How ShinyHunters Hackers Exploit SSO to Steal Cloud Data

Summary
– Attackers use voice phishing (vishing) to impersonate IT staff, directing victims to fake company login portals that steal SSO credentials and MFA codes in real time.
– Once inside, they use the compromised SSO dashboard as a springboard to access and steal data from multiple SaaS applications like Salesforce, Microsoft 365, and DocuSign.
– The activity is linked to threat clusters UNC6661 and UNC6671, with extortion handled by the ShinyHunters group (UNC6240), which leaks stolen data.
– Attackers employ tactics like enrolling their own MFA devices and using tools like “ToogleBox Recall” to delete security notification emails and hide their activity.
– Defenders can detect these attacks by monitoring for rapid data exfiltration after SSO compromise, unexpected OAuth authorizations, and the deletion of MFA-related emails.
A recent surge in data theft attacks attributed to the ShinyHunters group leverages sophisticated voice phishing schemes to hijack employee credentials and bypass multi-factor authentication. Security researchers at Mandiant detail how these threat actors impersonate IT support staff, convincing targets to visit fraudulent login pages that mimic legitimate company portals. This method allows attackers to steal single sign-on credentials and real-time MFA codes, providing a direct pathway into a company’s entire cloud ecosystem.
During these vishing calls, employees are told their multi-factor authentication settings require an update. The caller directs them to a phishing website that closely resembles their organization’s actual SSO login page. Advanced phishing kits relay whatever the victim types to the real identity provider and present matching interactive dialogs while the attacker remains on the line. In real time, the threat actor submits the stolen credentials, triggers the legitimate MFA challenge, and coaches the employee on how to respond, whether by approving a push notification or reading out a one-time passcode. Both factor types are relayable in this way; only origin-bound factors such as FIDO2/WebAuthn resist it, because the browser will not release a credential to a domain other than the one it was registered for. Once the challenge succeeds the attacker holds an authenticated session and uses it to enroll their own device for future access.
Once inside, the compromised account provides a centralized view of every SaaS application the user is entitled to, through identity-provider dashboards such as Okta, Microsoft Entra ID, or Google Workspace. This SSO dashboard becomes a powerful springboard, granting access to a wide array of services including Salesforce, Microsoft 365, SharePoint, DocuSign, Slack, and cloud storage platforms. For groups focused on data theft and extortion, this single point of failure unlocks vast amounts of sensitive corporate data without any further exploitation.
Mandiant tracks this activity across several threat clusters, including UNC6661 and UNC6671, with extortion demands linked to ShinyHunters (UNC6240). After gaining access, attackers act opportunistically, exfiltrating data from whatever cloud applications are available through the compromised session. Forensic logs reveal telltale signs, such as file downloads from SharePoint showing a PowerShell User-Agent, or bulk document downloads from DocuSign tied to known malicious IP addresses.
In one notable incident involving an Okta customer, attackers used a legitimate add-on to cover their tracks. They authorized a Google Workspace Marketplace add-on called “ToogleBox Recall,” designed to search for and permanently delete emails, against the victim’s mailbox. The threat actors used it to remove the “Security method enrolled” notification that Okta sends when a new factor is registered, preventing the employee from discovering that an attacker-controlled MFA device had been added to their account.
The phishing domains employed in these campaigns follow predictable naming conventions designed to impersonate corporate resources. Common patterns include variations like `
To defend against these intrusions, Mandiant recommends that organizations prioritize detecting specific behavioral patterns. Key indicators include SSO account compromise followed by rapid data exfiltration from SaaS platforms, the use of PowerShell to access SharePoint or OneDrive, unexpected OAuth authorizations for tools like ToogleBox Recall in Google Workspace, and the deletion of MFA modification notification emails.
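The behavioral indicators above (and the PowerShell User-Agent and bulk-download artifacts mentioned earlier) are most useful when correlated per user around the SSO login that starts the chain rather than alerted on individually. The following is an added example written for this page; it is not Mandiant’s published rule set and not code from BleepingComputer. The event records are a constructed, simplified normalization of Okta System Log, Microsoft 365 unified audit, and Google Workspace token and Gmail audit entries: the `source`, `action`, `user_agent`, `app`, `subject` and `count` field names, the two-hour window and the bulk-download threshold are all assumptions to be mapped onto a real SIEM schema.

```python
"""Correlate post-vishing SSO-compromise indicators per user.

Added example, not Mandiant's or BleepingComputer's code. Event shapes are a
constructed normalisation of Okta / M365 / Google Workspace audit records;
field names, window and thresholds are assumptions, not vendor schemas.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # assumed look-back from the SSO login
BULK_THRESHOLD = 50           # assumed; tune to the tenant's baseline


def classify(ev):
    """Map one normalised event to an indicator name, or None if benign."""
    src, action = ev["source"], ev["action"]
    if src == "okta" and action == "user.mfa.factor.activate":
        return "mfa_enrolled"            # new factor registered to the account
    if src == "m365" and action == "FileDownloaded":
        if "powershell" in ev.get("user_agent", "").lower():
            return "powershell_ua"       # scripted SharePoint/OneDrive pull
        if ev.get("count", 1) >= BULK_THRESHOLD:
            return "bulk_download"       # large batch of documents
    if src == "gws" and action == "authorize" and "recall" in ev.get("app", "").lower():
        return "oauth_recall"            # mail-deletion add-on granted access
    if src == "gmail" and action == "delete" \
            and "security method enrolled" in ev.get("subject", "").lower():
        return "mfa_mail_deleted"        # Okta enrollment notice removed
    return None


def is_login(ev):
    return ev["source"] == "okta" and ev["action"] == "user.session.start"


def correlate(events, window=WINDOW, min_hits=2):
    """Return {user: sorted indicators} for users whose SSO login is followed
    within `window` by at least `min_hits` distinct indicators."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if not is_login(ev):
                continue
            start = datetime.fromisoformat(ev["ts"])
            hits = set()
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - start > window:
                    break
                ind = classify(later)
                if ind:
                    hits.add(ind)
            if len(hits) >= min_hits:
                alerts[user] = sorted(hits)
                break
    return alerts


# Constructed sample telemetry (not real logs): one compromised user, two benign.
SAMPLE_EVENTS = [
    {"ts": "2025-01-14T09:02:10", "user": "jdoe", "source": "okta",
     "action": "user.session.start", "ip": "203.0.113.7"},
    {"ts": "2025-01-14T09:04:45", "user": "jdoe", "source": "okta",
     "action": "user.mfa.factor.activate"},
    {"ts": "2025-01-14T09:05:30", "user": "jdoe", "source": "gws",
     "action": "authorize", "app": "ToogleBox Recall"},
    {"ts": "2025-01-14T09:06:02", "user": "jdoe", "source": "gmail",
     "action": "delete", "subject": "Security method enrolled"},
    {"ts": "2025-01-14T09:40:00", "user": "jdoe", "source": "m365",
     "action": "FileDownloaded", "count": 340,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1"},
    # asmith: normal login and a small browser download -> no alert
    {"ts": "2025-01-14T09:10:00", "user": "asmith", "source": "okta",
     "action": "user.session.start", "ip": "198.51.100.20"},
    {"ts": "2025-01-14T09:15:00", "user": "asmith", "source": "m365",
     "action": "FileDownloaded", "count": 3,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"},
    # bwong: legitimately enrolled a new phone, nothing else -> below threshold
    {"ts": "2025-01-14T10:00:00", "user": "bwong", "source": "okta",
     "action": "user.session.start", "ip": "198.51.100.21"},
    {"ts": "2025-01-14T10:01:00", "user": "bwong", "source": "okta",
     "action": "user.mfa.factor.activate"},
]

if __name__ == "__main__":
    for user, hits in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {', '.join(hits)}")
```

Requiring two distinct indicators inside the window keeps a single legitimate phone re-enrollment (bwong) from paging anyone, while the compromised user trips four. In production the login condition should also require a new IP, ASN or device fingerprint for that user, and the thresholds should come from the tenant’s own baseline rather than the constants above.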
Security teams are advised to harden identity workflows, especially around authentication resets, ensure they are collecting the right telemetry, and implement detections aimed at identifying post-phishing behavior before significant data theft can occur. Mandiant has released detailed guidance and specific detection rules for platforms like Google SecOps to help organizations bolster their defenses against these evolving vishing and data extortion campaigns.
(Source: Bleeping Computer)