
Scattered Lapsus$ Hunters and account takeover: what teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Scattered Lapsus$ Hunters and related crews have repeatedly bypassed endpoint-first defenses by starting with account takeover, then using stolen credentials, social engineering, OAuth abuse, and help desk manipulation to reach SaaS, SSO, and ransomware-impacting systems, according to Push Security. The control problem is not malware resistance but identity governance that still assumes access paths are stable, reviewable, and contained.

NHIMG editorial — based on content published by Push Security: Scattered Lapsus$ Hunters breaches and the evolution of identity-led attack TTPs

By the numbers:

  • The MGM hack resulted in a 36-hour outage, a $100M hit to its Q3 results, one-time cyber consulting fees in the region of $10M, and a class-action lawsuit later settled for $45M.
  • Attackers claim to have stolen over 1.5 billion records from 1000+ companies across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.

Questions worth separating out

Q: What breaks when attackers use stolen credentials instead of malware to start a breach?

A: When attackers begin with valid credentials, traditional endpoint and perimeter controls lose much of their value because the login looks legitimate.

Q: Why do stolen sessions and OAuth grants increase breach risk so quickly?

A: Stolen sessions and delegated app grants let an attacker operate inside normal workflows without repeatedly proving identity.

Q: What do security teams get wrong about help desk identity resets?

A: They often treat support resets as routine service rather than privileged security events.

Practitioner guidance

  • Harden identity recovery paths: Require separate verification and approval for MFA resets, device registration, federation changes, and privileged account recovery.
  • Audit delegated app access: Review OAuth grants, connected apps, and session persistence for excessive scope, stale consent, and ghost logins.
  • Unify cloud and identity monitoring: Correlate SaaS login events, browser session signals, support desk changes, and downstream data exports so suspicious legitimate access can be investigated as one chain.

What's in the full article

Push Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Named breach-by-breach breakdown of Scattered Lapsus$ Hunters tactics across Caesars, MGM, Snowflake, and Salesforce.
  • Detailed attack-path mapping from phishing and help desk abuse to cloud exfiltration and ransomware deployment.
  • Specific examples of how session cookies, OAuth grants, and compromised support workflows were used in practice.
  • The article's commentary on how the broader criminal ecosystem is interlinked across groups and service providers.

👉 Read Push Security's analysis of Scattered Lapsus$ Hunters breach patterns →

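As an added illustration of the last two guidance bullets above (auditing delegated app grants, and correlating help desk changes, logins and data exports into one chain), here is example code written for this thread; it is not from Push Security or NHIMG. The event and grant records are constructed samples, and the field names, scope names, time window and staleness threshold are assumptions rather than any vendor's schema or defaults.

```python
"""Identity-led attack chain correlation and OAuth grant audit (added example).

Both data sets below are constructed for illustration. Field names such as
"user", "event", "scopes" and "last_used" are assumptions, not a real
vendor's log or API schema.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed, normalised identity and SaaS events (help desk, SSO, app audit).
EVENTS = [
    {"ts": "2024-05-01T09:02:00", "user": "alice", "event": "helpdesk.mfa_reset", "detail": "ticket T-100"},
    {"ts": "2024-05-01T09:10:00", "user": "alice", "event": "sso.login", "detail": "new device"},
    {"ts": "2024-05-01T09:25:00", "user": "alice", "event": "saas.export", "detail": "4200 records"},
    {"ts": "2024-05-01T11:00:00", "user": "bob", "event": "sso.login", "detail": "known device"},
    {"ts": "2024-05-01T11:30:00", "user": "bob", "event": "saas.export", "detail": "20 records"},
    {"ts": "2024-04-20T08:00:00", "user": "carol", "event": "helpdesk.mfa_reset", "detail": "ticket T-090"},
    {"ts": "2024-05-01T10:00:00", "user": "carol", "event": "saas.export", "detail": "100 records"},
]

# The chain the post describes: a recovery-path change, then a login,
# then downstream data movement. Order matters; each stage must follow the last.
CHAIN = ["helpdesk.mfa_reset", "sso.login", "saas.export"]


def find_takeover_chains(events, window=timedelta(hours=2)):
    """Return one finding per user whose events complete CHAIN, in order,
    inside `window` measured from the help desk reset.

    A reset weeks before an export (carol) is not correlated; an export with
    no preceding reset (bob) is not correlated either. Only the full chain is.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start["event"] != CHAIN[0]:
                continue
            deadline = datetime.fromisoformat(start["ts"]) + window
            matched, stage = [start], 1
            for ev in evs[i + 1:]:
                if datetime.fromisoformat(ev["ts"]) > deadline:
                    break  # window closed without completing the chain
                if ev["event"] == CHAIN[stage]:
                    matched.append(ev)
                    stage += 1
                    if stage == len(CHAIN):
                        findings.append({
                            "user": user,
                            "first": matched[0]["ts"],
                            "last": matched[-1]["ts"],
                            "steps": [m["event"] for m in matched],
                        })
                        break
    return findings


# Constructed delegated app grants as an identity team might export them.
GRANTS = [
    {"app": "calendar-sync", "user": "alice", "scopes": ["calendar.read"],
     "consented": "2024-03-01", "last_used": "2024-04-30"},
    {"app": "data-helper", "user": "bob", "scopes": ["files.readwrite.all", "mail.read", "offline_access"],
     "consented": "2023-11-01", "last_used": "2024-01-05"},
]

# Scopes treated as broad for this example (assumption, not a standard list).
HIGH_RISK_SCOPES = {"files.readwrite.all", "mail.read", "offline_access"}


def audit_grants(grants, today, stale_days=60):
    """Flag grants that carry broad scopes or have not been used for `stale_days`.

    Returns (app, user, reasons) tuples so each finding is actionable by owner.
    """
    findings = []
    for g in grants:
        reasons = []
        broad = HIGH_RISK_SCOPES & set(g["scopes"])
        if broad:
            reasons.append("broad scopes: " + ", ".join(sorted(broad)))
        idle = (today - date.fromisoformat(g["last_used"])).days
        if idle > stale_days:
            reasons.append(f"stale consent: unused for {idle} days")
        if reasons:
            findings.append((g["app"], g["user"], reasons))
    return findings


if __name__ == "__main__":
    for hit in find_takeover_chains(EVENTS):
        print("CHAIN", hit["user"], hit["first"], "->", hit["last"], hit["steps"])
    for app, user, reasons in audit_grants(GRANTS, date(2024, 5, 1)):
        print("GRANT", app, user, "; ".join(reasons))
```

Run as-is, the correlation reports only alice (reset, new-device login and bulk export inside two hours), and the grant audit reports only data-helper (broad scopes, unused since January). In practice the events would come from the SSO, help desk and SaaS audit logs the post lists, normalised to one shape before correlation.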
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Account takeover has become the universal breach primitive for modern SaaS crime. Scattered Lapsus$ Hunters are not succeeding because they are more sophisticated in exploitation. They are succeeding because enterprise identity controls still leave room for valid sessions, delegated apps, and recovery workflows to be turned against the organisation. For IAM leaders, the relevant question is no longer whether identity is part of the attack path. It is whether the programme can detect malicious use of legitimate identity before data movement begins.

A few things that frame the scale:

  • The MGM hack resulted in a 36-hour outage, a $100M hit to its Q3 results, one-time cyber consulting fees in the region of $10M, and a class-action lawsuit later settled for $45M, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • Attackers claim to have stolen over 1.5 billion records from 1000+ companies across multiple verticals, showing how account takeover can scale into industrialised exfiltration.

A question worth separating out:

Q: Who is accountable when identity support workflows are abused in a breach?

A: Accountability sits with the organisation that allowed recovery and federation workflows to be too easy to exploit. The relevant control owners are IAM, IAM operations, help desk leadership, and security governance. Frameworks such as NIST CSF and identity governance policies expect high-risk access changes to be controlled, logged, and reviewable.

👉 Read our full editorial: Account takeover now drives the Scattered Lapsus$ Hunters playbook
