Mandiant has identified ShinyHunters-style vishing attacks that aim to steal MFA codes to breach SaaS platforms, with activity linked to multiple clusters tracked as UNC6661, UNC6671, and UNC6240 (aka ShinyHunters). The campaign involves impersonating IT staff on calls to guide victims to credential harvesting sites, then using the stolen sign-ins and MFA codes to enrol devices and move laterally to exfiltrate data, followed by extortion activity.
UNC6661 and UNC6671 differ in the domain registrars they use (NICENIC and Tucows respectively), and in some cases the intruders gained access to Okta customer accounts and used PowerShell to download data from SharePoint and OneDrive. Google has published a long list of hardening and detection recommendations, emphasising phishing-resistant MFA such as FIDO2 security keys and noting that the activity relies on social engineering rather than on a vulnerability in any vendor product.
According to Google, the breadth of targeting continues to expand as the threat actors pursue more sensitive data for extortion, while the company notes that the clusters may involve different individuals and that their tactics are evolving.
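The intrusion sequence described above (sign-in with stolen credentials and MFA code, enrolment of a new MFA factor or device, then bulk download from SharePoint or OneDrive) is a sequence a defender can correlate in identity and SaaS audit logs. The following detection logic is an added example and not code from Google, Mandiant or the report; it uses a constructed, simplified event schema (the `login.success`, `mfa.factor.enroll` and `download` event names, the `src_ip`/`bytes`/`factor` fields, the sample events and the known-IP baseline are all hypothetical and are not Okta or Microsoft 365 log field names), and it flags a user when a login from a previously unseen IP is followed, inside a time window, by a new factor enrolment and then downloads above a byte threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not the real
# Okta System Log or Microsoft 365 audit format). Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    # alice: login from a known IP, normal download volume -> no alert
    {"ts": "2024-01-10T09:00:00", "user": "alice", "event": "login.success", "src_ip": "203.0.113.10"},
    {"ts": "2024-01-10T09:05:00", "user": "alice", "event": "download", "src_ip": "203.0.113.10", "bytes": 2_000_000},
    # bob: login from an unseen IP, new MFA factor enrolled, then bulk downloads -> alert
    {"ts": "2024-01-10T13:00:00", "user": "bob", "event": "login.success", "src_ip": "198.51.100.7"},
    {"ts": "2024-01-10T13:02:00", "user": "bob", "event": "mfa.factor.enroll", "src_ip": "198.51.100.7", "factor": "push"},
    {"ts": "2024-01-10T13:20:00", "user": "bob", "event": "download", "src_ip": "198.51.100.7", "bytes": 900_000_000},
    {"ts": "2024-01-10T13:25:00", "user": "bob", "event": "download", "src_ip": "198.51.100.7", "bytes": 700_000_000},
    # carol: unseen IP and new factor, but only a small download -> no alert
    {"ts": "2024-01-10T15:00:00", "user": "carol", "event": "login.success", "src_ip": "192.0.2.55"},
    {"ts": "2024-01-10T15:01:00", "user": "carol", "event": "mfa.factor.enroll", "src_ip": "192.0.2.55", "factor": "sms"},
    {"ts": "2024-01-10T15:10:00", "user": "carol", "event": "download", "src_ip": "192.0.2.55", "bytes": 5_000_000},
]

# Constructed baseline: IPs each user has previously authenticated from.
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.22"},
    "carol": {"203.0.113.30"},
}


def detect_enroll_then_exfil(events, known_ips, window=timedelta(hours=2), byte_threshold=500_000_000):
    """Return one alert per (user, suspicious login) where, within `window` of a
    successful login from an IP not in the user's baseline, a new MFA factor is
    enrolled and downloads made *after* that enrolment total at least
    `byte_threshold` bytes. The threshold and window are constructed defaults."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    alerts = []
    for user, evs in by_user.items():
        baseline = known_ips.get(user, set())
        for i, login in enumerate(evs):
            if login["event"] != "login.success" or login["src_ip"] in baseline:
                continue
            deadline = login["ts"] + window
            enrolled_factor = None
            downloaded = 0
            for e in evs[i + 1:]:
                if e["ts"] > deadline:
                    break
                if e["event"] == "mfa.factor.enroll":
                    enrolled_factor = e.get("factor", "unknown")
                elif e["event"] == "download" and enrolled_factor is not None:
                    downloaded += e.get("bytes", 0)
            if enrolled_factor is not None and downloaded >= byte_threshold:
                alerts.append({
                    "user": user,
                    "login_ts": login["ts"].isoformat(),
                    "src_ip": login["src_ip"],
                    "factor": enrolled_factor,
                    "bytes_after_enroll": downloaded,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_enroll_then_exfil(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

The three-stage correlation (unseen source, new factor, post-enrolment volume) is what keeps the rule quiet on ordinary new-device enrolments such as carol's, while still catching the bob sequence; in production the IP baseline would come from historical sign-in data and the byte threshold from the tenant's normal download distribution rather than the constructed values here.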