Trantor Security Advisory
Subject: ShinyScatteredLapsus (aka Scattered Lapsus$ Hunters) extortion activity targeting SaaS integrations • Date: Oct 6, 2025 • Classification: Internal – Awareness & Preparedness
Overview
We are tracking an active hybrid extortion campaign attributed to the group styling itself as “Scattered Lapsus$ Hunters,” linked in public reporting to threat clusters UNC6040 and UNC6395. Tactics combine social engineering (notably vishing), abuse of OAuth/connected apps in SaaS ecosystems (e.g., Salesforce), bulk data exports via legitimate APIs, and public pressure via a leak site naming dozens of organizations.
Observed Tactics
- Initial access: voice-phishing calls impersonating IT/help-desk to steer targets into approving access or installing “connected apps.”
- OAuth/Connected-app abuse: attacker-controlled apps granted broad scopes enable persistent API access that can bypass normal MFA checks.
- Data exfiltration: large pulls through legitimate APIs or “Data Loader”-style tooling, with the stolen data used as extortion leverage.
- Public coercion: leak-site listings, crowd-sourced OSINT tasks, and media theatrics to pressure executive teams.
Risk Assessment
- High impact for organizations with broad SaaS integrations; exposure can include customer/CRM data and downstream credentials.
- Moderate likelihood of contact/targeting via service-desk or partner channels.
- Secondary risks: regulatory, reputational, and operational (forced resets, investigations).
Recommended Mitigations (actionable)
- Audit connected apps now: enumerate all OAuth/connected apps in Salesforce, Google Workspace, Microsoft 365, etc. Disable or quarantine unknown or over-permissive apps. Favor an allowlist of reviewed, approved apps over case-by-case blocking.
- Constrain scopes and tokens: enforce least-privilege scopes; rotate/revoke stale tokens; shorten session lifetimes; require periodic re-consent; disable non-admin authorization of new, uninstalled apps.
- Harden help-desk flows: require out-of-band callbacks on any access/change requests; maintain challenge scripts; log and rate-limit sensitive actions initiated via phone support.
- Monitor for abnormal exports: alert on unusual API/bulk export volumes, new connected apps, or atypical integration behavior and geographies.
- Run vishing/phishing drills: quarterly simulations focused on phone-based social engineering and OAuth approval traps.
- Prep comms playbooks: align Security, Legal, and PR for potential public extortion posts; treat leak-site activity as part of the attack lifecycle.
- Backups & segmentation: ensure recoverability and limit blast radius if data is exfiltrated or abused.
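As an added illustration of the “audit connected apps” and “monitor for abnormal exports” items above (example code, not part of the advisory), the following script runs three checks over constructed audit events: an OAuth authorization of an app outside the approved allowlist, bulk exports from an atypical geography, and a per-app export volume well above its baseline. The event fields, app names, allowlist and thresholds are all hypothetical and would need to be mapped to your own SaaS event-monitoring feed.

```python
"""Flag connected-app and bulk-export anomalies in SaaS audit events.

Added example, not from the advisory. Event fields and values are constructed
to resemble Salesforce-style event-monitoring records; the allowlist, baselines
and thresholds are hypothetical tuning knobs.
"""
from collections import defaultdict

# Hypothetical allowlist of connected apps the org has reviewed and approved,
# with a typical daily export volume (rows) observed for each.
APPROVED_APPS = {"Data Loader (IT)", "Marketing Sync"}
BASELINE_ROWS_PER_APP = {"Data Loader (IT)": 5_000, "Marketing Sync": 20_000}
EXPORT_MULTIPLIER = 5          # alert when an app pulls > 5x its baseline
EXPECTED_COUNTRIES = {"US"}    # where integrations normally run from

# Constructed sample events for one day of activity.
EVENTS = [
    {"ts": "2025-10-06T09:02Z", "user": "alice", "app": "Marketing Sync", "type": "BulkApiRequest", "rows": 18_000, "country": "US"},
    {"ts": "2025-10-06T10:15Z", "user": "bob", "app": "My Ticket Portal", "type": "OAuthAuthorization", "rows": 0, "country": "US"},
    {"ts": "2025-10-06T10:20Z", "user": "bob", "app": "My Ticket Portal", "type": "BulkApiRequest", "rows": 400_000, "country": "NL"},
    {"ts": "2025-10-06T11:00Z", "user": "alice", "app": "Data Loader (IT)", "type": "BulkApiRequest", "rows": 4_000, "country": "US"},
]


def detect(events):
    """Return a list of (rule, app, detail) alerts for the given events."""
    alerts = []
    rows_by_app = defaultdict(int)
    for e in events:
        # A new OAuth grant to an app nobody has reviewed is the first signal.
        if e["type"] == "OAuthAuthorization" and e["app"] not in APPROVED_APPS:
            alerts.append(("new-unapproved-app", e["app"], f'authorized by {e["user"]} at {e["ts"]}'))
        if e["type"] == "BulkApiRequest":
            rows_by_app[e["app"]] += e["rows"]
            if e["country"] not in EXPECTED_COUNTRIES:
                alerts.append(("atypical-geo", e["app"], f'{e["rows"]} rows from {e["country"]}'))
    # Volume checks are done per app over the whole window, not per request,
    # so many medium-sized pulls are caught as readily as one huge one.
    for app, rows in rows_by_app.items():
        baseline = BASELINE_ROWS_PER_APP.get(app)
        if baseline is None:
            alerts.append(("export-from-unbaselined-app", app, f"{rows} rows"))
        elif rows > EXPORT_MULTIPLIER * baseline:
            alerts.append(("export-volume-spike", app, f"{rows} rows vs baseline {baseline}"))
    return alerts


if __name__ == "__main__":
    for rule, app, detail in detect(EVENTS):
        print(f"ALERT {rule:<28} {app:<18} {detail}")
```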
Key References
- FBI/IC3 — UNC6040 & UNC6395: https://www.ic3.gov/CSA/2025/250912.pdf
- Google Threat Intel — vishing → extortion: https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
- Google Threat Intel — Salesforce connected-app abuse: https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
- Help Net Security — leak-site campaign: https://www.helpnetsecurity.com/2025/10/06/data-leak-site-extortion-salesforce/
- BankInfoSecurity — group leak-site details: https://www.bankinfosecurity.com/ransomware-group-debuts-salesforce-customer-data-leak-site-a-29636
- Reuters — campaign background: https://www.reuters.com/.../almost-1-billion-salesforce-records-stolen...
- Rapid7 — OAuth compromise guidance: https://www.rapid7.com/blog/post/safeguarding-salesforce-what-you-need-to-know-about-the-oauth-token-compromise/
- SalesforceBen — tightening connected-app policy: https://www.salesforceben.com/salesforce-hardens-connected-apps-security-amid-social-engineering-attacks/
Trantor Security Team • Security Operations & Intelligence • [email protected]