Google warns of growing phishing threats

By Samuel Mungadze, Africa editor
Johannesburg, 07 Aug 2025
Phishing e-mails continue to be a common method of malicious attacks on organisations.

As the frequency of data breaches globally rises, Google issued a warning this week that threat actors using the 'ShinyHunters' brand may be preparing to ramp up their extortion efforts.

This comes after the business disclosed attacks on Salesforce CRM platforms in June by the threat organisation ShinyHunters, also known as UNC6040.

UNC6040 (ShinyHunters) is a financially driven threat group that specialises in voice phishing tactics.

In a blog post, Google Threat Intelligence Group (GTIG) stated that Google responded to the incident, conducted an impact analysis and initiated mitigation efforts.

It went on to say that the affected Salesforce instance was used to store contact information and notes for small and medium-sized businesses.

GTIG analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off.

It went on to add that the data obtained by the threat actor was limited to basic and widely available business information, such as company names and contact information.

GTIG said it tracks the extortion activities following UNC6040 intrusions, sometimes several months after the initial data theft.

It elaborated: “The extortion involves calls or emails to employees of the victim organisation demanding payment in bitcoin within 72 hours. During these communications, UNC6240 has consistently claimed to be the threat group ShinyHunters.

“In addition, we believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS). These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches. We continue to monitor this actor and will provide updates as appropriate.”

GTIG further cautioned that it has observed an evolution in UNC6040's TTPs.

GTIG added: “While the group initially relied on the Salesforce Dataloader application, they have since shifted to using custom applications. These custom applications are typically Python scripts that perform a similar function to the Dataloader app.

“The updated attack chain involves a voice call to enrol a victim, which the threat actor initiates while using Mullvad VPN IPs or TOR. Following this initial engagement, the data collection is automated and through TOR IPs, a change that further complicates attribution and tracking efforts.

“GTIG observed that the threat actor shifted from creating Salesforce trial accounts using webmail emails to using compromised accounts from unrelated organisations to initially register their malicious applications.”

It continued: “A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal. This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce.

“During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version.

“This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.”

According to GTIG, this way of abusing Data Loader functionality through malicious connected apps is consistent with recent discoveries outlined by Salesforce in their guidance on protecting Salesforce systems from such attacks.
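The attack chain GTIG describes leaves a recognisable trail in an org's audit data: a connected app approved under a name that imitates Data Loader, followed by bulk queries from anonymising network ranges. The following script is an added example, not code from the ITWeb article, Google or Salesforce, showing how a defender might triage such records. The CSV column layout, the app allow-list, the 198.51.100.0/24 "anonymiser" range and the 10,000-row threshold are all constructed assumptions for the demonstration and do not reflect Salesforce's real event schema.

```python
"""Triage Salesforce-style audit records for the connected-app abuse pattern described by GTIG."""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO
from ipaddress import ip_address, ip_network

# Assumption: the organisation's vetted list of connected apps (example names only).
APPROVED_CONNECTED_APPS = {"Data Loader", "Salesforce CLI"}
# Constructed stand-in for a feed of anonymising egress ranges (Tor exits, commercial VPNs).
ANONYMISER_RANGES = [ip_network("198.51.100.0/24")]
# Rows exported by one (user, app) pair before the export is treated as bulk exfiltration.
EXPORT_ROW_THRESHOLD = 10_000


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    app_name: str
    action: str  # "app_authorized" or "bulk_query" (constructed vocabulary)
    source_ip: str
    rows: int


# Constructed sample records; the column layout is an assumption, not Salesforce's schema.
SAMPLE_CSV = """\
timestamp,user,app_name,action,source_ip,rows
2025-06-10T09:14:02Z,jdoe@example.com,Data Loader,bulk_query,203.0.113.7,1200
2025-06-10T10:02:41Z,asmith@example.com,Data Loader v2 Update,app_authorized,198.51.100.23,0
2025-06-10T10:05:10Z,asmith@example.com,Data Loader v2 Update,bulk_query,198.51.100.40,9000
2025-06-10T10:07:55Z,asmith@example.com,Data Loader v2 Update,bulk_query,198.51.100.41,6000
2025-06-10T11:30:00Z,jdoe@example.com,Salesforce CLI,bulk_query,203.0.113.7,300
"""


def parse_events(text: str) -> list[AuditEvent]:
    """Parse the constructed CSV export into typed events."""
    reader = csv.DictReader(StringIO(text))
    return [
        AuditEvent(r["timestamp"], r["user"], r["app_name"], r["action"], r["source_ip"], int(r["rows"]))
        for r in reader
    ]


def is_lookalike(app_name: str) -> bool:
    """True when a name borrows an approved app's branding but is not exactly that app."""
    lowered = app_name.lower()
    return any(approved.lower() in lowered and approved != app_name for approved in APPROVED_CONNECTED_APPS)


def from_anonymiser(ip: str) -> bool:
    """True when the source address falls inside a known anonymising range."""
    addr = ip_address(ip)
    return any(addr in net for net in ANONYMISER_RANGES)


def find_suspicious(events: list[AuditEvent]) -> list[tuple]:
    """Return (rule, user, app, detail) findings for the vishing/connected-app pattern."""
    findings = []
    exported = defaultdict(int)  # rows pulled per (user, app) across the window
    for e in events:
        if e.action == "app_authorized" and e.app_name not in APPROVED_CONNECTED_APPS:
            rule = "lookalike_connected_app" if is_lookalike(e.app_name) else "unapproved_connected_app"
            findings.append((rule, e.user, e.app_name, e.timestamp))
        if from_anonymiser(e.source_ip):
            findings.append(("anonymised_source_ip", e.user, e.app_name, e.source_ip))
        if e.action == "bulk_query":
            exported[(e.user, e.app_name)] += e.rows
    for (user, app), rows in exported.items():
        if rows > EXPORT_ROW_THRESHOLD:
            findings.append(("high_volume_export", user, app, rows))
        if app not in APPROVED_CONNECTED_APPS and rows > 0:
            findings.append(("export_via_unapproved_app", user, app, rows))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_events(SAMPLE_CSV)):
        print(finding)
```

Run stand-alone, the script reports the lookalike approval of "Data Loader v2 Update", three events from the anonymising range, and a 15,000-row export by an unapproved app; the two jdoe@example.com exports through approved apps from a corporate address produce nothing. The lookalike check is deliberately simple (substring match against the allow-list) because GTIG's description hinges on branding that differs from the legitimate app; a production rule would also correlate the approval time with help-desk or call records.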

It added: “In some instances, extortion activities haven't been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data.

“During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims.”

Copyright @ 1996 - 2025 ITWeb Limited. All rights reserved.