The ransomware group LAPSUS$, now well-known as the hackers responsible for the recent Okta breach, has returned from what they refer to as a “vacation,” this time with a leak impacting Globant, a large software company based in Luxembourg.

The group, which according to media reports is largely comprised of teens in the United Kingdom, broadcast the announcement to the 50,000 members of their Telegram channel. Known for stealing data from large organizations and then threatening to publish it if ransom demands are not met, the group leaked 70GB of material from Globant consisting of extracted data and credentials from the company's DevOps infrastructure. Some of the stolen data includes administrator passwords found in the firm's Atlassian suite, including Confluence and Jira, and the Crucible code review tool.

“LAPSUS$ also threw their System Admins under the bus exposing their passwords to Confluence (among other things). We have censored the passwords they displayed. However, it should be noted these passwords are very easily guessable and used multiple times,” malware research group VX-Underground (@vxunderground) tweeted about the latest breach.

Low-tech tactics and two types of EDR

LAPSUS$ first emerged in December 2021 and made recent news for hacks on other large companies, including Samsung, Impresa, NVIDIA, Vodafone, and Ubisoft. A recent revelation adds Apple Inc. and Meta Platforms Inc., the parent company of Facebook, to the list of LAPSUS$ victims: both companies were also tricked into providing customer data to the hackers. In a detailed blog post, security researcher Brian Krebs outlines how LAPSUS$ is using what he refers to as “low-tech but high-impact methods” to gain access to targeted organizations.

The method involves abuse of emergency data requests (EDRs). The criminals accomplish this by compromising and obtaining credentials that belong to law enforcement officials.
Once they have access to these credentials, they can send unauthorized requests for subscriber data to phone companies, internet service providers, and social media sites under the guise that the requested information is urgent and related to a matter of life and death that cannot wait for a court order, thereby bypassing the usual legal review process and prompting immediate release of the sensitive data.

“It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate,” Krebs writes. “Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.”

Influencers in the industry are also pointing to questions surrounding the other type of EDR: endpoint detection and response. Analysis of the Okta breach reveals that LAPSUS$ infiltrated Okta's network through the compromised laptop of a support engineer working with Sitel, a third-party customer support firm. The access was accomplished through remote desktop protocol (RDP), an increasingly common way for criminals to access systems.

LAPSUS$, according to a tweet from researcher Bill Demirkapi (@BillDemirkapi), “used off-the-shelf tooling from GitHub for the majority of their attacks. After downloading Process Explorer and Process Hacker, LAPSUS$ bypassed the FireEye endpoint agent by simply terminating it.”

Infosec researcher Greg Linares, who goes by the Twitter handle @Laughing_Mantis, weighed in with this advice:

“#BlueTeams I am gonna need you to stop what you are doing today and do this one homework assignment for me in light of LAPSUS$. What happens when your EDR on a client gets terminated unexpectedly: - Does it restart? - Do you get alerts? - Do you lock down the system & start IR?” he tweeted.
“If someone can terminate your EDR client in its current config and you do not get an alert, it doesn’t attempt to restart automatically, and this doesn’t trigger a lock down or IR response. IT IS MISCONFIGURED.”

Security researcher Joe Helle (@joehelle) also tweeted that the Okta breach is a spotlight on EDR technologies:

“LAPSUS$ installed Process Explorer and Process Hacker and terminated FireEye. I hope the decision makers are paying attention to this, and that the shiny EDR you just paid for isn't all you need to secure your environments.”

Teens in trouble

In late March, the City of London Police arrested and released seven alleged LAPSUS$ members between ages 16 and 21. However, the arrests appear not to have slowed the group's activity, and despite their age, they should not be underestimated, according to security experts.

“LAPSUS$ is no joke,” tweeted TrustedSec founder Dave Kennedy, who goes by the handle @HackingDave. “Okta, Microsoft, LG and others. Seeing a number of orgs hit and ones that are pretty far along sec maturity wise. They are taking advantage of gaps in detection, EDRs + more. Cloud visibility and understanding baseline behavior is critical. Red alert.”

“It's tempting to dismiss LAPSUS$ as childish and fame-seeking. That may be true. But everyone in charge of security should know that this level of social engineering to steal access is the new norm,” noted security author Brian Krebs (@briankrebs).

Security researcher Jake Williams (@MalwareJake) agrees.

“I've seen some otherwise smart cybersecurity people throwing shade at Lapsus$ like ‘they're just a bunch of disorganized kids.’ Um, okay, but whoever they are, they're pretty darn effective.
Like it doesn't really matter who they are if they're beating your security controls.”

Linares says he expects their recent success will likely prompt further growth.

“It would be really interesting to see the latest LAPSUS$ leaks & IOCs. I am strongly guessing other members of the group are stepping up and forming this newer rag tag LAPSUS$ group. Releasing data post bust to show a group is still active is classic recruitment strategy.”
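The "homework assignment" Linares sets for blue teams earlier in the article (does a killed EDR agent restart, and does anyone get alerted?) can be checked against endpoint telemetry rather than assumed. The following is an added example, not code from the article or from any EDR vendor: it scans constructed Sysmon-style JSON events (EventID 5 = process terminated, EventID 1 = process created) for an agent process that stops and is not back within a grace period, and reports what started just before it died; the agent path, the event format and the timings are assumptions.

```python
"""Alert when an EDR agent process terminates and does not come back."""
import json
from datetime import datetime, timedelta

# Assumption: placeholder agent path, not any real product's binary.
EDR_IMAGE = r"C:\Program Files\ExampleEDR\agent.exe"
RESTART_GRACE = timedelta(seconds=60)   # how long a legitimate self-restart may take
CONTEXT_WINDOW = timedelta(minutes=5)   # process starts to report alongside the alert

# Constructed Sysmon-style events (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"ts": "2022-03-30T10:00:00", "EventID": 1, "Image": "C:\\Program Files\\ExampleEDR\\agent.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"ts": "2022-03-30T10:05:00", "EventID": 1, "Image": "C:\\Tools\\ProcessHacker.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ts": "2022-03-30T10:05:30", "EventID": 5, "Image": "C:\\Program Files\\ExampleEDR\\agent.exe"}
{"ts": "2022-03-30T10:09:00", "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def _is_agent(ev, image):
    return ev.get("Image", "").lower() == image.lower()

def find_edr_outages(events, image=EDR_IMAGE, grace=RESTART_GRACE):
    """One alert per agent termination not followed by a restart within `grace`."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 5 or not _is_agent(ev, image):
            continue
        stopped = ev["ts"]
        restarted = next((e["ts"] for e in events[i + 1:]
                          if e["EventID"] == 1 and _is_agent(e, image)), None)
        if restarted is not None and restarted - stopped <= grace:
            continue  # self-restart worked; nothing to raise
        # The terminate event does not name the killer, so report what
        # started shortly before the agent died as investigation context.
        recent = [e["Image"] for e in events[:i]
                  if e["EventID"] == 1 and not _is_agent(e, image)
                  and stopped - e["ts"] <= CONTEXT_WINDOW]
        alerts.append({"stopped": stopped, "restarted": restarted,
                       "started_before": recent})
    return alerts

if __name__ == "__main__":
    for a in find_edr_outages(parse_events(SAMPLE_LOG)):
        print("EDR agent down since", a["stopped"], "- started before:", a["started_before"])
```

An empty result for a given host is exactly the condition Linares describes as correctly configured: the agent either was never killed or came back within the grace period.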