ShinyHunters, an infamous threat actor group behind several high-profile data breaches, has risen to prominence since it first appeared in April 2020. The gang has claimed responsibility for a string of data breaches, including Pixlr, ChqBook, Tokopedia, BigBasket, Microsoft’s GitHub account, and MeetMindful, among others.
According to a new report from Intel 471, the group uses multiple tactics to breach networks in an attempt to collect a trove of enterprise data. It is worth noting that the cybercriminal group, which primarily operates through the RaidForums marketplace, takes its name and motivation from a shiny Umbreon, a Pokémon character. While the gang’s targets are spread across different sectors, the methods it uses to steal sensitive data remain the same.
Type of data sought by ShinyHunters
ShinyHunters primarily seeks legitimate credentials, which it later uses to target database infrastructure and gather PII for resale on the marketplace.
Intel 471 has also observed the gang targeting DevOps personnel and GitHub repositories to steal valid OAuth credentials. These OAuth keys can give the adversary access to cloud infrastructure.
Worth noting
In addition to stealing OAuth credentials, the group also searches for vulnerabilities in a company’s GitHub repository source code. These vulnerabilities can then be used to orchestrate third-party or supply chain attacks.
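Because the credential theft described above depends on secrets that are already sitting in repository content, the most direct defensive check is to scan files for committed tokens before they reach a shared remote. The following is an added example, not code from the article or from Intel 471: a small pre-commit style secret scanner. The token patterns (a GitHub personal access token prefix, an AWS access key ID prefix, and a generic quoted client_secret or OAuth token assignment) are illustrative assumptions chosen for this example, and the sample repository files are constructed here so the code runs offline.

```python
import re
from dataclasses import dataclass

# Illustrative detection patterns (assumptions for this example, not from the article).
# Each pattern either captures the secret in its last group or matches it whole.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_oauth_secret": re.compile(
        r"""(?i)\b(client_secret|oauth_token|access_token)\b['"]?\s*[:=]\s*['"]([^'"]{16,})['"]"""
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never store or print the full secret in scanner output


def redact(value: str) -> str:
    """Keep only a short prefix/suffix so a finding can be located without re-leaking it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list:
    """Scan one file's content line by line and return a Finding per matched secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(match.lastindex) if match.lastindex else match.group(0)
                findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings


def scan_repo(files: dict) -> list:
    """files maps a repository-relative path to its text content (e.g. the staged files)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_commit(files: dict) -> bool:
    """Policy decision for a pre-commit hook: any finding blocks the commit."""
    return bool(scan_repo(files))


# Constructed sample repository content; every credential below is fake.
SAMPLE_FILES = {
    "deploy/ci.yml": "name: deploy\nenv:\n  GH_TOKEN: ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n",
    "scripts/push.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY012345\naws s3 sync . s3://bucket\n",
    "app/settings.py": 'OAUTH = {"client_id": "demo-app", "client_secret": "s3cr3t-oauth-client-value-0001"}\n',
    "README.md": "# Demo\nNo credentials here.\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} -> {f.redacted}")
    print("block commit:", should_block_commit(SAMPLE_FILES))
```

Wired into a pre-commit hook, `should_block_commit` would be fed the staged files; the redaction step matters because scanner output often ends up in CI logs, which are themselves a place credentials leak from.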
What is the cause of concern?
ShinyHunters may not be as notorious as ransomware gangs, which are continuously on a mission to extort their victims. However, the scope of attacks by these threat actors cannot be ignored.
With the average cost of a data breach this year estimated at approximately $4.4 million, researchers indicate that ShinyHunters has cost companies tens of millions of dollars in damages so far.
The bottom line
The information gathered by ShinyHunters often ends up for sale on a dark web forum. This sensitive information is a gold mine for ransomware and other malware actors, who use it to launch their own attacks. Therefore, tracking such actors before they breach vulnerable networks is crucial to prevent organizations from falling victim to further attacks.