A threat actor supposedly formed of members of known hacking groups has claimed the theft of large amounts of data from dozens of Salesforce customers.
Calling themselves Scattered LAPSUS$ Hunters, the miscreants appear to be members of the notorious Lapsus$, Scattered Spider, and ShinyHunters groups.
Lapsus$ has been inactive since 2022, when Scattered Spider emerged. ShinyHunters first appeared in 2020 and joined forces with Scattered Spider earlier this year. They jointly announced their retirement last month.
On a new Tor-based leak site, Scattered LAPSUS$ Hunters has listed 39 organizations targeted in their recent Salesforce campaign, claiming the theft of their data from Salesforce instances and threatening to leak it unless the CRM provider pays a ransom.
The list includes known brands such as Adidas, Air France/KLM, Allianz Life, Cisco, Dior, Disney, FedEx, Google, Home Depot, Kering, Louis Vuitton, Qantas, Stellantis, Toyota, TransUnion, UPS, and Workday.
The hackers, who claim the theft of a total of roughly 1 billion records from the affected organizations’ Salesforce instances, told DataBreaches that other businesses have been hit as well, but are not listed on the site.
In a notice on its website, Salesforce said it had no indication that its platform might have been hacked, and that the group’s claims do not appear related to vulnerabilities in its platform.
“We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” Salesforce said.
As AppOmni co-founder and CTO Brian Soby points out, Scattered Spider and ShinyHunters' retirement was short-lived, and the group is now trying to extort not only the victim organizations but also Salesforce itself.
“They claim they will collaborate with plaintiffs in ongoing lawsuits against Salesforce over recent breaches unless Salesforce pays them directly,” Soby said.
“This tactic is unusual. To our knowledge, it is the first time an attacker has threatened to participate in or leverage existing litigation against the vendor of a compromised platform and its native security tools as part of an extortion campaign,” he added.
Soby also pointed out that the hackers most likely compromised the Salesforce instances through social engineering and stolen credentials, which shows that many organizations have not put in place the tools and practices needed to meet their Shared Responsibility obligations.
“What is novel here is the attempt to frame alleged negligence not just against customers, but against the vendor and its native, first-party security tools,” Soby added.