Threat Insight

Cyber Extortion Group “Shiny Hunters” Targets Salesforce Customers

A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to a group of cyber extortion criminals calling themselves “Shiny Hunters”. The criminals have targeted major enterprises based on their use of the Salesforce software.


In these attacks, the threat actors impersonated IT support staff in phone calls to targeted employees, attempting to persuade them into visiting Salesforce’s connected app setup page. On this page, they were told to enter a “connection code”, which linked a malicious version of Salesforce’s Data Loader OAuth app to the target’s Salesforce environment.
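As an added illustration (not part of the advisory, and not Salesforce's own tooling), the Python sketch below shows a review rule a defender could apply to connected-app authorization records: trust is keyed on the app's OAuth consumer key rather than its display name, so a lookalike app calling itself "Data Loader" stands out, and user-authorized apps that no admin pre-approved are flagged too. The record fields, consumer keys and sample users are constructed assumptions.

```python
from dataclasses import dataclass

# Assumption (not from the advisory): the organisation keeps an allowlist of
# connected apps keyed by OAuth consumer key, not display name, because a
# malicious app can reuse a trusted product name such as "Data Loader".
TRUSTED_CONSUMER_KEYS = {
    "3MVG9CONSTRUCTED_DATALOADER_KEY": "Data Loader",
}

@dataclass
class ConnectedAppAuthorization:
    """One connected-app authorization record (constructed shape)."""
    user: str
    app_name: str
    consumer_key: str
    admin_preapproved: bool

def review_authorizations(events):
    """Return (user, app_name, reason) tuples for authorizations needing follow-up."""
    findings = []
    for ev in events:
        if ev.consumer_key in TRUSTED_CONSUMER_KEYS:
            continue  # known app identity, whatever it calls itself
        if ev.app_name in TRUSTED_CONSUMER_KEYS.values():
            reason = "trusted app name with unknown consumer key (possible lookalike)"
        elif not ev.admin_preapproved:
            reason = "user-authorized app not pre-approved by an admin"
        else:
            continue
        findings.append((ev.user, ev.app_name, reason))
    return findings

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    ConnectedAppAuthorization("alice@example.com", "Data Loader", "3MVG9CONSTRUCTED_DATALOADER_KEY", True),
    ConnectedAppAuthorization("bob@example.com", "Data Loader", "3MVG9CONSTRUCTED_UNKNOWN_KEY_1", False),
    ConnectedAppAuthorization("carol@example.com", "Reporting Tool", "3MVG9CONSTRUCTED_UNKNOWN_KEY_2", False),
]

if __name__ == "__main__":
    for user, app, reason in review_authorizations(SAMPLE_EVENTS):
        print(f"{user}: {app}: {reason}")
```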

Previously, Shiny Hunters have been linked to a large-scale cybersecurity incident in June 2024 involving unauthorized access to customer cloud environments hosted on Snowflake Inc., a cloud-based data warehousing platform.

Assessment

Shiny Hunters is assessed to consist of cybercriminals tied to the cybercrime network known as “the Com”. This is the same ecosystem of young Western hackers, mostly from North America and the UK, that the ransomware group known as “Octo Tempest” or “Scattered Spider” comes from. There also appears to be some overlap between the members of Octo Tempest and Shiny Hunters.

The Com, or “Hacker Com”, is a loose network that has spawned several cybercrime brands. The name “Octo Tempest” is mostly used to describe members of the network that collaborate with Russian ransomware-as-a-service groups and deploy ransomware, while “Shiny Hunters” appears to be a brand used by some members for data-leak extortion attacks only, without the involvement of Russian RaaS groups.

Both Shiny Hunters and Octo Tempest favor voice phishing, with phone calls impersonating IT staff, as an initial attack vector to gain access to networks. Any organization that commonly uses English in calls with its helpdesk or IT support can become a target of these attacks, but the criminals may also have members capable of using other languages.

The proliferation of these cybercriminals means that organizations need to protect themselves against social engineering attacks by criminals impersonating IT staff. This is especially important for organizations that use Salesforce software, as that is the target of the current campaign, but similar attacks can be directed against other applications in the future. Protection includes raising awareness internally, both among personnel who may become targets of these social engineering attacks and among cybersecurity staff so they can spot when attackers are successful.
