ShinyHunters Launch Vishing Attacks to Steal MFA from SaaS
TL;DR
ShinyHunters-Style Vishing Attacks Target SaaS Platforms
Mandiant reports an increase in vishing attacks linked to the ShinyHunters group, focused on breaching SaaS applications, stealing data, and extorting organizations. The attacks involve voice phishing and credential harvesting to capture SSO credentials and MFA codes. Mandiant is tracking this activity under clusters UNC6661, UNC6671, and UNC6240. The breadth of targeted cloud platforms is expanding, and extortion tactics are escalating, including harassment of victim personnel.

Vishing and Credential Theft Details
UNC6661 impersonates IT staff and directs employees to credential-harvesting links under the pretext of updating their MFA settings. The stolen credentials are used to register attacker-owned devices as MFA factors, then to move laterally and exfiltrate data from SaaS platforms. Compromised email accounts are used to send further phishing emails, followed by extortion by UNC6240. UNC6671 also impersonates IT staff, deceiving victims into handing over credentials and MFA codes; in some cases the attackers accessed Okta customer accounts. UNC6671 used PowerShell to download data from SharePoint and OneDrive. The use of different domain registrars (NICENIC for UNC6661, Tucows for UNC6671) and non-overlapping extortion emails suggests that different groups are involved. The targeting of cryptocurrency firms indicates that the actors are exploring further sources of financial gain.
Defense Recommendations
Google outlined hardening, logging, and detection recommendations to counter SaaS platform threats. These include:
- Improving help desk processes by requiring live video calls for identity verification.
- Limiting access to trusted egress points and physical locations; enforcing strong passwords; and removing SMS, phone call, and email as authentication methods.
- Restricting management-plane access, auditing for exposed secrets, and enforcing device access controls.
- Implementing logging to increase visibility into identity actions, authorizations, and SaaS export behaviors.
- Detecting MFA device enrollment and lifecycle changes; looking for OAuth/app authorization events; and monitoring for identity events outside normal business hours.
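The logging and detection items above can be turned into a simple triage pass over identity-provider events. The script below is an added example, not code from Google, Mandiant or Okta: it reads newline-delimited JSON events in a layout loosely modeled on an IdP system log, flags MFA factor lifecycle changes, OAuth app consent grants and successful identity events outside business hours, and correlates a factor enrollment with a preceding sign-in from an IP the user has never used. The event-type names, the business-hours window (08:00-18:00 UTC), the per-user known-IP baseline and the sample events are all constructed assumptions; map the event types onto your own provider's catalog before use.

```python
import json
from datetime import datetime, timedelta

# Assumed event-type names (placeholders to be mapped onto your IdP's log catalog).
MFA_LIFECYCLE = {"mfa.factor.enroll", "mfa.factor.reset", "mfa.factor.deactivate"}
OAUTH_CONSENT = {"oauth.app.consent.grant"}
SESSION_START = "user.session.start"

# Constructed sample log: one JSON event per line, UTC timestamps (not real telemetry).
SAMPLE_LOG = """\
{"published": "2025-03-03T09:15:00Z", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-03-03T09:20:00Z", "eventType": "mfa.factor.enroll", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-03-03T22:40:00Z", "eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-03-03T22:43:00Z", "eventType": "mfa.factor.enroll", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-03-03T14:05:00Z", "eventType": "oauth.app.consent.grant", "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.30"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-03-03T14:10:00Z", "eventType": "user.account.update_profile", "actor": {"alternateId": "dave@example.com"}, "client": {"ipAddress": "203.0.113.40"}, "outcome": {"result": "SUCCESS"}}
"""

# Constructed baseline of the source IPs each user normally signs in from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.22"},
    "carol@example.com": {"203.0.113.30"},
}


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
    return sorted(events, key=lambda ev: ev["_ts"])


def in_business_hours(ts, start_hour=8, end_hour=18):
    """Assumed business hours: 08:00-18:00 UTC, any day of the week."""
    return start_hour <= ts.hour < end_hour


def score(reasons):
    """Severity: an MFA change tied to an unfamiliar source is the highest-risk pattern."""
    r = set(reasons)
    if "mfa-lifecycle-change" in r and r & {"unfamiliar-source-ip", "enrollment-after-unfamiliar-signin"}:
        return "high"
    if r & {"mfa-lifecycle-change", "oauth-app-consent"} or r >= {"outside-business-hours", "unfamiliar-source-ip"}:
        return "medium"
    return "low"


def triage(text, known_ips, enrollment_window=timedelta(minutes=30)):
    """Return a list of findings, each with the reasons it was flagged and a severity."""
    findings = []
    last_session = {}  # user -> (timestamp, ip) of the most recent successful sign-in
    for ev in parse_events(text):
        user = ev["actor"]["alternateId"]
        etype = ev["eventType"]
        ip = ev["client"]["ipAddress"]
        ts = ev["_ts"]
        success = ev["outcome"]["result"] == "SUCCESS"
        unfamiliar = ip not in known_ips.get(user, set())

        reasons = []
        if etype in MFA_LIFECYCLE:
            reasons.append("mfa-lifecycle-change")
        if etype in OAUTH_CONSENT:
            reasons.append("oauth-app-consent")
        if success and not in_business_hours(ts):
            reasons.append("outside-business-hours")
        # Source-IP novelty only matters alongside a sensitive event.
        if reasons and unfamiliar:
            reasons.append("unfamiliar-source-ip")
        # A factor enrolled shortly after a sign-in from an unfamiliar IP matches
        # the pattern of an intruder registering their own MFA device.
        if etype in MFA_LIFECYCLE and user in last_session:
            prev_ts, prev_ip = last_session[user]
            if ts - prev_ts <= enrollment_window and prev_ip not in known_ips.get(user, set()):
                reasons.append("enrollment-after-unfamiliar-signin")

        if etype == SESSION_START and success:
            last_session[user] = (ts, ip)

        if reasons:
            findings.append({"user": user, "event": etype, "time": ev["published"],
                             "reasons": reasons, "severity": score(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_IPS):
        print(f["severity"].upper(), f["user"], f["event"], ", ".join(f["reasons"]))
```

On the constructed sample this produces four findings; the only high-severity one is the enrollment by bob three minutes after an off-hours sign-in from an address not in his baseline, which is exactly the sequence the help-desk and MFA-enrollment recommendations are meant to surface.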
Adaptive Vishing Techniques
Okta warned that threat actors are rapidly iterating custom vishing kits. These kits are designed to intercept credentials and provide real-time context to get targets to approve MFA challenges. The kits can control what pages are presented in the user’s web browser to sync with the caller’s script. According to Moussa Diallo, threat researcher at Okta Threat Intelligence, attackers can control the authentication flow and defeat non-phishing-resistant MFA.
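The point Okta makes, that a kit which relays the authentication flow in real time defeats MFA that is not phishing resistant, comes down to whether the second factor is bound to the origin the user is actually interacting with. The simulation below is an added illustration and not code from Okta's report: it models a relying party that verifies a WebAuthn-style assertion (type, challenge, origin, rpIdHash, then signature) and an RFC 6238 TOTP verifier, and runs three scenarios against them. The signature scheme is a deliberate simplification, an HMAC with a per-credential secret standing in for the authenticator's asymmetric key pair; the origins, secrets, challenge and timestamp are constructed.

```python
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"
RP_ORIGIN = "https://sso.example.com"            # genuine identity provider (constructed)
LOOKALIKE_ORIGIN = "https://sso-example.co"      # constructed lookalike origin a relay kit would serve
CRED_SECRET = b"constructed-per-credential-key"  # stand-in for the credential's private key
OTP_SECRET = b"constructed-totp-seed"


def authenticator_assert(challenge, browser_origin):
    """Model of browser + authenticator: the browser records the origin it actually loaded
    in clientDataJSON, and the signature covers authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash + UP flag
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()}


def rp_verify_assertion(issued_challenge, assertion):
    """Relying-party checks in the order WebAuthn prescribes. Returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def rp_verify_totp(code, unix_time):
    """An OTP check knows nothing about where the code was typed."""
    return hmac.compare_digest(code, totp(OTP_SECRET, unix_time))


def scenarios(challenge=bytes(range(32)), now=1_700_000_000):
    """Legitimate sign-in, a relayed WebAuthn assertion, and a relayed OTP."""
    # 1. User on the genuine origin: accepted.
    legit = rp_verify_assertion(challenge, authenticator_assert(challenge, RP_ORIGIN))
    # 2. The genuine challenge reaches a browser that loaded the lookalike origin. The
    #    browser stamps that origin into clientDataJSON, so the relying party rejects it,
    #    and editing the origin field afterwards breaks the signature that covers it.
    relayed = authenticator_assert(challenge, LOOKALIKE_ORIGIN)
    relay_rejected = rp_verify_assertion(challenge, relayed)
    tampered = dict(relayed)
    tampered["clientDataJSON"] = relayed["clientDataJSON"].replace(
        LOOKALIKE_ORIGIN.encode(), RP_ORIGIN.encode())
    tamper_rejected = rp_verify_assertion(challenge, tampered)
    # 3. A TOTP code carries no origin at all: entered anywhere and forwarded within the
    #    time step, it verifies, which is why the page calls such MFA non-phishing-resistant.
    code_entered_on_lookalike = totp(OTP_SECRET, now)
    otp_relay_accepted = rp_verify_totp(code_entered_on_lookalike, now + 5)
    return {"legitimate": legit, "webauthn_relay": relay_rejected,
            "webauthn_tampered": tamper_rejected, "otp_relay": otp_relay_accepted}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The design choice to take away is in `rp_verify_assertion`: origin is checked against the relying party's own expected value before any cryptography is examined, and because the signature covers the hash of `clientDataJSON`, the origin field cannot be rewritten in transit. The OTP verifier has no equivalent field to check, so the "remove SMS, phone call and email as authentication methods" recommendation above is about replacing factors that lack this binding, not merely about channel quality.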
ShinyHunters Claims and Victim Impact
ShinyHunters claims responsibility for the social engineering attacks targeting Okta, Microsoft Entra, and Google SSO platforms. The group confirmed details about the phishing infrastructure and domains used, but disputed the origin of a phishing kit command-and-control server screenshot shared by Okta. ShinyHunters also claims to be using data stolen in previous breaches to identify and contact employees. Victims such as SoundCloud, Betterment, and Crunchbase have disclosed data breaches.

Real-Time Phishing Kits
Cybercrime groups are targeting single sign-on services to gain access to networks and steal data. Mandiant is tracking a ShinyHunters campaign using evolved voice phishing techniques. Cybercriminals are registering custom domains that mimic legitimate SSO portals and deploying tailored voice-phishing kits. These kits allow attackers to sync their spoken prompts with MFA requests in real time. Okta released threat intelligence on phishing kits observed in this campaign. Brett Winterford from Okta noted that researchers have observed at least two phishing kits that mimic the authentication flows of identity providers in real-time.