Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Summary:
GTIG researchers have identified a significant expansion in the tradecraft used by the financially motivated threat group ShinyHunters (tracked under various clusters including UNC6240, UNC6661, and UNC6671). While historically known for large-scale database thefts, the group has evolved into a "social engineering first" operation that mimics the aggressive vishing (voice phishing) tactics of groups like Scattered Spider. The current campaign focuses on compromising Single Sign-On (SSO) credentials and abusing OAuth permissions to infiltrate SaaS environments. Attackers typically pose as IT support staff, calling employees to "assist" with MFA issues or password resets and directing the victim to a branded credential-harvesting page that imitates the organization's SSO login. Once access is gained, the group enrolls attacker-controlled MFA devices to persist and uses "connected apps", often masquerading as legitimate tools such as the Salesforce Data Loader, to exfiltrate large volumes of sensitive corporate data, PII, and internal communications for extortion.
Security Officer Comments:
For organizations, this activity represents a shift from technical vulnerability exploitation to the systematic weaponization of human trust and SaaS interconnectivity. ShinyHunters is no longer just looking for a "hole in the wall"; they are calling the front desk and asking for the keys. The impact on our member base is particularly acute because we rely heavily on interconnected SaaS ecosystems in which a single compromised SSO session can grant lateral movement across multiple critical platforms (CRM, HRIS, and email). Because the initial contact is a phone call by fluent English speakers working from personalized scripts, it never passes through the controls most organizations depend on: email filtering, web proxies, and endpoint agents see only a legitimate-looking login and app authorization by a real user. The collaboration or overlap with groups like Scattered Spider suggests a professionalization of "access-as-a-service," in which the initial compromise is handled by social engineering specialists and then handed off to exfiltration and extortion specialists. For IT-ISAC members, the primary risk is not just data loss but the downstream extortion of employees and clients, as these actors have recently escalated to harassing personnel directly to force payment.
Suggested Corrections:
Mandiant has published a comprehensive guide with proactive hardening and detection recommendations.
- Enforce Phishing-Resistant MFA: Transition from SMS, voice, or push-based MFA to FIDO2/WebAuthn-compliant hardware security keys (e.g., YubiKeys) or passkeys. Because the authenticator's response is bound to the legitimate origin, a branded lookalike page cannot harvest or relay a usable credential, which defeats the credential harvesting and proxying tactics used by ShinyHunters. This does not by itself stop a help desk from enrolling an attacker's authenticator or a user from authorizing a malicious connected app, so the controls below are still required.
- Strengthen Help Desk Verification: Implement high-assurance identity verification for all password resets and MFA device enrollments. This should include out-of-band verification (a callback to the phone number already on record, or confirmation via a known manager) or a live video call with a government-issued ID check, applied regardless of how urgent or senior the caller claims to be. A callback number supplied by the caller is not out-of-band verification.
- Audit OAuth and Connected Apps: Regularly review and prune third-party application permissions within SaaS environments. Specifically, look for and disable unapproved "Data Loader" or "Backup" tools that have wide-reaching permissions to export data. Where the platform supports it, restrict connected-app authorization to an administrator-approved allowlist so users cannot self-authorize new apps, and alert on any new authorization that requests API, full-access, or refresh-token scopes.
- Implement Session Hardening: Configure aggressive session timeouts and enforce IP-based conditional access policies. Restricting SaaS login sessions to known corporate egress IP addresses (or to managed, compliant devices) prevents stolen credentials from being used from attacker infrastructure. When a compromise is suspected, revoke all active sessions and OAuth tokens for the account as well as resetting the password, since a password change does not necessarily invalidate existing tokens.
- Monitor for New Device Enrollments: Set up automated alerts for any new MFA device registration, especially when it occurs shortly after a password reset or help desk ticket, or originates from an IP address, ISP, or geography the user has not used before. Treat a reset followed within hours by an enrollment from an unfamiliar network as a high-confidence indicator and confirm with the user out of band.
- Vishing Awareness Training: Conduct targeted social engineering simulations that mimic the "IT Support" vishing calls used by ShinyHunters, so employees know that legitimate IT staff will never ask for MFA codes, ask them to approve a push prompt, or direct them to a non-corporate login portal, and know how to report such a call.
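As an added illustration of the connected-app audit and new-device-enrollment items above (example code written for this advisory, not taken from the Mandiant guide or from any vendor), the following Python script applies three detections to a constructed, generic JSON-lines audit log: an MFA enrollment within 24 hours of a password reset for the same user, an MFA enrollment from a network outside the corporate egress list, and an OAuth grant to a non-allowlisted app requesting high-privilege scopes. The field names, the sample events, the corporate ASN set, the approved-app allowlist, the scope names and the 24-hour window are all assumptions; map them to the actual log schema of your identity provider and SaaS platform.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log in a generic JSON-lines shape (not a real vendor schema).
# j.doe shows the pattern described in the advisory: reset, then MFA enrollment from a
# new network, then a high-privilege connected-app grant. The other users are benign
# controls (c.wang enrolls two days after a reset from the corporate network).
SAMPLE_LOG = """
{"ts":"2025-06-10T14:02:11Z","user":"j.doe@example.com","event":"password_reset","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2025-06-10T14:09:40Z","user":"j.doe@example.com","event":"mfa_device_enrolled","ip":"198.51.100.77","asn":"AS64511"}
{"ts":"2025-06-10T14:15:02Z","user":"j.doe@example.com","event":"oauth_app_authorized","ip":"198.51.100.77","asn":"AS64511","app":"Salesforce Data Loader","scopes":["api","refresh_token","full"]}
{"ts":"2025-06-08T09:00:00Z","user":"c.wang@example.com","event":"password_reset","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2025-06-10T09:05:00Z","user":"c.wang@example.com","event":"mfa_device_enrolled","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2025-06-11T09:05:00Z","user":"a.smith@example.com","event":"mfa_device_enrolled","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2025-06-11T10:00:00Z","user":"b.lee@example.com","event":"oauth_app_authorized","ip":"203.0.113.10","asn":"AS64500","app":"Slack","scopes":["openid","email"]}
"""

# Assumed environment facts; replace with your own values.
CORPORATE_ASNS = {"AS64500"}                          # known corporate egress networks
APPROVED_APPS = {"Slack"}                             # admin-approved connected apps
HIGH_RISK_SCOPES = {"api", "full", "refresh_token"}   # scopes enabling bulk export and persistence
RESET_TO_ENROLL_WINDOW = timedelta(hours=24)          # reset -> enrollment correlation window


def parse_events(raw):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of alert dicts for the three signals, in event order."""
    alerts = []
    last_reset = {}  # user -> timestamp of that user's most recent password reset
    for e in events:
        user, kind = e["user"], e["event"]
        if kind == "password_reset":
            last_reset[user] = e["ts"]
        elif kind == "mfa_device_enrolled":
            reset_ts = last_reset.get(user)
            # Enrollment shortly after a reset is the help-desk takeover pattern.
            if reset_ts is not None and e["ts"] - reset_ts <= RESET_TO_ENROLL_WINDOW:
                alerts.append({"rule": "mfa_enroll_after_reset", "user": user,
                               "ts": e["ts"].isoformat(),
                               "minutes_since_reset": int((e["ts"] - reset_ts).total_seconds() // 60)})
            # Enrollment from outside corporate egress is suspicious on its own.
            if e.get("asn") not in CORPORATE_ASNS:
                alerts.append({"rule": "mfa_enroll_unknown_network", "user": user,
                               "ts": e["ts"].isoformat(), "ip": e.get("ip"), "asn": e.get("asn")})
        elif kind == "oauth_app_authorized":
            # Non-allowlisted app asking for export/persistence scopes: candidate data-loader abuse.
            risky = sorted(set(e.get("scopes", [])) & HIGH_RISK_SCOPES)
            if e.get("app") not in APPROVED_APPS and risky:
                alerts.append({"rule": "unapproved_oauth_grant", "user": user,
                               "ts": e["ts"].isoformat(), "app": e.get("app"), "scopes": risky})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Running the script against the constructed sample produces three alerts, all for j.doe; the two-day-old reset for c.wang and the allowlisted Slack grant for b.lee are correctly ignored. In production the same three signals would be fed from the identity provider's authenticator-enrollment events and the SaaS platform's connected-app authorization log, and the reset-to-enrollment rule is the one worth routing to a human for out-of-band confirmation.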
Link(s):
https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft