ShinyHunters and Scattered Spider Intensify Cyber Attacks on Salesforce

ReliaQuest has reported a resurgence in activity from the cybercriminal group ShinyHunters, which has recently launched attacks against Salesforce and targeted major organisations, including Google. The firm’s recent assessment analysed domain registration patterns and infrastructure related to ShinyHunters, suggesting a potential collaborative relationship with the threat group Scattered Spider that may have begun as early as July 2024. Following a year of relative inactivity, during which most operations subsided after the arrest of several alleged members, ShinyHunters has re-emerged, now targeting high-profile companies across various sectors, including technology, finance, and retail. Their primary method of monetisation remains the sale of stolen data on underground forums. The latest campaign is characterised by the use of phishing domains and Salesforce credential harvesting pages, indicating a more refined approach compared to previous efforts. Evidence includes the emergence of a BreachForums user under the alias “Sp1d3rhunters,” linked to both ShinyHunters and historical breaches, as well as overlapping characteristics in domain registrations.

ReliaQuest’s analysis highlights significant similarities between ShinyHunters’ recent tactics and those attributed to Scattered Spider. These similarities include the coordinated registration of phishing domains, particularly ones themed around ticketing and Salesforce, and the use of vishing and credential harvesting attacks in which the callers pose as IT support staff. Such developments have prompted speculation about collaboration or the sharing of resources and infrastructure between the two groups. This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group’s previous credential theft and database exploitation. The campaigns have incorporated hallmark Scattered Spider techniques, such as highly targeted vishing campaigns that impersonate IT support staff to trick employees into authorising access to malicious ‘connected apps.’ These apps often masquerade as legitimate tools, allowing attackers to steal sensitive business data. The assessment further points out circumstantial evidence of an alliance, including the overlapping presence of both groups in the same attack sectors and timeframes, as well as cybercriminal forum activity that combines their names and tactics.

Categories: Cybercriminal Activity, Collaboration Between Threat Groups, Evolving Attack Tactics

Tags: ShinyHunters, Cybercriminal, Salesforce, Credential Theft, Phishing, Vishing, Collaboration, Data Breaches, Domain Registration, Attack Tactics
