Unfortunately this thread broke in half due to me forgetting to bookmark a toot - here’s the original half https://cyberplace.social/@GossiTheDog/115134898389127599
The lapsus guys continue to go nuts on IRC^H^H^HTelegram https://www.bbc.co.uk/news/articles/c4gqepe5355o
Jaguar Land Rover have contained their network and stopped production after what appears to be a ransomware incident. VPNs and network border in UK all down.
To back up ReliaQuest - this is the exploit LAPSUS guys have running around with on SAP Netweaver, just had a look this evening after acquiring the exploit. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
There’s a metric ton - over 5 figures - of these boxes directly internet facing. Worse; from version printing, less than 5% are patched for the two CVEs being exploited.
Liverpool Echo reports Jaguar Land Rover production still isn't running, with factory staff told to stay at home, and report it impacts all manufacturing locations. https://www.liverpoolecho.co.uk/news/liverpool-news/update-jaguar-land-rover-shut-32411513
Separately, the network border is also still offline (I have monitoring in place to see when they come back online).
If anybody runs into a LAPSUS$ incident at their org hit me up on Signal, I can try to help profile their MO as been there, done that.
They'll frequently not even bother to deploy ransomware, they'll also do crazy things (and like to write about poo, and send people poo packages in the mail). It's basically like fighting Mr Bean, who is also good at computers.
ITV News 6pm lead story on Jaguar Land Rover
Key take away is anonymous source at JLR saying they may need UK government support for motor sector off the back of the incident.
Kevin Beaumont
Rairii 
Alex