Google-owned Mandiant on Friday mentioned it recognized an “growth in menace exercise” that makes use of tradecraft in keeping with extortion-themed assaults orchestrated by a financially motivated hacking group referred to as ShinyHunters.
The assaults leverage superior voice phishing (aka vishing) and bogus credential harvesting websites mimicking focused firms to realize unauthorized entry to sufferer environments by gathering sign-on (SSO) credentials and multi-factor authentication (MFA) codes.
The top aim of the assaults is to focus on cloud-based software-as-a-service (SaaS) purposes to siphon delicate information and inner communications and extort victims.
The tech large’s menace intelligence staff mentioned it is monitoring the exercise below a number of clusters, together with UNC6661, UNC6671, and UNC6240 (aka ShinyHunters), in order to account for the chance that these teams could possibly be evolving their modus operandi or mimicking beforehand noticed techniques.
“Whereas this system of focusing on id suppliers and SaaS platforms is in keeping with our prior observations of menace exercise previous ShinyHunters-branded extortion, the breadth of focused cloud platforms continues to broaden as these menace actors search extra delicate information for extortion,” Mandiant famous.
“Additional, they look like escalating their extortion techniques with latest incidents, together with harassment of sufferer personnel, amongst different techniques.”
Particulars of the vishing and credential theft exercise are as follows –
- UNC6661 has been noticed pretending to be IT workers in calls to workers at focused sufferer organizations, directing them to credential harvesting hyperlinks below the guise of instructing them to replace their multi-factor authentication (MFA) settings. The exercise was recorded between early and mid-January 2026.
- The stolen credentials are then used to register their very own machine for MFA after which transfer laterally throughout the community to exfiltrate information from SaaS platforms. In a minimum of one case, the menace actor weaponized their entry to compromised electronic mail accounts to ship extra phishing emails to contacts at cryptocurrency-focused firms. The emails had been subsequently deleted to cowl up the tracks. That is adopted by extortion exercise carried out by UNC6240.
- UNC6671 has additionally been recognized as impersonating IT workers to deceive victims as a part of efforts to acquire their credentials and MFA authentication codes on victim-branded credential harvesting websites since early January 2026. In a minimum of some cases, the menace actors gained entry to Okta buyer accounts. UNC6671 has additionally leveraged PowerShell to obtain delicate information from SharePoint and OneDrive.
- The variations between UNC6661 and UNC6671 relate to the usage of completely different area registrars for registering the credential harvesting domains (NICENIC for UNC6661 and Tucows for UNC6671), in addition to the truth that an extortion electronic mail despatched following UNC6671 exercise didn’t overlap with recognized UNC6240 indicators.
- This means that completely different units of individuals could also be concerned, illustrating the amorphous nature of those cybercrime teams. What’s extra, the focusing on of cryptocurrency companies means that the menace actors may be seeking to discover additional avenues for monetary acquire.
To counter the menace posed to SaaS platforms, Google has outlined a protracted checklist of hardening, logging, and detection suggestions –
- Enhance assist desk processes, together with requiring personnel to require a stay video name to confirm their id
- Restrict entry to trusted egress factors and bodily areas; implement robust passwords; and take away SMS, cellphone name, and electronic mail as authentication strategies
- Limit management-plane entry, audit for uncovered secrets and techniques and implement machine entry controls
- Implement logging to extend visibility into id actions, authorizations, and SaaS export behaviors
- Detect MFA machine enrollment and MFA life cycle adjustments; search for OAuth/app authorization occasions that recommend mailbox manipulation exercise utilizing utilities like ToogleBox E mail Recall, or id occasions occurring outdoors regular enterprise hours
“This exercise will not be the results of a safety vulnerability in distributors’ merchandise or infrastructure,” Google mentioned. “As a substitute, it continues to focus on the effectiveness of social engineering and underscores the significance of organizations transferring in the direction of phishing-resistant MFA the place potential. Strategies equivalent to FIDO2 safety keys or passkeys are immune to social engineering in ways in which push-based, or SMS authentication usually are not.”
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the newest breakthroughs, get unique updates, and join with a worldwide community of future-focused thinkers.
Unlock tomorrow’s traits at present: learn extra, subscribe to our e-newsletter, and turn into a part of the NextTech neighborhood at NextTech-news.com
