On Friday, Google-owned Mandiant announced that it had discovered an "expansion in threat activity" that employs tradecraft typical of extortion-themed attacks carried out by ShinyHunters, a financially motivated hacker collective. The attacks use sophisticated voice phishing, also known as vishing, and phony credential harvesting websites that impersonate targeted businesses to collect single sign-on (SSO) credentials and multi-factor authentication (MFA) codes, which are then used to obtain unauthorized access to victim environments.
The attacks' ultimate objective is to target cloud-based software-as-a-service (SaaS) applications in order to extort victims and steal confidential information and internal communications.
The threat intelligence team of the tech giant stated that it is monitoring the activity under several clusters, such as UNC6661, UNC6671, and UNC6240 (also known as ShinyHunters), in order to take into consideration the possibility that these groups may be changing their methods or imitating previously noted strategies. "While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion," Mandiant noted.
"Further, with recent incidents, they seem to be intensifying their extortion tactics, including harassing victim personnel, among other tactics."

Details of the vishing and credential theft activity are as follows.

Google has provided a comprehensive list of hardening, logging, and detection recommendations to counter the threat to SaaS platforms:

- Enhance help desk procedures, such as mandating that staff members make a live video call to confirm their identity.
- Enforce strong passwords, restrict access to physical locations and trusted egress points, and do away with email, phone calls, and SMS as authentication methods.
- Restrict management-plane access, audit for exposed secrets, and enforce device access controls.
- Increase visibility into identity actions, authorizations, and SaaS export behaviors by implementing logging.
- Track MFA life cycle and device enrollment changes; search for identity events that take place outside of regular business hours, or OAuth/app authorization events that point to mailbox manipulation activity using tools like ToogleBox Email Recall.

"This activity is not the result of a security vulnerability in vendors' products or infrastructure," Google stated.
Instead, it emphasizes how successful social engineering is and how crucial it is for businesses to switch to phishing-resistant MFA whenever feasible. Push-based or SMS authentication is not as resistant to social engineering as techniques like FIDO2 security keys or passkeys.
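The logging recommendations above boil down to two hunts: MFA or device enrollment changes outside business hours, and OAuth app authorizations that request mailbox scopes. The following is an added example, not code from Google or Mandiant, that runs both checks over a constructed set of identity-provider events; the event names, field layout, scope strings and business-hours window are assumptions, not any vendor's real log schema.

```python
from datetime import datetime, time

# Constructed sample identity-provider events (generic schema, not a real vendor format).
SAMPLE_EVENTS = [
    {"ts": "2025-01-14T10:05:00", "actor": "alice", "event": "user.session.start", "detail": ""},
    {"ts": "2025-01-14T23:47:00", "actor": "alice", "event": "mfa.factor.enroll", "detail": "sms"},
    {"ts": "2025-01-15T02:12:00", "actor": "bob", "event": "mfa.factor.reset", "detail": "help_desk"},
    {"ts": "2025-01-15T11:30:00", "actor": "carol", "event": "oauth.app.authorize",
     "detail": "scope=mail.read mail.modify"},
    {"ts": "2025-01-15T14:00:00", "actor": "dave", "event": "oauth.app.authorize",
     "detail": "scope=calendar.read"},
]

# Assumed business-hours window and the event/scope names this detector keys on.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
MFA_LIFECYCLE_EVENTS = {"mfa.factor.enroll", "mfa.factor.reset", "device.enroll"}
MAILBOX_SCOPES = {"mail.read", "mail.modify", "mail.send"}


def outside_business_hours(ts: str) -> bool:
    """True if the ISO timestamp falls on a weekend or outside the 08:00-18:00 window."""
    dt = datetime.fromisoformat(ts)
    if dt.weekday() >= 5:  # Saturday or Sunday
        return True
    return not (BUSINESS_START <= dt.time() <= BUSINESS_END)


def find_suspicious(events):
    """Return (actor, finding, detail) tuples for the two hunts described in the text."""
    findings = []
    for e in events:
        # Hunt 1: MFA life-cycle or device enrollment changes after hours.
        if e["event"] in MFA_LIFECYCLE_EVENTS and outside_business_hours(e["ts"]):
            findings.append((e["actor"], "mfa_lifecycle_after_hours", e["event"]))
        # Hunt 2: OAuth app grants that can read or modify mailboxes.
        if e["event"] == "oauth.app.authorize":
            scopes = set(e["detail"].removeprefix("scope=").split())
            hit = scopes & MAILBOX_SCOPES
            if hit:
                findings.append((e["actor"], "oauth_mailbox_scope", " ".join(sorted(hit))))
    return findings


if __name__ == "__main__":
    for actor, finding, detail in find_suspicious(SAMPLE_EVENTS):
        print(f"{actor}: {finding} ({detail})")
```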