Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS
Mandiant

Introduction

Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion. As detailed in our companion report, ‘Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft’, these campaigns use evolved voice phishing (vishing) and victim-branded credential harvesting pages to compromise single sign-on (SSO) credentials and then enroll attacker-controlled devices into the victim's multi-factor authentication (MFA) solution.

This activity is not the result of a security vulnerability in any vendor's products or infrastructure. The intrusions rely instead on social engineering to bypass identity controls, after which the actor pivots into cloud-based software-as-a-service (SaaS) environments with the compromised identity.

This post provides actionable hardening, logging, and detection recommendations to help organizations protect against these threats. Organizations responding to an active incident should focus first on rapid containment: severing the actor's access to infrastructure environments, SaaS platforms, and the specific identity stores typically used for lateral movement and persistence.
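The attack chain above has a recognisable shape in identity-provider logs: a successful SSO login from a network location the user has never used, followed minutes later by a new MFA factor being enrolled. The following is an added detection sketch, not code from the Mandiant post. It uses a generic, assumed event schema (`ts`, `user`, `event`, `ip`, with event names `sso.login.success` and `mfa.factor.enroll`) and a constructed per-user IP baseline; both must be mapped onto your identity provider's real field and event names before use.

```python
# Added example (not from the Mandiant post): flag MFA factor enrollments
# that come from, or closely follow an SSO login from, an IP outside the
# user's baseline. Schema and event names are assumed, not any vendor's.
from datetime import datetime, timedelta

# Assumed per-user baseline of IPs seen during a prior learning period.
# Constructed for the example; in practice build it from historical logins.
KNOWN_IPS = {
    "alice": {"192.0.2.10"},
    "bob": {"198.51.100.4"},
    "carol": {"192.0.2.11"},
    "dave": {"192.0.2.12"},
}

# Constructed sample events, not real logs. Deliberately out of time order
# so the detector has to sort them.
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T14:00:10Z", "user": "alice", "event": "mfa.factor.enroll", "ip": "203.0.113.7"},
    {"ts": "2024-06-03T13:58:02Z", "user": "alice", "event": "sso.login.success", "ip": "203.0.113.7"},
    {"ts": "2024-06-03T09:15:00Z", "user": "bob", "event": "sso.login.success", "ip": "198.51.100.4"},
    {"ts": "2024-06-03T09:16:30Z", "user": "bob", "event": "mfa.factor.enroll", "ip": "198.51.100.4"},
    {"ts": "2024-06-03T10:00:00Z", "user": "carol", "event": "sso.login.success", "ip": "192.0.2.11"},
    {"ts": "2024-06-03T16:45:00Z", "user": "dave", "event": "mfa.factor.enroll", "ip": "203.0.113.9"},
]

# How soon after a login an enrollment counts as "part of the same session".
ENROLL_WINDOW = timedelta(minutes=30)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample schema."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_suspicious_enrollments(events, known_ips, window=ENROLL_WINDOW):
    """Return one alert per MFA enrollment that is (a) from an IP outside the
    user's baseline and/or (b) within `window` of an SSO login from such an IP.

    Events are processed in timestamp order; the most recent successful login
    per user is remembered so an enrollment can be tied back to it.
    """
    last_login = {}  # user -> (timestamp, ip) of most recent SSO login success
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts, user = parse_ts(ev["ts"]), ev["user"]
        baseline = known_ips.get(user, set())
        if ev["event"] == "sso.login.success":
            last_login[user] = (ts, ev["ip"])
            continue
        if ev["event"] != "mfa.factor.enroll":
            continue
        reasons = []
        if ev["ip"] not in baseline:
            reasons.append("enrollment from IP outside user baseline")
        login = last_login.get(user)
        if login and ts - login[0] <= window and login[1] not in baseline:
            reasons.append(
                "enrollment within %d min of login from unseen IP" % (window.seconds // 60)
            )
        if reasons:
            alerts.append({"user": user, "ts": ev["ts"], "ip": ev["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

On the constructed sample, alice's enrollment fires on both conditions (new IP, and two minutes after a login from that same new IP), dave's fires on the IP condition alone, and bob's enrollment from his usual address is left alone. The IP baseline is a deliberately simple proxy for "known location"; a vishing victim on their normal network who is walked through enrolling the attacker's device will not trip it, so pair this with alerting on every enrollment that was not preceded by a help-desk ticket, and with pausing new MFA registrations entirely during an active incident as the post recommends.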

Article Summaries:

  • Mandiant has issued guidance on a growing wave of ShinyHunters-branded data-theft campaigns that target SaaS environments. The attacks use advanced vishing and victim-branded credential harvesting to steal single sign-on credentials and enroll unauthorized devices into multi-factor authentication (MFA) systems. No software vulnerability is involved; the threat relies on social engineering to bypass identity controls. Mandiant recommends immediate containment actions (revoking active sessions, disabling self-service password resets, pausing new MFA registrations, and restricting remote access) to cut off attacker access. For long-term defense, the firm urges a shift to phishing-resistant MFA such as FIDO2 security keys or passkeys, together with enhanced logging and detection controls.
