Lapsus$ extortion gang pulls new heist, say researchers • The Register


03/30/2022


Updated Extortion gang Lapsus$ may be back at work, despite the arrest of seven alleged operatives.

VX-Underground – an organization that analyzes malware samples and trends – has shared evidence it states was sourced from security researcher Dominic Alvieri, detailing an intrusion of Luxembourg-based software development consultancy Globant. The consultancy boasts of working for over thirty major clients across the public and private sectors.

The screenshots in the tweets above depict folders titled “Facebook”, “apple-health-app”, and others naming mega-corps DHL, Citibank, and BNP Paribas. Whether the folders are evidence of client data or source code being exposed is unknown, but the mere fact that internal files appear to have been exposed is embarrassing. Another depicted folder is titled “Arcserve” – perhaps indicating work for the data management vendor of the same name, or possibly just Globant’s backups.

The Register has sought comment from Globant.

Okta still under the microscope

Lapsus$, meanwhile, continues to cause trouble for single-sign-on-as-a-service outfit Okta, as new information about the gang’s attack has emerged.

Security researcher Bill Demirkapi, who revealed some evidence of Lapsus$’s heist of Nvidia data, has revealed what he claims is a Mandiant-prepared incident report detailing the attack on Sitel – the outsourced tech support provider engaged by Okta, and which was the entity breached by Lapsus$.

The document above contains a log of what looks like the attack on Sitel, and details a login over RDP followed by a Bing search for “Privilege escalation tools on GitHub” from a compromised machine. There’s also evidence of malware downloads, termination of security software processes, and further skulduggery.
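The chain described above (a remote-desktop logon, a web search for privilege-escalation tooling, then a security-tool process being killed on the same host) is a sequence that endpoint and proxy telemetry can be correlated on. The following is an added example written for this page, not the Mandiant report's or Sitel's own detection logic: it runs a simple per-host correlation over a few constructed log lines. The key=value log format, the field names, the Windows event IDs used (4624 with logon type 10 for RDP, 4688 for process creation), the two-hour window, and the watchlist of security-product process names are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample telemetry, not taken from any real incident report.
# One event per line: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2022-01-20T23:47:12Z host=WS-A event=4624 logon_type=10 user=contractor src_ip=203.0.113.5
2022-01-20T23:55:03Z host=WS-A event=web url=https://www.bing.com/search?q=Privilege+escalation+tools+on+GitHub
2022-01-21T00:02:41Z host=WS-A event=4688 image=C:\\Windows\\System32\\taskkill.exe cmdline="taskkill /F /IM MsMpEng.exe"
2022-01-21T08:15:00Z host=WS-B event=4624 logon_type=10 user=admin src_ip=10.0.0.9
2022-01-21T08:20:30Z host=WS-B event=web url=https://www.bing.com/search?q=excel+pivot+table
2022-01-21T09:00:00Z host=WS-C event=4688 image=C:\\Windows\\System32\\taskkill.exe cmdline="taskkill /F /IM notepad.exe"
"""

# Search terms and process watchlist are illustrative assumptions, not a vendor list.
PRIVESC_TERMS = ("privilege escalation", "privesc", "winpeas", "bypass uac")
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into a dict; quoted values keep embedded spaces."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def search_query(url):
    """Return the lower-cased 'q' parameter of a search URL, or '' if absent."""
    qs = parse_qs(urlparse(url).query)
    return (qs.get("q") or [""])[0].lower()


def killed_process(cmdline):
    """Extract the image name from a 'taskkill /IM <name>' command line."""
    m = re.search(r"/IM\s+(\S+)", cmdline, re.IGNORECASE)
    return m.group(1).lower() if m else None


def detect(log_text, window=timedelta(hours=2)):
    """Alert when an RDP logon on a host is followed, within the window, by both
    a privilege-escalation web search and the killing of a watchlisted process."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_host[ev["host"]].append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            # Anchor on a RemoteInteractive (RDP) logon, event 4624 / type 10.
            if ev.get("event") != "4624" or ev.get("logon_type") != "10":
                continue
            later = [e for e in events[i + 1:] if e["ts"] - ev["ts"] <= window]
            searched = any(
                e.get("event") == "web"
                and any(t in search_query(e.get("url", "")) for t in PRIVESC_TERMS)
                for e in later
            )
            killed = [
                killed_process(e.get("cmdline", ""))
                for e in later if e.get("event") == "4688"
            ]
            killed = [p for p in killed if p in SECURITY_PROCESSES]
            if searched and killed:
                alerts.append({
                    "host": host,
                    "user": ev.get("user"),
                    "src_ip": ev.get("src_ip"),
                    "logon_at": ev["ts"].isoformat(),
                    "killed": killed,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only WS-A trips the rule: WS-B has an RDP logon and a search, but the query is benign and nothing is killed, and WS-C kills a non-watchlisted process with no preceding RDP logon. Requiring all three stages on one host inside a window is what keeps the rule from firing on every administrator who opens a remote desktop session.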

The researcher also appears to have shared this info with the media. One report claims Demirkapi provided documents that detail the attack on Sitel, and that among that dossier is analysis suggesting a file named “DomAdmins-LastPass.xlsx” was accessed by Lapsus$.

LastPass is a popular password management application, and “DomAdmins” could be shorthand for “Domain Administrators”. Sitel says the file did not contain passwords. Other information seemingly unearthed by Demirkapi mentions superuser access to files, which is alarming.

The Register asked Okta about the documents Demirkapi published.

“We are aware of the public disclosure of what appears to be a portion of a report Sitel prepared regarding its incident,” a spokesperson told us. “This report is not specific to the services Sitel provides to Okta. Its content is consistent with the chronology we have disclosed regarding the January 2022 compromise at Sitel.”

The response adds that “Okta is fiercely committed to our customers’ security” – but not so fierce that it went to code red once it learned of the Lapsus$ attack.

Indeed, Okta first stated the attack posed no threat to customers, then later admitted some customers’ data “may have been viewed or acted upon”. The company later issued advice that no customer credentials could have been compromised by the attack, and an apology for not taking the incident seriously enough in the days after its discovery by Sitel.

Okta has stated it first saw a version of the report commissioned by Sitel on March 17, but did not communicate the attack to clients. Lapsus$ disclosed its attack on March 22, and Okta acknowledged it on March 23.

Okta continues to apologize for that lack of urgency. “Once we received this summary report from Sitel on March 17, we should have moved more swiftly to understand its implications. We are determined to learn from and improve following this incident,” the company today told The Register.

One thing to learn seems obvious: let your customers know about potential danger sooner rather than later. Which sounds like the kind of fierce commitment Okta preaches, but did not practice. ®

Updated to add

In a statement, Globant said it has “detected that a limited section of our company’s code repository has been subject to unauthorized access,” adding:


