Article Details
Scrape Timestamp (UTC): 2026-01-26 22:36:55.079
Source: https://www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/
Original Article Text
Canva among ~100 targets of ShinyHunters Okta identity-theft campaign
Atlassian, RingCentral, ZoomInfo also among tech targets
ShinyHunters has targeted around 100 organizations in its latest Okta single sign-on (SSO) credential stealing campaign, according to researchers and the criminal group itself.
In a Monday report, Silent Push researchers said the identity-theft operation set its sights on more than 100 Okta SSO accounts across "high-value enterprises." The cyber threat hunters also listed all of the companies across which they have "detected active targeting or infrastructure preparation directed at your domain" in the last 30 days.
We are not going to list all of the names - head over to the Silent Push blog to check out the organizations, which span multiple industries - but the technology and software firms include Atlassian, AppLovin, Canva, Epic Games, Genesys, HubSpot, Iron Mountain, RingCentral, and ZoomInfo.
To be clear: this doesn't mean any of these companies have been breached.
"We have no intel to share on any specific attacks and are unable to confirm if any have been successful," Silent Push senior threat researcher Zach Edwards told The Register. "We do believe the orgs we've listed on our public blog have been targeted."
ShinyHunters would not confirm how many companies it has breached using their Okta SSO credentials, nor say how many have been targeted in the campaign, but did tell The Register that 100 was "close."
Google's Mandiant team also confirmed on Monday that it's "tracking a new, ongoing ShinyHunters-branded campaign." It uses "evolved" voice-phishing techniques to "compromise SSO credentials from victim organizations, and enroll threat actor controlled devices into victim MFA solutions," Mandiant Consulting CTO Charles Carmakal told The Register.
"This is an active and ongoing campaign. After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data," he continued. "An actor that identifies as ShinyHunters has approached some of the victim organizations with an extortion demand."
Carmakal added that while these identity attacks are not caused by a security flaw in the products or infrastructure, Mandiant "strongly" recommends organizations use phishing-resistant multi-factor authentication (MFA), such as FIDO2 security keys (like YubiKeys) or passkeys.
"These protections are resistant to social engineering attacks in ways that push-based or SMS authentication are not," he said. "Administrators should also implement strict app authorization policies and monitor logs for anomalous API activity or unauthorized device enrollments."
This latest ShinyHunters campaign came to light last week after Okta issued an alert about criminals voice-phishing for SSO credentials and using those to target organizations' accounts. Okta declined to comment beyond its Thursday blog.
On Friday, ShinyHunters told The Register that it was behind the campaign, and said it had gained access to Crunchbase and Betterment by voice-phishing their Okta single sign-on codes. The criminals also leaked what they claimed to be more than 20 million records belonging to Betterment and 2 million belonging to Crunchbase.
Daily Brief Summary
ShinyHunters launched a credential-stealing campaign targeting Okta SSO accounts of approximately 100 companies, including Canva, Atlassian, and RingCentral, as reported by Silent Push researchers.
The campaign employs advanced voice-phishing techniques to compromise SSO credentials and enroll threat actor devices into victim multi-factor authentication (MFA) systems.
Mandiant confirmed the campaign's ongoing status, noting that attackers pivot into SaaS environments to exfiltrate sensitive data post-initial access.
ShinyHunters reportedly accessed Crunchbase and Betterment, leaking over 22 million records combined, though the full extent of breaches remains unconfirmed.
Organizations are advised to implement phishing-resistant MFA solutions like FIDO2 security keys to mitigate risks associated with social engineering attacks.
Monitoring for anomalous API activity and unauthorized device enrollments is recommended to detect potential breaches early.
Okta alerted companies to the threat, emphasizing the importance of robust authentication practices to protect against such identity theft campaigns.