Mandiant details how ShinyHunters abuse SSO to steal cloud data

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/

ONE SENTENCE SUMMARY:

Mandiant reports that ShinyHunters uses advanced phishing and vishing tactics to steal SSO credentials, leading to widespread data theft.

MAIN POINTS:

  1. ShinyHunters employs voice phishing to impersonate IT staff and target MFA details.
  2. Phishing sites mimic company login portals to steal credentials and MFA codes.
  3. Attackers use advanced kits to interact with victims, guiding them through MFA challenges.
  4. Access to SSO dashboards allows exploitation of multiple SaaS services.
  5. ShinyHunters and affiliates confirmed involvement and launched a data-leak site.
  6. Mandiant tracks the activity as clusters UNC6661, UNC6671, and UNC6240, highlighting attack patterns.
  7. Phishing domains impersonate corporate identities, supporting data theft and extortion.
  8. Threat actors use compromised SSO sessions to steal sensitive cloud data.
  9. Mandiant shares behavior detection tips and hardening recommendations for organizations.
  10. The report emphasizes emerging security trends and priorities for leaders into 2026.

TAKEAWAYS:

  1. Vishing and phishing remain critical threat vectors for stealing credentials.
  2. Centralized SSO access is a significant risk for data exploitation.
  3. Organizations must strengthen MFA and monitor for unusual account activities.
  4. Collaborative efforts are necessary to counteract sophisticated phishing attacks.
  5. Security hardening and logging practices are essential for proactive defense.