{"id":10539,"date":"2025-10-14T13:28:12","date_gmt":"2025-10-14T06:28:12","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10539"},"modified":"2026-02-05T13:28:19","modified_gmt":"2026-02-05T06:28:19","slug":"scattered-lapsus-hunters-moi-de-doa-moi-cua-khong-gian-mang-2025","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/10\/14\/scattered-lapsus-hunters-moi-de-doa-moi-cua-khong-gian-mang-2025\/","title":{"rendered":"Scattered Lapsus$ Hunters: The New Cyberspace Threat of 2025"},"content":{"rendered":"<p><b>Scattered Lapsus$ Hunters (sometimes abbreviated SLSH, or referred to by related aliases such as \u201cSP1D3R Hunters\u201d) is a relatively new \u201ccybercrime alliance\u201d. It is an alliance of three well-known hacker groups: Scattered Spider, LAPSUS$ and ShinyHunters.<\/b><\/p>\n<div style=\"text-align: center\"><a class=\"js-lbImage\" style=\"cursor: pointer\" href=\"https:\/\/whitehat.vn\/attachments\/1760436308119-png.17741\/\" target=\"_blank\" rel=\"noopener\" data-lb-sidebar-href=\"\" data-lb-caption-extra-html=\"\" data-fancybox=\"lb-thread-18835\" data-caption=\"&lt;h4&gt;1760436308119.png&lt;\/h4&gt;&lt;p&gt;&lt;a href=&quot;https:&amp;#x2F;&amp;#x2F;whitehat.vn&amp;#x2F;threads&amp;#x2F;scattered-lapsus-hunters-moi-de-doa-moi-cua-khong-gian-mang-2025.18835&amp;#x2F;#post-44353&quot; class=&quot;js-lightboxCloser&quot;&gt;WhiteHat Team \u00b7 14&amp;#x2F;10&amp;#x2F;2025 l\u00fac 5:04 PM&lt;\/a&gt;&lt;\/p&gt;\"><img fetchpriority=\"high\" decoding=\"async\" class=\"bbImage \" title=\"1760436308119.png\" src=\"https:\/\/whitehat.vn\/data\/attachments\/18\/18076-0b781e5c8dc364184f73893091a145c5.jpg\" alt=\"1760436308119.png\" width=\"766\" height=\"400\" \/><\/a><\/div>\n<p>Before \u201cmerging\u201d, 
each of these groups operated separately, running its own data-theft or extortion campaigns.<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Scattered Spider: Emerged around 2022, attacking mainly through social engineering (such as impersonating IT staff, SIM swapping and \u201cMFA fatigue\u201d).<\/li>\n<li data-xf-list-type=\"ul\">LAPSUS$: Already well known for stealing and leaking source code, posting commentary on sensitive content, and attacking large companies directly.<\/li>\n<li data-xf-list-type=\"ul\">ShinyHunters: A group that specializes in leaking and selling data, responsible for many attacks on enterprise systems, particularly user data, SaaS and cloud platforms.<\/li>\n<\/ul>\n<p>Cybersecurity experts believe the three groups already had loose ties through an underground community known as <i>The Com<\/i> or <i>The Community<\/i>. This network consists mainly of young, English-speaking hackers who share tools and experience and collaborate on a per-campaign basis. 
Rather than having a rigid structure, the alliance operates very flexibly: individuals or small teams take on different tasks and cooperate depending on the target.<\/p>\n<p>Around mid-2025, activity on Telegram showed Scattered Lapsus$ Hunters being announced as a public alliance, with Telegram channels carrying the combined branding and extortion messages or data disclosures posted under the shared name.<\/p>\n<h3><b>Activities &amp; attack methods<\/b><\/h3>\n<p>To understand how dangerous the group is, it helps to look at how it runs its campaigns:<\/p>\n<h4>1. Starting with social engineering<\/h4>\n<p>The group does not \u201ccrack\u201d Salesforce or cloud systems through highly technical means. It starts by deceiving employees through vishing (phone calls impersonating IT), SIM swapping, or pressuring users into installing a malicious application and granting it API permissions.<\/p>\n<h4>2. Gaining access through OAuth and third-party integrations<\/h4>\n<p>In one typical case, the group attacked Salesloft\u2019s GitHub repository and took OAuth tokens that had been authorized to connect to customers\u2019 Salesforce environments. 
With these tokens, the attackers maintained legitimate-looking access \u201cas an integration user\u201d that is not easily detected.<\/p>\n<p>From there, they can create new accounts and custom workflows and continue to move laterally between organizations without needing root-level access to the core Salesforce platform.<\/p>\n<h4>3. Takeover &amp; data collection<\/h4>\n<p>Once they have access via OAuth or the API, they go on to collect user data, transactions, contracts and sensitive information from Salesforce and related systems.<\/p>\n<p>The group then lists the data on a \u201cleak site\u201d (a site for publishing leaked information) on TOR, with a threat to release it publicly unless a ransom is paid.<\/p>\n<h4>4. Extortion using data as leverage (Data extortion\/EaaS)<\/h4>\n<p>Unlike encrypting the entire system (traditional ransomware), the group\u2019s tactic is to steal data and then use it for extortion. During the extortion, they also announce a deadline to pressure victims into deciding quickly. If the business does not pay, the data is released publicly.<\/p>\n<h4>5. 
Ability to re-emerge &amp; change form<\/h4>\n<p>There have been signs of the group announcing that it was ceasing operations, but experts suspect this is only a ploy to lie low and restructure in order to keep operating.<\/p>\n<p>The \u201cScattered Lapsus$ Hunters\u201d alliance was publicly announced around mid-2025. Then, on 3 October 2025, the group launched a \u201cdata leak site\u201d dedicated to the Salesforce campaign. Before that, there had already been many instances of coordinated activity or overlapping tactics between the groups (ShinyHunters &amp; Scattered Spider) in data breaches at large enterprises.<\/p>\n<h3><b>Danger level &amp; potential threats<\/b><\/h3>\n<p>Scattered Lapsus$ Hunters is not an ordinary hacker group; it is an alliance capable of:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Hiding behind a legitimate cover: Because they use genuine OAuth tokens, much of their access is not flagged as anomalous.<\/li>\n<li data-xf-list-type=\"ul\">Spreading through the supply chain &amp; integrations: A single compromised third-party service (such as Salesloft) is enough to attack many customers at once.<\/li>\n<li data-xf-list-type=\"ul\">Attacking sensitive data 
at large scale: Major organizations in high fashion, luxury goods, aviation, banking and technology have all been targeted.<\/li>\n<li data-xf-list-type=\"ul\">Pressuring businesses into paying: With the threat of public data disclosure, a company\u2019s reputation can be destroyed, with the possibility of lawsuits, loss of customers\u2026<\/li>\n<li data-xf-list-type=\"ul\">Re-emerging in new forms that are hard to trace: If it pauses operations temporarily, the group can change its name or membership and keep operating, making long-term attribution difficult.<\/li>\n<\/ul>\n<p>The threat associated with this name does not stop at Salesforce. As the alliance grows stronger, it could expand its attacks to other important SaaS platforms (AWS, other CRM systems, financial data, supply chains).<\/p>\n<div style=\"text-align: right\"><b><i>WhiteHat<\/i><\/b><\/div>\n<div style=\"text-align: right;margin-top: 16px\"><i>Source: <a href=\"https:\/\/whitehat.vn\/threads\/scattered-lapsus-hunters-moi-de-doa-moi-cua-khong-gian-mang-2025.18835\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/whitehat.vn\/threads\/scattered-lapsus-hunters-moi-de-doa-moi-cua-khong-gian-mang-2025.18835\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Scattered Lapsus$ Hunters (sometimes abbreviated SLSH, or referred to by related aliases such as \u201cSP1D3R 
Hunters\u201d) is a relatively new \u201ccybercrime alliance\u201d. It is an alliance of three well-known hacker groups: Scattered Spider, LAPSUS$ and ShinyHunters. Before \u201cmerging\u201d, each of these groups [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10539","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10539"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10539\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}