Mandiant warns that ShinyHunters-branded extortion campaigns are expanding, using vishing and victim-branded credential-harvesting phishing kits to compromise SSO and enroll unauthorized devices into MFA for cloud SaaS environments. The group has registered fake domains targeting over 100 organizations across multiple sectors, prompting urgent guidance to revoke session tokens, disable compromised accounts, restrict IdP and SaaS access, and enforce high-assurance verification during containment. #ShinyHunters #Mandiant
Key points
- ShinyHunters registers fake domains and uses specialized phishing kits to harvest credentials.
- Actors employ vishing to bypass SSO protections and enroll unauthorized devices into MFA.
- Mandiant advises rapid containment by revoking session tokens and disabling compromised accounts.
- Organizations should restrict access to IdPs, SaaS apps, and VPNs, and disable public self-service password resets.
- Use high-assurance verification methods and educate users to recognize vishing and phishing attempts.
Read More: https://www.securityweek.com/shinyhunters-branded-extortion-activity-expands-escalates/