Mandiant says a wave of recent ShinyHunters SaaS data-theft attacks is being fueled by targeted voice phishing (vishing) attacks and company-branded phishing sites that steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.
As first reported by BleepingComputer, threat actors are impersonating corporate IT and helpdesk staff and calling employees directly, claiming that MFA settings need to be updated. During the call, the targeted employee is directed to a phishing site that resembles their company's login portal.
According to Okta, these sites are using advanced phishing kits that allow threat actors to display interactive dialogs while on the phone with a victim.
While still talking to a targeted employee, the attacker relays stolen credentials in real time, triggers legitimate MFA challenges, and tells the target how to respond, including approving push notifications or entering one-time passcodes.
This allows attackers to successfully authenticate with stolen credentials and enroll their own devices in MFA.
Once they gain access to an account, they log in to an organization's Okta, Microsoft Entra, or Google SSO dashboard, which acts as a centralized hub listing all SaaS applications the user has permission to access.
Example Microsoft Entra SSO Dashboard
These applications include Salesforce, a primary target of ShinyHunters, Microsoft 365, SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive, and many other internal and third-party platforms.
For threat actors focused on data theft and extortion, the SSO dashboard becomes a springboard to a company's cloud data, allowing them to access multiple services from a single compromised account.
The ShinyHunters extortion group confirmed to BleepingComputer that they and some of their affiliates are behind these attacks. The extortion group also claims that other threat actors have since conducted similar attacks.
... continue reading