ShinyHunters has expanded its extortion campaigns to a wider range of software-as-a-service (SaaS) environments, using voice phishing (vishing) and credential harvesting to breach organisations. Since its Salesforce-targeted attacks last year, the group's activity has grown in both scope and aggressiveness; the threat clusters UNC6661, UNC6671 and UNC6240 have been linked to it.
The group uses victim-branded credential-harvesting sites to capture SSO credentials and MFA codes, gaining initial access to cloud environments and then exfiltrating data from SaaS applications to use as extortion leverage. In some cases the attackers enrolled their own devices for MFA to maintain persistence, and they have targeted Okta customer accounts, SharePoint and OneDrive, using PowerShell to download data, according to Mandiant.
The extortion communications typically name a ransom amount and a BTC destination address, threaten DDoS attacks if payment is delayed, and point to samples hosted on Limewire as proof of data theft. According to a Google Threat Intelligence blog post, the attackers have extended beyond Salesforce to Microsoft 365, SharePoint, Slack and other popular SaaS services, an expansion in both the number and the type of cloud platforms targeted.