Trantor Security Advisory

Subject: ShinyScatteredLapsus (aka Scattered Lapsus$ Hunters) extortion activity targeting SaaS integrations • Date: Oct 6, 2025 • Classification: Internal – Awareness & Preparedness

Overview

We are tracking an active hybrid extortion campaign attributed to the group styling itself as “Scattered Lapsus$ Hunters,” linked in public reporting to threat clusters UNC6040 and UNC6395. Tactics combine social engineering (notably vishing), abuse of OAuth/connected apps in SaaS ecosystems (e.g., Salesforce), bulk data exports via legitimate APIs, and public pressure via a leak site naming dozens of organizations.

Observed Tactics

  • Initial access: voice-phishing calls impersonating IT/help-desk to steer targets into approving access or installing “connected apps.”
  • OAuth/Connected-app abuse: attacker-controlled apps granted broad scopes enable persistent API access that can bypass normal MFA checks.
  • Data exfiltration: large, legitimate API or “Data Loader” style pulls used for extortion leverage.
  • Public coercion: leak-site listings, crowd-sourced OSINT tasks, and media theatrics to pressure executive teams.

Risk Assessment

  • High impact for organizations with broad SaaS integrations; exposure can include customer/CRM data and downstream credentials.
  • Moderate likelihood of contact/targeting via service-desk or partner channels.
  • Secondary risks: regulatory, reputational, and operational (forced resets, investigations).

Recommended Mitigations (actionable)

  1. Audit connected apps now: enumerate all OAuth/connected apps in Salesforce, Google Workspace, Microsoft 365, etc. Disable or quarantine unknown or over-permissive apps. Favor whitelisting.
  2. Constrain scopes and tokens: enforce least-privilege scopes; rotate/revoke stale tokens; shorten session lifetimes; require periodic re-consent; disable non-admin authorization of new, uninstalled apps.
  3. Harden help-desk flows: require out-of-band callbacks on any access/change requests; maintain challenge scripts; log and rate-limit sensitive actions initiated via phone support.
  4. Monitor for abnormal exports: alert on unusual API/bulk export volumes, new connected apps, or atypical integration behavior and geographies.
  5. Run vishing/phishing drills: quarterly simulations focused on phone-based social engineering and OAuth approval traps.
  6. Prep comms playbooks: align Security, Legal, and PR for potential public extortion posts; treat leak-site activity as part of the attack lifecycle.
  7. Backups & segmentation: ensure recoverability and limit blast radius if data is exfiltrated or abused.
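Mitigations 1, 2 and 4 above assume the security team can actually see new connected-app grants and out-of-pattern export volumes in SaaS audit data. The script below is an added example, not Trantor's or any vendor's code: it runs three detectors over constructed audit-log records (field names such as `event`, `scopes`, `rows` and `geo` are assumptions, not a real vendor schema) and flags broad-scope grants to apps outside an allowlist, daily export totals far above a per-user/app baseline (or with no baseline at all), and activity from unexpected geographies.

```python
"""
Added example (not part of the original advisory): an offline triage script
that scans constructed SaaS audit-log records for the signals the
mitigations call out -- broad-scope grants to non-allowlisted connected
apps, bulk exports far above a per-user/app baseline, and API activity from
unexpected geographies. Field names are assumptions, not a vendor schema.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Scopes that grant persistent, wide API access (assumed names; vendors differ).
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}
# Integrations the org has reviewed and approved (mitigation 1: favor allowlisting).
ALLOWLISTED_APPS = {"corp-crm-sync", "corp-bi-connector"}
# Countries where this org's staff and integrations normally operate (assumed).
EXPECTED_GEOS = {"US"}
# Exports below this row count are never flagged, even with no baseline.
MIN_ROWS_TO_FLAG = 50_000

# Constructed five-day baseline of daily export rows per (user, app).
BASELINE_DAILY_ROWS = {
    ("alice@corp.example", "corp-crm-sync"): [12000, 11500, 13000, 12500, 11800],
    ("bob@corp.example", "corp-bi-connector"): [800, 950, 700, 900, 850],
}

# Constructed audit events for one day. "oauth_grant" = a user authorized a
# connected app; "bulk_export" = an API/Data-Loader-style pull of `rows` rows.
SAMPLE_EVENTS = [
    {"ts": "2025-10-06T09:02:11Z", "event": "oauth_grant", "user": "bob@corp.example",
     "app": "corp-bi-connector", "scopes": ["api"], "geo": "US"},
    {"ts": "2025-10-06T09:41:37Z", "event": "oauth_grant", "user": "carol@corp.example",
     "app": "IT Helpdesk Portal", "scopes": ["api", "refresh_token", "full"], "geo": "US"},
    {"ts": "2025-10-06T09:55:02Z", "event": "bulk_export", "user": "alice@corp.example",
     "app": "corp-crm-sync", "rows": 12300, "geo": "US"},
    {"ts": "2025-10-06T10:10:45Z", "event": "bulk_export", "user": "carol@corp.example",
     "app": "IT Helpdesk Portal", "rows": 480000, "geo": "NL"},
    {"ts": "2025-10-06T10:12:09Z", "event": "bulk_export", "user": "bob@corp.example",
     "app": "corp-bi-connector", "rows": 60000, "geo": "US"},
]


def suspicious_app_grants(events):
    """Grants of broad scopes to apps outside the allowlist (mitigations 1 and 2)."""
    findings = []
    for e in events:
        if e["event"] != "oauth_grant" or e["app"] in ALLOWLISTED_APPS:
            continue
        broad = sorted(set(e["scopes"]) & BROAD_SCOPES)
        if broad:
            findings.append(("broad_scope_grant", e["user"], e["app"], ",".join(broad)))
    return findings


def export_volume_anomalies(events, baseline=BASELINE_DAILY_ROWS, z=3.0):
    """Daily export totals per (user, app) above mean + z*stdev of the baseline,
    or with no baseline at all and above MIN_ROWS_TO_FLAG (mitigation 4).
    A freshly authorized app whose first pull is huge is the classic case."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "bulk_export":
            totals[(e["user"], e["app"])] += e["rows"]
    findings = []
    for (user, app), rows in totals.items():
        history = baseline.get((user, app))
        if history is None:
            if rows >= MIN_ROWS_TO_FLAG:
                findings.append(("export_no_baseline", user, app, rows))
            continue
        threshold = mean(history) + z * pstdev(history)
        if rows > threshold and rows >= MIN_ROWS_TO_FLAG:
            findings.append(("export_spike", user, app, rows))
    return findings


def unexpected_geo_activity(events, expected=EXPECTED_GEOS):
    """Grants or exports originating outside the org's expected geographies."""
    return [("unexpected_geo", e["user"], e["app"], e["geo"])
            for e in events if e["geo"] not in expected]


def triage(events):
    """Run all three detectors and return findings sorted for an analyst queue."""
    findings = (suspicious_app_grants(events)
                + export_volume_anomalies(events)
                + unexpected_geo_activity(events))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for kind, user, app, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:20} {user:22} {app!r:22} {detail}")
```

On the constructed data the approved `corp-crm-sync` export stays within its baseline and produces nothing, while the non-allowlisted "IT Helpdesk Portal" grant generates three correlated findings (broad scopes, a large export with no history, and an unexpected country), which is exactly the cluster an analyst would want to see together after a suspected help-desk vishing call. The absolute floor `MIN_ROWS_TO_FLAG` keeps the z-score rule from paging on small integrations whose baseline variance is tiny.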

Key References

Trantor Security Team • Security Operations & Intelligence • [email protected]
