IT and software development company Globant said in a statement on Wednesday that there had been a network breach. The statement appeared to confirm claims made by Lapsus$, a group that has successfully compromised Microsoft, Nvidia, Okta, and other victims over the past few weeks.
Lapsus$ is a relative newcomer to the data extortion scene. While the group’s tactics and procedures lack sophistication, its members, who are largely viewed as young and technically immature, make up for it with persistence. Gang members were rumored to be among seven people arrested last week by the London Police.
Not dead yet
A leak Tuesday on the Lapsus$ Telegram channel included data the group said came from a recent hack of Globant, raising questions about exactly what relationship the suspects, aged 16 to 21, had with Lapsus$. The FBI recently sought the public’s help in tracking the group.
London Police do not appear to have specifically said the suspects were members of Lapsus$, “but assuming [the suspects] we still don’t know how many other individuals may be connected to the operation or where they may be based,” Brett Callow, a threat analyst at security firm Emsisoft, wrote in a private message. “For example, at least one of their members appears to be a native speaker — or more accurately, writer — of Brazilian Portuguese.”
The Telegram post included a screenshot of data allegedly from Luxembourg-based Globant, which operates in 18 countries and has more than 23,500 employees. Folders for one of the allegedly stolen data caches had names like “Apple Health App”, “Facebook”, “C-SPAN” and “DHL”. Another post on the same channel purported to show credentials, many with weak passwords, for some of the servers where Globant stored the data.
A torrent link in the post indicated that the leaked source-code cache was around 70 GB.
Code repository breached
“We recently discovered that a limited portion of our company’s code repository was exposed to unauthorized access,” company officials wrote in a statement. “We have activated our security logs and are conducting a full investigation.”
So far, the statement said, investigators believe the stolen data was “limited to specific source code and project-related documentation for a very limited number of clients.” The current investigation has yet to find evidence that other data or systems were breached.
Company officials declined to answer questions asking when the breach occurred, whether the leaked data was genuine, and whether anyone had contacted Globant to demand a ransom.
Last week, KrebsOnSecurity and Bloomberg reported that a core member of Lapsus$ is a 16-year-old living in Oxford, England. A day later, London police said at least one of the arrested hacking suspects was 16 years old.
Lapsus$ uses a variety of simple methods to compromise its victims. For example, to bypass the multifactor authentication protections of some targets, members who had already obtained a password would repeatedly attempt to log into the account, flooding its owner with MFA approval prompts until one was accepted, a technique known as MFA prompt bombing. In many cases, the prompts can be delivered through a standard telephone call.
“There is no limit to the number of calls that can be made,” a Lapsus$ member recently wrote. “Call the employee 100 times at 1am while they are trying to sleep and they will most likely take it. Once the agent answers the first call, you can access the MFA enrollment portal and enroll another device.”
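The pattern described above (a burst of rejected or unanswered push prompts, an eventual approval, then a new device enrolled) is visible in identity-provider logs. The following is an added example, not code from the article, Globant, or any identity provider: it scans constructed sample push-authentication log lines and flags the sequence. The log format (timestamp, user, event, result) and the thresholds are assumptions; real IdPs carry the same fields under their own names.

```python
"""Flag MFA prompt-bombing bursts in push-authentication logs (added example).

Assumed log format, one event per line: ISO timestamp, user, event, result.
Events used: push_sent (result denied/timeout/approved) and mfa_enroll.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user event result")

# Constructed sample log: alice is bombed at 1 am, approves the sixth prompt,
# and a new factor is enrolled minutes later; bob shows normal daytime use.
SAMPLE_LOG = """\
2022-03-29T01:02:10Z alice push_sent denied
2022-03-29T01:02:41Z alice push_sent denied
2022-03-29T01:03:05Z alice push_sent timeout
2022-03-29T01:03:30Z alice push_sent denied
2022-03-29T01:04:02Z alice push_sent denied
2022-03-29T01:04:33Z alice push_sent approved
2022-03-29T01:06:10Z alice mfa_enroll success
2022-03-29T09:15:00Z bob push_sent approved
2022-03-29T09:40:12Z bob push_sent denied
2022-03-29T17:05:00Z bob push_sent approved
"""


def parse_log(text):
    """Parse the assumed log format into a list of Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_prompt_bombing(events, window=timedelta(minutes=10), threshold=4,
                          enroll_grace=timedelta(minutes=15)):
    """Return one finding per user whose push prompts look like a bombing run.

    A burst is `threshold` or more denied/timed-out prompts inside `window`.
    The finding records whether the burst ended in an approval and whether a
    new factor was enrolled within `enroll_grace` afterwards, because that
    follow-on enrollment is what turns a nuisance into a persistent foothold.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort()
        pushes = [e for e in evs if e.event == "push_sent"]
        for i, first in enumerate(pushes):
            burst = [e for e in pushes[i:] if e.ts - first.ts <= window]
            rejected = [e for e in burst if e.result in ("denied", "timeout")]
            if len(rejected) < threshold:
                continue
            last_rejected = rejected[-1].ts
            approved_after = any(e.result == "approved" and e.ts > last_rejected for e in burst)
            burst_end = burst[-1].ts
            enrolled = any(e.event == "mfa_enroll" and e.result == "success"
                           and burst_end < e.ts <= burst_end + enroll_grace for e in evs)
            findings.append({
                "user": user,
                "rejected_prompts": len(rejected),
                "burst_start": first.ts.isoformat(),
                "approved_after_burst": approved_after,
                "enrolled_new_factor": enrolled,
            })
            break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for f in detect_prompt_bombing(parse_log(SAMPLE_LOG)):
        print(f)
```

An approval at the end of a burst should trigger an immediate session revocation and a check of any factors enrolled afterwards; the threshold and window here are starting points to tune against the normal prompt rate of the environment.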
Other techniques included SIM swaps and social engineering. Lapsus$ isn’t above bribery either. Once an organization is targeted, the group also goes after its customers and the employees of its contractors.
Lapsus$’s continued activity is further evidence of the group’s resilience. While organizations often focus on defending against zero-day exploits and other types of advanced threats, Lapsus$ should serve as a reminder that less esoteric hacking methods are often simpler and just as effective.