Notorious hacking group ShinyHunters has confirmed that it is working with infamous hacking collective Scattered Spider, alongside Lapsus$, and has teased a massive number of leaks following its major Salesforce hacking campaign.
ShinyHunters revealed over the weekend that it was working with two other threat actors, Scattered Spider and Lapsus$, confirming Cyber Daily’s suspicion that there was overlap between ShinyHunters and Scattered Spider.
"They provide us with initial access and we conduct the dump and exfiltration of the Salesforce CRM instances. Just like we did with Snowflake," said ShinyHunters regarding Scattered Spider.
The groups formed a Telegram channel named "ScatteredLapsuSp1d3rHunters", in which they taunted cyber professionals, law enforcement and journalists, while also teasing leaks for a number of major organisations.
While the Telegram channel has been taken down, FalconFeeds.io observed that Cartier, Chanel, Gucci, Subaru, Qantas, WestJet, Victoria’s Secret, Zomato, Royal Dutch Airlines, Coinbase, Aflac, Erie Insurance, Banco Santander and many more would be potentially leaked. Based on screenshotted messages, the group says it has 91 victims.
The group also said it had breached several governments and government agencies, including the US Department of Homeland Security, the UK Ministry of Justice and a number of agencies in France, Brazil, India and England.
Lapsus$ specifically threatened the Ministry of Justice, demanding the release of “Jared Antwon and all the other fallen soldiers of Lapsus$”, and said that it would otherwise “leak all the github repositories and the legal aid…database”.
The group also leaked a database of Allianz Life, which it said was already available for free online.
“This is a public database that’s available for free online via searching the internet, this is not private records, the meaning of ‘leak’ in this context is to give a download link to make it accessible,” the group wrote.
According to BleepingComputer, the files contained database tables for Allianz Life ‘Accounts’ and ‘Contacts’ and together contained 2.8 million records pertaining to customers and business partners.
Within this were names, addresses, dates of birth, phone numbers, Tax ID numbers as well as other business information and professional data. BleepingComputer says it has verified the data as accurate.
Similarly, the group leaked a Salesforce database of Coca-Cola’s Europacific partners, which it once again said was already publicly accessible and free.
A new ransomware supergroup
The mass leak performed by ShinyHunters, now Scattered Lapsu$ Hunters, is nothing new for the former threat actor, which performed similar mass leaks during a Snowflake cyber campaign.
The group also told BleepingComputer that the Salesforce campaign is ongoing, meaning new victims not yet known about are likely to appear, just as many were revealed in the Telegram channel.
A number of these victims were believed to have been breached by Scattered Spider, before experts began attributing the attacks to Scattered Spider, leading to Cyber Daily suspecting that a connection had been established between the two, particularly as the companies breached had not been publicly disclosed by the threat actor, a staple of both organisations.
The group also appears to be taking the cross threat actor alliance to a new level, now advertising a new Ransomware-as-a-Service (RaaS) called “SHINYSP1D3R”, which it claims to be better than rival RaaS offerings.
The group specifically called out LockBit and DragonForce, and heavily pushed their claimed access to an inventory of 0-day and 1-day vulnerabilities.
“DRAGONFORCE AND LOCKBIT IS NOTHING COMPARED TO SHINYSP1D3R UPCOMING RAAS!!!!!!!!!!!!!,” the group said.
In just a few days, Scattered Lapsu$ Hunters has captured media attention and made a huge impact on the current cybercrime market, showing off the massive power it has and the huge list of victims it has already affected. The group has marketed itself as the new powerhouse in ransomware and cybercrime, and seems to be able to back that up.
However, with all this gloating and marketing comes major interest from law enforcement, and the group's failure to lie low may see global law enforcement forces gear up to take on the new big bad wolf.
All three organisations have had members arrested for their activity, most notably ShinyHunters, which had a key member from notorious hacking forum BreachForums arrested in June.