ShinyHunters has expanded its extortion attacks to various software-as-a-service (SaaS) environments, with multiple threat clusters using voice phishing (vishing) and credential harvesting to compromise targeted organizations. Since ShinyHunters' attacks against Salesforce instances last year, which led to the breaches of numerous organizations, Mandiant has been monitoring an evolution in their activity.

According to a recent post on the Google Threat Intelligence blog, researchers linked several threat clusters, identified as UNC6661, UNC6671, and UNC6240, to the infamous cybercrime collective that uses victim-branded credential-harvesting websites and sophisticated vishing to obtain initial access to corporate environments. ShinyHunters members use these attacks to steal single sign-on (SSO) credentials and multifactor authentication (MFA) codes, which they then use as entry to organizations' networks, according to Mandiant.

After gaining access, the threat actors target SaaS apps to steal confidential information and internal communications, which they subsequently use as leverage in extortion demands. In their emails to victims, the attackers outlined what data they allegedly stole, specified a payment amount and destination BTC address, and threatened consequences such as distributed denial-of-service (DDoS) attacks if the ransom was not paid within 72 hours — all activity consistent with prior ShinyHunters extortion emails, according to the post. They also provided proof of data theft via samples hosted on Limewire.

UNC6671, another ShinyHunters threat cluster, carried out vishing operations by posing as IT personnel and instructing victims to enter their credentials and MFA codes on a credential-harvesting website bearing the victim organization's name.

According to Mandiant, "the credential harvesting domains used the same structure as UNC6661, but were more often registered using [domain name service] Tucows," and UNC6671 also used more aggressive tactics than other threat clusters, "including harassment of victim personnel," in addition to other tactics that went beyond the typical ShinyHunters playbook.
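The victim-branded credential-harvesting domains described above are something a defender can watch for directly: a newly observed domain that carries the organization's name (or a close lookalike) on a registrable domain the organization does not own, especially combined with SSO-style words such as "sso", "okta" or "login", is worth triaging before employees are vished into visiting it. The script below is an added illustration and is not Mandiant's tooling or anything from the post; the brand name `examplecorp`, the allowlist, the observed-domain feed and the keyword list are all constructed, and the similarity threshold is an assumption.

```python
"""Triage newly observed domains for victim-branded credential-harvesting
lookalikes. Added example: feed, brand, allowlist and heuristics are
constructed assumptions, not an implementation from the article."""
import re
from difflib import SequenceMatcher

# Constructed sample, as a defender might pull from a certificate-
# transparency or new-registration feed. None of these are real findings.
OBSERVED_DOMAINS = [
    "examplecorp.com",        # owned domain, in allowlist
    "sso.examplecorp.com",    # legitimate subdomain of an owned domain
    "examplecorp-sso.com",    # brand + SSO keyword on a foreign registrable domain
    "examplecorp-okta.net",
    "login-examplecorp.com",
    "examp1ecorp.com",        # homoglyph-style lookalike of the brand
    "unrelated-shop.org",
]

BRAND = "examplecorp"                      # constructed organization name
ALLOWED_REGISTRABLE = {"examplecorp.com"}  # assumed allowlist of owned domains
SSO_KEYWORDS = ("sso", "okta", "login", "signin", "mfa", "vpn",
                "auth", "portal", "helpdesk")
LOOKALIKE_THRESHOLD = 0.8                  # assumed similarity cutoff


def registrable_domain(domain: str) -> str:
    """Return the last two labels of a hostname.
    Simplified on purpose: a production version should consult the Public
    Suffix List so that names like example.co.uk are split correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_domain(domain: str, brand: str = BRAND,
                  allowed: set = ALLOWED_REGISTRABLE) -> dict:
    """Score one hostname. Subdomains of owned domains are never flagged;
    foreign domains are flagged when they embed the brand or look like it,
    and SSO-style keywords raise the severity."""
    host = domain.lower().rstrip(".")
    reg = registrable_domain(host)
    result = {"domain": host, "suspicious": False, "reasons": [],
              "severity": "none"}
    if reg in allowed:
        return result

    # Compare only the second-level label, with hyphens/digits noise removed.
    sld = re.sub(r"[^a-z0-9]", "", reg.split(".")[0])
    if brand in sld:
        result["reasons"].append("brand_in_foreign_domain")
    elif SequenceMatcher(None, sld, brand).ratio() >= LOOKALIKE_THRESHOLD:
        result["reasons"].append("lookalike")

    keywords = [kw for kw in SSO_KEYWORDS if kw in host]
    if keywords:
        result["reasons"].append("sso_keyword:" + ",".join(keywords))

    branded = any(r in ("brand_in_foreign_domain", "lookalike")
                  for r in result["reasons"])
    result["suspicious"] = branded
    if branded:
        result["severity"] = "high" if keywords else "medium"
    return result


def triage(domains, brand: str = BRAND,
           allowed: set = ALLOWED_REGISTRABLE) -> list:
    """Return only the suspicious assessments, in feed order."""
    return [r for d in domains
            if (r := assess_domain(d, brand, allowed))["suspicious"]]


if __name__ == "__main__":
    for hit in triage(OBSERVED_DOMAINS):
        print(f'{hit["severity"]:6} {hit["domain"]:24} {", ".join(hit["reasons"])}')
```

Run against the constructed feed, the four branded foreign domains are reported and the two owned names plus the unrelated domain are not. The keyword list only adjusts severity rather than triggering on its own, so a generic `login-portal.example` does not drown the queue; what matters is the organization's name appearing on a domain it does not control, which is exactly the structure the post attributes to these clusters.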