Red Hat Hackers Team Up With Scattered Lapsus$ Hunters
Summary
Crimson Collective, a newly surfaced extortion-focused crime group, claims to have breached a self-managed GitLab instance used by Red Hat Consulting and to have exfiltrated tens of thousands of repositories along with customer engagement reports (CERs). Over the weekend researchers observed Crimson Collective aligning with the Scattered Lapsus$ Hunters collective and using that group's leak site to list Red Hat as a victim with a ransom deadline.
Rapid7 has separately tracked Crimson Collective activity in AWS environments, where the attackers used leaked long-term access keys (located with secret-scanning tools such as TruffleHog) to create privileged IAM users, map the environment and exfiltrate data. AWS and security researchers urge the use of short-term credentials, least-privilege IAM policies and proactive secrets scanning.
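The scanning step above, locating static AWS keys committed to a repository, is the same check defenders should run before an attacker does. The following is an added example written for this page, not code from the article, Red Hat, Rapid7 or TruffleHog: it matches the AWS access-key-ID format (AKIA for long-term IAM user keys, ASIA for temporary STS keys), filters 40-character secret candidates by Shannon entropy, and skips git commit hashes, which are a common false positive. The sample files are constructed, the key pair is AWS's documented example pair (not a live credential), the ASIA key is made up, and the entropy threshold is an assumption to tune per repository.

```python
import math
import re
from dataclasses import dataclass

# AWS access key IDs are 20 chars: a 4-char prefix plus 16 upper-case
# alphanumerics. AKIA marks a long-term IAM user key, ASIA a temporary STS key.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-alphabet chars. The pattern alone also
# matches hashes and tokens, so candidates are filtered below.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
HEX40_RE = re.compile(r"^[0-9a-f]{40}$")   # git SHA-1s look like secrets but are not
ENTROPY_FLOOR = 3.5                        # bits/char; assumed threshold, tune per repo

# Constructed repository contents for the example (no real credentials: the
# key pair is AWS's documented example pair, the ASIA key is made up).
SAMPLE_FILES = {
    "deploy/config.yml": (
        "region: us-east-1\n"
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "scripts/run.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=ASIAEXAMPLE1234567AB\n",
    "CHANGELOG.md": "## 1.4.2\n- Fixed key rotation, see 3b9f2e1c7d4a5b6e8f0a1c2d3e4f5a6b7c8d9e0f\n",
    "README.md": "Use IAM roles and short-lived credentials, never static keys.\n",
}


@dataclass
class Finding:
    path: str
    kind: str    # "aws_access_key_id" or "aws_secret_access_key"
    value: str
    note: str


def shannon_entropy(s: str) -> float:
    """Bits per character: ~5.3 for random base64, 0 for a repeated character."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def masked(value: str) -> str:
    """Show enough to locate the secret in the repo without reprinting it."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list:
    """Return every key ID and plausible secret found in one file's text."""
    found = []
    for m in KEY_ID_RE.finditer(text):
        note = "long-term IAM user key" if m.group(1) == "AKIA" else "temporary STS key (expires)"
        found.append(Finding(path, "aws_access_key_id", m.group(0), note))
    for m in SECRET_RE.finditer(text):
        cand = m.group(0)
        if HEX40_RE.match(cand):
            continue                      # commit hash, not a secret
        h = shannon_entropy(cand)
        if h >= ENTROPY_FLOOR:
            found.append(Finding(path, "aws_secret_access_key", cand, f"entropy {h:.2f} bits/char"))
    return found


def scan_files(files: dict) -> list:
    """Scan a {path: text} mapping, e.g. the tracked files of a checkout."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}: {f.kind} {masked(f.value)} ({f.note})")
```

A scanner like this belongs in pre-commit hooks and CI, run against full git history rather than only the working tree, since a key deleted in a later commit is still recoverable from earlier ones. An AKIA hit is the serious case: it never expires on its own and must be rotated or deleted in IAM, not just removed from the file.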
Key Points
- Crimson Collective claims to have breached a Red Hat Consulting GitLab instance and stolen repository data and customer engagement reports.
- The group has seemingly allied with Scattered Lapsus$ Hunters and is using the collective’s leak site for extortion posts and deadlines.
- Red Hat Consulting used a self‑managed GitLab Community Edition instance; details of protections in place remain unclear.
- Rapid7 observed Crimson Collective exploiting leaked AWS credentials and overly permissive IAM configurations to expand access and exfiltrate data.
- AWS recommends switching from long‑term credentials to short‑lived credentials, applying least‑privilege policies and following account security best practice.
- Organisations should proactively scan code repositories for secrets, restrict access to trusted IP ranges, rotate any exposed credentials and monitor for unusual API calls and permission changes.
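The last two points, the attacker pattern Rapid7 describes (a leaked long-term key used to create privileged accounts and map the environment) and the recommendation to monitor for unusual API and permission activity, can be turned into a concrete CloudTrail detection. The following is an added example for this page, not code from the article or Rapid7's own detection logic. It parses CloudTrail-shaped records and raises an alert when an IAM persistence call (CreateUser, CreateAccessKey, AttachUserPolicy and similar) comes from a long-term AKIA key, from outside a trusted network, or shortly after reconnaissance calls such as GetCallerIdentity. The event records are constructed test data using AWS's documentation example key ID and RFC 5737 test addresses; the trusted network and the one-hour window are assumptions.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed trusted egress ranges (RFC 5737 test space here; substitute your own).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
WINDOW = timedelta(minutes=60)          # recon-to-persistence window (assumed)
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# Real CloudTrail eventName values, grouped by what they tell a defender.
RECON = {"GetCallerIdentity", "ListUsers", "ListRoles", "ListBuckets", "DescribeInstances"}
PERSISTENCE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
               "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy"}


def _record(time, name, key_id, ip, user="ci-deploy", source="iam.amazonaws.com", **params):
    """Build one CloudTrail-shaped JSON line (constructed test data, not real logs).
    Simplified: a real AssumedRole record carries the session name under sessionContext."""
    return json.dumps({
        "eventTime": time, "eventSource": source, "eventName": name,
        "userIdentity": {"type": "IAMUser" if key_id.startswith("AKIA") else "AssumedRole",
                         "userName": user, "accessKeyId": key_id},
        "sourceIPAddress": ip, "requestParameters": params or None,
    })


LEAKED = "AKIAIOSFODNN7EXAMPLE"    # AWS documentation example key ID, not a live credential
SESSION = "ASIAEXAMPLE1234567AB"   # made-up temporary-key ID in the STS format
SAMPLE_EVENTS = [
    _record("2025-10-01T02:10:05Z", "GetCallerIdentity", LEAKED, "203.0.113.45", source="sts.amazonaws.com"),
    _record("2025-10-01T02:11:40Z", "CreateUser", LEAKED, "203.0.113.45", userName="svc-backup"),
    _record("2025-10-01T02:12:02Z", "AttachUserPolicy", LEAKED, "203.0.113.45",
            userName="svc-backup", policyArn=ADMIN_POLICY),
    _record("2025-10-01T02:12:30Z", "CreateAccessKey", LEAKED, "203.0.113.45", userName="svc-backup"),
    # Ordinary activity with the same key from the trusted network: not an alert.
    _record("2025-10-01T09:00:00Z", "PutObject", LEAKED, "198.51.100.7",
            source="s3.amazonaws.com", bucketName="deploy-artifacts"),
    _record("2025-10-01T09:05:00Z", "ListBuckets", SESSION, "198.51.100.7",
            user="ops-role", source="s3.amazonaws.com"),
]
# A lone key rotation by an operator's role session from the trusted network.
BENIGN_EVENTS = [_record("2025-10-01T10:00:00Z", "CreateAccessKey", SESSION, "198.51.100.7",
                         user="ops-role", userName="ci-deploy")]


def parse_event(line: str) -> dict:
    """Pull the fields the rules need out of one CloudTrail JSON record."""
    ev = json.loads(line)
    ident = ev.get("userIdentity") or {}
    params = ev.get("requestParameters") or {}
    return {
        "time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "name": ev["eventName"],
        "key_id": ident.get("accessKeyId", ""),
        "ip": ev.get("sourceIPAddress", ""),
        "target": params.get("userName", ""),
        "policy": params.get("policyArn", ""),
    }


def is_long_term_key(key_id: str) -> bool:
    return key_id.startswith("AKIA")


def from_trusted_network(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:              # CloudTrail also logs names such as "AWS Internal"
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyse(lines) -> list:
    """One alert per IAM persistence call, scored by how many warning signs surround it."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    by_key = defaultdict(list)
    for e in events:
        by_key[e["key_id"]].append(e)
    alerts = []
    for key_id, evs in by_key.items():
        recon_times = [e["time"] for e in evs if e["name"] in RECON]
        for e in evs:
            if e["name"] not in PERSISTENCE:
                continue
            reasons = []
            if is_long_term_key(key_id):
                reasons.append("long-term (AKIA) key")
            if not from_trusted_network(e["ip"]):
                reasons.append(f"untrusted source {e['ip']}")
            if any(e["time"] - WINDOW <= t < e["time"] for t in recon_times):
                reasons.append("recon call in the preceding hour")
            if e["policy"] == ADMIN_POLICY:
                reasons.append("AdministratorAccess attached")
            severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
            alerts.append({"key_id": key_id, "event": e["name"], "target": e["target"],
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS) + analyse(BENIGN_EVENTS):
        print(a["severity"].upper(), a["key_id"], a["event"], a["target"], "; ".join(a["reasons"]))
```

Run against the constructed data, the three IAM calls made with the leaked AKIA key all score high: they come from an untrusted address, follow a GetCallerIdentity call within the hour, and one attaches AdministratorAccess. The operator's role-session key rotation scores low. In production the same logic runs over CloudTrail delivered to S3 or CloudWatch Logs; the useful follow-up on a high alert is to disable the originating key immediately, since the new user it created is the attacker's persistence and will survive rotation of the original key.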
Author’s take
This is not just another breach story: it signals consolidation among threat actors and an escalation in extortion tactics. When a group that can breach a major vendor teams up with an established leak collective, your exposure just widened. Read the detail if you look after cloud or supply-chain security; the technical bits are short but important.
Why should I read this?
Bad actors are teaming up and reusing high-profile leak platforms to squeeze bigger ransoms. If you run cloud services, host code repositories, or rely on third-party consultants, this directly affects you. Skim the key points to check your IAM and secrets policies; it could save you a painful incident.
