The ShinyHunters threat group has expanded its extortion operations with sophisticated attack methods targeting cloud-based systems across multiple organizations. These cybercriminals obtain employee login credentials by using voice phishing and phony credential-harvesting websites.

Once they gain access, they extract sensitive data from cloud software applications and use this information to demand ransom payments from victim companies. In order to obtain single sign-on credentials and multi-factor authentication codes from unsuspecting employees, the threat group builds realistic-looking phishing websites that imitate corporate login pages. Usually, the attackers pose as IT personnel and call employees, claiming that the company is updating security settings. They then direct the employees to phony websites built to steal their login information.

This strategy has been successful because it blends technical deception with human manipulation. Google Cloud analysts identified that the threat activity is being tracked under three separate threat clusters named UNC6661, UNC6671, and UNC6240. The researchers found that, in order to obtain more valuable data for their extortion schemes, these groups have increased the number and variety of cloud platforms they target.

Recent incidents show the attackers are using aggressive tactics, including harassment of victim employees and launching denial-of-service attacks against company websites.

[Figure: Diagram of the attack path (Source: Google Cloud)]

The attacks do not exploit security vulnerabilities in software products or infrastructure. Instead, they succeed by using social engineering strategies that deceive people into voluntarily handing over their credentials.

Security experts emphasize that organizations should adopt phishing-resistant authentication methods such as FIDO2 security keys or passkeys; unlike traditional SMS or push-based authentication, these cannot be bypassed through social engineering tactics of this kind.

Data Theft Operations and Attack Mechanisms

The threat actors register fake domains that impersonate legitimate corporate portals, using patterns like companynamesso.com or companynameinternal.com to make their phishing sites appear authentic. In order to keep ongoing access to victim accounts, the attackers register their own authentication devices after obtaining employee credentials.
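As an added defensive example (not code from the Google Cloud report or from this article), the following Python check flags newly observed domains that follow the companynamesso / companynameinternal pattern while excluding the organization's own domains; the company name, the sample candidate list and the portal words beyond "sso" and "internal" are constructed assumptions.

```python
import re

# Constructed sample of candidate domains, e.g. from a certificate
# transparency feed or a newly-registered-domain list (hypothetical values).
SAMPLE_CANDIDATES = [
    "examplecorpsso.com",
    "examplecorp-internal.net",
    "examplecorp.com",
    "sso.examplecorp.com",
    "unrelatedshop.com",
    "examplecorpokta.com",
]

# "sso" and "internal" are the suffixes described in the report; the
# remaining words are assumed extras commonly seen on corporate portals.
PORTAL_WORDS = ("sso", "internal", "okta", "login", "vpn", "helpdesk")


def normalise(name: str) -> str:
    """Lower-case and strip anything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def lookalike_portal_domains(company, candidates, legit_domains):
    """Return candidate domains whose registrable label is the company name
    followed by a portal word, skipping the organization's real domains.
    Multi-part suffixes such as co.uk are not handled (assumption)."""
    brand = normalise(company)
    legit = {d.lower().rstrip(".") for d in legit_domains}
    hits = []
    for domain in candidates:
        d = domain.lower().rstrip(".")
        if d in legit or any(d.endswith("." + l) for l in legit):
            continue  # the org's own domain or a subdomain of it
        parts = d.split(".")
        label = normalise(parts[-2] if len(parts) >= 2 else d)
        if not label.startswith(brand) or label == brand:
            continue
        tail = label[len(brand):]
        if any(tail.startswith(w) or tail.endswith(w) for w in PORTAL_WORDS):
            hits.append(domain)
    return hits


if __name__ == "__main__":
    for hit in lookalike_portal_domains("Example Corp", SAMPLE_CANDIDATES,
                                        ["examplecorp.com"]):
        print("possible credential-harvesting domain:", hit)
```

In practice the candidate list would come from a certificate transparency monitor or a domain-registration feed, and each hit would be queued for takedown and added to mail and proxy blocklists.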

After that, they methodically navigate corporate cloud environments in order to steal data from Slack, DocuSign, Salesforce, SharePoint, and other platforms.

[Figure: Ransom note (Source: Google Cloud)]

The cybercriminals specifically look for documents in cloud applications that contain terms like "confidential," "internal," "proposal," and "vpn." In certain instances, they enabled tools such as ToogleBox Recall in Google Workspace accounts to permanently remove security alert emails, keeping staff members from realizing that their accounts were being accessed from unauthorized devices. Following the data theft, the attackers send extortion emails demanding Bitcoin payments within 72 hours.

To support their claims, they offer samples of the stolen data hosted on file-sharing websites.