CrowdStrike fires an insider accused of sharing internal screen images

Texas-based American cybersecurity firm CrowdStrike has reportedly fired an employee accused of leaking internal information to a cybercrime collective that has recently claimed responsibility for corporate breaches involving Salesforce-connected systems. 

The security firm dismissed the “insider” after it found that they worked with the group known as Scattered Lapsus$ Hunters, who began publishing alleged internal screenshots late Thursday and Friday morning on its Telegram channel.

Scattered Lapsus$ released several images showing dashboards linked to company resources, including Okta panels used by employees to access internal applications. The hackers claimed the screenshots came from the compromised employee and were evidence that they had successfully infiltrated CrowdStrike after hacking Gainsight earlier this week.

CrowdStrike and Gainsight still investigating stolen information

According to CrowdStrike, the assertions from the hacking group and the images on Telegram only belonged to an employee who had shared unauthorized photos of his screen with external parties, and it insists there were no breaches on its systems. 

“Our systems were never compromised and customers remained protected throughout,”  spokesperson Kevin Benacci told news publication TechCrunch. He added that the company “turned the case over to relevant law enforcement agencies” after terminating the insider’s access.

CrowdStrike claimed it packed the desk of the worker as soon as it was confirmed he “shared pictures of his computer screen externally,” and the claims circulating in hacker channels were “false.”

Salesforce confirms breach of customer data

On Friday morning, Salesforce updated its incident page saying a breach was affecting some of its customers by causing “connection failures.” Unauthorized actors had accessed “certain customers’ Salesforce data,” though it did not identify which organizations were affected. 

Salesforce said the intrusion occurred through applications developed by customer support and analytics service provider Gainsight.

Later in the day, Google’s Threat Intelligence Group’s Austin Larsen, a principal threat analyst at its cybersecurity division, said the company “is aware of more than 200 potentially affected Salesforce instances.” 

Scattered Lapsus$ Hunters publicly claimed responsibility for accessing data through Gainsight’s integrations and used stolen information to target other corporate customers.

A spokesperson for ShinyHunters, one of the groups within the collective, boasted that “Gainsight was a customer of Salesloft Drift, they were affected and therefore compromised entirely by us.” 

Gainsight has been issuing updates on its incident page since the attack became public. On Friday, the company said it had engaged Mandiant, Google’s incident response unit, to help investigate the breach. 

Salesforce also temporarily revoked active access tokens for Gainsight-connected apps as a precautionary measure, alongside notifying customers whose data was stolen, according to the firm’s public updates. 

“Customers using Hubspot might find that the Gainsight app has been temporarily pulled from the Hubspot Marketplace as a precautionary measure. This may also impact OAuth access for customer connections while the review is taking place. We will work with Hubspot on re-listing after thorough review,” noted one progress report published on Thursday.

Scattered Lapsus$ family is responsible for several high-profile breaches

Scattered Lapsus$ Hunters is a collaboration formed by several English-speaking cybercrime groups, including ShinyHunters, Scattered Spider, and Lapsus$. The collective became popular for using social engineering techniques to trick employees into revealing login details, granting remote access, or approving authentication prompts. 

In their list of “conquests,” the group has previously targeted MGM Resorts, Coinbase, DoorDash, Workday, Aflac Insurance, and other large companies. Back in October, Scattered Lapsus$ Hunters claimed to have stolen more than one billion records from enterprises using Salesforce to manage customer information. 

They published a leaked directory listing data from insurance provider Allianz Life, airline Qantas, carmaker Stellantis, TransUnion, employee management platform Workday, and more.

Over the last year and a half, the Scattered Lapsus$ family has also claimed responsibility for incidents on Atlassian, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon. 

The hackers said on their Telegram channel that they plan to launch a new extortion website next week for the companies hit in their latest operation. 

“The next data leak site will contain the data of the Salesloft and GainSight campaigns,” the hackers shared their plans with DataBreaches.net.

Sharpen your strategy with mentorship + daily ideas - 30 days free access to our trading program