for vulnerabilities and leaks, we recommend that Evotor, and any company with similar issues, not only secure the data but also rotate the credentials to avoid a ripple effect.

After the article was published, Evotor sent us the following comment: "We do not confirm the information about a data leak that can be used to gain unauthorized access to Evotor resources, stated in the Cybernews publication. Also, our company doesn't have the public servers and databases mentioned in the article, and the Zendesk service has not been used for a long time. Thus, there is no threat to the security of our customers' data or the operability of Evotor's services."
