Live Cybersecurity News Ticker | Codekeeper

ShinyHunters Cybercriminals Expand Cloud-Targeting Extortion Operations

Written by Content Team | Feb 2, 2026 12:19:07 PM

The ShinyHunters threat group has ramped up sophisticated extortion attacks targeting cloud-based systems across multiple organizations. Google Cloud analysts discovered that the criminals place voice phishing calls, pretending to be IT staff, to trick employees into visiting fake login websites that steal credentials and multi-factor authentication codes.

Once inside company systems, attackers access platforms like SharePoint, Salesforce, and Slack to steal confidential documents. They specifically search for files containing terms like "confidential" and "internal." The group then demands Bitcoin payments within 72 hours, providing stolen data samples as proof.

Google tracks this activity under three threat clusters: UNC6661, UNC6671, and UNC6240. Security experts recommend phishing-resistant authentication like FIDO2 security keys to prevent these social engineering attacks.

Source: Cybersecurity News