Join RH-ISAC and Google Cloud Security for a threat briefing.

Tracking the Expansion of ShinyHunters SaaS Data Theft

Over the past several months, the threat clusters associated with the ShinyHunters brand have dramatically shifted their focus from traditional perimeter breaches to the aggressive targeting of identity providers and SaaS integrations. By leveraging sophisticated voice phishing (vishing) and victim-branded credential harvesting sites, these actors are successfully bypassing traditional multi-factor authentication (MFA) to compromise single sign-on (SSO) credentials and hijack high-value OAuth tokens.

In this briefing, Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group (GTIG), will provide a look at the evolution of these financially motivated campaigns.

This session will cover:

  • An overview of the actors behind the ShinyHunters brand, including the tactics, techniques, and procedures (TTPs) of clusters like UNC6040, UNC6661, and UNC6240.
  • The group’s shift toward the SaaS supply chain, where stolen OAuth tokens were used to exfiltrate data from Salesforce, Snowflake, and Google Workspace.
  • How the actors use vishing to masquerade as IT helpdesk staff and trick employees into authorizing malicious device enrollments or data loader connections.
  • The escalation of extortion tactics, which now include ransom demands exceeding $20 million in Bitcoin and threats of physical harassment or swatting against victim personnel.
  • Defense strategies for the retail and hospitality sectors, focusing on moving toward phishing-resistant MFA such as FIDO2 security keys and implementing strict app authorization policies.