On Friday, Google-owned Mandiant announced that it had discovered an "expansion in threat activity" that employs tradecraft typical of extortion-themed attacks carried out by ShinyHunters, a financially motivated hacker collective. The attacks leverage advanced voice phishing (aka vishing) and bogus credential-harvesting sites mimicking targeted companies to gain unauthorized access to victim environments by collecting single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.
The attacks' ultimate objective is to target cloud-based software-as-a-service (SaaS) applications in order to extort victims and steal confidential information and internal communications.
Google's threat intelligence team said it is tracking the activity under several clusters, including UNC6661, UNC6671, and UNC6240 (also known as ShinyHunters), to account for the possibility that these groups are changing their methods or imitating previously observed tradecraft. Mandiant stated, "The scope of targeted cloud platforms keeps growing as these threat actors seek more sensitive data for extortion, even though this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion."
"Further, with recent incidents, they seem to be intensifying their extortion tactics, including harassing victim personnel, among other tactics."

The following are specifics of the credential theft and vishing activity:

Google has provided a comprehensive list of hardening, logging, and detection recommendations to counter the threat to SaaS platforms:

- Enhance help desk procedures, such as requiring staff members to make a live video call to confirm their identity.
- Enforce strong passwords, restrict access to physical locations and trusted egress points, and do away with email, phone calls, and SMS as authentication methods.
- Limit access to the management plane, check for exposed secrets, and implement device access controls.
- Increase visibility into identity actions, authorizations, and SaaS export behaviors by implementing logging.
- Identify MFA life cycle and device enrollment changes; search for identity events that take place outside regular business hours, or OAuth/app authorization events that point to mailbox manipulation using tools like ToogleBox Email Recall.
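As an added example, not part of the original article or of Google's published guidance, the following Python script applies the logging and detection recommendations above to a few constructed identity-provider events: it flags MFA enrollment changes, off-hours identity activity and OAuth grants carrying mailbox scopes, and escalates any account that shows more than one indicator. The event schema, scope names and business-hours window are assumptions.

```python
import json
from datetime import datetime

# Constructed sample identity-provider events (generic JSON shape, not real vendor logs).
SAMPLE_EVENTS = [
    '{"ts":"2024-05-13T02:17:00Z","user":"a.lee","event":"mfa.factor.enroll","detail":"sms","ip":"203.0.113.5"}',
    '{"ts":"2024-05-13T10:05:00Z","user":"b.kim","event":"user.login","ip":"198.51.100.7"}',
    '{"ts":"2024-05-13T22:40:00Z","user":"a.lee","event":"oauth.app.authorize","app":"mail-recall-addon","scopes":["mail.readwrite"]}',
    '{"ts":"2024-05-14T23:15:00Z","user":"c.ray","event":"user.login","ip":"198.51.100.9"}',
    '{"ts":"2024-05-14T11:30:00Z","user":"b.kim","event":"oauth.app.authorize","app":"calendar-sync","scopes":["calendar.read"]}',
]

BUSINESS_HOURS = (8, 18)  # assumed 08:00-18:00 UTC working window
MFA_EVENTS = ("mfa.factor.enroll", "mfa.factor.reset", "device.enroll")  # assumed event names
MAILBOX_SCOPES = {"mail.readwrite", "mail.send", "mailbox.settings"}    # assumed scope names


def classify(ev):
    """Return the review reasons that apply to one parsed event (empty list if none)."""
    reasons = []
    hour = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).hour
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        reasons.append("off_hours")
    if ev["event"] in MFA_EVENTS:
        reasons.append("mfa_lifecycle_change")
    if ev["event"] == "oauth.app.authorize" and MAILBOX_SCOPES & set(ev.get("scopes", [])):
        reasons.append("mailbox_oauth_grant")
    return reasons


def triage(lines):
    """Parse JSON log lines; return (per-event findings, per-user severity)."""
    findings, per_user = [], {}
    for line in lines:
        ev = json.loads(line)
        reasons = classify(ev)
        if not reasons:
            continue
        findings.append({"user": ev["user"], "event": ev["event"], "reasons": reasons})
        per_user.setdefault(ev["user"], set()).update(reasons)
    # Two or more distinct indicators on one account (e.g. an off-hours MFA change
    # followed by a mailbox OAuth grant) matches the reported tradecraft: escalate.
    severity = {u: ("high" if len(r) >= 2 else "review") for u, r in per_user.items()}
    return findings, severity


if __name__ == "__main__":
    found, sev = triage(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(sev)
```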
"This activity is not the result of a security vulnerability in vendors' products or infrastructure," Google stated.
"Instead, it emphasizes how successful social engineering is and how crucial it is for businesses to switch to phishing-resistant MFA whenever feasible. Methods such as FIDO2 security keys or passkeys are resistant to social engineering in ways that push-based or SMS authentication are not."