Can you believe they're back? The hacker group Scattered Lapsus$ Hunters are back once again after retiring. This time, they claim to have stolen a significant amount of data from Salesforce customers. Crazy, right?
I've been following these guys for a while, and it feels like it's too crazy to be true right now. Let's take a look at what's actually going on, and why it matters, even for those who are not Salesforce customers!
The Group that Said Bye... To Come Back Again
Recently, the Scattered Lapsus$ Hunters group said they were retiring. They are a hybrid of Scattered Spider, LAPSUS$ and ShinyHunters, all of which previously gained notoriety from large-scale data breaches. They have now set up a dark web leak site that appears to host Salesforce customer data.
They claim to have about a billion records (the word "billion" is significant here), and they have publicly named 39 companies as victims. They are warning Salesforce to cough up by October 10 or they will "leak the data to the public." Salesforce maintains that the affected customers did not have their Salesforce accounts hacked, and that the data may well come from old or unrelated breaches.
How Did They Do It? (Note: It's a Social Engineering Attack)
What a twist - they didn't rely on some sort of new hack. They relied on tricking people. The group used vishing, or voice phishing, to call employees and impersonate IT support or vendors to try to obtain their login credentials.
Here's what they did:
• They posed as company personnel or IT support.
• Impersonated Salesforce to get employees to approve fake connected apps in Salesforce.
• Used a malicious copy of Salesforce's Data Loader tool to exfiltrate the data.
They did not hack their way in via code, they hacked their way in via human error.
There was another related campaign whereby hackers stole OAuth tokens from third-party apps such as Salesloft and Drift to extract data out of Salesforce. It is about leveraging trust against you.
Why Should You Care?
Sorry, but whether Salesforce relates to your work or not, this story has a big message: hackers target people, not only systems. Organizations should consider:
• Limiting the amount of people who can approve connected apps.
• Training your teams on how to recognize false calls or "vishing."
• Monitoring OAuth Tokens and integrations.
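The attack chain above (a freshly approved connected app, then Data Loader pulling customer records in bulk) leaves traces that the last two recommendations can catch. The script below is an added illustration, not code from the post or from Salesforce: it audits OAuth token records against an allowlist of approved connected apps, flags tokens that were authorised recently and are already heavily used, and sums bulk-API rows exported from sensitive objects per user and client. The record shapes and field names (AppName, UserId, UseCount, CLIENT_NAME, ROWS_PROCESSED, and so on) are assumptions modelled loosely on Salesforce's OauthToken object and EventLogFile API events; the sample records, allowlist and thresholds are constructed for the example.

```python
"""
Allowlist audit for connected-app OAuth tokens and bulk data exports.

Illustrative defender-side script (not from the post). Record shapes and
field names are assumptions loosely modelled on Salesforce's OauthToken
object and EventLogFile API events; adapt them to your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the organisation keeps an explicit allowlist of connected apps
# permitted to hold OAuth tokens. Anything else is a finding.
APPROVED_APPS = {"Salesforce for Outlook", "Slack", "Data Loader"}

# Constructed "now" so the example is reproducible.
FIXED_NOW = datetime(2025, 10, 2, 15, 0, 0)

# Constructed sample tokens (fields assumed: AppName, UserId, CreatedDate,
# LastUsedDate, UseCount; timestamps are ISO 8601 strings).
SAMPLE_TOKENS = [
    {"AppName": "Slack", "UserId": "u-001", "CreatedDate": "2025-09-01T08:00:00",
     "LastUsedDate": "2025-10-01T09:00:00", "UseCount": 412},
    {"AppName": "Data Loader", "UserId": "u-002", "CreatedDate": "2025-10-02T14:05:00",
     "LastUsedDate": "2025-10-02T14:40:00", "UseCount": 1850},
    {"AppName": "My Ticket Portal", "UserId": "u-003", "CreatedDate": "2025-10-02T13:50:00",
     "LastUsedDate": "2025-10-02T13:51:00", "UseCount": 3},
]

# Constructed sample bulk-API events (fields assumed: USER_ID, CLIENT_NAME,
# ENTITY_NAME, ROWS_PROCESSED, TIMESTAMP).
SAMPLE_EVENTS = [
    {"USER_ID": "u-002", "CLIENT_NAME": "Data Loader", "ENTITY_NAME": "Contact",
     "ROWS_PROCESSED": 250000, "TIMESTAMP": "2025-10-02T14:10:00"},
    {"USER_ID": "u-002", "CLIENT_NAME": "Data Loader", "ENTITY_NAME": "Account",
     "ROWS_PROCESSED": 90000, "TIMESTAMP": "2025-10-02T14:35:00"},
    {"USER_ID": "u-001", "CLIENT_NAME": "Slack", "ENTITY_NAME": "Case",
     "ROWS_PROCESSED": 20, "TIMESTAMP": "2025-10-01T09:00:00"},
]


def _ts(value):
    """Parse an ISO 8601 timestamp string."""
    return datetime.fromisoformat(value)


def audit_tokens(tokens, approved=APPROVED_APPS, now=None,
                 new_token_window=timedelta(hours=24), burst_threshold=1000):
    """Return findings for tokens that (a) belong to an app outside the
    allowlist, or (b) were authorised within new_token_window and are already
    used at least burst_threshold times: the pattern of a just-approved app
    immediately draining data."""
    now = now or datetime.now()
    findings = []
    for token in tokens:
        if token["AppName"] not in approved:
            findings.append(("unapproved_app", token["UserId"], token["AppName"]))
        age = now - _ts(token["CreatedDate"])
        if age <= new_token_window and token["UseCount"] >= burst_threshold:
            findings.append(("new_token_burst", token["UserId"], token["AppName"]))
    return findings


def audit_exports(events, row_threshold=100000,
                  sensitive=("Contact", "Account", "Lead")):
    """Sum rows processed per (user, client) across sensitive objects and
    return (user, client, rows) for totals above row_threshold; a routine
    integration sync rarely pulls that much at once."""
    totals = defaultdict(int)
    for event in events:
        if event["ENTITY_NAME"] in sensitive:
            totals[(event["USER_ID"], event["CLIENT_NAME"])] += event["ROWS_PROCESSED"]
    return sorted((u, c, n) for (u, c), n in totals.items() if n > row_threshold)


if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE_TOKENS, now=FIXED_NOW):
        print("token finding:", finding)
    for finding in audit_exports(SAMPLE_EVENTS):
        print("export finding:", finding)
```

On the constructed data the audit flags the ticket-portal app nobody approved, the Data Loader token that was authorised and used nearly two thousand times within an hour, and the 340,000 Contact and Account rows that token pulled. In practice the allowlist is the part that matters most: keeping it short means the "who can approve connected apps" question above has a small, known answer, and anything outside it is worth a phone call back through a number you already trust.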
When a hacker group says they are "gone", do not buy it; they can come back anytime.
Conclusion
This unfortunate return of the Scattered Lapsus$ Hunters is a reminder that the fastest way an attacker gets access to an organization is not through the code, but through people. Ask yourself:
• Who has the ability to approve application permissions in the organization?
• Would anyone in IT recognize a fraudulent inquiry on the phone?
• How quickly will you limit access if something feels wrong?