Arzleck

🚨 STRATEGIC CYBER INTELLIGENCE ALERT: ACTIVE INTRANET COMPROMISE AND CREDENTIAL EXPOSURE — REMSA S.A. (ARGENTINA) 🇦🇷 ⚠️ THE "DARK-NOTES" GROUP EXPLOITS THE SALTA ENERGY AND MINING PORTAL USING SQLi EVASION TECHNIQUES Through perimeter monitoring of cybercriminal dissemination channels and data exfiltration linked to the DARK-NOTES campaign, the active intrusion and exposure of the intranet portal of Recursos Energéticos y Mineros de Salta, S.A. (REMSA) (remsa .gob.ar), a publicly traded company with majority state ownership that manages energy and mining resources in the province of Salta, Argentina, was detected on May 27, 2026. The attack has been attributed to the DARK-NOTES campaign threat actor, operating under the alias Azazel_A-01. Unusually and concerningly, the attacker distributed a 7-minute, 10-second demonstration video (approximately 60 MB) documenting the exploitation process step by step. In their communications, the actor describes the compromise in a mocking tone, comparing the security of the state infrastructure to "a Hack The Box (HTB) machine" due to the ease of exploitation via SQL injection (SQLi). 🎯 Affected Entity: Salta Energy and Mining Resources S.A. 👤 Threat Actor: DARK-NOTES 📂 Volume and Evidence Exposed: Screenshot of the "People" table with detailed demographic data. Screenshot of the system's "Users" list with administrative profiles. A 7:10-minute proof-of-concept (PoC) video detailing the technical intrusion. ⚙️ Incident Type: Successful SQL Injection (SQLi), Intranet Compromise, Exposure of Billing and Human Resources Data. 📊 TECHNICAL ANALYSIS AND CRIMINAL TACTICS (TTPs) The video and graphical samples released by the attacker expose severe flaws in the web application's security design and reveal the evasion methodology used: 💻 Web Application Firewall (WAF) Bypass: The attacker indicates having exploited the intranet's input parameter using the automated tool SQLmap, applying advanced signature evasion tactics. Techniques detailed by the actor: Use of tamper scripts such as `--tamper=space2comment` (which replaces whitespace in queries with block comments `//` to confuse the WAF) and the addition of controlled time delays (`--delay`) to avoid automatic blocking based on the rate of suspicious requests. 🗄️ Compromise of the Administrative Panel (REMSA Intranet): "People" Table: Exposes columns with Document Type IDs (IdTipoDoc), Document Numbers (Doc), Supply/Cadastre Identification Number (NIS/Cadastro), Detailed Address, Contact Phone Number, and Email Address of clients, contractors, and citizens. "Users" Table: Exposes the list of accounts with access to the system, including users such as admin, invoices, claims, HR, and specific employee profiles, ready for brute-force attacks or credential stuffing. 🛡️ MITIGATIONS AND PREVENTIVE RECOMMENDATIONS 🔒 Query Sanitization and Code Patching: REMSA developers must implement mandatory parameterized queries (Prepared Statements) in all portal data entries to completely eradicate the SQL injection vulnerability. WAF security signatures must be updated to block requests containing common SQLmap encoding and tamper sequences. ⚠️ General Credential Rotation: Force the immediate reset of all passwords for the accounts listed in the user module (e.g., admin, invoices, HR), and thoroughly audit the financial transfer audit logs in the "Purchases and Payments" module to confirm whether receiving bank accounts have been altered. ⚡ MONITORING AND EVALUATION 🌐 Intelligence System: https://t.co/wk9bZJ2Nli 🛡️ Quickly assess your website's security with: https://t.co/YnDw1QjN9c #CyberSecurity #DataBreach #Argentina #REMSA #MiningSecurity #DARKNOTES #Azazel #SQLi #WAFBypass #FinancialFraud #ThreatIntelligence #CyberAlert #VECERT #Infosec #Unverified