Lapsus$ is back in action after what it describes as a “week-long vacation”, and appears to have released 70GB of data obtained in a new hack on IT firm Globant. It shows the hacking gang may prove difficult to stop, despite recent arrests of alleged group members.
The data extortion gang, which has become infamous during a high-profile crime spree of attacks on major tech companies including Nvidia, Samsung and Microsoft, has posted screenshots of data and credentials belonging to software development consultancy Globant to its Telegram channel.
The images show a folder that seems to hold files of data on global companies such as BNP Paribas, Facebook, healthcare giant Abbott, Stifel and DHL, all of which are Globant clients. Also posted to the channel was a torrent file containing “around 70GB” of what purports to be the IT firm’s source code and some administrator passwords.
“We are officially back from vacation,” wrote Lapsus$ in a message to its more than 54,000 Telegram subscribers.
How did Lapsus$ breach Globant?
Malware research group VX-Underground has highlighted the fact that the password hygiene in the leaked admin information is particularly poor, making it easy for Lapsus$ operatives to gain access to Globant’s data.
“Globant’s password management appears to have allowed this attack to succeed far more easily than expected by the perpetrators,” agrees Brian Higgins, security specialist at security platform Comparitech. “[Lapsus$] is clearly happy to highlight this as a cautionary tale for future potential targets.”
Businesses should see this as a warning and tighten their defences, continues Higgins. “Businesses should target harden their cybersecurity protocols and learn from the attack vectors and methodologies already used by Lapsus$,” he says. “There is no guarantee that this will provide ultimate protection, but the Globant breach is an indication that the group are content to target low-hanging fruit where available.”
As reported by Tech Monitor, most of the Lapsus$ attacks to date have not been complex in nature. Allan Liska, senior security architect at Recorded Future, says the gang “appears to be highly opportunistic”. He says: “Their techniques for gaining initial access are not sophisticated, but they are effective because they move fast; once they are in, they can often stay ahead of security teams trying to stop them.”
Is Lapsus$ back for good after Globant breach?
Many analysts believe Lapsus$ originated in South America, with the gang having first targeted companies in Brazil and other Portuguese-speaking countries.
However, last week City of London Police arrested seven British teenagers in connection with the group, while a report from Bloomberg claimed the mastermind behind Lapsus$ was a 16-year-old boy from the UK.
The Globant breach suggests the arrests have not disrupted the gang’s activities, and Lotem Finkelstein, head of threat intelligence and research at Check Point Software, said he expects it will continue to pose a threat. “Significant functions of the Lapsus$ hacking group originate from Brazil,” Finkelstein says. “So, while there has been news of suspected members being arrested in the UK, it doesn’t mean that all have been caught. Unfortunately, there will still be members able to operate and inflict further harm and attacks.”
The Okta breach may have been mishandled
Meanwhile, the shockwaves from a previous Lapsus$ breach are continuing to shake Okta, which was hit earlier this month. The secure identity platform initially denied there was “any evidence of ongoing malicious activity” after Lapsus$ got hold of information from its systems, but later had to admit that up to 366 companies using its platform may have been impacted by the breach.
Okta has now apologised and put the blame on its customer experience management provider Sitel, which it says provided insufficient information at the time of the initial breach in January. “We want to acknowledge that we made a mistake. Sitel is our service provider, for which we are ultimately responsible,” Okta said in a post about the incident.
According to a leaked report, as well as the published timeline, it appears that Okta noticed an indicator of the attack but did not investigate it thoroughly enough. On January 20, Okta detected a password reset attempt using a Sitel employee’s Okta account, which Okta blocked before notifying Sitel of the intrusion attempt. Okta claims that outside of this attempt there were no other indicators of foul play.
This is where Okta acknowledges its mistake: after the company reset the oddly behaving account, it simply waited for the investigation that Sitel had commissioned, rather than pressing the provider for more information.
“In January we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt,” Okta said. “At the time we didn’t recognise that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel… In light of the evidence that we have gathered in the last week, it is clear we would have made a different decision if we had been in possession of all the facts we have today.”
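The 20 January detection described above is easy to picture as a one-line “blocked, done” rule, which is the gap Okta now acknowledges. The following Python is an added example (not Okta’s, Sitel’s or the article’s code) of triage logic that treats a blocked account-takeover attempt on a third-party provider’s account as an incident to run down rather than a closed ticket: it ignores whether the attempt succeeded, pulls in other activity from the same actor or source address, and attaches the follow-up actions the article’s lesson implies. The audit-log format, domain names, event names and action list are all constructed assumptions.

```python
import json
from dataclasses import dataclass, field
from typing import Iterable

# Constructed sample audit-log lines in a hypothetical identity-provider format.
# The 10:00 line models the 20 January event: a password reset attempted with a
# support provider's account and blocked by policy.
SAMPLE_EVENTS = [
    '{"ts": "2022-01-20T10:00:00Z", "event": "user.account.reset_password", '
    '"actor": "support1@sitel.example", "outcome": "FAILURE", '
    '"reason": "blocked_by_policy", "src_ip": "203.0.113.5"}',
    '{"ts": "2022-01-20T10:01:00Z", "event": "user.session.start", '
    '"actor": "alice@okta.example", "outcome": "SUCCESS", "src_ip": "198.51.100.7"}',
    '{"ts": "2022-01-20T10:05:00Z", "event": "user.session.start", '
    '"actor": "support1@sitel.example", "outcome": "SUCCESS", "src_ip": "203.0.113.5"}',
    '{"ts": "2022-01-20T11:00:00Z", "event": "user.account.reset_password", '
    '"actor": "bob@okta.example", "outcome": "SUCCESS", "src_ip": "198.51.100.9"}',
]

# Assumed mapping of third-party provider e-mail domains to a vendor label.
THIRD_PARTY_DOMAINS = {"sitel.example": "Sitel (customer support provider)"}

# Event types treated as account-takeover indicators (assumed names).
ATO_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset"}

# Follow-up a blocked attempt on a vendor account should trigger (assumed list).
REQUIRED_ACTIONS = [
    "invalidate the account's credentials and active sessions",
    "review all activity from the same source address and actor",
    "request the provider's own logs and findings with a deadline",
    "open an internal investigation rather than waiting on the vendor's report",
]


@dataclass
class Escalation:
    actor: str
    vendor: str
    ts: str
    summary: str
    related_events: list = field(default_factory=list)
    actions: list = field(default_factory=lambda: list(REQUIRED_ACTIONS))


def vendor_for(actor: str):
    """Return the vendor label if the actor's domain belongs to a third party."""
    domain = actor.rsplit("@", 1)[-1].lower()
    return THIRD_PARTY_DOMAINS.get(domain)


def triage(lines: Iterable[str]) -> list:
    """Escalate every account-takeover indicator seen on a third-party account.

    The outcome field is deliberately not used as a filter: a blocked (FAILURE)
    attempt is escalated exactly like a successful one, because the block stops
    one action, not the intrusion behind it.
    """
    events = [json.loads(line) for line in lines]
    escalations = []
    for ev in events:
        if ev["event"] not in ATO_EVENTS:
            continue
        vendor = vendor_for(ev["actor"])
        if vendor is None:
            continue  # internal account: ordinary self-service reset path
        # Pivot on the same actor or the same source address for context.
        related = [
            other for other in events
            if other is not ev
            and (other["src_ip"] == ev["src_ip"] or other["actor"] == ev["actor"])
        ]
        state = "blocked" if ev["outcome"] == "FAILURE" else "succeeded"
        escalations.append(Escalation(
            actor=ev["actor"], vendor=vendor, ts=ev["ts"],
            summary=(f"{ev['event']} on {vendor} account {ev['actor']} {state} "
                     f"({ev.get('reason', 'no reason recorded')}); "
                     f"{len(related)} related event(s) from same actor/source"),
            related_events=related,
        ))
    return escalations


if __name__ == "__main__":
    for esc in triage(SAMPLE_EVENTS):
        print(esc.summary)
        for action in esc.actions:
            print("  -", action)
```

Run against the constructed log, the blocked reset on the Sitel account produces one escalation that already carries the later successful session from the same address, which is the kind of context that waiting for the vendor's report leaves unexamined. The internal employee's own password reset is left to the normal self-service path.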
This route into the company’s system must be patched, and quickly, explains Comparitech’s Higgins. “By its own admission Okta has said that they didn’t engage well enough with their third-party MSP Sitel. The company must inform the affected customers and engage with relevant competent authorities to ensure the methodology used cannot be repeated.”
Homepage image of StarMeUp, one of Globant’s apps by Bloomberg / Contributor at Getty Images