Google's cyber experts traced the Salesforce hacks by ShinyHunters, only to discover they too had been compromised

Customer data leaked from Google after a breach in a Salesforce database was unveiled.


The ShinyHunters group, a notorious cybercriminal organisation, has been targeting Salesforce databases, particularly those holding contact information and related notes for small and medium-sized businesses. This includes databases belonging to large corporations like Google, Adidas, Chanel, Pandora, Allianz Life, Qantas, and several LVMH brands.

The attacks are primarily executed via voice phishing (vishing) social engineering campaigns. The attackers impersonate IT support or trusted entities and trick employees into providing their Salesforce login credentials and multifactor authentication (MFA) codes. They also lure victims into installing malicious applications that grant the hackers access to the victim's Salesforce instance, from which they exfiltrate data.

Upon gaining access, the ShinyHunters group can access, query, and exfiltrate sensitive information directly from customer environments. After stealing the data, they typically initiate extortion by calling or emailing victim organisations demanding ransom payments in bitcoin, often within 72 hours. They are reportedly preparing to escalate these tactics by launching a public data leak site to increase pressure on victims.

The ShinyHunters group has also been collaborating with other criminal organisations, such as Scattered Spider, adopting their tactics to infiltrate financial and technology service providers.

Google's Threat Intelligence Group (GTIG) discovered a breach targeting a Salesforce database used by Google for storing information about small business customers. The data retrieved during the breach was basic and largely publicly available business information, such as business names and contact details.

William Wright, CEO of Closed Door Security, warned that ShinyHunters has executed a high volume of attacks via Salesforce and recommended that organisations secure their Salesforce databases. He suggested teaching employees about this attack trend, ensuring Multi-Factor Authentication (MFA) is applied to all accounts, and limiting employee access to the minimum level of privileges required.
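As an added example (not code from this article or from Salesforce), the recommendations above and the malicious-application vector described earlier can be turned into a recurring audit over an account export. The CSV column names, permission labels, role baseline and app allow-list are hypothetical placeholders for whatever your own export contains.

```python
import csv
import io

# Constructed sample export; column names are hypothetical, not Salesforce's schema.
SAMPLE_EXPORT = """username,role,mfa_enrolled,permissions,authorized_apps
a.ng@example.com,sales,yes,read_contacts,ApprovedCRMSync
b.ortiz@example.com,sales,no,read_contacts,ApprovedCRMSync
c.park@example.com,support,yes,read_contacts;api_access;bulk_export,ApprovedCRMSync;UnknownExportTool
d.roy@example.com,admin,yes,read_contacts;api_access;bulk_export;manage_apps,ApprovedCRMSync
"""

# Assumed policy: the permissions each role needs, and the apps vetted by security.
ROLE_BASELINE = {
    "sales": {"read_contacts"},
    "support": {"read_contacts"},
    "admin": {"read_contacts", "api_access", "bulk_export", "manage_apps"},
}
APPROVED_APPS = {"ApprovedCRMSync"}


def split_field(value):
    """Split a semicolon-separated cell into a set of trimmed, non-empty items."""
    return {item.strip() for item in value.split(";") if item.strip()}


def audit_accounts(export_text, role_baseline=ROLE_BASELINE, approved_apps=APPROVED_APPS):
    """Return sorted (username, finding, detail) tuples for every policy gap."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"]
        # MFA must be applied to all accounts, with no role-based exceptions.
        if row["mfa_enrolled"].strip().lower() != "yes":
            findings.append((user, "no_mfa", ""))
        # Unknown roles get an empty baseline, so every permission is flagged.
        allowed = role_baseline.get(row["role"], set())
        excess = split_field(row["permissions"]) - allowed
        if excess:
            findings.append((user, "excess_privilege", ";".join(sorted(excess))))
        # An app a user was talked into authorising shows up here.
        unvetted = split_field(row["authorized_apps"]) - approved_apps
        if unvetted:
            findings.append((user, "unapproved_app", ";".join(sorted(unvetted))))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, detail in audit_accounts(SAMPLE_EXPORT):
        print(f"{user:24} {finding:18} {detail}")
```

Bulk-export and API permissions are the ones worth reviewing first, since they determine how much data a single phished account can pull.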

The ShinyHunters group has not been sanctioned by the US, as mentioned in a separate news article about a major ransomware hosting provider being hit with US sanctions. An investigation into the tactics, techniques, and procedures (TTPs) of the ShinyHunters group was ongoing at the time of the breach.

In a separate incident, the ShinyHunters group claimed responsibility for a breach at Santander, affecting millions of customers globally. The breach involved the theft of financial data belonging to around 30 million customers, including credit card details.

The ongoing activity has been closely monitored by Google Threat Intelligence and industry researchers, highlighting a surge in Salesforce-targeted breaches exploiting human factors rather than system vulnerabilities alone.

  1. The escalating tactics of the ShinyHunters group, such as collaborating with other criminal organizations and planning to launch a public data leak site, have raised concerns in the field of cybersecurity, particularly in the general-news and crime-and-justice sectors.
  2. In response to the ShinyHunters' cybersecurity attacks on Salesforce databases, experts like William Wright, CEO of Closed Door Security, advise organizations to bolster their cybersecurity measures, including educating employees about current attack trends, implementing Multi-Factor Authentication (MFA), and limiting access privileges.
