The hacker group Scattered Lapsus$ Hunters has claimed responsibility for the theft of over 1 billion data records from Salesforce systems worldwide. It is one of the most serious attacks yet aimed at an enterprise cloud platform, and it has caused particular concern in the cybersecurity community.
According to experts, the campaign came to light when many businesses noticed unusual queries in their Salesforce environments, often issued at night. Investigation of the logs showed that the volume of data being accessed far exceeded normal thresholds, revealing a large-scale data extraction tool operating in the background.
The group combined phishing and social engineering to gain initial access. The victim receives an email that looks like a legitimate security update from Salesforce or Microsoft Office, with an attached Office document carrying a malicious macro. When the macro runs, it silently downloads a loader written in Go, which contacts the attackers' command-and-control server.
Once it has a foothold, the loader uses PowerShell to fetch the main payload. The tool checks whether it is being analysed in a sandbox, then harvests credentials stored in Windows Credential Manager and uses them to log in to the Salesforce API.
With access established, the malware automatically enumerates the data model and generates queries to pull the data in chunks: customer records, revenue forecasts, contracts, business strategy documents and internal files. Everything is encrypted with the ChaCha20 cipher before being sent to the attackers' server over HTTPS, so the exfiltration blends in with ordinary encrypted web traffic and is harder to detect.
Notably, the software also creates a scheduled task named UpdaterSvc that restarts the extraction every two hours, so the attackers keep their access and can keep "draining" data without the user or the system noticing.
Analysts estimate the exfiltration rate could reach 500 GB per hour, a sign that the attackers had thoroughly optimised their infrastructure and tooling. The exposure goes beyond customers' personal information: business strategies, sales plans and confidential negotiation data, a firm's most valuable assets, are also at risk.
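The behaviour described above leaves a recognisable trace in the tenant's own API logs: bursts of reads far above a user's normal hourly volume, outside business hours, touching many different objects, and repeating at a fixed interval. The following Python script is an added example (not code from the article, from the attackers' tooling, or from Salesforce) that runs those checks over a constructed, simplified log format of "timestamp,user,object,rows"; the field names, the thresholds and the sample log lines are all assumptions for illustration, and timestamps are assumed to already be in the business's local time. It goes slightly beyond the article's two-hour case by inferring the repeat interval from the data rather than hard-coding it.

```python
"""Hunt for bulk, off-hours and periodically repeating Salesforce API reads.

Added example, not code from the article or from Salesforce. Assumes a
constructed per-request log line "timestamp,user,object,rows" (loosely
modelled on per-request API event exports, not any exact schema) with
timestamps already in local business time. Map your export onto parse_line().
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Thresholds are assumptions for the example, not figures from the article.
ROWS_PER_HOUR_LIMIT = 200_000             # absolute bulk-read limit per user-hour
BASELINE_MULTIPLIER = 20                  # ...or N x the user's median hourly rows
PERIOD_TOLERANCE = timedelta(minutes=15)  # jitter allowed before bursts stop looking scheduled
MIN_PERIODIC_BURSTS = 3                   # bursts needed before calling it periodic
OFF_HOURS_START, OFF_HOURS_END = 22, 6    # local business time, [22:00, 06:00)

@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    user: str
    obj: str
    rows: int

def parse_line(line: str) -> ApiEvent:
    """Parse one 'ISO-timestamp,user,object,rows_processed' line."""
    ts, user, obj, rows = line.strip().split(",")
    return ApiEvent(datetime.fromisoformat(ts), user, obj, int(rows))

def is_off_hours(ts: datetime) -> bool:
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END

def hourly_buckets(events):
    """{user: {hour_start: [events in that clock hour]}}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for e in events:
        buckets[e.user][e.ts.replace(minute=0, second=0, microsecond=0)].append(e)
    return buckets

def bulk_hours(events):
    """(user, hour_start, rows, objects, off_hours) for every user-hour whose
    row count passes the absolute limit or dwarfs that user's own median hour.
    Many distinct objects in one burst is the 'enumerate everything' pattern."""
    hits = []
    for user, hours in hourly_buckets(events).items():
        totals = {h: sum(e.rows for e in evs) for h, evs in hours.items()}
        baseline = median(totals.values())
        for h in sorted(totals):
            if totals[h] >= ROWS_PER_HOUR_LIMIT or totals[h] > BASELINE_MULTIPLIER * baseline:
                objects = sorted({e.obj for e in hours[h]})
                hits.append((user, h, totals[h], objects, is_off_hours(h)))
    return hits

def periodic_bursts(events):
    """{user: period} for users whose flagged bursts start at evenly spaced
    times, which is how a recurring scheduled task shows up in tenant logs.
    The period is inferred from the gaps, so any fixed interval is caught."""
    buckets = hourly_buckets(events)
    starts = defaultdict(list)
    for user, h, *_ in bulk_hours(events):
        starts[user].append(min(e.ts for e in buckets[user][h]))
    periodic = {}
    for user, times in starts.items():
        if len(times) < MIN_PERIODIC_BURSTS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if all(abs(g - period) <= PERIOD_TOLERANCE for g in gaps):
            periodic[user] = period
    return periodic

def analyse(lines):
    events = [parse_line(l) for l in lines if l.strip()]
    return {"bulk": bulk_hours(events), "periodic": periodic_bursts(events)}

# Constructed sample log (not real data): one normal user, plus a service
# account that starts pulling whole objects every ~2 hours overnight.
SAMPLE_LOG = """\
2025-10-06T09:12:00,alice,Account,150
2025-10-06T10:40:00,alice,Opportunity,320
2025-10-06T14:05:00,alice,Contact,210
2025-10-06T08:00:00,svc-dataloader,Account,5000
2025-10-06T12:00:00,svc-dataloader,Contact,4800
2025-10-06T23:02:00,svc-dataloader,Account,350000
2025-10-06T23:07:00,svc-dataloader,Contact,280000
2025-10-06T23:11:00,svc-dataloader,Opportunity,120000
2025-10-07T01:03:00,svc-dataloader,Contract,400000
2025-10-07T01:09:00,svc-dataloader,Account,300000
2025-10-07T03:04:00,svc-dataloader,Opportunity,500000
2025-10-07T05:02:00,svc-dataloader,Contact,410000
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for user, h, rows, objects, off in result["bulk"]:
        print(f"{'OFF-HOURS ' if off else ''}bulk read by {user} at {h:%Y-%m-%d %H:00}: {rows} rows from {', '.join(objects)}")
    for user, period in result["periodic"].items():
        print(f"{user}: bursts repeat every {period} (looks like a scheduled task)")
```

On the sample data the script flags four off-hours bursts by the service account, each spanning several objects, and infers a repeat interval of about two hours, while the ordinary user's daytime queries stay below both the absolute and the per-user baseline thresholds. The per-user median baseline matters in practice: a legitimate integration account that syncs 5,000 rows an hour should not be held to the same limit as an interactive user, but a jump of twenty times its own norm is still worth paging someone over.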
Because Salesforce sits at the centre of many business processes, an intrusion of this kind can cause operational paralysis, reputational damage and a serious loss of trust.
According to experts, the incident reflects the growing risk in cloud security, where a single API account or a single misconfiguration is enough for attackers to get in. To reduce the risk, businesses should:
- Enable multi-factor authentication for all administrator accounts and API access.
- Audit and restrict the permissions of service accounts, and do not leave their API credentials in a workstation's credential store, which is exactly where the malware described above harvested them.
- Disable, or at least monitor, macros in Office documents received by email, especially those from unknown senders.
- Configure alerts for anomalous activity in Salesforce logs, such as unusually large or off-hours data reads.
- Periodically review and revoke unused API integrations and tokens.
The Scattered Lapsus$ Hunters case is a reminder that cloud security depends not only on the vendor but also on how customers manage accounts, access and internal processes. As criminal groups become increasingly specialised in API abuse and attack automation, businesses must move from a "defensive" mindset to "smart prevention", before their most valuable data is "drained" in a matter of hours.