ShinyHunters-Branded Extortion Activity Expands, Escalates
Briefly

"ShinyHunters-branded extortion attacks are expanding and escalating, relying on effective social engineering tactics to compromise cloud environments, Mandiant cautions. The warning comes only days after reports that the ShinyHunters group has set up infrastructure to target more than 100 organizations across multiple sectors, including Atlassian, Adyen, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, GameStop, WeWork, Halliburton, Sonos, and Telstra. A known extortion group, ShinyHunters was seen registering fake domains to target these companies, using specialized phishing kits for credential harvesting."
"ShinyHunters-linked actors were seen using vishing to target single sign-on (SSO) authentication and compromise enterprises' cloud-based software-as-a-service (SaaS) environments, and Mandiant's alert reinforces the observation. "These campaigns leverage evolved voice phishing (vishing) and victim-branded credential harvesting to successfully compromise single sign-on (SSO) credentials and enroll unauthorized devices into victim multi-factor authentication (MFA) solutions," the Google-owned cybersecurity firm notes. Okta recently warned of such attacks, in which the hackers intercepted credentials and tricked their victims into aiding them in bypassing MFA."
ShinyHunters-branded extortion attacks are expanding and escalating, employing effective social engineering to compromise cloud and SaaS environments. The group has registered fake domains and used specialized phishing kits to harvest credentials from more than 100 targeted organizations across multiple sectors. Actors use vishing to target single sign-on (SSO) authentication, enroll unauthorized devices into multi-factor authentication (MFA), and deploy browser scripts to control authentication flows in real time. These campaigns rely on valid credentials rather than malware, making containment actions like revoking session tokens and restricting identity and access management operations critical. Organizations should identify and disable compromised accounts and revoke active session tokens and OAuth authorizations.
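The containment steps above (find the compromised accounts, revoke their sessions and OAuth grants, restrict identity operations) only work if the rogue MFA enrollment can be spotted in the identity provider's audit log. The following Python script is an added example, not code from SecurityWeek, Mandiant or any vendor: it runs a simple detection over constructed SSO audit events (a generic log shape assumed for this example, not a real product schema) to flag MFA factor enrollments made from an IP address the user has never authenticated from, shortly after a login from that same unfamiliar address, and then builds the revocation list a responder would hand to the identity team. The 15-minute window and the sample IPs are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (invented for this example, not real logs). The
# field names assume a generic SSO/IdP audit-log shape, not any vendor's schema.
EVENTS = [
    {"ts": "2025-09-01T09:00:00Z", "user": "alice", "type": "sso.login",
     "ip": "203.0.113.77", "session": "s-101"},
    {"ts": "2025-09-01T09:04:00Z", "user": "alice", "type": "mfa.factor.enroll",
     "ip": "203.0.113.77", "session": "s-101", "factor": "push"},
    {"ts": "2025-09-01T09:06:00Z", "user": "alice", "type": "oauth.grant",
     "ip": "203.0.113.77", "session": "s-101", "client": "mail-sync"},
    {"ts": "2025-09-01T13:00:00Z", "user": "alice", "type": "sso.login",
     "ip": "203.0.113.77", "session": "s-102"},
    {"ts": "2025-09-01T10:00:00Z", "user": "bob", "type": "sso.login",
     "ip": "198.51.100.20", "session": "s-201"},
    {"ts": "2025-09-01T10:30:00Z", "user": "bob", "type": "mfa.factor.enroll",
     "ip": "198.51.100.20", "session": "s-201", "factor": "totp"},
]

# Constructed baseline: source IPs each user has authenticated from before today.
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.20"}}

# How soon after a login an enrollment must follow to be treated as part of the
# same intrusion; an assumed tuning value, not one taken from the article.
ENROLL_WINDOW = timedelta(minutes=15)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_enrollments(events, known_ips, window=ENROLL_WINDOW):
    """Flag MFA factor enrollments performed from an IP the user has never used
    before, within `window` of an SSO login from that same unfamiliar IP."""
    by_user = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(e["user"], []).append(e)

    hits = []
    for user, evs in by_user.items():
        logins = [e for e in evs if e["type"] == "sso.login"]
        for e in evs:
            if e["type"] != "mfa.factor.enroll":
                continue
            if e["ip"] in known_ips.get(user, set()):
                continue  # enrollment from a familiar address: normal device rotation
            t = parse_ts(e["ts"])
            for login in logins:
                delta = t - parse_ts(login["ts"])
                if login["ip"] == e["ip"] and timedelta(0) <= delta <= window:
                    hits.append(e)
                    break
    return hits


def containment_plan(events, hits):
    """Build the revocation list for each flagged user: disable the account, drop
    every session active at or after the rogue enrollment, revoke every OAuth grant
    issued inside those sessions, and remove the newly enrolled factor."""
    plan = {}
    for h in hits:
        user = h["user"]
        start = parse_ts(h["ts"])
        user_events = [e for e in events if e["user"] == user]
        sessions = {e["session"] for e in user_events if parse_ts(e["ts"]) >= start}
        sessions.add(h["session"])  # the login session that preceded the enrollment
        grants = {e["client"] for e in user_events
                  if e["type"] == "oauth.grant" and e["session"] in sessions}
        entry = plan.setdefault(user, {"disable_account": True, "revoke_sessions": set(),
                                       "revoke_oauth_grants": set(), "remove_factors": set()})
        entry["revoke_sessions"] |= sessions
        entry["revoke_oauth_grants"] |= grants
        entry["remove_factors"].add(h["factor"])
    # Sorted lists make the plan stable to diff and easy to hand to an on-call responder.
    return {u: {k: (sorted(v) if isinstance(v, set) else v) for k, v in p.items()}
            for u, p in plan.items()}


if __name__ == "__main__":
    suspicious = find_suspicious_enrollments(EVENTS, KNOWN_IPS)
    for user, actions in containment_plan(EVENTS, suspicious).items():
        print(user, actions)
```

On the sample data only `alice` is flagged: her factor enrollment comes four minutes after a login from an address absent from her baseline, so the plan disables her account, revokes sessions `s-101` and `s-102` (the later login reuses the same stolen credentials), revokes the `mail-sync` OAuth grant created in the compromised session and removes the `push` factor. `bob` enrolls a factor from his usual address and is left alone, which is the point of the baseline check: the detection keys on the unfamiliar source of the enrollment, not on enrollment itself, since valid credentials rather than malware are what these campaigns run on.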
Read at SecurityWeek