The cybercrime group known as ShinyHunters has made headlines for its ongoing campaign of data breaches and is now reported to be actively exploiting vulnerabilities in companies’ GitHub repositories. This analysis highlights the group’s strategies for conducting broader and more sophisticated cyberattacks.
According to a report from Intel 471 shared with The Hacker News, ShinyHunters operates primarily on Raid Forums and draws its name and imagery from the Pokémon universe, specifically a shiny Umbreon character. The group parallels the gameplay of Pokémon by “collecting” user data and subsequently reselling it.
This development comes against the backdrop of a troubling rise in data breach costs, which have increased from an average of $3.86 million to $4.24 million, marking a 17-year high. Compromised credentials were found to play a role in 20% of reported breaches in studies involving over 500 organizations.
Since its rise to notoriety in April 2020, the ShinyHunters group has claimed responsibility for numerous high-profile data breaches, affecting entities such as Tokopedia, Wattpad, Pixlr, and Microsoft’s GitHub account. An assessment by Risk Based Security highlighted that over 1.12 million unique email addresses linked to S&P 100 companies and various government entities were exposed as of late 2020.
Recently, ShinyHunters attempted to auction a database supposedly containing personal information of 70 million customers from AT&T, although the telecom provider has refuted claims of a data breach within its systems.
The group exhibits a pattern of compromising developer repositories and websites to acquire credentials and API keys for cloud services, which it then exploits to access sensitive data. This has significant implications for the security of organizations that utilize cloud infrastructure.
Moreover, the group's targeting of DevOps personnel and GitHub repositories raises alarms about its ability to steal valid OAuth tokens. Such tokens enable the group to circumvent two-factor authentication, further complicating security measures for vulnerable enterprises.
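A defensive check for the exposure described above, as an added example that is not part of the original article or the Intel 471 report: a small Python scanner that flags committed GitHub tokens (including `gho_` OAuth tokens), AWS access key IDs and high-entropy secret assignments in repository files. The rule set, the entropy threshold and the sample files are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Publicly documented token shapes; everything in SAMPLE_REPO is constructed.
RULES = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}
# Generic "name = 'value'" assignments are noisy, so they also need high entropy.
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off, tune per code base


def shannon_entropy(value):
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan_text(path, text):
    """Return (path, line_no, rule, redacted_value) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [(rule, m.group(0)) for rule, rx in RULES.items() for m in rx.finditer(line)]
        hits += [("high_entropy_assignment", m.group(1))
                 for m in ASSIGNMENT.finditer(line)
                 if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD]
        for rule, value in hits:
            # Never echo the full secret into scanner output or CI logs.
            findings.append((path, line_no, rule, value[:4] + "*" * (len(value) - 4)))
    return findings


def scan_repo(files):
    """files maps a repository path to its text content."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


SAMPLE_REPO = {  # constructed files, not taken from any real repository
    "deploy/config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\napi_key = "changeme-changeme-changeme"\n',
    "scripts/release.sh": 'curl -H "Authorization: token gho_' + "A1b2C3" * 6 + '" "$API_URL"\n',
    "app/settings.py": 'db_password = "q7Zp2LmX9vRt4KsW8yBn"\n',
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print(finding)
```

Any hit should be treated as a leaked credential: revoke and rotate it, since removing the line from the current tree leaves it in the repository history.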
While ShinyHunters may not enjoy the same level of infamy as various ransomware affiliates, understanding their operational tactics is crucial for organizations aiming to mitigate potential cyber threats. The researchers emphasized the need for vigilance, stating that information gathered by ShinyHunters often ends up on underground markets, where it becomes a tool for launching further attacks.
To defend against such threats, it is essential for businesses to detect activity associated with groups like ShinyHunters, as proactive measures can stymie ransomware attacks before they escalate. Frameworks such as the MITRE ATT&CK Matrix provide valuable insights into the tactics and techniques employed, including initial access, persistence, and privilege escalation, allowing organizations to bolster their security protocols.