Researchers warn that a recently disclosed extortion campaign linked to ShinyHunters represents an escalation of tactics used by the group.
ShinyHunters late last month claimed credit for a series of voice phishing attacks that led to extortion demands against five organizations.
Multiple groups linked to a ShinyHunters-branded campaign that leverages voice phishing and victim-branded credential-harvesting sites to gain access to corporate environments by gaining access to single sign-on credentials and multifactor authentication codes, according to Mandiant, the incident response arm of Google Threat Intelligence Group.
After gaining access, the threat groups target cloud-based software-as-a-service applications in order to steal sensitive data and other internal documents for use in future extortion campaigns.
GTIG researchers are tracking the threat groups as UNC6661, UNC6671 and UNC6240.
Since mid-January, hackers from UNC6661 called employees at victim organizations under the guise of being IT staffers. The hackers falsely claimed the company was updating multifactor settings and directed the workers to a branded credential harvesting site. This allowed the site to capture MFA codes and single sign-on credentials.
Mandiant confirmed that, in certain cases, hackers gained access to accounts belonging to Okta customers. This activity was referenced in a January blog post from Okta about a campaign using phishing kits.
Based on several overlapping issues, including the use of a common Tox account as part of negotiations, researchers linked the subsequent extortion activity to UNC6240. Extortion emails provided some details of what was stolen and demanded payment within 72 hours.
Researchers confirmed a new data leak site posted in late January with information about alleged victims. As previously reported, security researcher Alon Gal told Cybersecurity Dive that hacks against five organizations were claimed.
Hackers linked to UNC6671 have conducted similar attacks, impersonating IT staff, since in early January. The credential-harvesting domains used the same structure to those used by UNC6661, but were registered through a different service.
