ShinyHunters: Phishing Attacks on SSO Accounts | Data Theft & Extortion (2026)

A group of cybercriminals, known as ShinyHunters, has boldly claimed responsibility for a series of sophisticated phishing attacks targeting Single Sign-On (SSO) accounts. These attacks have the potential to unlock a treasure trove of corporate data, leaving businesses vulnerable to extortion and data breaches.

ShinyHunters, a notorious gang in the cybercrime world, has admitted to orchestrating these attacks, which exploit a critical weakness in the way many companies manage their online services and employee access.

In these attacks, threat actors cleverly impersonate IT support staff, calling employees and tricking them into revealing their login credentials and multi-factor authentication (MFA) codes. By luring employees into phishing sites that mimic company login portals, the attackers gain access to the victims' SSO accounts, which can open doors to a wide range of connected enterprise applications and services.

SSO services, provided by companies like Okta, Microsoft, and Google, are designed to simplify access for employees by linking multiple third-party applications into a single authentication flow. However, this convenience can also be a double-edged sword, as a compromised SSO account can serve as a master key to unlock access to various corporate systems and sensitive data.

The list of platforms commonly connected through SSO reads like a who's who of enterprise software: Salesforce, Microsoft 365, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, Atlassian, and many more. With access to just one of these accounts, attackers can potentially access a wealth of company data.

As reported by BleepingComputer, these attacks, known as vishing (voice phishing), have been carried out by threat actors posing as IT staff, using social engineering tactics to convince employees to log into phishing pages and complete real-time MFA challenges.

Once inside a victim's SSO account, the attackers can browse the list of connected applications and begin harvesting data from the platforms available to that user. This is where the real damage can occur, as the attackers can potentially access and steal sensitive company information.
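A defender-side sketch of the pattern described above, as an added example that is not from the article or from any vendor: it flags a sign-in from an IP address not previously seen for the user when that sign-in is followed by launches of many distinct connected applications within a short window. The event schema, thresholds, and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-ahead after a sign-in
MIN_APPS = 4                    # assumed fan-out threshold

# Constructed sample events in a hypothetical schema (not any vendor's log format):
# (timestamp, user, event type, source IP, application)
EVENTS = [
    ("2026-01-20T09:00:00", "alice", "auth", "198.51.100.7", None),
    ("2026-01-20T09:05:00", "alice", "app_launch", "198.51.100.7", "Slack"),
    ("2026-01-20T09:06:00", "alice", "app_launch", "198.51.100.7", "Salesforce"),
    ("2026-01-20T18:00:00", "alice", "auth", "192.0.2.44", None),  # new IP, one app
    ("2026-01-20T18:01:00", "alice", "app_launch", "192.0.2.44", "Slack"),
    ("2026-01-21T14:02:00", "bob", "auth", "203.0.113.50", None),  # new IP, fan-out
    ("2026-01-21T14:03:00", "bob", "app_launch", "203.0.113.50", "Salesforce"),
    ("2026-01-21T14:04:00", "bob", "app_launch", "203.0.113.50", "Microsoft 365"),
    ("2026-01-21T14:06:00", "bob", "app_launch", "203.0.113.50", "Slack"),
    ("2026-01-21T14:08:00", "bob", "app_launch", "203.0.113.50", "Zendesk"),
    ("2026-01-21T14:11:00", "bob", "app_launch", "203.0.113.50", "Dropbox"),
]
# Constructed baseline of source IPs already associated with each user.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.9"}}


def find_fanout(events, known_ips, window=WINDOW, min_apps=MIN_APPS):
    """Flag sign-ins from an unfamiliar IP followed by many distinct app launches."""
    by_user = defaultdict(list)
    for ts, user, kind, ip, app in events:
        by_user[user].append((datetime.fromisoformat(ts), kind, ip, app))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])  # order each user's events by time
        for i, (t0, kind, ip, _) in enumerate(rows):
            if kind != "auth" or ip in known_ips.get(user, set()):
                continue  # only sign-ins from IPs outside the user's baseline
            # Distinct apps opened from the same IP inside the window.
            apps = {a for t, k, src, a in rows[i + 1:]
                    if k == "app_launch" and src == ip and t - t0 <= window}
            if len(apps) >= min_apps:
                alerts.append({"user": user, "ip": ip,
                               "signin": t0.isoformat(), "apps": sorted(apps)})
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(EVENTS, KNOWN_IPS):
        print(alert)
```
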

BleepingComputer has confirmed that multiple companies targeted in these attacks have received extortion demands signed by ShinyHunters, indicating their involvement in the intrusions.

Okta, one of the targeted SSO service providers, initially declined to comment on the data theft attacks. However, they later released a report describing the phishing kits used in these voice-based attacks, which align with BleepingComputer's findings.

According to Okta, the phishing kits include a dynamic web-based control panel that allows attackers to manipulate what a victim sees on a phishing site in real-time while speaking to them on the phone. This enables threat actors to guide victims through the entire login and MFA authentication process, step by step.

ShinyHunters has confirmed to BleepingComputer that they are behind some of these social engineering attacks. They claim that Salesforce remains their primary target and that they are also targeting Microsoft Entra and Google SSO platforms.

Microsoft has not provided any comment, while Google has stated that they have no evidence their products are being abused in this campaign.

ShinyHunters claims to be using data stolen in previous breaches, such as the widespread Salesforce data theft attacks, to identify and contact employees. This data includes phone numbers, job titles, names, and other details, making their social engineering calls even more convincing.

Last night, the group relaunched their Tor data leak site, listing breaches at SoundCloud, Betterment, and Crunchbase. These companies have either confirmed or disclosed data breaches, with Crunchbase confirming today that data was indeed stolen from their corporate network.

This ongoing saga highlights the importance of robust security measures and employee awareness training to mitigate the risks of social engineering attacks. As the battle between cybercriminals and security experts rages on, the question remains: How can businesses protect themselves from these sophisticated threats?



Author: Kelle Weber
