Mandiant says a wave of recent ShinyHunters SaaS data-theft attacks is being fueled by targeted voice phishing (vishing) attacks and company-branded phishing websites that steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.
As first reported by BleepingComputer, threat actors are impersonating corporate IT and helpdesk staff and calling employees directly, claiming that MFA settings need to be updated. During the call, the targeted employee is directed to a phishing site that resembles their company's login portal.
According to Okta, these sites use advanced phishing kits that allow threat actors to display interactive dialogs while on the phone with a victim.

While still talking to a targeted employee, the attacker relays the stolen credentials in real time, triggers legitimate MFA challenges, and tells the target how to respond, including approving push notifications or entering one-time passcodes.
This allows attackers to successfully authenticate with the stolen credentials and enroll their own devices in MFA.
Once they gain access to an account, they log in to the organization's Okta, Microsoft Entra, or Google SSO dashboard, which acts as a centralized hub listing all SaaS applications the user has permission to access.

These applications include Salesforce, a primary target of ShinyHunters, Microsoft 365, SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive, and many other internal and third-party platforms.
For threat actors focused on data theft and extortion, the SSO dashboard becomes a springboard to a company's cloud data, allowing them to access multiple services from a single compromised account.
The ShinyHunters extortion group confirmed to BleepingComputer that they and some of their affiliates are behind these attacks. The extortion group also claims that other threat actors have since carried out similar attacks.
Soon after information about these attacks became public, the ShinyHunters extortion gang launched a data-leak site, where it began leaking data associated with these attacks.
Today, Google Threat Intelligence Group/Mandiant released a report saying it is tracking this activity across different threat clusters tracked as UNC6661, UNC6671, and UNC6240 (ShinyHunters).
Multiple threat actors are conducting attacks
Mandiant says UNC6661 poses as IT staff when calling targeted employees and directs them to company-branded phishing domains used to capture SSO credentials and MFA codes. After logging in, the attackers registered their own MFA device to retain access.
They used this access to steal data from cloud applications based on whatever permissions were available through the compromised SSO session. Mandiant believes this activity is opportunistic, with the threat actors targeting whatever SaaS applications are available.
However, it should be noted that ShinyHunters has told BleepingComputer in the past that their primary focus is Salesforce data.

Source: Mandiant
Mandiant shared examples of logs that were created during the data theft attacks:
- Microsoft 365 and SharePoint events showing file downloads where the User-Agent identifies PowerShell, indicating scripts or tools were used to download data.
- Salesforce login activity originating from IP addresses later identified as used by the threat actors.
- DocuSign audit logs showing bulk document downloads tied to the same IOCs.
In one breach involving an Okta customer, Mandiant says the attackers enabled a Google Workspace add-on called "ToogleBox Recall," a tool they used to search for and delete emails to hide their activity.
"In at least one incident where the threat actor gained access to an Okta customer account, UNC6661 enabled the ToogleBox Recall add-on for the victim's Google Workspace account, a tool designed to search for and permanently delete emails," explains Mandiant.
"They then deleted a 'Security method enrolled' email from Okta, almost certainly to prevent the employee from learning that their account was associated with a new MFA device."
Mandiant says that the domains used in the UNC6661 attacks were registered through NICENIC and commonly used the format
While the initial intrusion and data theft attacks are attributed to UNC6661, Mandiant says the extortion demands were sent by ShinyHunters, aka UNC6240, and included a Tox messenger ID used by them in previous extortion attempts.

Source: Mandiant
Mandiant says another threat cluster tracked as UNC6671 is using similar vishing techniques, but with their phishing domains registered through Tucows instead.
Unlike UNC6661, UNC6671's extortion demands were not sent under the ShinyHunters name, used a different Tox ID for negotiation, and relied on aggressive pressure tactics, including harassing company personnel.
Mandiant says the phishing domains used in these attacks follow common naming patterns designed to impersonate corporate portals:
- Corporate SSO portals: sso[.]com, my sso[.]com, and my- sso[.]com
- Internal portals: internal[.]com, www. internal[.]com, and my internal[.]com
- Support and helpdesk themes: help[.]com, ticket- [.]help, and support- [.]com
- Identity provider impersonation: okta[.]com, azure[.]com, and on zendesk[.]com
- Access portals: access[.]com, www. access[.]com, and my acess[.]com
For example, matchinternal[.]com was used in the recent breach at Match Group, which exposed data for the popular Hinge, Tinder, OkCupid, and Match dating sites.
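As an added example (not code from the Mandiant report or BleepingComputer), the following Python triages domains observed in certificate-transparency, DNS, or proxy logs against the naming themes above. It assumes the company name sits directly before or after the theme keyword, as in matchinternal[.]com; the theme labels and the optional prefixes (www., my, my-, on) are this example's own choices.

```python
import re

# Theme keywords taken from the naming patterns listed above; the theme labels
# are this example's own, not Mandiant's.
THEMES = {
    "corporate_sso": ["sso"],
    "internal_portal": ["internal"],
    "support_helpdesk": ["support", "ticket", "help"],
    "idp_impersonation": ["okta", "azure", "zendesk"],
    "access_portal": ["access", "acess"],  # "acess" misspelling appears in the observed pattern
}
# Prefixes seen in the patterns; assumed optional on every theme.
OPTIONAL_PREFIX = r"(?:www\.|my-?|on-?)?"


def normalize(domain):
    """Undo defanging ([.] -> .), lower-case, and split off the last label as the TLD."""
    d = domain.lower().replace("[.]", ".").strip(".")
    host, _, tld = d.rpartition(".")
    return (host, tld) if host else (d, "")


def classify_domain(domain, brand):
    """Return the theme a lookalike of `brand` matches, or None if it matches nothing."""
    host, _tld = normalize(domain)
    b = re.escape(brand.lower())
    for theme, words in THEMES.items():
        for w in words:
            # brand immediately before or after the keyword, optional hyphen between
            if re.fullmatch(rf"{OPTIONAL_PREFIX}(?:{b}-?{w}|{w}-?{b})", host):
                return theme
    return None


def triage(observed, brand):
    """Map each observed domain to its theme, dropping the ones that match nothing."""
    return {d: t for d in observed if (t := classify_domain(d, brand))}


if __name__ == "__main__":
    # Constructed observations; matchinternal[.]com is the one the article cites.
    sample = ["matchinternal[.]com", "my-matchsso[.]com", "ticket-match[.]help",
              "onmatchzendesk[.]com", "mymatchacess[.]com", "match[.]com", "example[.]org"]
    for dom, theme in triage(sample, "match").items():
        print(f"{dom:24} -> {theme}")
```

A hit is a triage signal, not proof of a phishing domain; the brand's own legitimate hosts need to be allow-listed before alerting.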
Mandiant notes that many IP addresses tied to the campaign belong to commercial VPN services or residential proxy networks, such as Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and nsocks.
Mandiant also says that defenders should prioritize the following behavior detections to identify these types of attacks:
- SSO account compromise followed by rapid data exfiltration from SaaS platforms.
- PowerShell User-Agent accessing SharePoint or OneDrive
- Unexpected Google Workspace OAuth authorization for ToogleBox Recall
- Deletion of MFA modification notification emails
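As an added example (not Mandiant's published detection rules), the following Python correlates constructed identity-provider and SaaS events per user to flag the four behaviors listed above. The "src"/"event" vocabulary, field names, users, and timestamps are assumptions for the example, not any vendor's real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (invented users, timestamps and user agents). The
# "src"/"event" vocabulary is this example's own, not Okta's, Google's or Microsoft's.
UA_PS = "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.0"
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice", "src": "okta", "event": "session.start"},
    {"ts": "2025-01-10T09:04:00", "user": "alice", "src": "okta", "event": "mfa.factor.enrolled"},
    {"ts": "2025-01-10T09:06:00", "user": "alice", "src": "gws", "event": "oauth.authorize",
     "app": "ToogleBox Recall"},
    {"ts": "2025-01-10T09:07:00", "user": "alice", "src": "gws", "event": "mail.delete",
     "subject": "Security method enrolled"},
    {"ts": "2025-01-10T09:20:00", "user": "alice", "src": "sharepoint", "event": "FileDownloaded", "ua": UA_PS},
    {"ts": "2025-01-10T09:21:00", "user": "alice", "src": "sharepoint", "event": "FileDownloaded", "ua": UA_PS},
    {"ts": "2025-01-10T11:00:00", "user": "bob", "src": "sharepoint", "event": "FileDownloaded",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"},
]


def detect(events, window=timedelta(hours=2), bulk_threshold=2):
    """Return {user: sorted rule names} for the four behaviours listed above."""
    hits = defaultdict(set)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        enrolments, downloads = [], []
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["event"] == "mfa.factor.enrolled":
                enrolments.append(t)
            elif e["src"] in ("sharepoint", "onedrive") and e["event"] == "FileDownloaded":
                downloads.append(t)
                if "powershell" in e.get("ua", "").lower():
                    hits[user].add("powershell_ua_download")
            elif e["event"] == "oauth.authorize" and e.get("app") == "ToogleBox Recall":
                hits[user].add("tooglebox_recall_oauth")
            elif e["event"] == "mail.delete" and "security method enrolled" in e.get("subject", "").lower():
                hits[user].add("mfa_notice_email_deleted")
        # SSO takeover signal: a newly enrolled MFA factor followed by a burst of downloads.
        for t0 in enrolments:
            if sum(t0 <= t <= t0 + window for t in downloads) >= bulk_threshold:
                hits[user].add("mfa_enrol_then_bulk_download")
    return {u: sorted(r) for u, r in hits.items()}


if __name__ == "__main__":
    for user, rules in detect(EVENTS).items():
        print(user, rules)
```

In production the window and threshold would be tuned per tenant, and the MFA enrolment events would be joined to the SSO session so the download burst is tied to the same session rather than the same user.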
To help organizations defend against these types of attacks, Mandiant has released hardening, logging, and detection recommendations against ShinyHunters vishing attacks.
This guidance is organized around hardening identity workflows and authentication resets, logging the right telemetry, and detections designed to find post-vishing behavior before data theft occurs.
Mandiant has also released rules for Google SecOps to detect ShinyHunters activity.
