Mandiant has reported a significant expansion in data theft campaigns associated with ShinyHunters-branded extortion. These threat actors use voice phishing (vishing) and credential harvesting to compromise Single Sign-On (SSO) accounts and enroll unauthorized devices into Multi-Factor Authentication (MFA) solutions. Rather than exploiting technical vulnerabilities, these attacks rely on social engineering to bypass identity controls and then pivot into SaaS environments such as Google Workspace, Salesforce, and Microsoft 365.
To counter these threats, the article outlines a multi-layered defense strategy focused on rapid containment, rigorous help desk verification processes, and the adoption of phishing-resistant MFA such as FIDO2 security keys. It also provides platform-specific logging recommendations and YARA-L detection rules for identifying suspicious MFA changes, administrative configuration changes, and scripted data exfiltration attempts. Security teams are encouraged to move to workload identity federation and to maintain high visibility into identity lifecycle events so that these campaigns can be disrupted before data exfiltration occurs.