Dark Web Profile: ShinyHunters – SOCRadar® Cyber Intelligence Inc.

Keypoints

  • ShinyHunters is an international threat group infamous for large-scale data breaches and for owning BreachForums.
  • They publicly claimed breaches involving Tokopedia, Microsoft GitHub, Wattpad, Pixlr, Pizza Hut Australia, AT&T, and more, with datasets ranging from millions to hundreds of millions of records.
  • The group uses diverse techniques: scanning GitHub repos for weaknesses, exploiting unsecured cloud storage, siphoning credentials and API keys, and phishing to harvest user data.
  • Dark web activity includes selling or trading stolen data on platforms such as Empire, Exploit, and RaidForums, and later reviving BreachForums V2 under their influence.
  • One of their operatives, Sezyo Kaizen (Sebastien Raoult), was sentenced to three years in prison with $5 million restitution for phishing and credential harvesting actions.
  • SOCRadar promotes defensive capabilities (CSM, threat hunting, breach datasets, account breach checks) to help detect and respond to ShinyHunters-style threats.

MITRE Techniques

  • [T1589.001] Gather Victim Identity Information: Credentials/Email Addresses, Phishing for Information – Engaging in reconnaissance to gather information about targets’ systems, networks, or credentials.
  • [T1566] Phishing, [T1078.002, T1078.004] Valid Accounts: Domain Accounts/Cloud Accounts – Using phishing and valid accounts to gain initial access or escalate privileges within networks or cloud environments.
  • [T1528] Steal Application Access Tokens – Stealing application access tokens to access cloud services and bypass authentication mechanisms.
  • [T1580] Cloud Infrastructure Discovery – Performing discovery activities targeted at.
  • [T1210, T1072] Exploitation of Remote Services, Software Deployment Tools – Exploiting vulnerabilities in remote services or misusing software deployment tools for lateral movement.
  • [T1530, T1213] Data from Cloud Storage Object, Data from Information Repositories – Collecting data from cloud storage and information repositories, including codebases and databases.
  • [T1567] Exfiltration Over Web Service – Exfiltrating stolen data using web services as a covert channel to bypass network monitoring.
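The keypoints and the T1528/T1213 entries above describe credentials and API keys being siphoned from code repositories. As an added illustration of the defensive counterpart (example code written for this page, not SOCRadar's or any project's tooling), the scanner below flags committed credentials so they can be caught in CI or a pre-commit hook before a repository is exposed. The AWS and GitHub token prefixes are their publicly documented formats; the sample settings file, its values and the 3.5-bit entropy threshold are assumptions made for the example.

```python
import math
import re

# Rules for credential material that should never be committed. The AWS and
# GitHub token formats are publicly documented; the generic rule catches
# key/value assignments such as api_key = "..." regardless of provider.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "generic_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character; random secrets score well above words and placeholders."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def mask(secret):
    """Keep the first four characters so a finding can be logged without leaking it."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_text(path, text, entropy_floor=3.5):
    """Return (path, line_no, rule, masked_value) per suspected secret. Generic
    assignments count only when the value is high-entropy, which drops placeholders
    like "changeme"; a value matched by two rules on one line is reported once."""
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if rule == "generic_secret" else m.group(0)
                if rule == "generic_secret" and shannon_entropy(value) < entropy_floor:
                    continue
                if (line_no, value) not in seen:
                    seen.add((line_no, value))
                    findings.append((path, line_no, rule, mask(value)))
    return findings

# Constructed sample of a settings file pushed to a repository by mistake;
# every value below is made up for this example.
SAMPLE_CONFIG = """\
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE012345678"
api_key = "changeme_changeme"
GITHUB_TOKEN = "ghp_0123456789abcdefABCDEF0123456789abcd"
password: "q7Gv2kLp9mXzR4tW8nBc"
"""

if __name__ == "__main__":
    for finding in scan_text("settings.py", SAMPLE_CONFIG):
        print(finding)
```

Running it reports the AWS key, the GitHub token and the high-entropy password while ignoring the placeholder, and only masked values ever reach the log.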

Indicators of Compromise

  • [Domain] Platforms used for sale/distribution on the dark web – Empire, Exploit, RaidForums
  • [File Hash] Password hashes and related data types – SHA2-384, bcrypt
  • [Email Address] Compromised identifiers – 71 million unique email addresses (Tokopedia data)
  • [PII] Personal data exposed – SSN, DOB in AT&T dataset; names, phone numbers, emails, and other data in Wattpad breach

Read more: https://socradar.io/dark-web-profile-shinyhunters/