Introduction
Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion.
Attack Overview
These campaigns leverage evolved voice phishing (vishing) and victim-branded credential harvesting to successfully compromise single sign-on (SSO) credentials and enroll unauthorized devices into victim multi-factor authentication (MFA) solutions.
Technical Analysis
This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, these intrusions rely on the effectiveness of social engineering to bypass identity controls and pivot into cloud-based software-as-a-service (SaaS) environments.
Impact
Organizations responding to an active incident should focus on rapid containment steps, such as severing access to infrastructure environments, SaaS platforms, and the specific identity stores typically used for lateral movement and persistence.
Detection & Response
Long-term defense requires a transition toward phishing-resistant MFA, such as FIDO2 security keys or passkeys, which are more resistant to social engineering than push-based or SMS authentication.
Security Lessons Learned
Implementing stronger, layered identity verification processes for support interactions, especially for requests involving account changes such as password resets or MFA modifications, is crucial.
- Help desk verification
- End-user education
- Identity and access management
- Infrastructure and application platforms
Cybersecurity is not just a technical issue; it is a human issue.
Recent Comments
No comments on this post yet.