Cyber Incident Victim: Red Bull Malaysia
Date: Apr 2018
Location: Austria

Summary
The energy drink company experienced a cyberattack that compromised 30 country-specific subdomains through a Drupal vulnerability; the threat actor Prosox uploaded a defacement file named 'adminer.php' to each subdomain. A second attacker, using the alias Shade, later modified these files to claim responsibility, though no data theft was confirmed. The organization removed the malicious content but did not publicly confirm that the underlying vulnerability was remediated. The incident followed Prosox's earlier compromise of celebrity YouTube channels via Vevo accounts, highlighting persistent security weaknesses in the affected infrastructure.
Description
On April 22, 2018, the Red Bull energy drink company experienced a cybersecurity breach affecting 30 country-specific subdomains under the energydrink-[country code].redbull.com domain structure. An attacker using the alias "Prosox" compromised these websites by uploading a defacement file named 'adminer.php' to each subdomain. Forensic analysis of the compromised systems indicated that all affected subdomains ran on the Drupal content management system. Security researchers hypothesized that the attacker may have exploited a recently disclosed remote code execution vulnerability in Drupal, though this was not conclusively verified. The defacement affected websites across multiple regions, including Australia, Belgium, Turkey, Qatar, Saudi Arabia, Germany, South Africa, the United Kingdom, Spain, Austria, Mexico, New Zealand, the Netherlands, Slovenia, Hong Kong, China, Russia, Taiwan, Romania, Denmark, Ireland, Norway, India, Croatia, Malaysia, Argentina, the United States, Italy, Japan, and Canada. Prosox archived evidence of the compromise on Zone-H, a platform frequently used by hackers to document website defacements. This incident followed another attack attributed to Prosox two weeks earlier, involving unauthorized access to Vevo's YouTube channels, which resulted in altered video titles and the forced removal of content including Luis Fonsi's "Despacito" music video.

The breach expanded when a second attacker using the alias "Shade" subsequently modified the 'adminer.php' files on Red Bull's servers to display a "Hacked By Shade" message, indicating either ongoing exploitation of the same vulnerability or inadequate containment after the first compromise. While the full scope of data exposure remained unconfirmed, security observers raised concerns about sensitive information potentially stored on the compromised servers, given the breadth of affected systems. Red Bull's security team eventually removed the malicious files uploaded by both attackers, restoring normal website operations. The company did not publicly disclose whether it patched the underlying Drupal vulnerability or implemented additional security measures following the incident. No customer data breaches or financial impacts were formally reported in connection with the attack, though the repeated compromises highlighted systemic security weaknesses across Red Bull's web infrastructure.
