Google Says ShinyHunters Widens Cloud Extortion

Google says the ShinyHunters threat group has significantly expanded its operations, using new tactics to extract sensitive cloud-based information from multiple organizations. The attackers now deploy voice phishing and fake websites that mimic corporate login portals to steal credentials and bypass multi-factor authentication. They often impersonate IT staff over the phone to trick employees into visiting malicious sites.

Google Cloud analysts identified three threat clusters—UNC6661, UNC6671, and UNC6240—linked to the activity. These groups target a wider range of cloud platforms, seeking valuable data from services like SharePoint, Salesforce, and Slack. Once inside, they register authentication devices to retain access.

ShinyHunters also employ harassment and denial-of-service attacks to pressure victims into paying ransoms. In some cases, they delete security notifications to avoid detection. Google says ShinyHunters demand Bitcoin within 72 hours, providing proof through leaked data samples.
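Two of the behaviors described above, registering an authentication device and then deleting security notifications, can be correlated per user as a detection. The following is an added example, not code from Google's report or the linked article; the event schema, field names, keyword list, 30-minute window, and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (not the log format of any specific identity provider or mail system).
EVENTS = [
    {"ts": "2026-01-10T09:02:00", "user": "alice", "action": "mfa_device_registered"},
    {"ts": "2026-01-10T09:04:30", "user": "alice", "action": "mail_deleted",
     "subject": "Security alert: new sign-in method added"},
    {"ts": "2026-01-10T10:15:00", "user": "bob", "action": "mfa_device_registered"},
    {"ts": "2026-01-10T15:40:00", "user": "bob", "action": "mail_deleted",
     "subject": "Lunch menu"},
    {"ts": "2026-01-11T08:00:00", "user": "carol", "action": "mail_deleted",
     "subject": "Security alert: password changed"},
]

# Assumed subject keywords that mark a message as a security notification.
SECURITY_KEYWORDS = ("security alert", "new sign-in", "verification", "authenticator")
WINDOW = timedelta(minutes=30)  # assumed correlation window


def is_security_notice(subject):
    """True if the mail subject looks like an automated security notification."""
    lowered = subject.lower()
    return any(keyword in lowered for keyword in SECURITY_KEYWORDS)


def find_suspicious(events, window=WINDOW):
    """Return (user, enrol_ts, delete_ts, subject) tuples where a security
    notification is deleted within `window` after the same user's account
    registered a new MFA device."""
    last_enrol = {}  # user -> time of most recent device registration
    hits = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for event in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(event["ts"])
        if event["action"] == "mfa_device_registered":
            last_enrol[event["user"]] = ts
        elif event["action"] == "mail_deleted" and is_security_notice(event.get("subject", "")):
            enrol = last_enrol.get(event["user"])
            if enrol is not None and ts - enrol <= window:
                hits.append((event["user"], enrol.isoformat(), ts.isoformat(), event["subject"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print(hit)
```
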

Read the full investigation here: https://cybersecuritynews.com/google-uncovered-significant-expansion-in-shinyhunters/
