Mandiant has observed an increase in threat activity consistent with ShinyHunters extortion operations. These actors use voice phishing (vishing) and fake credential-harvesting sites to steal single sign-on (SSO) and multi-factor authentication (MFA) credentials. Once they have access, they target cloud-based SaaS applications and exfiltrate sensitive data for extortion. Google Threat Intelligence Group tracks this activity under several threat clusters, including UNC6661, UNC6671, and UNC6240.

The methodology of targeting identity providers and SaaS platforms continues to evolve, and the range of cloud platforms being compromised is expanding. Recent incidents have escalated to include harassment of victim personnel. This activity exploits social engineering rather than security vulnerabilities, which underlines the need for phishing-resistant MFA.

UNC6661 specifically impersonated IT staff to trick employees into revealing credentials and MFA codes. After initial access, UNC6661 moved laterally to exfiltrate data from SaaS platforms such as SharePoint, Salesforce, and DocuSign. In some cases the actors used tools such as ToogleBox Recall to delete evidence of their activity. Extortion activity attributed to UNC6240 involved data leaks, ransom demands, and SMS harassment. UNC6671 ran similar vishing operations, with some differences in domain registration and extortion tactics. The threat actors are refining their operations to gather more sensitive data for extortion, and recent activity suggests a possible focus on individuals as well as organizations.
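The summary above says this campaign succeeds by harvesting SSO and MFA credentials on lookalike sites, and that phishing-resistant MFA is the control that breaks it. The following toy model, added here as an illustration and not part of the Mandiant post or any real product, shows why: a relayed one-time code is accepted by the identity provider regardless of where the user typed it, whereas an origin-bound assertion in the style of FIDO2/WebAuthn cannot be produced on, or replayed from, a lookalike origin. The origins are constructed placeholders, and HMAC stands in for the public-key signature a real authenticator would use.

```python
import hashlib
import hmac
import json
import secrets

# Constructed placeholder origins (not real hosts): the legitimate IdP and a lookalike.
LEGIT_ORIGIN = "https://sso.example-corp.invalid"
PHISH_ORIGIN = "https://sso.example-c0rp.invalid"


def totp_code(seed: bytes, t: int) -> str:
    """Minimal time-based OTP (RFC 6238 style: 30 s step, 6 digits)."""
    step = t // 30
    mac = hmac.new(seed, step.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


class OtpIdP:
    """An IdP that accepts any correct code, no matter who submits it."""
    def __init__(self, seed: bytes):
        self.seed = seed

    def verify(self, code: str, t: int) -> bool:
        return hmac.compare_digest(code, totp_code(self.seed, t))


class Authenticator:
    """Toy roaming security key: one credential scoped to one relying-party origin.
    The browser reports the origin the user is actually on; the authenticator
    signs that origin together with the challenge (simplified clientDataJSON)."""
    def __init__(self):
        self._creds = {}

    def enroll(self, origin: str) -> bytes:
        key = secrets.token_bytes(32)
        self._creds[origin] = key
        return key  # in real WebAuthn only the public key leaves the device

    def assertion(self, browser_origin: str, challenge: str):
        key = self._creds.get(browser_origin)
        if key is None:
            return None  # no credential for this origin: nothing to sign with
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        ).encode()
        return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


class FidoIdP:
    """An IdP that checks the signed origin and a fresh, single-use challenge."""
    def __init__(self, origin: str, key: bytes):
        self.origin, self.key = origin, key
        self._pending = set()

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self._pending.add(c)
        return c

    def verify(self, assertion) -> bool:
        if assertion is None:
            return False
        client_data, sig = assertion
        data = json.loads(client_data)
        if data["origin"] != self.origin or data["challenge"] not in self._pending:
            return False
        self._pending.discard(data["challenge"])
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def otp_relay_accepted(now: int) -> bool:
    """Victim types the code into the harvesting site, which forwards it to the IdP."""
    seed = secrets.token_bytes(20)
    idp = OtpIdP(seed)
    harvested = totp_code(seed, now)   # what the victim read from their app and typed in
    return idp.verify(harvested, now)  # the IdP cannot tell the code was relayed


def fido_login_accepted(victim_on_phish_site: bool) -> bool:
    """Harvesting site relays the IdP's genuine challenge to the victim's browser."""
    auth = Authenticator()
    idp = FidoIdP(LEGIT_ORIGIN, auth.enroll(LEGIT_ORIGIN))
    chal = idp.challenge()
    origin = PHISH_ORIGIN if victim_on_phish_site else LEGIT_ORIGIN
    return idp.verify(auth.assertion(origin, chal))


def forged_origin_accepted() -> bool:
    """Harvesting site writes the legitimate origin into client data itself,
    but has no credential, so the signature does not verify."""
    auth = Authenticator()
    idp = FidoIdP(LEGIT_ORIGIN, auth.enroll(LEGIT_ORIGIN))
    chal = idp.challenge()
    forged = json.dumps({"challenge": chal, "origin": LEGIT_ORIGIN}, sort_keys=True).encode()
    return idp.verify((forged, b"\x00" * 32))


if __name__ == "__main__":
    print("OTP relayed through lookalike accepted:", otp_relay_accepted(1_700_000_000))
    print("FIDO login from legitimate origin:", fido_login_accepted(False))
    print("FIDO login relayed via lookalike:", fido_login_accepted(True))
    print("FIDO with forged origin field:", forged_origin_accepted())
```

The OTP path is the one the vishing caller exploits: an IT impersonator only needs the user to read out or type the code, and the IdP accepts it. The origin-bound path fails at two independent points, which is the property "phishing-resistant" refers to: the authenticator has no credential scoped to the lookalike origin, and even a fabricated client-data blob naming the legitimate origin cannot be signed.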
