
ShinyHunters-Branded Extortion Activity Expands, Escalates

Hackers rely on evolved vishing and login harvesting to compromise SSO credentials for unauthorized MFA enrollment. The post ShinyHunters-Branded Extortion Activity Expands, Escalates appeared first on SecurityWeek.


ShinyHunters-branded extortion attacks are expanding and escalating, relying on effective social engineering tactics to compromise cloud environments, Mandiant cautions.

The warning comes only days after reports that the ShinyHunters group has set up infrastructure to target more than 100 organizations across multiple sectors, including Atlassian, Adyen, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, GameStop, WeWork, Halliburton, Sonos, and Telstra.

A known extortion group, ShinyHunters was seen registering fake domains to target these companies, using specialized phishing kits for credential harvesting.

ShinyHunters-linked actors were seen using vishing to target single sign-on (SSO) authentication and compromise enterprises’ cloud-based software-as-a-service (SaaS) environments, and Mandiant’s alert reinforces the observation.

“These campaigns leverage evolved voice phishing (vishing) and victim-branded credential harvesting to successfully compromise single sign-on (SSO) credentials and enroll unauthorized devices into victim multi-factor authentication (MFA) solutions,” the Google-owned cybersecurity firm notes.

Okta recently warned of such attacks, in which the hackers intercepted credentials and tricked their victims into helping them bypass MFA, deploying scripts that controlled the authentication flows in the victims’ browsers in real time.

Once an intrusion is detected, organizations should prioritize rapid containment to block the attackers’ access and prevent further data exfiltration, Mandiant says.

“Because these campaigns rely on valid credentials rather than malware, containment must prioritize the revocation of session tokens and the restriction of identity and access management operations,” the company notes.

Advice for organizations

Organizations are advised to identify and disable compromised accounts, revoke active session tokens and OAuth authorizations, disable or heavily restrict public self-service password reset portals, and temporarily disable MFA registration.

Additionally, they should restrict or temporarily disable VPNs, virtual desktop infrastructure (VDI) and similar remote access points, restrict access to identity provider and SaaS applications, and adopt manual, high-assurance verification protocols for account-related requests.
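The containment steps above are easier to act on when the precursors of an unauthorized MFA enrollment can be pulled out of identity-provider audit logs automatically. The following is an added example written for this article, not code from Mandiant, Okta or SecurityWeek: it parses audit events in an assumed generic JSON-lines format (the field and event names `session.start`, `password.reset.self_service`, `mfa.factor.enroll` are illustrative, not any vendor's schema), flags a factor enrollment that follows, within a short window, either a sign-in from an IP the user has never used or a self-service password reset, and turns the findings into the concrete containment list the article describes: accounts to disable and session tokens to revoke. The sample log lines and the per-user IP baseline are constructed.

```python
"""Flag MFA enrollments that follow suspicious precursors in IdP audit logs (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in an assumed generic JSON-lines format; not a vendor schema.
SAMPLE_LOG = """
{"ts": "2026-03-02T09:00:00Z", "user": "alice", "event": "session.start", "ip": "198.51.100.7", "session": "sid-001"}
{"ts": "2026-03-02T09:05:00Z", "user": "alice", "event": "mfa.factor.enroll", "ip": "198.51.100.7", "session": "sid-001", "factor": "push"}
{"ts": "2026-03-02T10:00:00Z", "user": "bob", "event": "session.start", "ip": "203.0.113.20", "session": "sid-002"}
{"ts": "2026-03-02T10:02:00Z", "user": "bob", "event": "mfa.factor.enroll", "ip": "203.0.113.20", "session": "sid-002", "factor": "totp"}
{"ts": "2026-03-02T11:00:00Z", "user": "carol", "event": "password.reset.self_service", "ip": "198.51.100.9", "session": null}
{"ts": "2026-03-02T11:03:00Z", "user": "carol", "event": "session.start", "ip": "198.51.100.9", "session": "sid-003"}
{"ts": "2026-03-02T11:10:00Z", "user": "carol", "event": "mfa.factor.enroll", "ip": "198.51.100.9", "session": "sid-003", "factor": "push"}
{"ts": "2026-03-02T14:00:00Z", "user": "dave", "event": "session.start", "ip": "198.51.100.50", "session": "sid-004"}
{"ts": "2026-03-02T16:00:00Z", "user": "dave", "event": "mfa.factor.enroll", "ip": "198.51.100.50", "session": "sid-004", "factor": "sms"}
"""

# Constructed baseline: IPs each user normally signs in from. In practice this is
# derived from weeks of sign-in history, not hard-coded.
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.20"},
    "carol": {"203.0.113.30"},
    "dave": {"203.0.113.40"},
}


def parse_events(log_text):
    """Parse JSON-lines audit text into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_enrollments(events, known_ips, window=timedelta(minutes=30)):
    """Return MFA enrollments preceded, within `window`, by a sign-in from an
    unseen IP or by a self-service password reset for the same user."""
    precursors = defaultdict(list)  # user -> [(ts, reason)]
    findings = []
    for ev in events:
        user = ev["user"]
        if ev["event"] == "session.start" and ev["ip"] not in known_ips.get(user, set()):
            precursors[user].append((ev["ts"], f"session from unseen IP {ev['ip']}"))
        elif ev["event"] == "password.reset.self_service":
            precursors[user].append((ev["ts"], "self-service password reset"))
        elif ev["event"] == "mfa.factor.enroll":
            # Only precursors still inside the window count; older ones are ignored.
            reasons = [r for ts, r in precursors[user] if ev["ts"] - ts <= window]
            if reasons:
                findings.append({
                    "user": user,
                    "session": ev["session"],
                    "factor": ev["factor"],
                    "ip": ev["ip"],
                    "reasons": reasons,
                })
    return findings


def containment_plan(findings):
    """Translate findings into the two lists a responder acts on first:
    accounts to disable and session tokens to revoke."""
    return {
        "disable_users": sorted({f["user"] for f in findings}),
        "revoke_sessions": sorted({f["session"] for f in findings if f["session"]}),
    }


if __name__ == "__main__":
    found = find_suspicious_enrollments(parse_events(SAMPLE_LOG), KNOWN_IPS)
    for f in found:
        print(f"{f['user']}: {f['factor']} factor enrolled in {f['session']} after "
              + "; ".join(f["reasons"]))
    print(containment_plan(found))
```

With the constructed data, alice (new factor minutes after a sign-in from an unseen IP) and carol (self-service reset, then sign-in from an unseen IP, then a new factor) are flagged, while bob (known IP) and dave (enrollment two hours after the unseen-IP sign-in, outside the window) are not. The window and the baseline are the two knobs to tune; a shorter window reduces noise, and a richer baseline (device or ASN rather than raw IP) reduces false positives from legitimate travel.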

“When appropriate, organizations should also communicate with end-users, HR partners, and other business units to stay on high-alert during the initial containment phase. Always report suspicious activity to internal IT and Security for further investigation,” Mandiant notes.

A hardened verification process should include high-assurance paths such as live video calls, out-of-band approvals from users’ managers, and calls to users’ known good numbers.

Helpdesk employees should not provide access or information during inbound calls and should independently contact the company’s designated account manager for explicit verification of access requests.

Organizations should also educate their users on identifying vishing and phishing attempts, on being cautious of requests to change their passwords, especially during off-business hours, and on not sharing passwords.

“Organizations should implement a layered series of controls to protect all types of identities. Access to cloud identity providers (IdPs), cloud consoles, SaaS applications, document and code repositories should be restricted since these platforms often become the control plane for privilege escalation, data access, and long-term persistence,” Mandiant notes.

Related: Researchers Trap Scattered Lapsus$ Hunters in Honeypot

Related: In Other News: 600k Hit by Healthcare Breaches, Major ShinyHunters Hacks, DeepSeek’s Coding Bias

Related: Security Industry Skeptical of Scattered Spider-ShinyHunters Retirement Claims

Related: Scattered Spider Suspect Arrested in US
