Programming code flowing showing Lapsus$ hackers stole source code in data breach

Lapsus$ Hackers Published 70GB of Source Code Stolen in the Globant Data Breach

Globant confirmed a data breach after Lapsus$ hackers claimed to have stolen 70GB of source code from the company. In the United States Securities and Exchange Commission (SEC) filing, the company said it detected authorized access to a “limited section” of its code repository for a “very limited number of clients.”

Screenshots shared by the Lapsus$ hacking group suggested that the leaked customer source code belonged to companies like Apple and Facebook, DHL, Fortune, CSpan, and Arcserve.

Founded in Argentina, Globant has over 23,000 employees in 18 countries, including the US, the UK, Canada, France, Germany, India, Brazil, and Belarus. With its global headquarters are in Luxembourg City, Luxembourg, the company earned revenue of $1.2 billion in 2021, a 63% year-on-year increase. Its customers include Electronic Arts, Google, Rockwell Automation, Autodesk, Santander, Interbank, and Metropolitan Police.

Lapsus$ hackers stole security tokens, third-party API and Azure keys in the Globant hack

Lapsus$ hackers published 70GB of source code that was allegedly stolen from Globant customers.

Additionally, the group published usernames and passwords for various Globant software development, review, and collaboration platforms such as GitHub, Jira, Confluence, and Crucible. The data breach also exposed 7,000 resumes and leaked 150 SQL databases, according to SOS Intelligence. The UK-based threat intelligence firm also says the Globant data breach exposed “TLS certificate private keys and chains, Azure keys and API keys for 3rd-party services.”

“For anyone who is interested about the poor security practices in use at i will expose the admin credentials for ALL there DevOps platforms below,” the hackers posted after the Globant data breach.

SOS Intelligence also confirmed the authenticity of the leaked source code, describing the data stolen by Lapsus$ hackers as “very sensitive information.”

Globant confirms a Lapsus$ data breach affecting a “limited number of customers”

Globant has confirmed that its code repositories were accessed by third parties, thus validating Lapsus$ hackers’ claims.

“We have recently detected that a limited section of our company’s code repository has been subject to unauthorized access.”

The company added that it activated its security protocols and commenced an exhaustive investigation.

However, the company clarified that the information “accessed was limited to certain source code and project-related documentation for a very limited number of clients.”

Additionally, Globant did not have evidence that other areas of its infrastructure systems or those of its clients were affected.

It’s unclear how Lapsus$ hackers breached software giant Globant SAS. However, cybersecurity expert Soufiane Tahiri claimed that the data breach originated from an official employee’s account in Bogota, Colombia.

Neil Jones, director of cybersecurity evangelism at Egnyte, said that Globant’s data breach was a stark reminder that “your data protection is only as good as the business partner(s) you choose.” Jones advised companies to protect their clients’ sensitive information, such as source code, as theirs.

“Data exfiltration incidents appear to be surpassing ransomware attacks as the primary cyberattack vector in 2022,” Jones added. “Although it’s reassuring that Lapsus$ has been added to the FBI’s Most Wanted List, utilization of Multi-Factor Authentication (MFA) technology and implementation of technology that detects suspicious log-ins from unanticipated geographical regions can significantly reduce the risk of such attacks.”

Recently, Lapsus$ hackers claimed several victims, including Microsoft, Samsung, Vodafone, Okta, Ubisoft, and Nvidia. The sloppy juvenile extortion group was also suspected in the Electronic Arts (EA) FIFA 2021 source code data leak.

With a high affinity for source code, the hacking group targets major tech companies and rarely deploys ransomware. It relies on social engineering tactics, SIM card swapping, and paying insiders.

Known for making unusual demands, Lapsus$ hackers rely on naming and shaming their victims to force ransom payment or revenge.

The attention-seeking group operates a telegram channel for communication, public recruitment, and data breach announcements. In March, it announced the recruitment of insiders to assist in compromising major technology and telecommunication companies, server hosts, and call center operators.

Meanwhile, authorities in the UK announced the arrest and release of seven individuals between 16 and 21 suspected of association with the group. Similarly, the FBI added the group to its list of the “Most Wanted” and requested the public to help identify the suspects.

The group announced that some of its members were on a holiday after the London arrests and reported their return after they were released. Similarly, the Globant data breach coincided with their return from “holiday.”

“It’s not surprising Lapsus$ resurfaced so quickly after going on a short hiatus,” Ken Westin, Director, Security Strategy at Cybereason. “While London police arrested seven members of Lapsus$ last week, all were released as their investigation into reported hacks against Okta, Samsung, Microsoft, Nvidia, amongst others were making headlines.”

Once believed to be a Portuguese-speaking cybercrime gang, Lapsus$ has expanded globally and recruited many affiliates. It currently consists of Russian, English, Turkish, and German speakers.

“Cybercrime groups, like hacktivist groups, often work in a decentralized fashion, with many members not even knowing each other’s true identities,” Westin added. “The fact this group is made up of members in many different countries presents challenges for law enforcement as they will need to collaborate with different countries with varying levels of capabilities to go after the perpetrators.”

During the Russian invasion of Ukraine, the group clarified that global geopolitics do not influence its activities. Similarly, many security experts believe the mostly-teenage hacking gang is driven by notoriety and fame.