www.securityweek.com 2/2/2026, 3:35:47 PM

ShinyHunters-Branded Extortion Activity Expands, Escalates

ShinyHunters-branded extortion activity is expanding and escalating, with attackers relying on social engineering to compromise cloud environments, according to SecurityWeek. Mandiant cautions that campaigns use evolved vishing and victim-branded credential harvesting to gain access to SSO credentials and enrol unauthorized devices into victim MFA solutions, enabling intrusions into cloud-based SaaS environments.

The activity is linked to infrastructure targeting more than 100 organisations across multiple sectors, including Atlassian, Adyen, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, GameStop, WeWork, Halliburton, Sonos and Telstra, and the group has been seen registering fake domains for credential harvesting. Okta recently warned of attacks in which credentials are intercepted and victims are tricked into aiding MFA bypass, with scripts deployed to control authentication flows in victims’ browsers in real time.

Containment guidance from Mandiant emphasises revoking session tokens, restricting identity and access management operations, disabling compromised accounts, and temporarily downgrading or disabling MFA registration, VPNs, and remote access points while organisations educate users to recognise vishing and phishing attempts.

Article by CyberSIXT