Andrey Popov - stock.adobe.com
The arrests of seven people in connection with the Lapsus$ cyber crime group by UK law enforcement seems to have done little to dent the gang’s ability to conduct high-level cyber attacks, as a fresh data breach at software company Globant drags in many prominent customers of the firm, including Meta, Alphabet and Apple.
Lapsus$, which it is important to remember is not a ransomware gang in the traditional sense, has shot to prominence in the past two months thanks to a series of high-profile attacks on tech companies including Nvidia, Samsung, Ubisoft, Okta and Microsoft, resulting in data exfiltration, extortion and leakage.
The group’s operation against Globant, which was founded in Argentina in 2003 but is now based in Luxembourg, has supposedly seen up to 70GB of customer data leaked. According to reports, the leak includes credentials used by Globant admins to access various development platforms including Confluence, Jira and GitHub.
The dump also appears to include source code folders relating to multiple Globant customers, although Computer Weekly has not determined the data’s veracity.
Globant confirmed the breach on Wednesday 30 March. A spokesperson said: “We have recently detected that a limited section of our company’s code repository has been subject to unauthorised access. We have activated our security protocols and are conducting an exhaustive investigation.
“According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected. We are taking strict measures to prevent further incidents.”
Computer Weekly reached out to both Alphabet and Meta to confirm the extent of the breach, but neither organisation had responded at the time of writing.
Ambitious, chaotic, reckless
Searchlight Security analysts have been tracking Lapsus$ extensively in recent weeks. They describe the group as a new generation of threat actor: ambitious and apparently somewhat chaotic, and reckless, in its organising and attitudes, as well as inclined to sow animosity in the cyber criminal underground.
These factors would appear to track with the group’s apparent ability to shrug off and perhaps even recover from last week’s police operations. A Searchlight analyst, speaking on condition of anonymity, said: “We are monitoring for further developments but all I can say is that it’s not surprising the group has continued its high-stakes hacks even after arrests in London given its likely international membership, as well as having a ready-made talent pool of wannabe hackers eager to earn respect in its Telegram group.
“It’s tough to predict law enforcement’s next move, as some of the currently active Lapsus$ members are thought to reside in countries with underdeveloped cyber security laws, patchy enforcement, and which aren’t signed up to international cyber crime agreements. Outreach for inter-agency collaboration may occur, as well as efforts to dismantle Lapsus$’s infrastructure making it harder for them to carry out attacks,” they said.
Read more about Lapsus$
- SearchSecurity’s Risk & Repeat podcast examines two high-profile breaches by emerging threat group Lapsus$ and how Microsoft and Okta responded to these attacks.
Given its latest activity, and its track record of breaches of third parties such as Sitel, which it used to get to Okta, the group is clearly aware of how the corporate world seems to struggle with supply chain security, giving security teams and risk managers fresh impetus if needed to address these problems.
Joseph Carson, chief security scientist at Delinea, a newly formed cyber company comprising predecessors Thycotic and Centrify, said the Globant breach showed that any organisation’s security was only as good as the company it keeps.
“For large organisations, that is their supply chain,” he said. “Lapsus$ appear to have gone after major supply chain organisations and have shown that no organisation has 100% protection, which means it is all about reducing the risks and early detection. The technique that appears to be used by Lapsus$ is going after privileged users which should be a top priority to protect, and I highly recommend organisations apply the principle of least privilege.”
Callum Roxan, head of threat intel at WithSecure, the freshly-spun out enterprise business of F-Secure, added: “The high-profile intrusions by Lapsus$ show the challenges of securing data and systems in the modern IT architectures. The management of authentication and authorisation is a complex challenge when it spans across multiple platforms, technologies, and through supplier relationships.
“The cyber security industry definitely has not reached maturity in the detection of these attacks. I would expect these types of attacks to continue by Lapsus$ and that more actors may look to mimic them after seeing this success.”