Google Mandiant: ShinyHunters Attacks Target SaaS Platforms Via SSO, MFA Abuse
The series of incidents detailed by Mandiant researchers started in early to mid-January, and included a previously disclosed campaign involving Okta customers.

February 2, 2026 | 2 min read

Researchers warn that the ShinyHunters threat group is expanding on an existing extortion campaign by targeting varying types of cloud platforms, which could suggest that the attackers are evolving their operations to gather more sensitive data to use for extortion.
Google Mandiant researchers on Friday said the campaign has successfully used voice phishing and credential harvesting sites to pilfer both single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. The threat actors then use these to gain initial access and steal sensitive data from cloud-based SaaS applications, which they use to extort victims.
“While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion,” researchers said in a Friday analysis. “Further, they appear to be escalating their extortion tactics with recent incidents including harassment of victim personnel, among other tactics.”
The series of incidents started in early to mid-January, and included a previously disclosed campaign involving Okta customers. As part of this campaign, attackers used custom phishing kits that included voice-based social engineering capabilities, in order to target accounts belonging to Okta customers, as well as users of Google, Microsoft, and a number of cryptocurrency providers.
Threat actors specifically pretended to be IT staff, calling employees at targeted companies to say that their MFA settings needed updating and directing them to custom phishing sites. These sites harvested SSO credentials and MFA codes, registered a new MFA device, and were hosted on domains that typically followed the format <companyname>sso.com or <companyname>internal.com, according to Google Mandiant.
In certain incidents, the threat actor enabled ToogleBox Recall on the victim's Google Workspace account, an add-on tool that allows users to search for and permanently delete emails. They used it to delete the notification email stating that a new Okta security method had been enrolled, in an attempt to prevent employees from realizing their accounts were compromised.
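As an added defensive example (not code from the Mandiant report), the Python below correlates a new MFA factor enrollment with a permanent deletion, by the same user shortly afterwards, of the enrollment notification email, and checks a domain against the lookalike pattern described above. The event records and their field names are constructed and assumed, loosely modelled on Okta System Log and Google Workspace audit data; map them to your real schema before use.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the article). Field names and the
# Workspace event type are assumptions; the Okta event type mirrors the
# System Log name for activating a new MFA factor.
EVENTS = [
    {"ts": "2026-01-14T09:02:11Z", "source": "okta", "type": "user.mfa.factor.activate",
     "actor": "jdoe@example.com", "client_ip": "203.0.113.7"},
    {"ts": "2026-01-14T09:03:40Z", "source": "workspace", "type": "email.permanent_delete",
     "actor": "jdoe@example.com", "tool": "ToogleBox Recall",
     "subject": "A new security method was added to your Okta account"},
    {"ts": "2026-01-14T11:00:00Z", "source": "okta", "type": "user.mfa.factor.activate",
     "actor": "asmith@example.com", "client_ip": "198.51.100.9"},
]

NOTIFICATION_HINT = re.compile(r"security method", re.IGNORECASE)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suppressed_enrollments(events, window_minutes=60):
    """Return (actor, enroll_ts, delete_ts) for every MFA enrollment that the same
    user followed, within the window, by permanently deleting an email whose subject
    looks like the Okta 'new security method' notification."""
    enrolls = [e for e in events
               if e["source"] == "okta" and e["type"] == "user.mfa.factor.activate"]
    deletes = [e for e in events
               if e["source"] == "workspace" and e["type"] == "email.permanent_delete"
               and NOTIFICATION_HINT.search(e.get("subject", ""))]
    hits = []
    for en in enrolls:
        t0 = parse_ts(en["ts"])
        for de in deletes:
            gap = parse_ts(de["ts"]) - t0
            if de["actor"] == en["actor"] and timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                hits.append((en["actor"], en["ts"], de["ts"]))
    return hits


def is_lookalike_domain(domain, company):
    """True if the domain matches the <companyname>sso.com / <companyname>internal.com
    pattern reported for this campaign, for the given company name."""
    c = company.lower()
    return domain.lower() in {f"{c}sso.com", f"{c}internal.com"}


if __name__ == "__main__":
    for hit in find_suppressed_enrollments(EVENTS):
        print("ALERT: MFA enrollment followed by notification deletion:", hit)
    print(is_lookalike_domain("examplecorpsso.com", "examplecorp"))
```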
Threat actors then moved laterally to exfiltrate company data.
“While the targeting of specific organizations and user identities is deliberate, analysis suggests that the subsequent access to these platforms is likely opportunistic, determined by the specific permissions and applications accessible via the individual compromised SSO session,” according to Google Mandiant researchers. “These compromises did not result from security vulnerabilities in the vendors' products or infrastructure.”
ShinyHunters has previously launched various extortion campaigns, including one in September that used social engineering against users’ Salesforce instances. These incidents underscore how often social engineering succeeds and show the need for organizations to adopt protections like phishing-resistant MFA.
While this more recent activity is similar to these prior operations, researchers said it also represents “an expansion in the number and type of targeted cloud platforms.”
“Further, the use of a compromised account to send phishing emails to cryptocurrency-related entities suggests that associated threat actors may be building relationships with potential victims to expand their access or engage in other follow-on operations,” according to Google Mandiant researchers. “Notably, this portion of the activity appears operationally distinct, given that it appears to target individuals instead of organizations.”