3rd Party Risk Management , Cybercrime , Cybercrime as-a-service
Update: Globant Says System Accessed by Unauthorized ActorOn Wednesday, Lapsus$ Claimed to Have Leaked 70GB of Globant Data
On Wednesday, days after the U.K. police initiated a crackdown with arrests of alleged members of the hacker group Lapsus$, the group said it has returned from a "vacation" to leak more critical data.
This time Lapsus$ has leaked on its Telegram channel 70GB of data associated with the Luxembourg-based software development company Globant. It also appears to have leaked credentials of several DevOps platforms belonging to the company, including Jira, Confluence, Crucible and GitHub.
The threat group shared screenshots of a file directory that contains names of several companies, including tech giants Facebook, the Apple Health app, DHL, Citibank and BNP Paribas Cardiff, among others.
Putting to rest debate on the content in the folders, Globant on Thursday confirmed that an undisclosed actor has illegally accessed the company's code repository, containing source code associated with some of its clients.
"We have recently detected that a limited section of our company's code repository has been subject to unauthorized access. We have activated our security protocols and are conducting an exhaustive investigation," Globant says.
"According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected," it adds.
Globant says it is "taking strict measures to prevent further incidents," but did not immediately respond to Information Security Media Group's request for details on the measures taken and whether outside investigators were involved at this point.
In a follow-up post on Lapsus$'s Telegram channel on Wednesday, its operators attached a 718.8 KB torrent file that allegedly contains the claimed data. The post says: "Leak of some customers source code from Globant[.]com corp GHE and GHE." This suggests that Globant's source code may not be directly affected, but the source code of the software provided to its customers might still be at risk.
Globant has listed 28 high-profile clients, from sectors including the Metropolitan Police, EA, Santander, Argentina's Health Ministry and Royal Caribbean, among others, on its website. None of them has confirmed a breach or offered additional details to Information Security Media Group at the time of this writing.
Kevin Beaumont, a former Microsoft threat analyst who now heads the security operations center for Arcadia Group, also confirmed the leak in a tweet. He says: "LAPSUS are back doing attacks. This time releasing some source code for Alphabet, Apple, Facebook, etc. via a supplier."
DevOps Credentials Also Leaked
Instances of Lapsus$ claiming the leak of alleged source code are not new. Recently, the group has claimed to have compromised and posted the source code of Microsoft, Samsung, Nvidia and - the latest - Okta.
But the threat actor did not previously directly post credentials of any of the accounts it claims to have breached. This latest incident seems to show a change in direction, as the group claims to have leaked admin credentials used by Globant for its DevOps platforms.
VX-Underground, an organization that analyzes malware samples and trends, citing information from Dominic Alvieri, a security researcher, tweets that Lapsus$ seems to have thrown the system admins of Globant under the bus by exposing their passwords to Confluence and other DevOps platforms, among others. Alvieri says these passwords are "very easily guessable and used multiple times."
Despite a series of arrests from UK authorities LAPSUS$ extortion group continues operations.— vx-underground (@vxunderground) March 30, 2022
LAPSUS$ has leaked 70GB of material from @Globant, a large software development company based in Luxembourg
Intel and photos courtesy of @AlvieriD pic.twitter.com/We9Jcm57iE
ISMG reviewed the Telegram post that displays the credentials and found that a similar-looking password has been reused for the Confluence and Jira platforms, and the one used in GitHub appears similar to ones on the list of 200 most commonly used passwords.
The Colombian Connection
Lapsus$ is popularly known to use compromised employee accounts for leaking sensitive data and the victim's source code, based on the previous instances. Soufiane Tahiri, an independent cybersecurity researcher, tweeted that data analyzed from the Globant leak suggests that the leak may have started through a compromised employee account from Bogota, the capital city of Colombia, where Globant has an office.
Most of what I'm seeing for now, from this #Globant leak, points toward Colombia. If this leak comes from a compromised employee account (as #Lapsus tended to use) I bet on Globant offices in Bogota. pic.twitter.com/5GA7r2dzDW— Soufiane Tahiri (@S0ufi4n3) March 30, 2022
The time stamp seen in most of the code that Tahiri highlights contains the "America/Bogota" time zone, and the default city option is set to "Bogota."
FBI Seeks Info on Lapsus$
Considering the recent spate of data and source code leak incidents linked to the Lapsus$ group and its focus on high-profile tech companies in the U.S., the FBI is seeking information on the identities of the individuals in the threat group.
The notice says: "The Federal Bureau of Investigation (FBI) is asking the public for assistance in an investigation involving the compromise of computer networks belonging to United States-based technology companies."
Citing the Okta and LG Electronics leaks, the FBI adds, "On March 21, 2022, individuals from a group identifying themselves as Lapsus$ posted on a social media platform and alleged to have stolen source code from a number of United States-based technology companies. These unidentified individuals took credit for both the theft and dissemination of proprietary data that they claim to have illegally obtained. The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions."
Tips can be provided to officers at the FBI's local area field office or the nearest American embassy or consulate.
This is a developing story. Further updates will be published as they become available.