We’ve been tracking what Lapsus$ have been doing and we’ve been analysing the data from the latest breaches. Like most hacking collectives SOS Intelligence has been aware of and tracking the activity of the LAPSUS$ group for some time.

The group has contributed to some high profile and impact breaches in the last few months. They have been utilising what could be considered as fairly “low tech” methods to gain a foothold on their targets. Using our multi-faceted intelligence collection pipelines we are able to keep a track of the groups activities and announcements.

This time, the data included a large amount of GitHub source code that appears to belong to Globant, a major company with over 16000 employees and and $1.2 billion in revenue for 2021. This is with a number of repositories that contain “very sensitive information” such as TLS certificate private keys and chains, Azure keys and API keys for 3rd-party services.

TechCrunch have written about this and we were quoted on their article:

SOS Intelligence, a U.K-based threat intelligence provider that analyzed the leaked data, told TechCrunch that “the leak is legitimate and very significant, as far as Globant and Globant impacted customers are concerned.”

Techcrunch, March 30th 2022

Lapsus$ were only just in the news days ago with an Oxford teen accused of being multi-millionaire cyber-criminal connected with the group. Joe Tidy has an excellent article of what happened and how the teen in question was “doxxed” over on the BBC.

ITPro also cover this with comment from ourselves:

“From the paths I have looked at so far it looks like legitimate source code for mobile apps,” said Amir Hadžipašić, CEO and founder of SOS Intelligence to IT Pro. “It looks like there are internal microsites and data for them too, CVs and other personal information.

“That’s not all, they have full private keys for certs in most of the directories,” he added. “That there would be enough for me to stand up a website and serve their SSL and it be valid.”

IT Pro, 30th March 2022

Last but not least, we spoke to Bleeping Computer who have also covered this:

“In terms of legitimacy, going just by volume alone it’s hard to fabricate that amount of data – however samples of the data have been cross referenced with live systems and other methods that show the leak is legitimate and very significant as far as Globant and Globant’s impacted customers are concerned”.

Bleeping Computer, March 30 2022

For any size organisation, we help you sleep easier by giving you real time alerts of key phrases, emails and domains that appear on the Dark Web. For a demo, click here and we look forward to helping you.

Photo by Clint Patterson on Unsplash.