Lmst

ShinyHunters is expanding SaaS extortion — shifting from breaches to pressure campaigns across cloud apps. When data is everywhere, leverage is too. ☁️💣 #DataExtortion #SaaSSecurity

https://www.darkreading.com/cyberattacks-data-breaches/shinyhunters-expands-scope-saas-extortion-attacks

Alright team, it's been a bit quiet on the news front over the last 24 hours, but we've still got some interesting bits to chew on, including ongoing database extortion, a wild deepfake job application story, and a new privacy feature from Apple. Let's dive in:

Exposed MongoDB Instances Under Attack ⚠️
- A persistent threat actor is still hitting misconfigured MongoDB instances, wiping databases and demanding low ransoms (around £400-£500 in Bitcoin) for data restoration, though there's no guarantee of recovery.
- Research shows over 208,500 MongoDB servers are publicly exposed, with 3,100 lacking authentication, and nearly half of those already compromised.
- Admins must avoid public exposure, enforce strong authentication, use firewalls, update to the latest versions, and continuously monitor for unauthorised activity.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/exposed-mongodb-instances-still-targeted-in-data-extortion-attacks/

Deepfake Job Applicants: A New Social Engineering Frontier 🧠
- An AI security startup CEO recently faced a sophisticated deepfake candidate applying for a security researcher role, highlighting the growing use of AI in recruitment scams.
- Even experienced professionals can struggle with the "inner turmoil" of confronting a deepfake, underscoring the challenge of verifying identity in remote hiring.
- Companies should implement a mix of low-tech (trust your gut, mandate cameras on, ask for physical interaction) and high-tech solutions (deepfake detection tools) to combat this evolving threat, as the cost of hiring a malicious actor can be substantial.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/01/ai_security_startup_ceo_posts/

Apple Enhances iPhone Location Privacy 🔒
- Apple is rolling out a new "Limit Precise Location" feature for some iPhone and iPad models (iOS 26.3+), allowing users to restrict cellular networks to only approximate location data.
- This feature, which doesn't affect emergency calls or app-shared location, appears to be a response to past FCC fines against major carriers for illegally sharing user location data.
- While currently limited to specific devices and carriers (e.g., Telekom DE, EE/BT UK, Boost Mobile US, AIS/True TH), it marks a significant step towards giving users more control over how carriers track their movements.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/apple/new-apple-privacy-feature-limits-location-tracking-on-iphones-ipads/

#CyberSecurity #ThreatIntelligence #MongoDB #DataExtortion #Deepfake #SocialEngineering #AI #RecruitmentScams #Apple #DataPrivacy #InfoSec #CyberAttack #Vulnerability #IncidentResponse

Nike investigates a data breach after an extortion gang leaks internal files — brand power doesn’t stop data pressure. Extortion, not encryption, is now the leverage. 👟🔓 #DataExtortion #Breach

https://www.bleepingcomputer.com/news/security/nike-investigates-data-breach-after-extortion-gang-leaks-files/

Ransomware extortion is surging across Europe — where stolen data, not encryption, is now the weapon of choice. 💶💣 #Ransomware #DataExtortion

https://www.darkreading.com/cyberattacks-data-breaches/europe-increase-ransomware-extortion

⚠️ Salesforce rejects ransom demand after data extortion #Salesforce says it will not negotiate with or pay extortionists claiming they stole data from its customers. ScatteredLapsus$Hunters target client systems, not the core Salesforce platform. #ransomNews #dataextortion #cloudsecurity

🚨 Hackers extort Salesforce after mass customer data theft SSLSH breached #Salesforce by exploiting permissions flaws, stole customer data from dozens of clients, and is now extorting both Salesforce and affected customers. #ransomNews #SalesforceHack #DataExtortion

I find the ShinyHunters (UNC6040/UNC6240) Salesforce Campaign really interesting, because it highlights the impact of two key threat vectors/types that - in my conversations , at least - aren't being accounted for by traditional TI teams.

1. Data Theft & Extorsion Actors
2. Actors capitalising on 3rd Party Platform Applications

Curious to know - do your orgs track and threat model opportunistic Data Theft and Extorsion Actors, or just focus on the APTs and ransomware groups of the world?

The largest ransom payment in history was $75 million to the Dark Angels Ransomware group in 2024, purportedly by pharma giant Cencora. With 27TB of corporate data stolen from the org and no mention of ransomware being deployed, the eye-watering payment was to prevent leaking/sale of the stolen data which included customer "names, addresses, dates of birth, diagnoses, prescriptions and medications."

https://www.bloomberg.com/news/articles/2024-09-18/gang-got-75-million-for-cencora-hack-in-largest-known-ransom

The group weren't well known prior to the attack, and the absence of ransomware being deployed highlights the need to prioritise the identification and protection of sensitive data and customer PII - agnostic of whatever group might seek to target it.

Also, we're all aware of Malicious OAuth applications in o365, but are your orgs aware of; monitoring, and locking down 3rd party platform integrations?

For those unaware of the campaign, here's the AI-generated TLDR of a Google report in the activity: Https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion

Threat Summary: UNC6040/ShinyHunters Voice Phishing and Data Extortion Campaign

Key Points & Technical Summary:

A financially motivated threat cluster, tracked by Google as UNC6040, has been conducting a widespread campaign targeting organizations' Salesforce CRM instances. The campaign's primary objective is large-scale data theft for the purpose of extortion, which is carried out by a related cluster, UNC6240. This group often uses the moniker ShinyHunters in their communications with victims.

The core of the attack vector is a sophisticated voice phishing (vishing) campaign. The threat actors impersonate corporate IT support personnel in phone calls to employees of the targeted organization.

The primary technical steps of the attack are as follows:
* Social Engineering: The actor guides the targeted employee to Salesforce's connected app setup page.
* Malicious App Authorization: The employee is convinced to authorize a malicious version of the "Data Loader" application. This is done by having the employee enter a connection code provided by the attacker, which links the attacker-controlled application to the victim's Salesforce environment.
* Data Exfiltration: Once the malicious app is authorized, UNC6040 gains significant API access, allowing them to query and exfiltrate sensitive data from the Salesforce instance. While initially leveraging modified versions of the Salesforce Data Loader, the group has evolved its tooling to include custom Python-based scripts for data extraction.
* Anonymization: The attackers utilize services like Mullvad VPN and TOR exit nodes to initiate the vishing calls and for data exfiltration, complicating attribution and tracking efforts.
* Extortion: Following the data theft, UNC6240 initiates contact with the victim organization, demanding a ransom payment in Bitcoin, typically within a 72-hour timeframe, to prevent the public release of the stolen data. The group is also reportedly preparing to launch a dedicated data leak site to increase pressure on victims.

Additional Context & Related Activity

Activity Cluster:

The activity is attributed to the cluster pair UNC6040 (initial access and data theft) and UNC6240 (extortion). This group leverages the reputation of the well-known ShinyHunters extortion group to intimidate victims. The cluster is financially motivated and has demonstrated a growing sophistication in its social engineering tactics and technical tooling.

Other Compromises & Targets:

This campaign has impacted numerous high-profile organizations across various sectors. Besides Google, other publicly confirmed victims of this campaign include:
* Cisco
* Chanel
* Adidas

The targeting appears to be opportunistic, focusing on multinational corporations that are heavy users of Salesforce CRM. There has been an initial focus on English-speaking employees.

Techniques & TTPs:

Beyond the core vishing-to-malicious-app-authorization chain, other observed Tactics, Techniques, and Procedures (TTPs) include:
* Credential Targeting: In some cases, the actors have targeted Okta credentials, likely obtained through prior infostealer malware infections or separate phishing campaigns.
* Lateral Movement: Using compromised credentials, the actors have been observed moving laterally within victim networks to access and exfiltrate data from other systems, including Microsoft 365.
* Reconnaissance: The group conducts thorough reconnaissance to craft convincing narratives, identifying internal application names and IT support procedures to make their vishing calls more credible.

Timeline:
* June 4, 2025: Google's Threat Intelligence Group (GTIG) first publishes a warning about the rise in vishing and extortion activity targeting Salesforce customers, designating the threat actor as UNC6040.
* June 2025: Google becomes a victim of the same campaign, with one of its own corporate Salesforce instances being breached. The compromised data was related to small and medium-sized business contacts.
* July 24, 2025: Cisco identifies a similar breach of its CRM system resulting from a vishing attack.
* Early August 2025: Google, Cisco, and other victims publicly disclose the breaches. Google updates its original blog post to include the fact that it was also a victim. Extortion demands from UNC6240/ShinyHunters follow these disclosures.

#CyberSecurity #ThreatIntelligence #ShinyHunters #DataExtortion #SalesforceSecurity #Vishing #ThirdPartyRisk #ThreatModeling #IncidentResponse #UNC6040 #UNC6240 #Ransomware #Salesforce #InformationSecurity #Infosec #Cybersec #ThreatIntel
#Cisco #Google #CyberAttack

‼️ Google’s Threat Intelligence Group identified a campaign by threat actors tracked as UNC6040 and tied to ShinyHunters that uses voice phishing to get employees to install a spoofed Salesforce Data Loader app. 😳 This grants the attackers direct access to Salesforce environments, enabling large-scale data theft and later extortion. Victim organizations span Europe and the Americas, and even Google’s own Salesforce instance was compromised.

TL;DR
⚠️ Modified Data Loader via connected app grants CRM access
🔐 Vishing calls impersonate IT support to trick users
🧠 Affects about 20 organizations, including major brands
🔍 Salesforce confirms no platform flaw, blames social engineering

https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/
#Cybersecurity #SocialEngineering #DataExtortion #SalesforceSecurity #security #privacy #cloud #infosec

Ransomware without the ransomware?

In this new episode of Cyberside Chats, @sherridavidoff and @MDurrin unpack the evolving trend of data-only extortion, where threat actors skip the encryption and go straight to blackmail.

From the rebrand of Hunters International to World Leaks, and the rise of extortion-as-a-service, this episode reveals how modern cybercriminals are getting more efficient—and more ruthless.
Watch or listen for strategies to reduce your risk!

📽️ Watch the video: https://youtu.be/eCQXhhdyC-s
🎧 Listen to the podcast: https://www.chatcyberside.com/e/the-rise-of-ransomware-less-extortion-a-new-cyber-threat/

#Cybersecurity #DataExtortion #Ransomware #IncidentResponse #RiskManagement #CISO #LMGSecurity #CybersideChats #CyberInsurance #ThreatIntelligence #InfoSec

Hunters International just reinvented itself as "World Leaks" – switching from ransomware to a full-blown data extortion play. Could your sensitive info be next? Read the surprising shift in cybercrime tactics.

https://thedefendopsdiaries.com/hunters-internationals-shift-to-data-extortion-a-new-era-in-cybercrime/

#dataextortion
#cybercrime
#huntersinternational
#cybersecuritytrends
#databreach