Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label LAPSUS$. Show all posts
Salesforce
Airways Data Breach Data Leaked Identity Theft LAPSUS$ Qantas Salesforce

Qantas Faces Scrutiny After Massive Data Leak Exposes Millions of Customer Records

 



Qantas Airways is under investigation after personal data belonging to millions of its customers appeared online following a major cyberattack. The breach, which originated from an offshore call centre using Salesforce software, is believed to have exposed information from around 5.7 million individuals.

According to cybersecurity reports, the data was released after a criminal group known as Scattered LAPSUS$ Hunters followed through on a ransom threat. The leaked files reportedly include customers’ full names, email addresses, Frequent Flyer membership numbers, phone numbers, home and business addresses, dates of birth, and gender details. In some cases, even meal preferences were among the stolen data.

Although Qantas had outsourced customer support operations to an external provider, Australian officials emphasized that responsibility for data protection remains with the airline. “Outsourcing does not remove a company’s cybersecurity obligations,” warned Cyber Security Minister Tony Burke, who added that serious penalties may apply if organisations fail to meet legal requirements for safeguarding personal data.

Experts have cautioned customers not to search for the leaked information online, particularly on dark web platforms, to avoid scams or exposure to malicious content.

Cybersecurity researcher Troy Hunt explained that while the stolen data may not include financial details, it still poses serious risks of identity theft. “The information provides multiple points of verification that can be exploited for impersonation attacks,” he noted. Hunt added that Qantas would likely face substantial legal and financial repercussions from the incident, including class-action lawsuits.

RMIT University’s Professor Matthew Warren described the event as the beginning of a “second wave of scams,” predicting that fraudsters could impersonate Qantas representatives to trick customers into disclosing more information. “Attackers may contact victims, claiming to offer compensation or refunds, and request bank or card details,” he said. With most Qantas passengers being Australian, he warned, “a quarter of the population could be at risk.”

In response, Qantas has established a dedicated helpline and identity protection support for affected customers. The airline also secured a court injunction from the New South Wales Supreme Court to block access to the stolen data. However, this order only applies within Australia, leaving the information still accessible on some foreign websites where the databases were leaked alongside data from other companies, including Vietnam Airlines, GAP, and Fujifilm.

Legal experts have already lodged a complaint with the Office of the Australian Information Commissioner, alleging that Qantas failed to take sufficient steps to protect personal information. Similar to previous high-profile breaches involving Optus and Medibank in 2022, the case may lead to compensation claims and regulatory fines.

Professor Warren emphasised that low conviction rates for cybercrimes continue to embolden hackers. “When attackers see few consequences, it reinforces the idea that cyber laws are not a real deterrent,” he said.


Read more »
Salesforce
BreachForums Cyber Attacks Data Leak FBI LAPSUS$ Salesforce

BreachForums Taken Down by FBI and French Authorities as LAPSUS$-Linked Group Threatens Salesforce Data Leak

 



U.S. and French law enforcement agencies have seized the latest version of BreachForums, a cybercrime platform known for hosting stolen databases and leaked information. The takedown was carried out by the Federal Bureau of Investigation (FBI), the U.S. Department of Justice, and French cybercrime authorities, who placed an official seizure notice on the site on October 9.

This development comes just hours before an extortion deadline announced by a threat group calling itself Scattered LAPSUS$ Hunters, which had threatened to leak data allegedly stolen from Salesforce and Salesloft if ransom demands were not met by October 10.

The seizure was first noticed on Telegram before it became official. A threat actor using the alias “emo” had observed that BreachForums’ domain was using Cloudflare name servers associated with previously seized FBI sites, suggesting law enforcement action was imminent.

Following the seizure, Scattered LAPSUS$ Hunters confirmed the action on its Telegram channel through a PGP-signed message, claiming that all their BreachForums-related domains and backend infrastructure were taken offline and destroyed. The group, however, asserted that its members had not been arrested and that their Tor-based data leak site remained active.

“The era of forums is over,” the message read, warning members to maintain operational security and avoid new BreachForums clones, which the group claimed could be “honeypots” operated by law enforcement.


Compromised Infrastructure and Data

The group stated that during the seizure, all BreachForums database backups dating from 2023 to the present were compromised, along with escrow and server systems. They also alleged that their onion hidden service was affected because the underlying infrastructure had been seized and destroyed.

Despite this, Scattered LAPSUS$ Hunters insisted that the takedown would not affect their planned Salesforce data leak campaign. The group reiterated that the October 10 deadline for victims to comply with their ransom demands remained unchanged.

This marks the fourth major seizure in the history of BreachForums and its predecessors, including the earlier RaidForums. Both forums have been repeatedly targeted by global law enforcement operations and linked to several high-profile arrests over the years.

The group also revealed that the widely known administrator “pompompurin,” believed to have launched BreachForums after RaidForums’ closure, had merely been a “front,” suggesting that the forum’s operations were coordinated by a wider network of individuals from the start.


What Lies Ahead

While the seizure has temporarily disrupted the group’s clearnet operations, cyber experts caution that criminal forums often migrate to the dark web or encrypted channels to continue their activities. Authorities are expected to pursue further investigations in the coming weeks to identify and apprehend those involved.

For cybersecurity professionals and enterprises, it's high time to give importance to monitoring data exposure risks and staying alert to potential secondary leaks, especially when extortion groups remain active through alternate platforms.



Read more »
User Security
Cyber Crime LAPSUS$ Teen Hackers Threat Landscape User Security

Advanced Persistent Teenagers: A Rising Security Threat

 

If you ask some of the field's top cybersecurity executives what their biggest concerns are, you might not expect bored teenagers to come up. However, in recent years, this totally new generation of money-motivated hackers has carried out some of the biggest hacks in history and shows no signs of slowing. 

Meet the "advanced persistent teenagers," as stated by the security community. These are skilled, financially motivated attackers, such as Lapsus$ and Scattered Spider, who have proven capable of digitally breaching into hotel companies, casinos, and tech behemoths.

The hackers can deceive unsuspecting employees into giving over their company passwords or network access by using strategies such as believable email lures and convincing phone calls posing as a company's support desk. 

These attacks are extremely effective, have resulted in massive data breaches impacting millions of individuals, and have resulted in large ransoms paid to make the hackers vanish. By displaying hacking capabilities previously limited to only a few nation states, the threat from idle teenagers has forced numerous companies to confront the reality that they don't know if the personnel on their networks are who they say they are, and not a sneaky hacker. Has the threat posed by idle teens been understated, according to two respected security veterans? 

“Maybe not for much longer,” noted Darren Gruber, technical advisor in the Office of Security and Trust at database giant MongoDB, during an onstage panel at TechCrunch Disrupt. “They don’t feel as threatened, they may not be in U.S. jurisdictions, and they tend to be very technical and learn these things in different venues.”

Plus, a key automatic advantage is that these threat groups also have a lot of time on their hands. “It’s a different motivation than the traditional adversaries that enterprises see.” Gruber has dealt with a few of these threats directly. There was no evidence of access to client systems or databases, however an intrusion at the end of 2023 in MongoDB resulted in the theft of certain metadata, such as customer contact information. 

According to Gruber, the attack mirrored Scattered Spider's strategies, and the vulnerability was reportedly minimal. "The attackers posed to be employees and used a phishing lure to get into MongoDB's internal network," he claimed.
Read more »
Sensitive Information
British Cyber Laws Data Breach GamePlayerFramework Gaming Community LAPSUS$ Online Gaming Sensitive Information

GTA 6 Hacker: Life in Secure Hospital for Cybercrime Intent

The teenage hacker who leaked details about Grand Theft Auto 6 (GTA 6) is now facing a life sentence in a guarded institution, which is a surprise development. The person, identified as Lapsus, was placed under an indefinite hospital order because of worries that he would quickly return to his cybercrime operations.

The 18-year-old hacker gained notoriety for infiltrating Rockstar Games' highly anticipated GTA 6, leaking sensitive information and gameplay details to the public. His actions sparked a global uproar among gaming enthusiasts and raised questions about the vulnerability of major gaming studios to cyber threats.

Lapsus's fate took a unique twist as the court deemed him a significant cybersecurity threat, deciding to confine him to a secure hospital for an indefinite period. The severity of this sentence underscores the gravity of cybercrimes and the potential harm they can inflict on individuals and industries.

The court's decision was fueled by Lapsus's explicit intent to resume cybercriminal activities as soon as possible, as revealed during the trial. This alarming revelation highlights the challenges authorities face in deterring individuals with advanced hacking skills from engaging in illegal activities, especially when they show a clear determination to persist.

Many well-known media outlets reported on the case, highlighting the gravity of the hacker's misdeeds and providing details about the court procedures. For example, it was pointed out that the hacker's declared intention to immediately return to cybercrime is closely correlated with the decision to house him in a secure facility for the rest of his life. nevertheless, emphasized the temporary nature of the hospital order and the serious danger that Lapsus posed.

The case's implications stretch beyond the gaming community and serve as a sobering reminder of the continuous fight against cybercrime on a worldwide scale. highlighted the incident's worldwide ramifications in particular, drawing attention to the British juvenile hacker's acts and the eventual imposition of a life sentence in a guarded institution.

As The Verge pointed out, Lapsus's sentencing blurs the line between traditional imprisonment and confinement in a secure hospital, reflecting the unique challenges posed by hackers with the potential to cause significant digital harm. Security Affairs further delved into the case's specifics, providing insights into the legal aspects and the implications for future cybercrime prosecutions.

The GTA 6 hacker's sentence serves as an urgent alert regarding the evolving nature of cyber threats and the steps law enforcement must take to protect the public from those seeking to take advantage of technological weaknesses. The life sentence in a secure facility emphasizes how dangerous people who possess sophisticated hacking abilities and a strong desire to commit cybercrime again pose.


Read more »
youth crime
Cyber Crime FBI hacking ring LAPSUS$ The Com The Community youth crime

The Com: Youth Hacking Ring Executing High-profile Cybercrimes


A new threat actor community recently came to light. carrying out some malicious cyberattacks.

The online community, labelled as ‘the Com,’ apparently consist of young skilled hackers who are carrying out sophisticated campaigns and high-profile breaches. 

The hackers, who are primarily teenagers and young adults are not only executing malicious attacks but also bragging about their operations in a language filled with racist and misogynistic slurs. 

The cybersecurity researchers, who have been studying and monitoring the Com activities have urged policymakers and the cybersecurity community to confront the issue more seriously and take strong actions against the youth-led cybercrime group. While, in comparison to cybercriminal networks, state-backed hackers build a more high-profile case, recent instances of breaches led by new-generation hackers shall not be underestimated. 

One of the instances being the high-profile breach that recently shook the operations of Las Vegas resorts, including Caesars Entertainment and MGM Resorts is believed to be the doing of threat actors called “Star Fraud,” one of the subgroups of the Com. These assaults show how dangerous and serious the larger Com ecosystem is. 

The Caesars and MGM attacks were attributed to ALPHV, a Russian-based ransomware-as-a-service organization related to other attacks. The moniker "Scattered Spider," which has been linked to the attacks, is inaccurate, according to the researchers at the LABScon conference, as it combines a number of competing organizations from the Com ecosystem. Despite having similar strategies, these groups are different and might even face off against one another.

However, this does not stop here. In the past two years, some members of the threat group behind cyberattacks in corporate giants like Nvidia, Samsung, and Microsoft – Lapsus$ – are believed to have originated from the Com ecosystem. 

This incident further highlighted the reach of cybercrime on young minds. In August 2023, a Cyber Safety Review Board report on Lapsus$ suggested an investigation to Congress to explore funding programs in order to prevent juvenile cybercrime. 

In regards to the issue, the FBI has also conducted an investigation on the individuals linked with the Com for alleged cybercrime activities. 

The Com has been connected to a number of illegal activities, including swatting, SIM swapping, bitcoin theft, and even real-world assault. These young cybercriminals are skilled at social engineering, taking advantage of their fluency in English to trick IT support desks and steal crucial company credentials.

The researchers also caution that these young hackers are now working together with international ransomware syndicates, which have a history of extorting millions of dollars globally. The question of how harmful online communities can radicalize children is comparable to how Com plays a role in luring young hackers into a life of cybercrime. The researchers contend that the radicalization these hackers experience is focused on cybercrime and evolving into their worst selves.  

Read more »
uber
Data Breach Data Theft LAPSUS$ New Technology Online crimes uber

Former Uber CSO Convicted for Covering up 2016 Data Breach

 

Uber's former chief security officer, Joe Sullivan, has been found guilty of illegally trying to cover up a 2016 data breach in which threat actors accessed 57 million Uber drivers' and customers' sensitive credentials. 

Sullivan is a former cybercrime prosecutor officer of the US Department of Justice. A federal jury in San Francisco convicted him of obstructing justice and misprision – concealing a felony from law enforcement. 

On November 21, 2017, Uber CEO Dara Khosrowshahi released a statement in which he acknowledged that miscreants had broken into the app giant's infrastructure and made off with 57 million customer and driver records. As a result of it Sullivan, along with legal director of security and law enforcement Craig Clark was fired. 

"Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber," the U.S. attorney's office said. 

Sullivan’s trial began days before when the news broke that Uber had been hacked again. Uber said the group of hackers LAPSUS$  is running a campaign against Uber. 

The group accessed and stole data of an employee’s login credential to gain wide-ranging access to Uber’s internal systems including the company’s Amazon Web Services console, Google Workspace admin dashboard for managing the Uber email accounts, VMware vSphere/ESXi virtual machines, Slack server, and bug bounty program portal. However, Uber confirmed that the hackers did not gain access to the sensitive data of customers. 

In the case of the 2016 data breach, Uber had to make two $50,000 payments to the intruders in December 2016. A month later, after managing to identify one of the attackers from the group, an Uber representative met the man in Florida and had him sign a confidentiality agreement. 

"Technology companies in the Northern District of California collect and store vast amounts of data from users. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” U.S. Attorney Stephanie M. Hinds said in a statement.
Read more »
User Privacy
Cyber Crime Flashpoint LAPSUS$ Online Gaming uber United Kingdom User Privacy

Teen Hacking Suspect Arrested by London Police for GTA 6 and Uber Breach

A 17-year-old Oxfordshire kid was detained on suspicion of hacking, according to information released by the City of London Police on Friday.

According to experts, the recent security breaches at Uber and Rockstar Games may have something to do with the arrest.

On September 18, a cyber threat actor identified as the 'teapotuberhacker' claimed to have hacked Rockstar Games, the company behind the well-known and contentious Grand Theft Auto (GTA) franchise, in a post on GTAForums.com. Teapotuberhacker claimed to have taken 90 movies of alpha material and the source code for Grand Theft Auto VI and its predecessor GTA V from Rockstar in that post, which has since been removed.

Notably, a 17-year-old Oxford boy was among the seven minors who were detained. The Oxford teenager was detained after other hackers posted his name and address online. The boy had two internet aliases: 'Breachbase' and 'White'. According to the reports, the boy had earned about $14 million via data theft. 

Further information concerning the inquiry was kept under wraps by the UK authorities. 

Seven adolescents were detained and later freed by City of London police in connection with a probe into the Lapsus$ hacking organization this spring.

Uber released more information regarding the latest security breach earlier this week. According to the firm, the threat actor responsible for the intrusion is connected to the LAPSUS$ hacker organization.

Flashpoint, a security company, presented a report of the Grand Theft Auto VI data breach this week and disclosed that the name of the hacker responsible for the two attacks had been made public on a dark web forum.

The forum administrator claimed that teapotuberhacker was the same guy who had allegedly hacked Microsoft and owned Doxbin in the debate, which was titled 'The Person Who Hacked GTA 6 and Uber is Arion,' according to the story that was published by FlashPoint.

If these claims are true, which is not entirely apparent, it will assist in explaining the most recent incident that law police conducted.
Read more »
VPN
Cisco Data Breach LAPSUS$ MFA Russian Hackers Supply Chain Attack VPN

Ransomware Exposed Stolen Data From Cisco on Dark Web

Yanluowang ransomware Gang has published Cisco Systems' stolen data on the dark web and following the data leak, Cisco confirmed that the data was stolen from its network during an intrusion that took place in May. 

Cisco Security Incident Response (CSIRT) conducted an investigation wherein it was found that the attackers acquired control of a personal Google account that had the credentials saved in the browser. The threat actors compromised these credentials to launch voice phishing attacks. The idea behind the attacks was to lure the targeted employee into accepting the MFA notification. 

Cisco revealed in a report published in August that the firm's networks had been infiltrated by the Yanluowang ransomware after hackers gained access to an employee's VPN account. The company further asserted that the only information taken was employee login information from Active Directory and non-sensitive files saved in a Box account.

Once the threat actors obtained the employee's Cisco credentials, the hackers employed social engineering and other techniques to get beyond multi-factor authentication (MFA) and gather more data.

After gaining initial access, the hackers registered a list of new devices for MFA, authenticated effectively to the Cisco VPN, and dropped multiple tools in the victim network including RATs such as LogMeIn, TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket, as per Security Affairs. 

Over the weekend, Cisco said in an update that "the content of these files matched what we have detected and released.  We continue to see no effect on the business, including Cisco goods or services, confidential customer data or sensitive employee data, copyrights, or supply chain activities, which is consistent with our previous examination of this incident."

The researchers at the cybersecurity firm eSentire linked Yanluowang with "Evil Corp" (UNC2165), the Lapsus$ gang, and FiveHands malware (UNC2447).

The hacked Google account of an employee that had enabled password synchronization through Google Chrome and saved their Cisco details in the browser allowed the thieves to initially access the Cisco VPN.

The leader of Yanluowang ransomware told BleepingComputer that they had stolen thousands of files totaling 55GB from a cache that contained sensitive information including technical schematics and source code. The hacker did not offer any evidence. The only thing they provided was a screenshot showing access to what seemed like a development system. 

Erich Kron, security awareness advocate at security awareness training company KnowBe4 implies that it goes unsaid that Cisco decided against paying the ransom demanded by the ransomware group, which resulted in the stolen data being posted. 


Read more »
Subscribe to: Comments (Atom)