As the COVID-19 pandemic swept the world in 2020 and upended the way businesses operated, another threat was emerging: the ShinyHunters group, which has been both a nuisance and a danger to security teams as the cybercriminal group tries to amass legitimate credentials, primarily for organizations’ cloud services.
But if enterprise companies can detect the group’s activities, they “can stop ransomware attacks before they are ever launched,” researchers at Intel 471 wrote in a blog post, detailing the likely courses of action ShinyHunters could take and how that might help companies get ahead of the group.
While not as well known as other ransomware groups, ShinyHunters burst onto the scene a little more than a year ago and gained some prominence with breaches of Microsoft’s GitHub account and Bonobos, a men’s retailer, as well as an attack on Pixlr, a photo editing app.
Once the group obtains credentials, it mines company databases for PII that it then sells online. The group has been collecting enterprise data like gamers collect Pokémon, the researchers pointed out, adding that the group famously claimed to have 70 million records, complete with personally identifiable information (PII), swiped from AT&T.
In February, the hacking group began flooding the Dark0de market with the personal data of millions of people. The volume of records quickly caught the attention of security pros. In addition to information on 400 million Facebook users and a database of Instagram users, the information included data on 300 million users – including Social Security numbers for 40 million – from lead generation company Astoria Company LLC, whose network of websites gathers information on consumers seeking services like discounted car loans, medical insurance and payday loans.
Intel 471 researchers estimate that ShinyHunters has racked up tens of millions of dollars in damages against the companies it has successfully targeted.
“Intel 471 has also observed ShinyHunters targeting DevOps personnel or GitHub repository companies in order to steal valid OAuth credentials,” the researchers wrote. “These OAuth keys are used to access cloud infrastructure and bypass any two-factor authentication processes that are in place.”
Because the group searches “a company’s GitHub repository source code for vulnerabilities within the code itself,” Intel 471 said, it uses those flaws “in further, more complex, third-party or supply chain attacks.” The group’s machinations underscore the kind of supply chain risk that proliferates from third-party breaches, the kind that keeps security practitioners up at night.
Most Likely Courses of Action
Intel 471 breaks down the different courses of action (CoAs) ShinyHunters actors could take based on the tactics, techniques and procedures (TTPs) they use. Organizations might find these most likely courses of action (MLCoA) particularly useful in helping to identify and anticipate the most dangerous courses of action (MDCoA). For instance, in the reconnaissance phase, identifying organizations using Microsoft 365 and scouting out valid accounts might be most likely, while identifying third-party companies that store OAuth tokens is considered a most dangerous course of action.
Similarly, using stolen accounts to log into cloud services is a most likely course of action, but hacking third parties to steal OAuth tokens, then leveraging them to bypass 2FA and get into cloud services, is among the most dangerous.
“Intel 471 has also observed the group follow TTPs in the MDCoA column, but then leveraging the credentials in secondary or tertiary attacks,” the researchers wrote.