Google issues warning over ShinyHunters-branded vishing campaigns
Related groups are stealing data through voice phishing and fake credential harvesting websites
Google Threat Intelligence Group (GTIG) has identified a group with all the hallmarks of ShinyHunters using voice phishing (vishing) and fake credential harvesting websites to steal sensitive data.
In an advisory, the tech giant warned the group primarily gains access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.
Once inside, the attackers target cloud-based SaaS applications to exfiltrate sensitive data and internal communications that they can use in subsequent extortion demands.
Google is currently tracking the activity under several threat clusters, including UNC6661, UNC6671, and UNC6240.
Last month, for example, UNC6661 pretended to be IT staff and called employees at targeted organisations, claiming that the company was updating MFA settings.
The threat actor then directed employees to victim-branded credential harvesting sites that captured both the password and the MFA code, after which the attackers registered their own device as an MFA factor on the compromised account.
According to Google, the threat actors then moved laterally through victims' environments to exfiltrate data from various SaaS platforms.
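The sequence above (captured SSO credentials and MFA code replayed, then a new MFA device enrolled) leaves a workflow-level trace in identity-provider audit logs. The following is an added example, not code from Google's advisory or from the article: it scans constructed sign-in and MFA-enrollment events and flags users whose enrollment follows a sign-in within a short window where either event comes from a source IP the user has never used. The event schema, the baseline and the sample events are constructed assumptions, not any vendor's real log format.

```python
"""Detect MFA enrollment shortly after a sign-in involving a never-seen IP.

Added example over constructed identity-provider audit events. Schema
(ts, user, event, ip), event names and the per-user IP baseline are
assumptions for illustration, not a real vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Per-user set of source IPs seen during a prior baseline period (constructed).
BASELINE = {
    "alice": {"203.0.113.7"},
    "bob":   {"203.0.113.8"},
    "carol": {"203.0.113.9"},
    "dave":  {"203.0.113.10"},
}

# Constructed sample events.
EVENTS = [
    # alice: credentials replayed from new infrastructure, device enrolled minutes later from the same new IP
    {"ts": "2025-01-10T14:02:11Z", "user": "alice", "event": "sso.login.success", "ip": "198.51.100.23"},
    {"ts": "2025-01-10T14:04:39Z", "user": "alice", "event": "mfa.factor.enroll", "ip": "198.51.100.23"},
    # bob: routine enrollment from his usual IP (a genuine IT-driven MFA refresh)
    {"ts": "2025-01-10T09:15:00Z", "user": "bob",   "event": "sso.login.success", "ip": "203.0.113.8"},
    {"ts": "2025-01-10T09:16:10Z", "user": "bob",   "event": "mfa.factor.enroll", "ip": "203.0.113.8"},
    # carol: enrollment from a new IP, but a full day after the sign-in, outside the window
    {"ts": "2025-01-10T11:00:00Z", "user": "carol", "event": "sso.login.success", "ip": "203.0.113.9"},
    {"ts": "2025-01-11T11:00:00Z", "user": "carol", "event": "mfa.factor.enroll", "ip": "198.51.100.50"},
    # dave: sign-in from his usual IP, enrollment from a never-seen IP five minutes later
    {"ts": "2025-01-10T16:00:00Z", "user": "dave",  "event": "sso.login.success", "ip": "203.0.113.10"},
    {"ts": "2025-01-10T16:05:00Z", "user": "dave",  "event": "mfa.factor.enroll", "ip": "198.51.100.77"},
]

WINDOW = timedelta(minutes=30)  # assumed tuning value


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events=EVENTS, baseline=BASELINE, window=WINDOW):
    """Return one finding per MFA enrollment that follows a successful sign-in
    within `window` where the sign-in IP or the enrollment IP is outside the
    user's baseline. Enrollments with no nearby sign-in, or where both IPs
    are already known for the user, are not reported."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        known = baseline.get(user, set())
        logins = []
        for e in evs:
            if e["event"] == "sso.login.success":
                logins.append(e)
                continue
            if e["event"] != "mfa.factor.enroll":
                continue
            t_enroll = parse_ts(e["ts"])
            # Walk sign-ins newest-first; stop once they fall outside the window.
            for login in reversed(logins):
                delta = t_enroll - parse_ts(login["ts"])
                if delta > window:
                    break
                new_ips = {ip for ip in (login["ip"], e["ip"]) if ip not in known}
                if new_ips:
                    findings.append({
                        "user": user,
                        "login_ip": login["ip"],
                        "enroll_ip": e["ip"],
                        "minutes_after_login": round(delta.total_seconds() / 60, 1),
                        "new_ips": sorted(new_ips),
                    })
                    break
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_enrollments():
        print(finding)
```

On the constructed data this reports alice and dave and stays quiet on bob (known IPs) and carol (outside the window). In production the baseline would be keyed on ASN or geolocation rather than raw IP, and each finding would be correlated with help-desk tickets, since a genuine "we are updating MFA" rollout produces the same event pair from expected networks; the same enrollment event is also the natural place to require re-authentication with an existing phishing-resistant factor before a new one is accepted.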
While the attacks are targeted, analysis suggests that subsequent access is probably opportunistic, determined by the specific permissions and applications accessible via the individual compromised SSO session. Google stressed that the activity isn't the result of a security vulnerability in vendors' products or infrastructure.
"In some cases, they have appeared to target specific types of information. For example, the threat actors have conducted searches in cloud applications for documents containing specific text including 'poc', 'confidential', 'internal', 'proposal', 'salesforce', and 'vpn' or targeted personally identifiable information (PII) stored in Salesforce," researchers said.
"Additionally, UNC6661 may have targeted Slack data at some victims' environments, based on a claim made in a ShinyHunters-branded data leak site (DLS) entry."
Valuable intelligence
Cory Michal, CSO at AppOmni, praised the level of operational detail in the report, and particularly the volume and specificity of indicators of compromise that weren’t previously public.
This intelligence could prove vital for organizations that find themselves in the crosshairs, Michal noted.
“Publishing concrete domains, tooling names/artifacts, and workflow-level signals gives defenders something they can deploy immediately at scale (email/web filtering, OAuth/app controls, identity telemetry detections, and retro-hunting),” he said.
“It helps the ecosystem disrupt infrastructure and tradecraft faster by enabling consistent blocking and takedown actions across many organizations rather than each team rediscovering the same indicators in isolation.”
What can enterprises do to protect themselves?
Google has published guidance on hardening, logging, and detection against the threats.
Organizations responding to an active incident should focus on rapid containment steps, such as severing access to infrastructure environments, SaaS platforms, and the specific identity stores typically used for lateral movement and persistence.
Long-term defense, meanwhile, requires a transition toward phishing-resistant MFA, such as FIDO2 security keys or passkeys, which are more resistant to social engineering than push-based or SMS authentication.
“Companies should treat this as both a hunt and prevent problem: First, take the IoCs in the report and run them through your detection-and-response workflows (SIEM/SOAR, email security, web proxy/DNS, EDR, and SaaS audit logs) to identify any historical or active exposure," Michal added.
Michal also said organizations should add continuous monitoring for look-alike domain registrations that incorporate their company name, or the common brands they use for login, support, and HR.
"In many of these campaigns, those newly registered domains are a leading indicator; they show up before the first vishing call, so catching and blocking them early (and tightening your help desk/MFA enrollment controls in parallel) can meaningfully reduce the chance the intrusion ever gets to the 'mass download and extortion' stage," he said.
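One way to turn that monitoring into a concrete triage step, as an added example that is not code from the article or from AppOmni: given the brand tokens an organization uses for login, support and HR, score newly registered domains that contain those tokens, or that are one edit or one homoglyph substitution away from them, and raise the priority when the label also carries a lure word such as "sso" or "helpdesk". The registration feed below is constructed; in practice the input would be a zone-file or certificate-transparency feed. The brand list, lure list, homoglyph table and thresholds are assumptions.

```python
"""Triage newly registered domains for look-alikes of an organization's brand.

Added example over a constructed feed. Brand tokens, lure words, the
homoglyph table and the edit-distance threshold are assumptions.
"""

BRANDS = ["northwind"]  # the organization's own name(s); assumed
LURES = {"sso", "login", "okta", "mfa", "auth", "verify",
         "help", "helpdesk", "support", "hr", "vpn"}

# Multi-character substitutions are listed first so "rn" -> "m" is applied
# before any single-character rule could interfere.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t")]

# Constructed feed of "newly registered" domains.
NEW_REGISTRATIONS = [
    "northwind-sso.com",     # brand + lure
    "n0rthwind-login.net",   # digit homoglyph + lure
    "northvvind.com",        # "vv" for "w", no lure
    "nortwhind-hr.com",      # transposed letters + lure
    "northwindfoods.org",    # contains the brand but is plausibly unrelated
    "example.com",           # no relation
]


def normalize(label):
    """Undo common homoglyph substitutions and drop hyphens."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label.replace("-", "")


def osa_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def split_domain(domain):
    """Return (registrable label, TLD). Multi-part public suffixes such as
    co.uk are not handled; a real deployment would use the public suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def near_miss(norm, brand):
    """Smallest OSA distance between the brand and any similarly sized window of the label."""
    best = len(brand)
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for i in range(max(1, len(norm) - width + 1)):
            best = min(best, osa_distance(norm[i:i + width], brand))
    return best


def triage(domain, brands=BRANDS, lures=LURES):
    """Return None if the domain does not resemble a brand, otherwise
    (severity, reasons) where severity is 'high' when a lure word is present."""
    label, tld = split_domain(domain)
    norm = normalize(label)
    reasons = []
    for brand in brands:
        if brand in norm:
            reasons.append(f"contains '{brand}'")
        elif len(brand) >= 5 and near_miss(norm, brand) == 1:
            reasons.append(f"one edit from '{brand}'")
    if not reasons:
        return None
    tokens = set(label.split("-")) | {tld}
    leftover = norm
    for brand in brands:
        leftover = leftover.replace(brand, "")
    lure_hits = sorted(l for l in lures if l in tokens or (len(l) >= 4 and l in leftover))
    if lure_hits:
        reasons.append("lure " + ",".join(lure_hits))
    return ("high" if lure_hits else "review"), reasons


def triage_feed(domains=NEW_REGISTRATIONS):
    return {d: triage(d) for d in domains if triage(d) is not None}


if __name__ == "__main__":
    for domain, result in triage_feed().items():
        print(domain, result)
```

Short brands produce false positives from substring matches ("northwindfoods.org" lands in the review bucket rather than being blocked outright), which is why the score separates "resembles the brand" from "resembles the brand and advertises a login or help-desk function"; the high-severity set is what goes to the web proxy and DNS blocklist, the review set to an analyst.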
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.