Mandiant has reported an increase in extortion attacks linked to the hacking group ShinyHunters, which relies on social engineering rather than software exploits to breach corporate environments. The attackers use fraudulent login pages and phone-based phishing (vishing) to capture credentials and one-time MFA codes, then steal data from cloud applications and hold it for ransom.
The cybersecurity firm Mandiant recently disclosed a significant uptick in malicious activity attributed to the financially motivated threat group known as ShinyHunters. The group is widening its reach, targeting a broader range of cloud-based platforms to exfiltrate sensitive internal information. Researchers are tracking several distinct activity clusters and have not yet determined whether one group is refining its methods or several actors are adopting the same playbook.
To gain initial access, the attackers combine voice phishing with lookalike websites that mimic a company's internal single sign-on portal. An employee who enters credentials on the fake page hands over both the SSO password and the multi-factor authentication code, and because the attacker relays them to the real identity provider immediately, a time-based or SMS one-time code is consumed before it expires: the second factor is defeated, not broken. This is why code- and push-based MFA, which many organizations treat as their perimeter, does not stop the technique; only phishing-resistant factors such as FIDO2 security keys or passkeys, which are cryptographically bound to the genuine origin, do.
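One way to hunt for the lookalike portals described above, as an added example written for this page (it is not Mandiant's or ShinyHunters' tooling): score candidate hostnames against the company's real SSO host using homoglyph folding, edit distance on the registrable domain, and brand-name-under-foreign-domain checks. The SSO hostname, brand token and candidate list are assumptions constructed for illustration; in practice the candidates would come from certificate-transparency logs or DNS/proxy telemetry.

```python
"""Lookalike login-portal detector.

Added example (not from the Mandiant report): scores candidate hostnames, e.g. from
certificate-transparency logs or proxy DNS telemetry, against a company's real SSO host.
The hostname, brand token and candidate list are constructed for illustration.
"""
from dataclasses import dataclass

LEGIT_HOST = "sso.example-corp.com"      # assumed corporate SSO portal
BRAND_TOKENS = ("examplecorp",)          # brand as it appears with punctuation stripped

# Digits commonly substituted for Latin letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label: str) -> str:
    """Fold common substitutions so 'examp1e' and 'exarnple' both compare as 'example'.
    Heuristic: a legitimate label containing 'rn' or 'vv' is folded too."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable(host: str) -> str:
    """Last two labels as the registrable domain. Simplification: production code should
    use the Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means a near-typo of the legitimate label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    host: str
    suspicious: bool
    reason: str


def assess(host: str, legit_host: str = LEGIT_HOST, brand_tokens=BRAND_TOKENS,
           max_distance: int = 2) -> Verdict:
    host = host.lower().strip(".")
    legit_reg, cand_reg = registrable(legit_host), registrable(host)
    if cand_reg == legit_reg:
        return Verdict(host, False, "same registrable domain as the real portal")

    # 1. Near-typo or homoglyph variant of the second-level label.
    #    The length guard avoids flagging everything when the real label is very short.
    legit_sld = normalize(legit_reg.split(".")[0])
    cand_sld = normalize(cand_reg.split(".")[0])
    dist = levenshtein(legit_sld, cand_sld)
    if dist <= max_distance and len(legit_sld) > 2 * max_distance:
        return Verdict(host, True, f"'{cand_reg}' is within edit distance {dist} of '{legit_reg}'")

    # 2. Brand name present anywhere, but under a registrable domain the company does not own
    #    (covers 'sso-example-corp.com' and 'sso.example-corp.com.evil.net' subdomain tricks).
    flat = normalize(host).replace(".", "").replace("-", "")
    for token in brand_tokens:
        if normalize(token) in flat:
            return Verdict(host, True, f"brand '{token}' under foreign domain '{cand_reg}'")

    return Verdict(host, False, "no resemblance to the real portal")


def scan(candidates, legit_host: str = LEGIT_HOST, brand_tokens=BRAND_TOKENS):
    """Return the hosts judged to imitate the portal, in input order."""
    return [v.host for v in (assess(h, legit_host, brand_tokens) for h in candidates) if v.suspicious]


# Constructed candidates: two benign company hosts, an unrelated site, and four lookalikes.
CANDIDATES = [
    "sso.example-corp.com",
    "vpn.example-corp.com",
    "partner-portal.net",
    "examp1e-corp.com",
    "exarnple-corp.com",
    "sso-example-corp.com",
    "sso.example-corp.com.login-verify.net",
]

if __name__ == "__main__":
    for h in CANDIDATES:
        v = assess(h)
        print(f"{'FLAG' if v.suspicious else 'ok  '} {v.host:42} {v.reason}")
```

The subdomain check matters most: a host such as `sso.example-corp.com.login-verify.net` has the real portal name verbatim at the left, which is exactly what a user glancing at the address bar on a phone sees. Flagged hosts are candidates for takedown requests and for blocking at the web proxy; neither check replaces phishing-resistant MFA, which removes the value of the credentials the page collects.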
Once inside, the attackers go after software-as-a-service applications that hold sensitive corporate data and private communications. Exfiltrating that data gives them leverage for extortion demands against the victim. Mandiant observed that the scope of the attacks is widening as the group seeks out more valuable data sets to raise the pressure during negotiations.
In addition to the technical aspects of the breaches, the threat actors have begun employing more aggressive and personal tactics to ensure payment. Recent incidents have shown an escalation in behavior, including the direct harassment of company personnel. This shift suggests a move toward more confrontational and psychological methods of extortion beyond simple data theft.
The evolution of these tactics underlines the persistent threat that identity-based attacks pose to cloud infrastructure. As the group diversifies its targets and refines its social engineering, organizations are urged to harden identity management, in particular by moving to phishing-resistant MFA and tightening session controls, and to monitor sign-in telemetry for logins that were relayed rather than typed by the user. The attackers' goal remains the same: the fastest route from stolen corporate data to payment.
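What that monitoring can look like for relayed logins, as an added example that is not from the Mandiant report: two heuristics run over identity-provider sign-in events. The first flags an MFA-satisfied login from a network the user has never used, rating it high when the network is hosting infrastructure (where a relay proxy typically lives) and low when the factor was a passkey or FIDO2 key, which a phishing page cannot relay. The second flags a session that is used from a different network than the one it was issued to within a short window, the signature of a captured session token being handed to the operator. The event schema, ASN numbers, hosting-ASN list and 30-minute window are assumptions; every event is constructed.

```python
"""Sign-in telemetry heuristics for relayed (adversary-in-the-middle) logins.

Added example, not from the Mandiant report. The event schema, the ASN numbers, the
hosting-ASN list and the 30-minute window are assumptions; every event below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Factors bound to the real origin; a proxy page cannot replay them to the identity provider.
PHISHING_RESISTANT = {"fido2", "passkey"}
# Assumed: autonomous systems of VPS/hosting providers, where a relay proxy typically runs.
HOSTING_ASNS = {"AS64600"}
# Constructed baseline: ASNs each user has signed in from before.
BASELINE = {"alice": {"AS64500"}, "bob": {"AS64501"}}

# Constructed events in time order (RFC 5737 documentation addresses, private-use ASNs).
EVENTS = [
    {"ts": "2024-05-01T09:02:00Z", "user": "alice", "ip": "203.0.113.10", "asn": "AS64500",
     "type": "login_success", "mfa": "otp", "session": "s1"},
    {"ts": "2024-05-01T09:05:00Z", "user": "bob", "ip": "203.0.113.22", "asn": "AS64501",
     "type": "login_success", "mfa": "push", "session": "s3"},
    # alice's password and OTP arrive from a hosting ASN she has never used: the relay proxy.
    {"ts": "2024-05-01T13:14:00Z", "user": "alice", "ip": "192.0.2.44", "asn": "AS64600",
     "type": "login_success", "mfa": "otp", "session": "s2"},
    # Two minutes later the issued session is used from yet another network: token handed off.
    {"ts": "2024-05-01T13:16:00Z", "user": "alice", "ip": "198.51.100.7", "asn": "AS64601",
     "type": "session_activity", "session": "s2"},
    # bob signs in from a new network but with a passkey, which a phishing page cannot relay.
    {"ts": "2024-05-01T15:00:00Z", "user": "bob", "ip": "198.51.100.90", "asn": "AS64502",
     "type": "login_success", "mfa": "passkey", "session": "s4"},
    {"ts": "2024-05-01T15:03:00Z", "user": "bob", "ip": "198.51.100.90", "asn": "AS64502",
     "type": "session_activity", "session": "s4"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, baseline=BASELINE, hosting_asns=HOSTING_ASNS,
           replay_window: timedelta = timedelta(minutes=30)):
    """Return alerts for (1) MFA-satisfied logins from a network outside the user's baseline
    and (2) sessions used from a different network than the one they were issued to."""
    alerts = []
    issued = {}  # session id -> (user, ip, asn, authentication time)
    for e in events:
        ts = parse_ts(e["ts"])
        if e["type"] == "login_success":
            issued[e["session"]] = (e["user"], e["ip"], e["asn"], ts)
            if e["asn"] in baseline.get(e["user"], set()):
                continue
            if e.get("mfa") in PHISHING_RESISTANT:
                severity = "low"      # new network, but the factor proves the real origin
            elif e["asn"] in hosting_asns:
                severity = "high"     # password + code relayed from hosting infrastructure
            else:
                severity = "medium"
            alerts.append({"ts": e["ts"], "user": e["user"], "rule": "mfa_success_new_asn",
                           "severity": severity, "asn": e["asn"]})
        elif e["type"] == "session_activity":
            origin = issued.get(e["session"])
            if origin is None:
                continue
            user, ip, asn, auth_ts = origin
            if ts - auth_ts <= replay_window and (e["ip"], e["asn"]) != (ip, asn):
                alerts.append({"ts": e["ts"], "user": user, "rule": "session_replay",
                               "severity": "high", "asn": e["asn"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['ts']} {a['severity']:6} {a['user']:6} {a['rule']} ({a['asn']})")
```

On real telemetry the baseline should be learned from a trailing window of successful sign-ins rather than hard-coded, and the hosting-ASN list should come from a maintained source; the point of the example is that the relayed login looks like a successful, MFA-satisfied sign-in to the identity provider, so the only distinguishing signals are where it came from and what happens to the session afterwards.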
Source: Mandiant Finds ShinyHunters Style Vishing Used To Steal MFA And Breach SaaS