One would think that a hacking group would lay low after seven of its alleged members, or at least people affiliated with them, are arrested for cybercriminal activities. Not Lapsus$, though, who have claimed yet another victim, technology services provider Globant, by breaching, stealing, and leaking its data.
Apparently, Lapsus$, a cyber extortionist group with possible origins in South America, was on “vacation.” And now they are “officially back.”
It is unclear when the breach and data exfiltration occurred, but the leak comes right on the heels of the seven arrests, including that of a 16-year-old in Oxford, made by the City of London Police in the U.K.
The leak was confirmed by the IT giant Globant, which counts Google, Apple, Meta, Rockwell Automation, Electronic Arts, and others among its clients, on Wednesday, March 31. “We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access,” stated Globant, a Luxembourg-based tech services company.
“According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected.”
Security researcher Dominic Alvieri shared a screenshot of what appear to be folders containing data of multiple organizations such as Facebook, Apple (“apple-health-app”), Abbott, BNP Paribas, DHL, etc., with the caption: “We are officially back from a vacation (spoiler above).”
The cybercriminal entity published 70 GB of Globant data through a torrent file shared on its Telegram channel. Globant has over 23,500 employees operating across 18 countries.
Source: vx-underground
SOS Intelligence told BleepingComputer, “In terms of legitimacy, going just by volume alone it’s hard to fabricate that amount of data – however samples of the data have been cross referenced with live systems and other methods that show the leak is legitimate and very significant as far as Globant and Globant’s impacted customers are concerned.”
Besides the source code of Globant and its clients, the leaked data also includes administrator passwords that Globant uses. These include passwords for the code repository GitHub, the code review platform Crucible, the project management platform Jira, and the collaboration platform Confluence.
vx-underground posted a redacted screenshot of a Lapsus$ member taunting Globant about its “poor security practices.”
LAPSUS$ also threw their System Admins under the bus exposing their passwords to confluence (among other things). We have censored the passwords they displayed. However, it should be noted these passwords are very easily guessable and used multiple times… pic.twitter.com/gT7skg9mDw
— vx-underground (@vxunderground) March 30, 2022
It almost seems that Lapsus$’s motive is to punish Globant for having weak passwords. Globant didn’t say whether Lapsus$ demanded anything before leaking the data. Lapsus$’s previous ransom demands have been erratic. The end game for the cybercriminal group remains ambiguous even as its modus operandi becomes more evident with each passing attack and leak.
Lapsus$ has been branded as immature by cybercrime and security researchers but has proven to be highly effective in spreading malice. The group’s victims include Okta, Microsoft, NVIDIA, Samsung, Ubisoft, the government of Brazil, Impresa, possibly Electronic Arts, and more.
Bill Demirkapi, a security engineer at Zoom who was the first to identify the Microsoft breach by Lapsus$, obtained leaked documents of Mandiant’s report on the Okta breach. The records indicate that Lapsus$ doesn’t use fancy tools or exploit any zero-day vulnerabilities. It instead relies on simple techniques, including MFA prompt bombing.
New documents for the Okta breach: I have obtained copies of the Mandiant report detailing the embarrassing Sitel/SYKES breach timeline and the methodology of the LAPSUS$ group. 1/N pic.twitter.com/e0T4EdWPxT
— Bill Demirkapi (@BillDemirkapi) March 28, 2022
In essence, the relatively new group exploits inadequate security controls at the organizations it targets. Lapsus$ also relies on stolen credentials or cookies, SIM-swapping, and social engineering that encompasses bribing employees, suppliers, or business partners.
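The MFA prompt bombing mentioned above leaves a recognizable trace in identity-provider push logs: a burst of denied or timed-out prompts for one user, sometimes followed by an approval once the user gives in. The following is an added detection example, not code from the article or from any vendor; the log format, the field names, and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-notification events (not real logs).
# Format assumed here: "<ISO timestamp> <user> <result> <source_ip>"
SAMPLE_EVENTS = [
    "2022-03-20T03:14:02Z alice denied 203.0.113.7",
    "2022-03-20T03:15:10Z alice denied 203.0.113.7",
    "2022-03-20T03:16:45Z alice timeout 203.0.113.7",
    "2022-03-20T03:18:03Z alice denied 203.0.113.7",
    "2022-03-20T03:21:30Z alice approved 203.0.113.7",  # gave in after the burst
    "2022-03-20T09:00:00Z bob denied 198.51.100.20",    # a single mis-tap, benign
    "2022-03-20T09:00:40Z bob approved 198.51.100.20",
    "2022-03-20T10:00:00Z carol denied 192.0.2.9",      # spread out, below threshold
    "2022-03-20T10:30:00Z carol denied 192.0.2.9",
    "2022-03-20T11:00:00Z carol denied 192.0.2.9",
]


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, result, ip = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip}


def detect_push_fatigue(lines, window=timedelta(minutes=10), threshold=3):
    """Flag users who received `threshold` or more non-approved push prompts
    inside `window`, and record whether an approval followed the burst."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_user[ev["user"]].append(ev)

    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        rejected = [e for e in events if e["result"] != "approved"]
        for i, first in enumerate(rejected):
            burst = [e for e in rejected[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                # An approval after the burst is the highest-priority signal:
                # the user may have accepted a prompt they did not initiate.
                approved_after = any(e["result"] == "approved"
                                     and e["ts"] > burst[-1]["ts"] for e in events)
                alerts[user] = {"prompts": len(burst),
                                "approved_after": approved_after,
                                "ips": sorted({e["ip"] for e in burst})}
                break
    return alerts
```

Running `detect_push_fatigue(SAMPLE_EVENTS)` flags only `alice`, with four prompts in the window and an approval afterwards; a session created from a source address that was never seen for that user before would be the next thing to check.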
The FBI is also gunning for Lapsus$ members’ heads. Before the City of London Police arrested seven gang members in the U.K., the FBI asked the public for any information regarding the cybercriminal group.