Hackers Extort Salesforce Following Data Theft from Multiple Customers

A cybercriminal group identifying themselves as Scattered LAPSUS$ Hunters has reportedly stolen substantial data from numerous Salesforce clients. This group is believed to comprise members from the infamous Lapsus$, Scattered Spider, and ShinyHunters hacking collectives.

Background on the Hacker Groups

Lapsus$ ceased operations in 2022, coinciding with the emergence of Scattered Spider. ShinyHunters, active since 2020, collaborated with Scattered Spider earlier this year, and both groups announced their retirement last month.

Details of the Data Breach

Operating through a new Tor-based leak site, Scattered LAPSUS$ Hunters has listed 39 organizations targeted in their recent campaign against Salesforce. They claim to have exfiltrated data from these companies’ Salesforce instances and are threatening to release it unless Salesforce pays a ransom.

Notable Affected Companies

The list of impacted organizations includes prominent brands such as Adidas, Air France/KLM, Allianz Life, Cisco, Dior, Disney, FedEx, Google, Home Depot, Kering, Louis Vuitton, Qantas, Stellantis, Toyota, TransUnion, UPS, and Workday.

Scope of the Data Theft

The hackers allege they have stolen approximately 1 billion records from the affected organizations’ Salesforce instances. They also indicated to DataBreaches that additional businesses have been compromised but are not listed on their site.

Salesforce’s Response

In a notice on its website, Salesforce stated that there is no evidence suggesting its platform was breached. The company emphasized that the extortion attempts appear to be related to past or unsubstantiated incidents and not to any vulnerabilities within its platform.

Unusual Extortion Tactics

Brian Soby, co-founder and CTO of AppOmni, highlighted the novelty of the hackers’ approach. They are not only attempting to extort the victim organizations but also targeting Salesforce directly. The group has threatened to collaborate with plaintiffs in ongoing lawsuits against Salesforce over recent breaches unless the company pays them directly.

Implications for Cybersecurity

This tactic is unprecedented. It marks the first known instance where attackers have threatened to leverage existing litigation, brought over the security of a compromised platform and its native security tools, against the platform's vendor as part of an extortion campaign.

Potential Methods of Compromise

Soby also noted that the hackers likely gained access to the Salesforce instances through social engineering and stolen credentials rather than through a flaw in the platform itself. This underscores the importance of customer organizations implementing robust tools and practices to meet their side of the shared-responsibility model effectively.

Broader Context of Cyber Threats

This incident is part of a larger trend of cyberattacks targeting major corporations. For instance, beer giant Asahi recently reported data theft in a ransomware attack, and Oracle disclosed that known vulnerabilities might have been exploited in recent extortion attacks.

Conclusion

The Scattered LAPSUS$ Hunters’ extortion attempts against Salesforce and its customers highlight the evolving and increasingly sophisticated nature of cyber threats. Organizations must remain vigilant, continuously update their security protocols, and foster a culture of cybersecurity awareness to mitigate such risks.