Mandiant and Google Threat Intelligence have identified an expansion of ShinyHunters-branded extortion activity targeting corporate software-as-a-service (SaaS) environments. The threat actors, tracked under clusters such as UNC6661 and UNC6671, use voice phishing (vishing) and victim-branded credential-harvesting sites to obtain single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. Once access is established, the attackers exfiltrate sensitive data from platforms such as SharePoint, Salesforce, and Docusign and use it for extortion.
To maintain persistence and evade detection, the attackers have been observed using tools such as ToogleBox Recall to delete security notification emails within victim environments, so that the alerts never reach the account owner. The group has also escalated to harassment of personnel and DDoS attacks. Security researchers emphasize that these incidents are the result of effective social engineering rather than software vulnerabilities: because the victim hands over both the password and the one-time MFA code, code-based MFA offers no protection. This highlights the need for organizations to move to phishing-resistant MFA such as FIDO2 security keys, whose authentication is bound to the legitimate site's origin and cannot be replayed by an attacker operating a lookalike domain.