Hackers who hit OkCupid, Bumble, and Crunchbase bypass security with a simple trick: a phone call


A hail of major recent cyberattacks has one thing in common: hackers call employees and ask for access. Google is warning of “a significant expansion and escalation in the operations” of ShinyHunters.

A threat actor known as ShinyHunters has recently claimed breaches at Bumble, Match Group (operator of the Hinge, Match, and OkCupid services), Crunchbase, and several other major companies.

Google Threat Intelligence Group (GTIG) warns that a wave of recent cyberattacks relies on sophisticated voice phishing: phone calls that trick employees into visiting malicious credential-harvesting sites and granting access.


“They appear to be escalating their extortion tactics with recent incidents including harassment of victim personnel, among other tactics,” reads the report on ShinyHunters’ data theft tactics by GTIG/Mandiant.

During this type of cyberattack, also known as vishing, hackers identify employees with access to sensitive IT systems or internal tools and call them pretending to be internal IT staff.


In the incidents this year, the cybercriminals were fraudulently claiming that the targeted company was updating MFA (multi-factor authentication) settings.

During the phone call, hackers directed their victims to visit malicious sites branded to imitate the targeted company. The websites were designed to capture credentials, such as single sign-on (SSO) logins or MFA codes, enabling attackers to register their own devices and gain access.

The security researchers noted that the attackers are using convincing domains, such as sso.com or internal.com.

The hackers use voice-based social engineering kits and adapt the context on the fly, including which pages are presented in the victims’ browsers. The kits are designed to target identity providers, such as Okta, but also cryptocurrency and other software-as-a-service (SaaS) platforms.


“Once inside, the threat actors target cloud-based SaaS applications to exfiltrate sensitive data and internal communications for use in subsequent extortion demands,” Google’s Mandiant explains.

“The subsequent access to these platforms is likely opportunistic, determined by the specific permissions and applications accessible via the individual compromised SSO session.”

Multiple threat clusters associated with ShinyHunters are scouring the compromised instances for specific keywords, such as “poc,” “confidential,” “internal,” “proposal,” “salesforce,” “vpn” or personally identifiable information (PII) stored in Salesforce. GTIG tracks these clusters as UNC6661, UNC6671, and UNC6240.

To hide their tracks, hackers added tools to compromised Google Workspace accounts that delete emails alerting the user about newly added devices and other suspicious activity.
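The two post-compromise signals described above (an MFA device registered shortly after a sign-in from an address the user has never used, and a mail filter that silently deletes security-alert emails) are both detectable in identity-provider and mailbox audit logs. The following is an added example written for this article, not code from Google, Mandiant or any vendor; the event schema, the sample events and the known-IP baseline are all constructed for illustration and do not match the real Google Workspace or Okta log formats.

```python
"""Detection logic for two ShinyHunters-style post-compromise signals:
(1) an MFA factor enrolled within a short window after a login from an IP
    address not previously seen for that user, and
(2) creation of a mail filter that auto-deletes security-alert messages.
Event schema and sample data are constructed for this example (hypothetical)."""
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not real logs).
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice", "event": "login",
     "ip": "203.0.113.10"},
    {"ts": "2025-01-10T09:04:00", "user": "alice", "event": "mfa_enroll",
     "ip": "203.0.113.10", "factor": "push"},
    {"ts": "2025-01-10T09:06:00", "user": "alice", "event": "filter_create",
     "ip": "203.0.113.10",
     "filter": {"subject_contains": "New sign-in to your account", "action": "delete"}},
    {"ts": "2025-01-10T11:00:00", "user": "bob", "event": "login",
     "ip": "198.51.100.7"},
    {"ts": "2025-01-11T11:00:00", "user": "bob", "event": "mfa_enroll",
     "ip": "198.51.100.7", "factor": "webauthn"},
]

# Constructed baseline of IPs each user has previously signed in from.
KNOWN_IPS = {"alice": {"192.0.2.5"}, "bob": {"198.51.100.7"}}

# Tunable thresholds (assumptions for this example).
ENROLL_WINDOW = timedelta(minutes=30)
ALERT_KEYWORDS = ("sign-in", "new device", "security alert")


def detect(events, known_ips, window=ENROLL_WINDOW):
    """Return a list of findings; each names the user and the rule that fired."""
    findings = []
    last_new_ip_login = {}  # user -> timestamp of most recent login from an unseen IP
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["event"] == "login" and e["ip"] not in known_ips.get(user, set()):
            last_new_ip_login[user] = ts
        elif e["event"] == "mfa_enroll":
            # Rule 1: new factor registered soon after a login from an unseen IP.
            login_ts = last_new_ip_login.get(user)
            if login_ts is not None and ts - login_ts <= window:
                findings.append({"user": user, "ts": e["ts"],
                                 "rule": "mfa_enroll_after_new_ip_login",
                                 "factor": e.get("factor")})
        elif e["event"] == "filter_create":
            # Rule 2: a delete-action filter matching security-alert subjects.
            f = e.get("filter", {})
            subject = f.get("subject_contains", "").lower()
            if f.get("action") == "delete" and any(k in subject for k in ALERT_KEYWORDS):
                findings.append({"user": user, "ts": e["ts"],
                                 "rule": "alert_suppression_filter",
                                 "subject_contains": f.get("subject_contains")})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS, KNOWN_IPS):
        print(finding)
```

Run stand-alone it reports two findings for `alice` and none for `bob`, whose enrollment came from a known address a day after login. In practice the baseline would come from weeks of sign-in history, and the filter rule should also cover forwarding and "mark as read" actions, which the page does not describe but which serve the same purpose of hiding alerts.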


Compromised email accounts are also used to send additional phishing emails to contacts.

One compromised company received demands with a specified payment amount and destination BTC address. The hackers threatened “consequences if the ransom was not paid within 72 hours.”

GTIG said it also observed extortion text messages sent to employees and received reports of victim websites being targeted with distributed denial-of-service (DDoS) attacks. ShinyHunters-branded operations also abuse commercial VPN services or residential proxy networks to hide IP addresses.

The tactics used by ShinyHunters resemble those previously used to target Salesforce instances and compromise dozens of high-profile companies.


Google urges removing SMS, phone calls, notifications, and emails as authentication controls

GTIG also released another post detailing guidance for companies to strengthen defenses against ShinyHunters.

One of the main recommendations is to adopt phishing-resistant MFA such as FIDO2 passkeys and security keys.

Google suggests organizations should remove authentication controls based on SMS, phone calls, push notifications, or emails.
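Why FIDO2 passkeys and security keys resist the phishing flow described above comes down to two relying-party checks: the browser writes the page's origin into the signed client data, and the authenticator binds the assertion to the RP ID derived from that origin, so a credential exercised on a lookalike domain cannot produce an assertion the real SSO endpoint will accept. The following is an added example written for this article (not Google's guidance text or any library's code); it simulates those two checks. The relying party `example.com`, its allowed origins, the lookalike origin and the assertion bytes are all constructed, and signature verification against the registered public key is omitted and noted in a comment.

```python
"""Relying-party checks that give WebAuthn its phishing resistance:
origin binding in clientDataJSON and rpIdHash binding in authenticatorData.
Relying party, origins and assertion contents are constructed for this example.
Signature verification (against the credential's registered public key) is
deliberately omitted here; a real relying party performs it after these checks."""
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                                    # hypothetical relying party
ALLOWED_ORIGINS = {"https://sso.example.com", "https://example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simulate what a browser and authenticator produce for a page at `origin`.
    The browser, not the page, fills in the origin; the authenticator hashes the
    RP ID the browser derived from that origin into authenticatorData."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    # authenticatorData layout: rpIdHash(32) || flags(1) || signCount(4)
    flags = 0x05  # user present (bit 0) and user verified (bit 2)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes,
                     rp_id: str = RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Return (ok, reason). Performs the WebAuthn origin/challenge/rpIdHash checks."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong clientData type"
    got_challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(got_challenge, expected_challenge):
        return False, "challenge mismatch"        # replay or wrong session
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin not allowed: {origin}"   # lookalike / phishing page
    auth_data = assertion["authenticatorData"]
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        return False, "rpIdHash mismatch"         # credential bound to another RP
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # Signature over authenticatorData || SHA-256(clientDataJSON) would be
    # verified here with the registered public key (omitted in this example).
    return True, "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; real challenges are random per login
    legit = make_assertion("https://sso.example.com", RP_ID, challenge)
    print("legitimate:", verify_assertion(legit, challenge))
    # A vishing victim steered to a lookalike domain: the browser derives a
    # different RP ID and records the lookalike origin, so the assertion fails.
    lookalike = make_assertion("https://sso-example.com", "sso-example.com", challenge)
    print("lookalike: ", verify_assertion(lookalike, challenge))
```

The contrast with the SMS, push and email factors the page says should be removed is that those factors carry nothing tying them to the site the user is looking at, so a code read out over the phone or a push approved on request works just as well on the attacker's page as on the real one.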

“Because these campaigns often target human-driven workflows through social engineering, vishing, and phishing, organizations should implement stronger, layered identity verification processes for support interactions, especially for requests involving account changes such as password resets or MFA modifications,” the report reads.

The long list of recommended defenses even suggests using live video calls where the user holds a physical government ID next to their face.
