Researchers Share Common Tactics of ShinyHunters Threat Group

New information from Intel 471 examines the common exploit tactics of the cybercrime group known as ShinyHunters.

ShinyHunters is behind several high-profile breaches over the last two years. Its attacks often start with a breach of legitimate credentials, most likely for a company's cloud services, Intel 471 researchers write in a blog post. Since surfacing in April 2020, "the group has been behind some of the most notable data breaches that have been made public. Those include breaches of Microsoft's GitHub account, photo editing app Pixlr, and men's clothing retailer Bonobos.”

Researchers provide a breakdown of the courses of action ShinyHunters often takes in an attack. The group often starts by searching for companies that are using Microsoft Office 365 and look for valid accounts. They also often search for third parties that store GitHub open authorization tokens and do research to identify research and development employees in an organization. They then use the credentials in secondary or tertiary attacks.

"The group will also search a company's GitHub repository source code for vulnerabilities within the code itself. These vulnerabilities are used in further, more complex, third-party or supply chain attacks," the post says. "Tracking actors like this are crucial to preventing your enterprise from being hit with such an attack."

Read the full post here.