Introduction
Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations.
Attack Overview
These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.
Technical Analysis
Once inside, the threat actors target cloud-based software-as-a-service (SaaS) applications to exfiltrate sensitive data and internal communications for use in subsequent extortion demands.
Impact
The threat actors have targeted specific types of information, including documents containing specific text and personally identifiable information (PII) stored in Salesforce.
Detection & Response
Mandiant has published a comprehensive guide with proactive hardening and detection recommendations, and Google published a detailed walkthrough for operationalizing these findings within Google Security Operations.
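One detection idea that follows from the SaaS exfiltration stage described above is to flag a session whose login is quickly followed by large export activity. The snippet below is an added illustration, not code from Mandiant's guide or from Google Security Operations; the event records and field names are constructed and simplified, and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified audit events modelled loosely on SaaS/Salesforce
# event-log rows. Field names and values are assumptions, not a verified schema.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:00:00", "type": "Login",        "user": "alice", "session": "s1", "rows": 0},
    {"ts": "2025-06-01T09:20:00", "type": "ReportExport", "user": "alice", "session": "s1", "rows": 250},
    {"ts": "2025-06-01T10:00:00", "type": "Login",        "user": "bob",   "session": "s2", "rows": 0},
    {"ts": "2025-06-01T10:05:00", "type": "BulkApi",      "user": "bob",   "session": "s2", "rows": 40000},
    {"ts": "2025-06-01T10:09:00", "type": "BulkApi",      "user": "bob",   "session": "s2", "rows": 35000},
    {"ts": "2025-06-01T12:00:00", "type": "Login",        "user": "carol", "session": "s3", "rows": 0},
    {"ts": "2025-06-01T15:00:00", "type": "BulkApi",      "user": "carol", "session": "s3", "rows": 90000},
]

# Event types treated as data export (assumed names for illustration).
EXPORT_TYPES = {"ReportExport", "BulkApi", "API"}


def flag_bulk_export_sessions(events, window=timedelta(minutes=60), row_threshold=10000):
    """Return [(user, session, rows)] for every session in which a Login is
    followed within `window` by export activity totalling >= `row_threshold` rows.

    The heuristic models the post-compromise behaviour: a freshly stolen SSO
    session is used to pull a large volume of records in a short time."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    flagged = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        login_ts = next((e["ts"] for e in evs if e["type"] == "Login"), None)
        if login_ts is None:
            continue  # no login in scope; nothing to correlate against
        rows = sum(
            e["rows"] for e in evs
            if e["type"] in EXPORT_TYPES and login_ts <= e["ts"] <= login_ts + window
        )
        if rows >= row_threshold:
            flagged.append((evs[0]["user"], session, rows))
    return flagged


if __name__ == "__main__":
    for user, session, rows in flag_bulk_export_sessions(SAMPLE_EVENTS):
        print(f"ALERT user={user} session={session} exported_rows={rows}")
```

Note that the third session is only caught with a wider window, which is the usual tuning trade-off between noise and missed slow exfiltration.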
Security Lessons Learned
This activity highlights the importance of organizations moving towards phishing-resistant MFA and underscores the effectiveness of social engineering.
If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.