ShinyHunters Escalate Cyber Extortion with Advanced Cloud Attacks Targeting Employee Credentials

The cybercriminal group known as ShinyHunters has significantly escalated its extortion operations by adopting methods that target the cloud-based systems of a wide range of organizations. Its latest campaigns combine voice phishing (vishing) with carefully crafted credential-harvesting websites to steal employee login information.

Sophisticated Social Engineering Techniques

ShinyHunters use a two-pronged approach to infiltrate corporate networks:

1. Voice Phishing (Vishing): Posing as IT support personnel, attackers contact employees under the pretense of updating security protocols. During these calls, they direct employees to fraudulent websites designed to capture login credentials.

2. Credential-Harvesting Websites: These deceptive sites are engineered to closely resemble legitimate company login pages, tricking employees into entering their single sign-on credentials and multi-factor authentication codes.

This blend of human manipulation and technical deceit has proven highly effective, enabling attackers to gain unauthorized access to sensitive corporate data.

Expansion of Targeted Cloud Platforms

Analysts from Google Cloud have identified that ShinyHunters’ activities are now being tracked under three distinct threat clusters: UNC6661, UNC6671, and UNC6240. These groups have broadened their scope, targeting a diverse array of cloud platforms to extract valuable data for extortion purposes. Notably, their aggressive tactics now include direct harassment of victim employees and launching denial-of-service (DoS) attacks against company websites.

Attack Mechanism and Data Exfiltration

The group’s modus operandi involves several key steps:

1. Domain Spoofing: Attackers register domains that mimic legitimate corporate portals, using patterns like companynamesso.com or companynameinternal.com to enhance the credibility of their phishing sites.

2. Credential Theft and Persistent Access: Upon acquiring employee credentials, attackers register their own authentication devices, ensuring ongoing access to victim accounts.

3. Systematic Data Theft: They navigate through corporate cloud environments, extracting data from platforms such as SharePoint, Salesforce, DocuSign, and Slack.

4. Targeted Document Searches: The cybercriminals specifically search cloud applications for documents containing terms such as "confidential", "internal", "proposal", and "vpn".

5. Concealment of Unauthorized Access: In some instances, they deploy tools like ToogleBox Recall within Google Workspace accounts to permanently delete security notification emails, preventing employees from discovering unauthorized device access.

6. Extortion: After exfiltrating data, attackers send ransom emails demanding Bitcoin payments within 72 hours, often providing samples of stolen information hosted on file-sharing platforms to substantiate their claims.
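A defender-side check for the domain-spoofing pattern in step 1, added here as an example that is not from the article or from Google Cloud's reporting: it scans constructed proxy log lines for hosts that combine an organization's brand token with an affix such as "sso" or "internal" and are not on the company's own allowlist. The brand name, allowlist, affix list and log format are all assumptions.

```python
import re

# Assumptions (not from the article): the defender's own brand token(s), its
# legitimate login domains, and an affix list that extends the article's
# "companynamesso" / "companynameinternal" patterns with a few common lures.
BRAND_TOKENS = ("acmecorp",)  # constructed example brand
ALLOWED_DOMAINS = {"acmecorp.com", "sso.acmecorp.com", "login.acmecorp.com"}
LURE_AFFIXES = ("sso", "internal", "login", "vpn", "okta", "helpdesk", "it")

# Constructed proxy log lines in the form "<timestamp> <user> <host> <status>".
SAMPLE_LOG = """\
2024-05-01T09:12:03Z jdoe sso.acmecorp.com 200
2024-05-01T09:14:51Z jdoe acmecorpsso.com 200
2024-05-01T09:15:10Z asmith acmecorp-internal.com 200
2024-05-01T09:20:44Z asmith docs.example.org 200
2024-05-01T09:22:08Z bking acmecorpinternal.net 302
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})$")


def registrable_label(host):
    # Crude second-level label; enough for the sample, no public-suffix list used.
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(host, brand_tokens=BRAND_TOKENS, allowed=ALLOWED_DOMAINS):
    """True when the registrable label is the brand plus a lure affix (or the
    bare brand) and the host is not one of the organization's own domains."""
    h = host.lower()
    if h in allowed or any(h.endswith("." + a) for a in allowed):
        return False
    label = registrable_label(h)
    for brand in brand_tokens:
        if brand not in label:
            continue
        rest = label.replace(brand, "", 1).strip("-_")
        if rest == "" or rest in LURE_AFFIXES:
            return True
    return False


def find_lookalike_hits(log_text):
    """Return (user, host) pairs for log lines that reached a lookalike domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_lookalike(m["host"]):
            hits.append((m["user"], m["host"]))
    return hits
```

Each hit names a user who reached a brand-lookalike host and is therefore a candidate for credential reset and a review of newly registered authentication devices on that account.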

Mitigation Strategies

To counteract these advanced social engineering attacks, security experts recommend the adoption of phishing-resistant authentication methods, such as FIDO2 security keys or passkeys. These technologies are designed to withstand social engineering tactics that can compromise traditional SMS or push-based authentication systems.

Conclusion

The evolution of ShinyHunters’ tactics underscores the critical need for organizations to enhance their cybersecurity measures, particularly in safeguarding cloud-based systems. Implementing robust authentication methods and educating employees about sophisticated phishing schemes are essential steps in mitigating the risks posed by such advanced cyber threats.