Quick Takeaways
- The Scattered Lapsus$ Hunters cybercriminal group, initially claiming to have shut down, reemerged with a major data leak threatening to release nearly 1 billion files stolen from companies like Salesforce, Cisco, and Disney.
- The group claimed to have exploited what it described as weak two-factor authentication and OAuth protections at Salesforce; the attacks relied heavily on social engineering rather than on platform vulnerabilities.
- Salesforce denied any platform breaches, attributing the attacks to social engineering tactics and compromised third-party OAuth tokens, though they face multiple lawsuits for alleged security oversights.
- The group targets high-profile organizations holding large volumes of sensitive data, using a division of roles—initial access, data theft, and extortion—to maximize impact and facilitate downstream attacks or sales.
Problem Explained
The purported retirement of the cybercrime coalition known as Scattered Lapsus$ Hunters, which includes notorious hacking groups like Scattered Spider, ShinyHunters, and Lapsus$, was short-lived. After the group announced its disbandment last month via Telegram and BreachForums, many cybersecurity experts, including Casey Ellis of Bugcrowd, regarded the claim skeptically, viewing it as a PR stunt. The group soon confirmed those doubts by resurging, this time unleashing a wave of theft and extortion centered on Salesforce, a major SaaS provider. They claimed to have stolen nearly a billion data files from well-known companies such as Cisco, Ikea, and Disney, threatening to leak sensitive personal information—like Social Security numbers and driver’s licenses—unless Salesforce negotiated by October 10. The attackers said they exploited what they described as Salesforce’s weak security measures, including inadequate two-factor authentication and OAuth safeguards, although Salesforce maintained it was not hacked, attributing the breach instead to social engineering tactics like vishing and compromised third-party OAuth tokens.
This resurgence underscores the dangerous, organized nature of the hacker alliance, which mainly targets high-profile organizations with extensive customer data and weak security controls. Their operations involve shrewd social engineering, exploitation of third-party integrations, and internal division of labor—where different groups handle initial access, data theft, and extortion—making them a persistent threat. Salesforce, facing at least 14 lawsuits from affected individuals, insists it was not compromised directly, emphasizing shared responsibility with customers in cybersecurity. Nonetheless, the incident highlights how these groups leverage social engineering and insider vulnerabilities to execute large-scale data breaches, fueling extortion, leaks, and potential downstream attacks across various sectors, including technology, retail, and finance.
Potential Risks
The brief retreat of the Scattered Lapsus$ Hunters extortion group was a false alarm; their return underscores the persistent cyber risks posed by highly organized threat groups that exploit social engineering, weak security measures, and compromised third-party integrations to target large, data-rich organizations across sectors like technology, retail, and finance. Their attacks—ranging from vishing schemes impersonating IT support to exploiting OAuth token vulnerabilities—result in massive data breaches involving sensitive personal and corporate information, fueling extortion, public leaks, and supply chain disruptions. Despite claims from companies like Salesforce that no platform vulnerabilities were exploited, the reliance on social engineering highlights a shared cybersecurity responsibility, while the criminal ecosystems’ collaboration and division of labor enhance their operational effectiveness, increasing the potential impact and complexity of these threats.
Possible Next Steps
Promptly addressing incidents like "Scattered Lapsus$ Hunters Extorts Victims, Demands Salesforce Negotiate" is critical to minimizing damage, restoring security, and maintaining trust within the organization and with its clients. Delay can widen the exposure, increase financial and reputational harm, and give malicious actors more leverage.
Assessment and Detection
- Conduct thorough forensic analysis to identify scope and methods.
- Use intrusion detection systems; monitor for unusual activity.
Containment
- Isolate affected systems to prevent further spread.
- Disable compromised accounts and revoke suspicious access.
Communication
- Inform relevant stakeholders and internal teams promptly.
- Coordinate with legal and cybersecurity authorities if necessary.
Mitigation
- Apply security patches and updates to fix vulnerabilities.
- Enforce multi-factor authentication and strengthen password policies.
Recovery
- Restore systems from secure backups.
- Validate system integrity before reactivation.
Prevention
- Implement ongoing security training for staff.
- Regularly review and update security protocols and incident response plans.
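The detection and containment steps above (monitor for unusual activity; revoke suspicious access) can be made concrete for the OAuth-token angle the article describes. The following is an added example written for this page, not code from the article, from Salesforce, or from any vendor: it scans constructed SaaS audit-log events for a third-party connected app pulling data in bulk and produces a revocation list for the incident responder. The event field names (`app`, `token`, `user`, `rows`, `ip`), the app names, the allowlist and the hourly row threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs. Each record is one API call made
# with an OAuth token issued to a "connected app". Field names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2025-10-01T09:00:00", "app": "CRM-Sync", "token": "tok-A",
     "user": "alice", "rows": 120, "ip": "203.0.113.10"},
    {"ts": "2025-10-01T09:30:00", "app": "CRM-Sync", "token": "tok-A",
     "user": "alice", "rows": 200, "ip": "203.0.113.10"},
    {"ts": "2025-10-01T10:00:00", "app": "Reporting-BI", "token": "tok-B",
     "user": "bob", "rows": 4000, "ip": "203.0.113.11"},
    {"ts": "2025-10-01T11:05:00", "app": "DataLoader-Clone", "token": "tok-C",
     "user": "carol", "rows": 30000, "ip": "198.51.100.7"},
    {"ts": "2025-10-01T11:20:00", "app": "DataLoader-Clone", "token": "tok-C",
     "user": "carol", "rows": 30000, "ip": "198.51.100.7"},
    {"ts": "2025-10-01T11:40:00", "app": "Reporting-BI", "token": "tok-B",
     "user": "bob", "rows": 1500, "ip": "203.0.113.11"},
]

# Assumed tuning values: an allowlist of vetted connected apps and a per-token
# hourly row budget above which an export is treated as bulk exfiltration.
KNOWN_APPS = {"CRM-Sync", "Reporting-BI"}
BULK_ROWS_PER_HOUR = 50_000


def hour_bucket(ts: str) -> datetime:
    """Truncate an ISO-8601 timestamp to the start of its clock hour."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)


def bulk_export_tokens(events, limit=BULK_ROWS_PER_HOUR):
    """Tokens that pulled more than `limit` rows inside a single clock hour."""
    rows = defaultdict(int)
    for e in events:
        rows[(e["token"], hour_bucket(e["ts"]))] += e["rows"]
    return {token for (token, _), n in rows.items() if n > limit}


def unvetted_app_tokens(events, known=KNOWN_APPS):
    """Tokens issued to connected apps that are not on the allowlist."""
    return {e["token"] for e in events if e["app"] not in known}


def revocation_plan(events):
    """Merge the signals into one containment list (token, app, user and the
    reasons it was flagged), sorted by token so the output is stable."""
    reasons = defaultdict(set)
    for t in bulk_export_tokens(events):
        reasons[t].add("bulk-export")
    for t in unvetted_app_tokens(events):
        reasons[t].add("unvetted-app")
    meta = {e["token"]: (e["app"], e["user"]) for e in events}
    return [
        {"token": t, "app": meta[t][0], "user": meta[t][1],
         "reasons": sorted(r)}
        for t, r in sorted(reasons.items())
    ]


if __name__ == "__main__":
    # Each entry is a token to revoke and a user account to review.
    for item in revocation_plan(SAMPLE_EVENTS):
        print(item)
```

In the sample, `tok-C` is flagged on both counts (an unvetted app and 60,000 rows within the 11:00 hour), while the vetted reporting app stays under the threshold. The two signals are deliberately independent: a legitimate app can still be abused for bulk export, and an unknown app can be quiet, so a responder should revoke on either and review the associated user, which is the account a vishing call would have been aimed at.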
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
