Application security, Cloud Security, Phishing

ShinyHunters-branded SaaS data theft attacks ramp up

Internet infrastructure concept. Abstract technology background. 3D rendering.

Threat operations UNC6661, UNC6671, and UNC6240 have escalated extortion-themed cyber intrusions with the ShinyHunters branding that involved voice phishing and fake credential harvesting sites against cloud-based software-as-a-service apps last month, The Hacker News reports.

Targeted firms' employees have been initially targeted by UNC6661, who masqueraded IT staff to lure them to visit multi-factor authentication setting update links that harvest credentials, according to Google Mandiant researchers. Obtained credentials were then used by attackers to register their device for subsequent lateral movement ahead of extortion by UNC6240 or ShinyHunters. Similar IT staff impersonation has been done by UNC6671 to procure targets' credentials and MFA authentication codes since earlier last month, with OneDrive and SharePoint data pilfered using PowerShell.

"This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, it continues to highlight the effectiveness of social engineering and underscores the importance of organizations moving towards phishing-resistant MFA where possible," said Google.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds