ShinyHunters-Linked Vishing Campaign Steals MFA Codes to Breach SaaS Platforms for Extortion
Google-owned Mandiant reported an expansion in ShinyHunters-style intrusions using voice phishing (vishing) and spoofed credential-harvesting sites to steal SSO credentials and MFA codes, enabling unauthorized access to cloud SaaS environments. Mandiant tracked the activity across multiple clusters (UNC6661, UNC6671, and UNC6240 / ShinyHunters) and assessed the objective as data theft from cloud applications (including internal communications) followed by extortion, with some incidents involving escalatory pressure such as harassment of victim personnel. In observed tradecraft, operators impersonated IT staff, directed employees to phishing links under the pretext of updating MFA settings, then used captured credentials to enroll attacker-controlled devices for MFA.
Separate reporting characterized the same campaign as a broad vishing operation with hundreds of organizations in scope, reinforcing that the activity is not limited to a single SaaS provider and is focused on identity-layer compromise rather than software exploitation. Other items in the set were unrelated: a supply-chain compromise of eScan antivirus update infrastructure distributing a backdoor, a Fortinet write-up on Interlock ransomware tradecraft, an article on EU vulnerability identifier policy, and general security-awareness/detection-engineering content; these do not describe the ShinyHunters vishing activity and should not be treated as part of the same incident thread.
Related Entities
Organizations
Sources
Related Stories
ShinyHunters SaaS Data Theft via Vishing-Enabled SSO Credential and MFA Capture
**ShinyHunters** has been linked to a wave of SaaS-focused data-theft and extortion activity enabled by targeted **voice phishing (vishing)** and company-branded phishing portals designed to capture **SSO credentials** and **MFA codes**. Mandiant reported that attackers impersonate IT/helpdesk staff, direct employees to realistic login pages, and use real-time interaction (including guiding victims to approve push prompts or provide one-time codes) to authenticate and then **enroll attacker-controlled devices into MFA**. After account takeover, the actor pivots through **Okta, Microsoft Entra, or Google** SSO dashboards to rapidly access downstream SaaS services (e.g., *Salesforce*, *Microsoft 365/SharePoint*, *DocuSign*, *Slack*, *Atlassian*, *Dropbox*, *Google Drive*), turning a single compromised identity into broad cloud data access. Separately, **Bumble** reported a phishing-driven compromise of a **contractor account**, after which ShinyHunters allegedly claimed theft of ~**30 GB** of data—reported as largely internal files sourced from **Google Drive** and **Slack**—while Bumble stated there was no evidence of exposure of user chats or profiles. Reporting also tied ShinyHunters to other claimed or alleged thefts affecting consumer and enterprise brands (including Match Group properties such as *Hinge*, *Match*, and *OkCupid*), consistent with the broader pattern of leveraging compromised identities and SaaS access paths for data exfiltration and extortion leverage.
1 months ago
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access
Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran’s internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.
1 months ago
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
1 months ago