SecurityWeek

Cybercrime

Over 100 Organizations Targeted in ShinyHunters Phishing Campaign

Domains set up by the threat actor suggest attacks aimed at Atlassian, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, and WeWork.


Many major organizations appear to have been targeted in a recent cybercrime campaign linked to the ShinyHunters group, according to security firm Silent Push.

Over the past 30 days, Silent Push has identified domains suggesting that the threat actors have been preparing or conducting attacks against at least 100 organizations in sectors such as software and technology, financial services, biotech and pharma, real estate, energy and utilities, healthcare, logistics and transportation, manufacturing, retail, and insurance.

Silent Push has named major companies such as Atlassian, Adyen, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, GameStop, WeWork, Halliburton, Sonos, and Telstra.

The hackers have set up fake domains targeting these companies, but it’s unclear whether any attacks were conducted or whether their attempts to gain access to systems were successful.

In the campaign, the cybercriminals used voice phishing (vishing) to target single sign-on (SSO) accounts associated with Okta and other identity platforms. 

In attacks observed by Okta and others, threat actors used specialized phishing kits that enable them to intercept credentials and trick victims into helping them bypass multi-factor authentication. 


“The most critical of these features are client-side scripts that allow threat actors to control the authentication flow in the browser of a targeted user in real-time while they deliver verbal instructions or respond to verbal feedback from the targeted user,” Okta explained.

It added, “It’s this real-time session orchestration that delivers the plausibility required to convince the threat actor’s target to approve push notifications, submit one time passcodes (OTP) or take other actions the threat actor needs to bypass MFA controls.”

ShinyHunters is the public-facing entity that has taken credit for the attacks, but Silent Push has attributed the campaign — based on TTPs — to Scattered LAPSUS$ Hunters, the group formed last year by Lapsus$, Scattered Spider, and ShinyHunters members. 

On the ShinyHunters leak website, the cybercriminals recently listed companies such as Betterment, Crunchbase, and SoundCloud, all of which have confirmed suffering a data breach.

Alon Gal, CTO of threat intelligence firm Hudson Rock, learned from ShinyHunters that these are victims of the Okta SSO vishing campaign. The hackers have released millions of records allegedly stolen from these companies. 

Google’s Mandiant has also been tracking this campaign, which it has described as active and ongoing.

“After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organizations with an extortion demand,” said Charles Carmakal, CTO of Mandiant Consulting.

“While this is not the result of a security vulnerability in vendors’ products or infrastructure, we strongly recommend moving toward phishing-resistant MFA, such as FIDO2 security keys or passkeys where possible, as these protections are resistant to social engineering attacks in ways that push-based or SMS authentication are not. Administrators should also implement strict app authorization policies and monitor logs for anomalous API activity or unauthorized device enrollments,” Carmakal added.
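The footprint a vishing-driven MFA bypass leaves in an identity provider's logs is fairly specific: an MFA challenge is approved, and minutes later a new factor (the attacker's device) is enrolled from a network the user has never authenticated from. The following detector is an added example written for this article; it is not code from Okta, Mandiant, Silent Push or SecurityWeek. The log lines are constructed, shaped like Okta System Log entries, and the event-type names, the 15-minute window and the per-user IP baseline are assumptions to be checked against your own tenant.

```python
"""
Added example: flag a new MFA factor enrolled from an unfamiliar IP shortly after an
MFA challenge was approved, the pattern a "help me enroll your device" vishing call
leaves behind. Not vendor code; event names and thresholds are assumptions.
"""
import json
from datetime import datetime, timedelta

# Assumption: enrollment this soon after an approval is worth an analyst's attention.
WINDOW = timedelta(minutes=15)

# Assumed Okta System Log event-type names; verify them in your own tenant.
MFA_OK = "user.authentication.auth_via_mfa"
FACTOR_ENROLL = "user.mfa.factor.activate"

# Constructed baseline: IPs each user authenticated from over the prior 30 days.
# In production this comes from a lookup over historical session events.
BASELINE_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.20"},
    "carol@example.com": {"203.0.113.30"},
}

# Constructed sample log, one JSON object per line (not real Okta output).
SAMPLE_LOG = """\
{"published": "2025-08-01T10:00:05.000Z", "eventType": "user.authentication.auth_via_mfa", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-08-01T10:02:40.000Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-08-01T11:00:00.000Z", "eventType": "user.authentication.auth_via_mfa", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.20"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-08-01T11:01:30.000Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.20"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-08-01T12:00:00.000Z", "eventType": "user.authentication.auth_via_mfa", "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.30"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-08-01T13:00:00.000Z", "eventType": "user.authentication.auth_via_mfa", "actor": {"alternateId": "dave@example.com"}, "client": {"ipAddress": "198.51.100.12"}, "outcome": {"result": "FAILURE"}}
{"published": "2025-08-01T13:01:00.000Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "dave@example.com"}, "client": {"ipAddress": "198.51.100.12"}, "outcome": {"result": "SUCCESS"}}
{"published": "2025-08-01T14:30:00.000Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "198.51.100.9"}, "outcome": {"result": "SUCCESS"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON events into flat dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(e["published"].replace("Z", "+00:00")),
            "type": e["eventType"],
            "user": e["actor"]["alternateId"],
            "ip": e["client"]["ipAddress"],
            "ok": e["outcome"]["result"] == "SUCCESS",
        })
    events.sort(key=lambda ev: ev["time"])
    return events


def detect_suspicious_enrollments(events, baseline, window=WINDOW):
    """Return one alert per factor activation that (a) follows a successful MFA
    challenge for the same user within `window` and (b) comes from an IP absent
    from that user's baseline. Failed challenges never open a window."""
    alerts = []
    recent_mfa = {}  # user -> time of most recent successful MFA challenge
    for e in events:
        if not e["ok"]:
            continue
        if e["type"] == MFA_OK:
            recent_mfa[e["user"]] = e["time"]
        elif e["type"] == FACTOR_ENROLL:
            last = recent_mfa.get(e["user"])
            if last is None or e["time"] - last > window:
                continue  # no fresh approval to chain from
            if e["ip"] in baseline.get(e["user"], set()):
                continue  # re-enrollment from a familiar network; low signal
            alerts.append({
                "user": e["user"],
                "enrolled_from": e["ip"],
                "seconds_after_mfa": int((e["time"] - last).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_enrollments(parse_events(SAMPLE_LOG), BASELINE_IPS):
        print(f"ALERT: new MFA factor for {a['user']} from {a['enrolled_from']} "
              f"{a['seconds_after_mfa']}s after an MFA approval")
```

On the sample data only alice is flagged: bob re-enrolled from his usual network, carol's enrollment is hours after her last approval, and dave's challenge failed. Note that in a real-time proxied session the approval itself may be recorded from the attacker's IP, which is why the check compares the enrollment IP against a historical baseline rather than against the approval event; pair it with a review of the new factor's type and the user's session history before acting.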

Related: Google Warns of Vishing, Extortion Campaign Targeting Salesforce Customers

Related: Organizations Warned of Rise in Okta Support Phishing Attacks

Related: Security Industry Skeptical of Scattered Spider-ShinyHunters Retirement Claims

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
