Canva Targeted in Credential-Theft Campaign by ShinyHunters: Report
The recent credential-theft campaign by ShinyHunters has raised alarms across multiple industries. The operation primarily targeted Okta single sign-on (SSO) accounts at high-value enterprises. Researchers from Silent Push reported that the group targeted over 100 accounts, though the researchers have not confirmed any breaches yet.
Details of the ShinyHunters Campaign
According to Silent Push, the cybercriminal organization ShinyHunters has been actively trying to compromise SSO credentials. In a report issued on Monday, the researchers highlighted the group's focus on “high-value enterprises.” Companies including Canva, Atlassian, AppLovin, Epic Games, and HubSpot were identified as being actively targeted.
Targeted Organizations
- Atlassian
- AppLovin
- Canva
- Epic Games
- Genesys
- HubSpot
- Iron Mountain
- RingCentral
- ZoomInfo
While these companies are not confirmed to have been breached, the potential risk is alarming. Zach Edwards, a senior threat researcher at Silent Push, stated that the firm cannot confirm that any specific breaches have occurred.
Details from Experts
Google’s Mandiant team also noted that they are monitoring this ongoing campaign. Mandiant’s Chief Technology Officer, Charles Carmakal, mentioned that ShinyHunters has employed sophisticated voice-phishing tactics. These methods are designed to compromise SSO credentials from various organizations.
After gaining access, attackers often pivot to SaaS environments, aiming to exfiltrate sensitive data.
Extortion Attempts
Some victim organizations have reportedly received extortion demands from individuals claiming affiliation with ShinyHunters. While these identity attacks do not stem from product vulnerabilities, Mandiant urges organizations to adopt robust security measures.
Recommendations for Protection
To enhance security against such threats, Mandiant strongly recommends using phishing-resistant multi-factor authentication (MFA). Options include:
- FIDO2 security keys (like YubiKeys)
- Passkeys
These methods are significantly more effective against social engineering attacks than traditional SMS or push notifications. Furthermore, organizations should enforce strict app authorization policies and regularly monitor logs for any unusual API activity.
This ShinyHunters campaign gained further attention last week when Okta issued alerts regarding voice-phishing tactics aimed at its SSO platform. Although Okta has chosen not to comment in detail, the implications of these actions for enterprise security are profound.
As the situation continues to develop, organizations are advised to stay vigilant and implement recommended security best practices to protect against potential attacks by ShinyHunters and similar groups.