The group identified as ‘Lapsus$’, which on Friday attacked the Ministry of Health and 23 other government agencies, published at 4 pm today on its Telegram account a post claiming that it has access to and control of an unspecified number of Brazilian government cloud installations on AWS (Amazon Web Services). In the post, the group claims not only to have managed to hack more instances on the night of Saturday 11th, but also to have deleted several backups. The attack, the group adds, would include privileged access to vCenter Server, the centralized management utility for VMware, which is used to manage virtual machines, multiple ESXi hosts, and all dependent components – all from a single, centralized location.
According to a UOL statement, at dawn today – Sunday, December 12, 2021 – the Ministry had to turn off its network “after government technicians detected an attempt by hackers to access the folder’s website”. The previous attack would have been on the data that the agency hosts on AWS, the statement said.
The group published in the post an image of a vCenter Server screen supposedly in the domain of the Ministry of Health. According to specialist Ricardo Maganhati Junior, editor of the portal “Hacker channel“, having access to this environment the user has control over several VMware servers. What is highlighted, he explains, is the virtual machine (VM) of a database server. According to Ricardo, “having access to an environment like this is practically having control of everything! It may not have the password to access a certain virtualized operating system, but having a vCenter under control can really do just about anything,” he explains.
Hi folks, this is an official statement from the Lapsus$ Team.
In the last few days, we managed to get into the Ministry of Health’s systems, we got access to AWS (Amazon Web Services) with various data, and then we downloaded all this data, we deleted various stored contents, starting our first ransom, after the first attempt to ransom, some news sites lied about such a feat, claiming to everyone that “nothing was obtained, no data”. We can’t submit hard evidence because we don’t want to lose our current access, last night we managed to get more AWS hits (excluding multiple backups), we also gained vCenter access, this gave us a hole to the SisReg database, totaling 4 terabytes of data (and we own that data). We deleted all vCenter machines and +100TB of data is gone (the dead data graveyard is filling up).
Let’s clear up personal doubts, starting with the EterMerda group, if it had just been a “DNS Hijacking” the Ministry of Health servers would not have been brought down for so long (so this reinforces the idea that we have access), we don’t understand your reason for which you want to defame us. I say and repeat, the only thing we want is monetization of the act, that is, speaking in the “common” way, we want money, just pay us.