
Mandiant, a Google company, said Friday that it has seen “expanded threat activity” using tradecraft consistent with extortion-themed attacks organized by a group of financially motivated hackers known as Shiny Hunters.
The attacks rely on sophisticated voice phishing (vishing) and a fake credential harvesting site that imitates the targeted company, harvesting single sign-on (SSO) credentials and multi-factor authentication (MFA) codes to gain unauthorized access to the victim’s environment.
The ultimate goal of the attack is to target cloud-based software-as-a-service (SaaS) applications, siphon sensitive data and internal communications, and extort victims.
The tech giant’s threat intelligence team said it is tracking activity under multiple clusters, including UNC6661, UNC6671, and UNC6240 (also known as Shiny Hunters), and that these groups may be evolving their modus operandi or imitating previously observed tactics.

“This methodology of targeting identity providers and SaaS platforms is consistent with previous observations of threat activity prior to ShinyHunters-branded extortion, but the range of cloud platforms targeted continues to expand as these threat actors seek more sensitive data for extortion purposes,” Mandiant said.
“Additionally, recent incidents appear to have escalated extortion tactics, including harassment of victim employees.”

Here are more details on vishing and credential theft activity:
UNC6661 has been observed impersonating IT staff, calling employees of targeted organizations and directing them to a credential harvesting link under the pretext of updating their multi-factor authentication (MFA) settings. This activity was recorded from early to mid-January 2026. The stolen credentials are then used to enroll the attackers’ own devices in MFA, after which the actors move laterally to exfiltrate data from the SaaS platform. In at least one case, attackers with access to a compromised email account sent further phishing emails to contacts at a cryptocurrency-focused company, then deleted the email to cover their tracks. This activity is followed by extortion efforts attributed to UNC6240.

UNC6671 has likewise been observed impersonating IT staff since early January 2026 in an effort to obtain credentials and MFA codes through victim-branded credential harvesting pages. In at least some instances, the threat actors gained access to Okta customer accounts. UNC6671 also used PowerShell to download sensitive data from SharePoint and OneDrive.

The differences between UNC6661 and UNC6671 come down to the domain registrars used for the credential harvesting domains (NICENIC for UNC6661 and Tucows for UNC6671) and the fact that the extortion emails sent after UNC6671 activity did not overlap with known UNC6240 indicators. This suggests that a number of different people may be involved, demonstrating the amorphous nature of these cybercrime groups. The targeting of crypto companies further suggests that the attackers may be seeking avenues for additional financial gain.

To combat the threats posed to SaaS platforms, Google has outlined a long list of hardening, logging, and detection recommendations.
- Improve help desk processes, for example by requiring personnel to verify a caller’s identity over a live video call.
- Restrict access to trusted network egress points and physical locations.
- Enforce strong passwords.
- Remove SMS, phone calls, and email as authentication methods.
- Restrict management plane access, audit exposed secrets, and enforce device access controls.
- Implement logging to increase visibility of identity actions, authorizations, and SaaS export operations.
- Detect MFA device enrollment and MFA lifecycle changes.
- Look for OAuth/app authentication events that suggest mailbox manipulation using utilities such as ToogleBox Email Recall, and for identity events that occur outside normal business hours.
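The detection items above (MFA enrollment following a sign-in from an unfamiliar source, identity events outside business hours, and bulk SaaS export activity) are the kind of thing a SOC would turn into rules over its identity-provider and SaaS audit logs. The script below is an added example written for this article; it is not Mandiant’s or Google’s code. The event records, the IP baseline and the event-type names are constructed for the example (the names are loosely modelled on Okta System Log and Microsoft 365 audit conventions but are assumptions, so map them to whatever your own log source emits).

```python
"""Toy detection pass over constructed identity / SaaS audit events.

Added example. Event shape, event-type names and IP baseline are ASSUMED
(constructed for this illustration), not taken from any vendor's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"          # all timestamps are UTC


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


# Constructed baseline: source IPs each user has historically signed in from.
KNOWN_IPS = {"alice": {"198.51.100.5"}, "bob": {"198.51.100.7"}, "carol": {"198.51.100.5"}}

# MFA lifecycle events worth watching (assumed names, Okta-style).
MFA_CHANGE_TYPES = {"user.mfa.factor.activate", "user.mfa.factor.deactivate", "user.mfa.factor.reset_all"}

BUSINESS_HOURS = range(7, 19)           # UTC hours treated as "normal"


def _download_events():
    """Twelve constructed SharePoint-style downloads by alice within four minutes."""
    base = parse_ts("2026-01-12T09:10:00Z")
    return [{"ts": (base + timedelta(seconds=20 * i)).strftime(TS_FMT), "type": "file.download",
             "user": "alice", "ip": "203.0.113.10", "result": "SUCCESS",
             "object": f"Finance/report-{i}.xlsx"} for i in range(12)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-01-12T09:02:00Z", "type": "user.session.start", "user": "alice", "ip": "203.0.113.10", "result": "SUCCESS"},
    {"ts": "2026-01-12T09:05:00Z", "type": "user.mfa.factor.activate", "user": "alice", "ip": "203.0.113.10", "result": "SUCCESS"},
    {"ts": "2026-01-12T14:00:00Z", "type": "user.session.start", "user": "bob", "ip": "198.51.100.7", "result": "SUCCESS"},
    {"ts": "2026-01-13T02:30:00Z", "type": "user.session.start", "user": "carol", "ip": "198.51.100.9", "result": "SUCCESS"},
] + _download_events()


def detect_mfa_change_after_new_ip_login(events, window=timedelta(minutes=30)):
    """Flag an MFA factor change that follows a successful sign-in from an IP
    not in the user's baseline within `window` (help-desk-reset pattern)."""
    alerts = []
    last_new_ip_login = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        t = parse_ts(e["ts"])
        if (e["type"] == "user.session.start" and e["result"] == "SUCCESS"
                and e["ip"] not in KNOWN_IPS.get(e["user"], set())):
            last_new_ip_login[e["user"]] = t
        elif e["type"] in MFA_CHANGE_TYPES:
            t0 = last_new_ip_login.get(e["user"])
            if t0 is not None and t - t0 <= window:
                alerts.append(("mfa_change_after_new_ip_login", e["user"]))
    return alerts


def detect_off_hours_auth(events):
    """Flag successful sign-ins on weekends or outside BUSINESS_HOURS."""
    alerts = []
    for e in events:
        if e["type"] != "user.session.start" or e["result"] != "SUCCESS":
            continue
        t = parse_ts(e["ts"])
        if t.weekday() >= 5 or t.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_auth", e["user"]))
    return alerts


def detect_bulk_download(events, threshold=10, window=timedelta(minutes=10)):
    """Flag a user with >= threshold file downloads inside a sliding window."""
    alerts = set()
    recent = defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "file.download":
            continue
        q = recent[e["user"]]
        t = parse_ts(e["ts"])
        q.append(t)
        while q and t - q[0] > window:        # drop downloads older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(("bulk_download", e["user"]))
    return sorted(alerts)


def run_detections(events):
    """Run all three rules and return (rule, user) pairs."""
    return (detect_mfa_change_after_new_ip_login(events)
            + detect_off_hours_auth(events)
            + detect_bulk_download(events))


if __name__ == "__main__":
    for rule, user in run_detections(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {user}")
```

Each rule is deliberately simple so the logic is easy to audit: the first one pairs a sign-in from an unfamiliar IP with a subsequent MFA factor change, which is the sequence a successful vishing call produces; the second and third implement the off-hours and export-volume checks from the list. In a real deployment the IP baseline would come from historical sign-in data rather than a hard-coded dictionary, and the thresholds would be tuned per tenant.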
Google said, “This action is not the result of any security vulnerability in the vendor’s products or infrastructure. Instead, we continue to emphasize the effectiveness of social engineering and emphasize the importance of organizations moving to phish-resistant MFA whenever possible. Methods such as FIDO2 security keys and passkeys are resistant to social engineering, unlike push-based or SMS authentication.”
