Researchers Share Common Tactics of ShinyHunters Threat Group

Intel 471 researchers break down common tactics and techniques of the data-stealing group behind many big breaches.

Dark Reading Staff, Dark Reading

August 24, 2021

1 Min Read
Dark Reading logo in a gray background | Dark Reading

New information from Intel 471 examines the common exploit tactics of the cybercrime group known as ShinyHunters.

ShinyHunters is behind several high-profile breaches over the last two years. Its attacks often start with a breach of legitimate credentials, most likely for a company's cloud services, Intel 471 researchers write in a blog post. Since surfacing in April 2020, "the group has been behind some of the most notable data breaches that have been made public. Those include breaches of Microsoft's GitHub account, photo editing app Pixlr, and men's clothing retailer Bonobos.”

Researchers provide a breakdown of the courses of action ShinyHunters often takes in an attack. The group often starts by searching for companies that are using Microsoft Office 365 and look for valid accounts. They also often search for third parties that store GitHub open authorization tokens and do research to identify research and development employees in an organization. They then use the credentials in secondary or tertiary attacks.

"The group will also search a company's GitHub repository source code for vulnerabilities within the code itself. These vulnerabilities are used in further, more complex, third-party or supply chain attacks," the post says. "Tracking actors like this are crucial to preventing your enterprise from being hit with such an attack."

Read the full post here.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights