Investigations from the US cybersecurity group Mandiant have uncovered an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters breaches, indicating that the issue is far from over.
A new report from Google Threat Intelligence has outlined how the SaaS data theft operations are currently broadening, with threat actors now expanding to more cloud platforms and more sensitive data types.
Salesforce Data Breaches
Large-scale reporting on ShinyHunters within the SaaS space began last year when the group announced that they were one of the threat actors behind a wave of Salesforce data theft incidents.
These incidents involved vishing (voice phishing), social engineering attacks, and MFA code theft to compromise corporate SSO accounts.
In November, Google confirmed that hackers had stolen the Salesforce-stored data of over 200 companies, and although ShinyHunters was not the sole group responsible for all of these hacks, the actors are reportedly tied to hacks relating to companies such as Gainsight, Allianz Life, Pandora, Chanel, and more.
Last month, ShinyHunters were allegedly behind one of the most recent breaches in this campaign, with the US food delivery platform Grubhub being named as the victim.
The Latest Activity
Google Threat Intelligence's latest report on the case has now detailed that the breaches are not only still underway and actively being monitored, but that the extent of them is likely to get worse.
The report details that this activity is linked to a broad ecosystem of threat actors rather than one single group, with threat clusters UNC6661, UNC6671, and UNC6240 being identified.
These attackers have been impersonating IT staff and calling employees, claiming that MFA updates are required, then directing victims to attacker-controlled SSO portals from which the hackers harvest credentials and other sensitive information.
Google Threat Intelligence highlights that no vendor vulnerabilities have been exploited: the attacks rely entirely on social engineering, so Salesforce and the other affected vendors have no known vulnerabilities being targeted. A full list of phishing domain patterns to look out for can be found in the report.
Last October, the FBI took down a BreachForums portal used by ShinyHunters "as a data leak extortion site for the widespread Salesforce attacks", but the report indicates that extortion activity is still taking place.
The named tactics include:
- ShinyHunters-branded ransom emails.
- Threats with 72-hour payment deadlines.
- Proof of data theft hosted on Limewire.
- Harassment of employees.
- DDoS attacks on victim websites.
A new ShinyHunters-branded data leak site emerged in late January, showcasing the ongoing nature of these attacks.
There is currently a strong recommendation to adopt phishing-resistant MFA, such as FIDO2 and passkeys, as well as to use detection tooling and hunting queries for suspicious activity.
Final Thoughts
There is now confirmation that the same threat actors behind the Salesforce data breaches of last year are expanding to more cloud platforms and more sensitive data types.
It indicates a maturing criminal ecosystem within the SaaS space, and that this is likely a much larger campaign than originally thought, highlighting the need for robust security training, tools, and implementation.