So … on TSB, I was mentioning during news notes that there was some type of new name that is going around for the group causing havoc called Shiny Hunters.
I’ve since refound the article, and we’ll be breaking down a chunk of it. The full article, which is a lengthy read, is linked at the bottom of this blog post.
I was right in regard to part of this name, and the article talks specifically about what’s going on. It’s interesting the name they chose. You don’t have a lot of time to guess, as the second paragraph tells you the name as shown below. Did you guess this name?
The beginning of the article says:
An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks.
The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as “Scattered Lapsus$ Hunters.”
How many guessed this name as the name of the new group?
The article continues:
Today, they launched a new data leak site containing 39 companies impacted by the attacks. Each entry includes samples of data allegedly stolen from victims’ Salesforce instances, and warns the victims to reach out to “prevent public disclosure” of their data before the October 10 deadline is reached.
The article does state that if companies don’t comply, the data will be released or sold, but we’ve seen this tactic before where they claim they won’t do anything and they turn and do another.
The companies being extorted on the data leak site include well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA.
“All of them have been contacted long ago, they saw the email because I saw them download the samples multiple times. Most of them chose to not disclose and ignore,” ShinyHunters told BleepingComputer.
To add insult to injury, this paragraph says:
The extortion group also threatened the company, stating that it would help law firms pursue civil and commercial lawsuits against Salesforce following the data breaches and warned that the company had also failed to protect customers’ data as required by the European General Data Protection Regulation (GDPR).
This is because they know that they’re damned if they do and they’re damned if they don’t, and they’ve probably paid these types of things before with repercussions anyway. You could probably look this up.
Continuing my thoughts, the article says:
The threat actors also added a separate entry requesting that Salesforce pay a ransom to prevent all impacted customers’ data (approximately 1 billion records containing personal information) from being leaked.
Why the hell should the company now get involved, especially if they can’t find any vulnerability you took advantage of? The Salesforce people state that they can’t find anything, so I doubt they’ll pay but we’ll see.
They continue:
“Should you comply, we will withdraw from any active or pending negotiation individually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay,” they added.
Stop me if you’ve heard that shit before and whether you believe it. We heard this with PowerSchool and other big-time breaches where they said they wouldn’t release stuff and they did. Maybe not PowerSchool per se, but more notably, the healthcare breaches of the early pandemic days.
Scattered Lapsus$ Hunters have been targeting Salesforce customers with voice phishing attacks since the beginning of the year, leading to breaches that have impacted companies such as Google, Cisco, Qantas, Adidas, Allianz Life, Farmers Insurance, Workday, as well as LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.
This means they have not slowed down, and there are no plans of shutting down because they can get what they want. And … they continue to talk to the press like Bleeping as though it is a normal operation going on.
The way they got in, says the article, is by tricking someone into authenticating a malicious OAuth application against the Salesforce instance. That’s when you need to think about whether that app is absolutely necessary, or whether the integrations you already have are working fine without it. It starts with the human element.
Stop me if you’ve seen similar paragraphs like this one. It says:
Once connected, the attackers stole company databases and used the data to extort victims via email. These extortion emails were signed by ShinyHunters, a notorious extortion group linked to a long string of high-profile breaches in recent years, including the Snowflake attacks and those against AT&T and PowerSchool.
If Salesforce was the first, they apparently are also part of Salesloft too.
ShinyHunters also claimed to have used stolen OAuth tokens for Salesloft’s Drift AI chat integration with Salesforce to steal sensitive information, including passwords, AWS access keys, and Snowflake tokens, from customers’ Salesforce instances.
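The foothold described above is a connected app that a user was talked into authorizing, and the Salesloft case is an integration whose OAuth token was stolen. As an added example, not code from the article or from this blog, here is a defender-side review of a Salesforce connected-app grant list; the record layout, app names, placeholder consumer keys and the bulk-call threshold are all constructed for illustration.

```python
# Added example (not from the article or the blog author): triage of Salesforce
# connected-app OAuth grants, the kind of consent the article says the attackers obtained.
# The record layout, names, consumer keys and threshold below are constructed.
from dataclasses import dataclass

@dataclass
class OAuthGrant:
    app_name: str
    consumer_key: str      # placeholder identifier, not a real key
    scopes: set            # OAuth scopes the grant carries
    granted_by: str        # user who authorized the app
    api_calls_24h: int     # API call volume attributed to the grant

# Constructed sample: a sanctioned integration, an unknown app with broad scopes
# and heavy API use (what a vishing-driven consent would look like), and a normal app.
SAMPLE_GRANTS = [
    OAuthGrant("Drift Chat Integration", "CK-PLACEHOLDER-1", {"api", "refresh_token"}, "integration@example.com", 120),
    OAuthGrant("Data Loader Helper", "CK-PLACEHOLDER-2", {"full", "refresh_token", "offline_access"}, "alice@example.com", 48000),
    OAuthGrant("Mobile App", "CK-PLACEHOLDER-3", {"api"}, "bob@example.com", 30),
]

APPROVED_CONSUMER_KEYS = {"CK-PLACEHOLDER-1", "CK-PLACEHOLDER-3"}   # allowlist maintained by the org
BROAD_SCOPES = {"full", "refresh_token", "offline_access", "web"}    # scopes that permit durable, wide access
BULK_THRESHOLD = 10000   # constructed threshold; tune to the org's normal daily volume

def review_grants(grants, approved=APPROVED_CONSUMER_KEYS):
    """Return {app_name: [reasons]} for grants that deserve a human look."""
    findings = {}
    for g in grants:
        reasons = []
        if g.consumer_key not in approved:
            reasons.append("connected app is not on the approved list")
            broad = g.scopes & BROAD_SCOPES
            if broad:
                reasons.append("unapproved app holds broad scopes: " + ", ".join(sorted(broad)))
        if g.api_calls_24h >= BULK_THRESHOLD:
            reasons.append(f"{g.api_calls_24h} API calls in 24h looks like bulk export")
        if reasons:
            findings[g.app_name] = reasons
    return findings

if __name__ == "__main__":
    for app, reasons in review_grants(SAMPLE_GRANTS).items():
        print(app)
        for r in reasons:
            print("  -", r)
```

Even an approved app is flagged when its call volume jumps, which is the signal to check whether its token has been reused from outside the integration.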
So it looks like they’re not going anywhere and I bet this could be a big topic for discussion during news notes in a future podcast to be released.
According to the article, there is information about Salesloft here which might be of value. It says:
The Salesloft attacks are known to have impacted Google, Palo Alto Networks, CyberArk, Cloudflare, Rubrik, Elastic, BeyondTrust, Proofpoint, JFrog, Zscaler, Tenable, Nutanix, Qualys, and Cato Networks, among many others. ShinyHunters claim that companies will not be re-extorted under the Salesloft campaign if a ransom is paid in this initial extortion phase.
So they’re saying they’ll leave you alone if you pay, but we saw this during Covid when that threat came and went so I don’t buy that shit.
We left so many other things out that I could’ve mentioned, and the article itself is lengthy just like this one.
It’s titled “ShinyHunters launches Salesforce data leak site to extort 39 victims” if you’d like to take a gander at this new name, what they’re up to, and how you might learn to protect yourself from getting caught up in the mess.
As one group from Magnatune says: “It’s a jungle out there!”
Thanks for reading, make it a great day.
Discover more from Jared's Technology podcast network