
"Google-owned Mandiant on Friday said it identified an 'expansion in threat activity' that uses tradecraft consistent with extortion-themed attacks orchestrated by a financially motivated hacking group known as ShinyHunters. The attacks leverage advanced voice phishing (aka vishing) and bogus credential harvesting sites mimicking targeted companies to gain unauthorized access to victim environments by collecting sign-on (SSO) credentials and multi-factor authentication (MFA) codes. The end goal of the attacks is to target cloud-based software-as-a-service (SaaS) applications to siphon sensitive data and internal communications and extort victims."
"UNC6661 has been observed pretending to be IT staff in calls to employees at targeted victim organizations, directing them to credential harvesting links under the guise of instructing them to update their multi-factor authentication (MFA) settings. The activity was recorded between early and mid-January 2026. The stolen credentials are then used to register their own device for MFA and then move laterally across the network to exfiltrate data from SaaS platforms."
Mandiant identified an expansion in threat activity using tradecraft consistent with ShinyHunters-branded extortion. Attackers use advanced voice phishing (vishing) and fraudulent credential harvesting sites that mimic targeted companies to collect single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. The stolen credentials are used to register attacker-controlled MFA devices, which then enable lateral movement into cloud-based SaaS environments to siphon sensitive data and internal communications. Mandiant tracks the activity as several clusters, including UNC6661, UNC6671 and UNC6240, to account for evolving tactics and possible mimicry by other actors. The actors have broadened the range of targeted cloud platforms and escalated their extortion tactics, including harassment of victim personnel.
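The pivot described above (a phished SSO session immediately followed by enrolment of an attacker-controlled MFA device) leaves a correlatable trace in identity-provider logs. The following Python check is an added example, not code from Mandiant or The Hacker News; it runs over constructed, vendor-neutral sign-in and MFA-registration events and flags registrations made from an IP outside the user's baseline or from an IP that differs from the sign-in that preceded them.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, vendor-neutral shape (not real logs).
EVENTS = [
    {"ts": "2026-01-12T09:02:00", "user": "alice", "type": "signin", "ip": "203.0.113.10"},
    {"ts": "2026-01-12T09:04:00", "user": "alice", "type": "mfa_register",
     "ip": "198.51.100.7", "method": "authenticator_app"},
    {"ts": "2026-01-12T10:15:00", "user": "bob", "type": "signin", "ip": "203.0.113.22"},
    {"ts": "2026-01-12T14:00:00", "user": "bob", "type": "mfa_register",
     "ip": "203.0.113.22", "method": "phone"},
]
# Constructed per-user IP baseline (e.g. IPs seen over the prior 30 days).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}}
WINDOW = timedelta(minutes=30)  # assumed correlation window sign-in -> MFA registration


def flag_mfa_registrations(events, known_ips, window=WINDOW):
    """Return alerts for MFA device registrations that look attacker-driven."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "mfa_register":
                continue
            reg_ts = datetime.fromisoformat(ev["ts"])
            reasons = []
            # A new factor enrolled from an address the user has never used before.
            if ev["ip"] not in known_ips.get(user, set()):
                reasons.append("registration from IP outside user baseline")
            # Most recent interactive sign-in shortly before the registration:
            # a phished session replayed from attacker infrastructure will
            # typically show a different source than the victim's sign-in.
            prior = [p for p in evs[:i] if p["type"] == "signin"
                     and reg_ts - datetime.fromisoformat(p["ts"]) <= window]
            if prior and prior[-1]["ip"] != ev["ip"]:
                reasons.append("registration IP differs from preceding sign-in IP")
            if reasons:
                alerts.append({"user": user, "ts": ev["ts"],
                               "method": ev["method"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_mfa_registrations(EVENTS, KNOWN_IPS):
        print(alert)
```

On the constructed input, alice's registration is flagged on both counts while bob's routine enrolment from a known address is not.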
Read at The Hacker News