A new Telegram channel combining the names of the well-known threat actor groups Shiny Hunters, Scattered Spider, and Lapsus$ emerged on Friday afternoon, marking a brazen escalation in cyberthreat activity.
This platform, potentially short-lived due to Telegram’s moderation policies, has rapidly disseminated evidence of multiple data breaches, partial data leaks, and extortion demands within its first 24 hours.
Unlike traditional leak channels that offer succinct breach announcements followed by data dumps or sales links, this channel intersperses partial disclosures with memes, commentary, and direct threats, creating a chaotic yet revealing narrative of ongoing cyber intrusions.
Rapid Emergence of Extortion Threats
The threat actors have leaked sensitive legal documents, including court filings from Qantas and the Legal Aid Agency injunctions against Shiny Hunters, a subpoena served on Google, and a mutual legal assistance request from France to Moldova, alongside Shiny Hunters’ responses to extortion-related communications.
Technical analysis of the posts reveals a focus on previously disclosed incidents, now explicitly attributed to Scattered Spider’s operations.
For instance, a screenshot from Victoria’s Secret’s administrative console confirms the group’s involvement in the May breach, previously unattributed, with customer data offered for sale.
Similarly, a sample dataset from Gucci, encompassing 100 records with personally identifiable information (PII) such as names, age ranges, birthdates, email addresses, and mobile numbers, marks a novel exposure for the Kering-owned luxury brand.
According to the report, the channel also advertises a complete Neiman Marcus database from the 2024 Snowflake campaign for 1 BTC, featuring CSV file listings indicative of extensive exfiltration.
Additional posts reference breaches at Chanel, with negotiation screenshots tied to the recent Salesforce campaign, alongside mentions of Disney, AirFrance, Archive.org, S&P Global, T-Mobile, Nvidia, Otelier, Coinbase, Burger King Brazil, Adidas, and Cisco, many of them linked to prior Salesforce and Snowflake exploit chains.
Government Targets
Extending beyond corporate victims, the channel highlights intrusions into governmental entities, including the governments of England, France, Brazil, and India, as well as Brazilian police and judicial systems.
A particularly aggressive stance targets the U.S. Department of Homeland Security (DHS), with posted proofs-of-claim suggesting repeated compromises, including a message claiming “@chinahunterz just popped the DHS again.”
Scattered Spider has issued ultimatums, threatening to release all data from the U.K. Ministry of Justice’s Legal Aid Agency unless arrested member Jared Antwon is freed, amid frustration over recent U.K. arrests.
The group also teases advanced malware development, proclaiming an upcoming kernel-level ESXi locker under a ShinySp1d3r ransomware-as-a-service (RaaS) model, dismissing competitors like DragonForce and LockBit as inferior.
In a nod to future campaigns, references to “Snowflake 3.0” echo Shiny Hunters’ statements about launching more sophisticated attacks, targeting Fortune 500 sectors such as retail, insurance, aviation, finance, and hospitality.
A direct extortion message to Salesforce CEO Marc Benioff demands 20 BTC to withhold leaks from 91 organizations, leveraging the executive’s wealth against the threat of widespread data exposure.
This impulsive barrage portrays the actors as defiant juveniles challenging global entities, yet their technical prowess, evidenced by breaches that have gone unchallenged, underscores a persistent cybersecurity weakness.
As the channel persists, further disclosures could amplify the risk, underscoring the need for enhanced threat intelligence and incident response protocols across the affected industries.