Ethical Hacking News

ShinyHunters: The Cloud-Based Extortion Group Behind a Wave of High-Profile Data Breaches

ShinyHunters, an extortion group that targets cloud-based CRM systems, has been linked to a string of high-profile data breaches at major corporations including Qantas, Allianz Life, LVMH, and Adidas. The group impersonates IT support staff in phone calls to talk employees into authorizing a malicious OAuth app against their Salesforce environment, steals customer data through it, and then extorts the companies over email, threatening to release the stolen information unless its demands are met. Much about the group remains unclear, but the campaign described below shows a capable and active threat actor.

  • ShinyHunters, an emerging threat actor, is linked to recent high-profile data breaches at major corporations.
  • ShinyHunters is an extortion group that uses social engineering to steal sensitive data from cloud-based CRM systems.
  • The group impersonates IT support staff in phone calls to targeted employees and tries to persuade them to visit a malicious version of Salesforce's connected app setup page.
  • ShinyHunters then extorts the victims over email, threatening to release the stolen information unless its demands are met, much as ransomware-as-a-service gangs do.
  • Google tracks the activity as UNC6040 and has warned that it targets Salesforce customers with social engineering attacks.
  • Multiple companies have reported data breaches involving third-party customer service or cloud-based CRM platforms.
  • ShinyHunters may be operating in lockstep with another threat actor, Scattered Spider (UNC3944), suggesting crossover between the two groups.



    In recent weeks, a string of high-profile data breaches has hit several major corporations, including Qantas, Allianz Life, LVMH, and Adidas. None of the companies has publicly named the platform involved, but the available evidence points to an emerging threat actor known as ShinyHunters. This article looks at the group's tactics, techniques, and procedures (TTPs) and at the evidence linking it to these breaches.

    At its core, ShinyHunters is an extortion group that uses social engineering to steal sensitive data from cloud-based CRM systems. Its modus operandi is to impersonate IT support staff in phone calls to targeted employees and persuade them to visit a malicious version of Salesforce's connected app setup page. There the victim is told to enter a "connection code," which links a malicious version of Salesforce's Data Loader OAuth app to the target's Salesforce environment. No software vulnerability is exploited: the victim's own authorization hands the attackers an API-connected app through which they can query and export the organization's Salesforce data.

    The exact details of each attack remain unclear, but ShinyHunters is believed to extort the companies over email, claiming responsibility for the breach and threatening to release the stolen information unless its demands are met. This resembles the affiliate model of ransomware-as-a-service gangs, in which the actors who carry out the intrusion extort the victim and share the proceeds with the operators whose brand they use.

    Google's Threat Intelligence Group (GTIG) tracks this activity as UNC6040 and has warned that the actors behind it were targeting Salesforce customers in social engineering attacks. In June, GTIG reported that the attacks were usually conducted through vishing (voice phishing), but that credentials and MFA tokens were also stolen through phishing pages impersonating Okta login pages.

    In recent weeks, multiple companies have reported data breaches involving third-party customer service or cloud-based CRM systems. LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. each disclosed unauthorized access to a customer information database, with Tiffany Korea notifying customers the attackers breached a "vendor platform used for managing customer data." Adidas, Qantas, and Allianz Life also reported breaches involving third-party systems, with Allianz confirming it was a third-party customer relationship management platform.

    While BleepingComputer has learned that the Qantas data breach also involved a third-party customer relationship management platform, the company will not confirm it is Salesforce. However, previous reporting from local media claims the data was stolen from Qantas' Salesforce instance.

    Furthermore, court documents state that the threat actors targeted the "Accounts" and "Contacts" database tables, which correspond to the standard Salesforce Account and Contact objects. While none of these companies has publicly named Salesforce, BleepingComputer has since confirmed that all were targeted in the same campaign detailed by Google.
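    As an added example (not code from the original article, from Google, or from any of the companies named), the following Python script shows the detection a defender would want for the chain described above: a connected app that nobody on the security team approved starts pulling Account and Contact records in bulk shortly after it is authorized. The log records, the allowlist, the user and app names, and the field names (EVENT_TYPE, TIMESTAMP, USER_NAME, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED) are constructed assumptions loosely modelled on Salesforce Event Monitoring API events, not a documented schema, and the thresholds are illustrative.

```python
"""Flag the UNC6040-style pattern: an unapproved connected app bulk-exporting
Account and Contact records.

All records, names and field names below are constructed for this example and
assume a loose Salesforce Event Monitoring-like API event schema; adapt the
field mapping and thresholds to your own log export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of connected apps the org deliberately authorised.
APPROVED_CLIENTS = {"Salesforce Data Loader (corp-approved)", "Marketing Sync"}
# Objects the article reports the attackers went after.
SENSITIVE_OBJECTS = {"Account", "Contact"}
ROW_THRESHOLD = 10_000          # rows from sensitive objects per user+client per window
WINDOW = timedelta(hours=1)

# Constructed sample events: a vished user, jdoe, authorises a lookalike app
# ("My Ticket Portal") that then dumps Accounts and Contacts within minutes.
SAMPLE_EVENTS = [
    {"EVENT_TYPE": "API", "TIMESTAMP": "2025-06-10T09:00:00Z", "USER_NAME": "jdoe@example.com",
     "CLIENT_NAME": "Marketing Sync", "ENTITY_NAME": "Lead", "ROWS_PROCESSED": 200},
    {"EVENT_TYPE": "API", "TIMESTAMP": "2025-06-10T12:00:00Z", "USER_NAME": "asmith@example.com",
     "CLIENT_NAME": "Salesforce Data Loader (corp-approved)", "ENTITY_NAME": "Account", "ROWS_PROCESSED": 9_800},
    {"EVENT_TYPE": "API", "TIMESTAMP": "2025-06-10T14:02:10Z", "USER_NAME": "jdoe@example.com",
     "CLIENT_NAME": "My Ticket Portal", "ENTITY_NAME": "Account", "ROWS_PROCESSED": 8_000},
    {"EVENT_TYPE": "API", "TIMESTAMP": "2025-06-10T14:05:42Z", "USER_NAME": "jdoe@example.com",
     "CLIENT_NAME": "My Ticket Portal", "ENTITY_NAME": "Contact", "ROWS_PROCESSED": 25_000},
    {"EVENT_TYPE": "API", "TIMESTAMP": "2025-06-10T16:00:00Z", "USER_NAME": "asmith@example.com",
     "CLIENT_NAME": "Salesforce Data Loader (corp-approved)", "ENTITY_NAME": "Account", "ROWS_PROCESSED": 500},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unapproved_clients(events):
    """(user, client) pairs where the client is not an allowlisted connected app."""
    return {(e["USER_NAME"], e["CLIENT_NAME"]) for e in events
            if e["CLIENT_NAME"] not in APPROVED_CLIENTS}


def bulk_sensitive_exports(events, threshold=ROW_THRESHOLD, window=WINDOW):
    """Sliding-window row count per (user, client) over sensitive objects.

    Returns (user, client, rows_in_window) for the first window in which the
    threshold is crossed. Legitimate, spread-out use stays below it because
    old events fall out of the window.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TIMESTAMP"]):   # ISO-8601 sorts lexically
        if e["ENTITY_NAME"] in SENSITIVE_OBJECTS:
            by_key[(e["USER_NAME"], e["CLIENT_NAME"])].append(
                (parse_ts(e["TIMESTAMP"]), e["ROWS_PROCESSED"]))
    alerts = []
    for (user, client), rows in by_key.items():
        start, total = 0, 0
        for ts, n in rows:
            total += n
            while ts - rows[start][0] > window:     # evict events older than the window
                total -= rows[start][1]
                start += 1
            if total >= threshold:
                alerts.append((user, client, total))
                break
    return alerts


def triage(events):
    """Combine both signals: bulk export by an unapproved app is the high-severity case."""
    unapproved = unapproved_clients(events)
    return [{"user": u, "client": c, "rows": n,
             "severity": "high" if (u, c) in unapproved else "medium"}
            for u, c, n in bulk_sensitive_exports(events)]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

    In the constructed data, asmith's approved Data Loader use spans four hours and never crosses the threshold inside one window, while jdoe's lookalike app pulls 33,000 Account and Contact rows in under four minutes and is flagged as high severity because the app is not on the allowlist. The point of keeping the two signals separate is that the rogue app in this campaign is a modified Data Loader, so a detection keyed on the product name alone would miss it; the allowlist has to be of specific authorized connected apps, and the volume rule has to fire regardless of what the client calls itself.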

    It is worth noting that ShinyHunters appears to be operating in lockstep with another threat actor known as Scattered Spider (tracked by Mandiant as UNC3944). Both groups have been targeting the same industries at the same time, making it harder to attribute attacks. Some experts believe that both groups may be overlapping members of the same online communities.

    Allan Liska, an intelligence analyst at Recorded Future, sees the shared tradecraft as evidence of a real connection. "The overlapping TTPs between known Scattered Spider and ShinyHunters attacks indicate likely some crossover between the two groups," Liska told BleepingComputer.

    Other researchers have also pointed to a possible connection between ShinyHunters and the now-defunct Lapsus$ hacking group. One of the recently arrested Scattered Spider hackers was also in Lapsus$, fueling speculation about the extent of their cooperation.

    Much about ShinyHunters' operations remains unclear, but the common thread in these breaches is plain: in each case the initial access came from a person being talked into authorizing a malicious connected app, not from a vulnerability in Salesforce itself. The controls that matter, then, are who in an organization is allowed to authorize OAuth connected apps, how quickly a newly connected app that starts pulling customer records is noticed, and whether staff are warned that a caller claiming to be IT support asking for a connection code is the attack. The group is active and has shown it will keep running the same playbook for as long as it works.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/ShinyHunters-The-Cloud-Based-Extortion-Group-Behind-a-Wave-of-High-Profile-Data-Breaches-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/shinyhunters-behind-salesforce-data-theft-attacks-at-qantas-allianz-life-and-lvmh/


  • Published: Wed Jul 30 15:14:01 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
