Texas-based American cybersecurity company CrowdStrike has reportedly fired an employee who was accused of leaking inside information to a cybercrime group that recently claimed responsibility for a corporate breach involving systems connected to Salesforce.
The security firm fired the “insider” after it was discovered that he was working with a group known as the Scattered Lapsus$ Hunters. The group began publishing alleged internal screenshots on its Telegram channel late Thursday and Friday morning.
Scattered Lapsus$ published several images showing dashboards linked to company resources, including the Okta panel that employees use to access internal applications. The hackers claimed the screenshots were from a compromised employee and were evidence of their successful infiltration of CrowdStrike after hacking Gainsight earlier this week.
CrowdStrike and Gainsight are still investigating the stolen information
CrowdStrike says the hacking group’s claims and images on Telegram are of an employee who shared an unauthorized screen photo with an outside party, and that there was no compromise of its systems.
“Our systems were never compromised and our customers remained protected at all times,” CrowdStrike spokesperson Kevin Benacci told the news publication TechCrunch. He added that after the company blocked the insider’s access, it “handed over the incident to the relevant law enforcement agencies.”
CrowdStrike quickly fired the employee after confirming that they had “shared photos of their computer screens externally,” and said the claims circulating on hacker channels were “false.”
Salesforce confirms customer data breach
On Friday morning, Salesforce updated its incident page to announce that the breach had caused “connectivity failures” affecting some customers. The attacker had accessed “Salesforce data for specific customers,” but it was not specified which organizations were affected.
Salesforce said the breach occurred through an application developed by Gainsight, which provides customer support and analytics services.
Later that day, Austin Larsen, lead threat analyst for cybersecurity in Google’s Threat Intelligence Group, said the company was “aware of more than 200 Salesforce instances that may be affected.”
Scattered Lapsus$ Hunters publicly claimed responsibility for accessing data through Gainsight’s integration and used the stolen information to target other business customers.
A spokesperson for ShinyHunters, one of the groups within the collective, boasted that “Gainsight is a customer of Salesloft Drift and they were affected and therefore completely compromised by us.”
Gainsight has published updates on its incident page since the attack became public. The company announced Friday that it has asked Mandiant, Google’s incident response arm, to help investigate the breach.
Salesforce also notified customers whose data was stolen and temporarily revoked active access tokens for apps connected to Gainsight as a precaution, according to the company’s public update.
“Customers using Hubspot may notice that the Gainsight app has been temporarily removed from the Hubspot Marketplace as a precautionary measure. This may also impact OAuth access for customer connections while a review is conducted. After a thorough review, we will work with Hubspot towards relisting,” said one progress report published Thursday.
The Scattered Lapsus$ family is responsible for several high-profile breaches
Scattered Lapsus$ Hunters is a collaboration formed by several English-speaking cybercrime groups, including ShinyHunters, Scattered Spider, and Lapsus$. The group has become notorious for using social engineering techniques to trick employees into revealing login details, granting remote access, and approving authentication prompts.
Among its list of “conquests,” the group has so far included MGM Resorts, Coinbase, DoorDash, Workday, Aflac insurance and other large companies. Back in October, Scattered Lapsus$ Hunters claimed to have stolen over 1 billion records from companies that use Salesforce to manage customer information.
They disclosed that they had leaked directory listing data from insurance company Allianz Life, airline Qantas, car manufacturer Stellantis, TransUnion, employee management platform Workday, and others.
Over the past year and a half, the Scattered Lapsus$ family has also claimed responsibility for incidents at Atlassian, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
The hackers said on their Telegram channel that they plan to launch a new extortion website next week for companies affected by the operation.
“The next data breach site will include data from Salesloft and GainSight campaigns,” the hackers told DataBreaches.net.