2022-02-20, last update 14:25

The Lapsus group has attacked Americanas’ online operations again, forcing the company to temporarily suspend e-commerce on the Americanas and Submarino domains. The incident took place in the early hours of this morning. At exactly 00:47 the group posted on its Telegram channel the phrase “kkkkkkkkkkkk round 2 Americanas”, followed by “this time we hacked the PCI (payment) environment also LOL”.

Lapsus Group announces attack on Submarino and Americanas


The group’s post contains a screenshot of a messaging-service chat between specialists discussing the incident. The dialogue includes a reply from the Lapsus group itself, indicating that it could read everything being said. At one point someone asks “Do they use hashicorp vault?” Lapsus takes the initiative to answer: “Yes! Let me even provide the root token!”, adding a link and a supposed token (see image below).

Consulted by CISO Advisor, researcher Felipe Jordão Silva is of the opinion that the link shown by Lapsus on the screen belongs to the Americanas intranet (the structure still contains references to the name B2W, the company that was the holding company of Americanas and Submarino). According to the expert, “this type of vault is a form of access control, where an individual via the web would connect to the company’s intranet. As it is a HashiCorp vault, in order to consume the information, clients (users or applications) need to establish their identity”.

HashiCorp Vault is a secrets management tool designed to control access to sensitive credentials in a low-trust environment. It stores sensitive data and can dynamically generate credentials for specific services and applications; every client must authenticate and is then limited by the policies attached to its token, which is why a leaked root token, unrestricted by any policy, is the worst case for a Vault deployment.
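From a detection standpoint, the first question after a root-token leak like the one claimed above is whether that token was actually used. The following added example (written for this article, not code from CISO Advisor, Americanas or HashiCorp) scans Vault audit-log entries, using the JSON field layout of Vault's file audit device as I understand it, for requests carrying the root policy or touching privileged system paths. The log lines are constructed; the `SENSITIVE_PATH_PREFIXES` list is my own choice.

```python
import json

# Constructed sample Vault audit-log entries (JSON lines); not real data from the incident.
SAMPLE_AUDIT_LOG = r"""
{"time":"2022-02-20T03:47:10Z","type":"request","auth":{"display_name":"token","policies":["root"],"token_type":"service"},"request":{"operation":"read","path":"secret/data/payments/pci","remote_address":"203.0.113.7"}}
{"time":"2022-02-20T03:48:02Z","type":"request","auth":{"display_name":"approle","policies":["default","payments-ro"],"token_type":"service"},"request":{"operation":"read","path":"secret/data/payments/pci","remote_address":"10.0.5.21"}}
{"time":"2022-02-20T03:49:15Z","type":"request","auth":{"display_name":"token","policies":["root"],"token_type":"service"},"request":{"operation":"update","path":"sys/policies/acl/admin","remote_address":"203.0.113.7"}}
{"time":"2022-02-20T03:50:00Z","type":"request","auth":{"display_name":"token","policies":["default"],"token_type":"batch"},"request":{"operation":"update","path":"sys/generate-root/attempt","remote_address":"10.0.5.21"}}
"""

# Paths whose use is privileged regardless of which policy the caller holds (assumed list).
SENSITIVE_PATH_PREFIXES = (
    "sys/generate-root",
    "sys/policies/",
    "sys/auth",
    "sys/mounts",
    "auth/token/create",
)


def parse_audit_lines(text):
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return entries


def find_root_token_activity(entries):
    """Return request entries made with the root policy or against privileged paths."""
    findings = []
    for entry in entries:
        if entry.get("type") != "request":
            continue  # response records duplicate the request; count each call once
        auth = entry.get("auth") or {}
        request = entry.get("request") or {}
        policies = auth.get("policies") or []
        path = request.get("path", "")
        reasons = []
        if "root" in policies:
            reasons.append("request made with root policy")
        if path.startswith(SENSITIVE_PATH_PREFIXES):
            reasons.append("privileged path: " + path)
        if reasons:
            findings.append({"time": entry.get("time"), "remote_address": request.get("remote_address"),
                             "operation": request.get("operation"), "path": path, "reasons": reasons})
    return findings
```

Grouping the findings by `remote_address` separates routine platform-team activity from an unfamiliar source using root, which is what an incident responder needs before deciding to revoke the token and rotate the secrets it could reach.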

Contacted by CISO Advisor, the Americanas press office said it was gathering information and that a statement might follow. At 2:05 pm the organization sent the following statement: “Americanas informs that it proactively suspended part of the servers of the e-commerce environment at dawn this Sunday (20/02) and promptly triggered its response protocols as soon as it identified unauthorized access. The company is working with technical resources and specialists to assess the extent of the event and safely normalize the e-commerce environment as quickly as possible. The company reiterates that it works with strict protocols to prevent and mitigate risks. The physical stores have not had their activities interrupted and remain operating”.