Google Targeted in Cyberattack Linked to ShinyHunter Group

Google has reported a breach involving its data, attributed to the cybercriminal group known as ShinyHunter, which has been exploiting vulnerabilities in Salesforce databases. The incident highlights ongoing vulnerabilities within major tech platforms, as ShinyHunter continues to threaten various corporations through extortion tactics.
The compromised data, according to Google, primarily consists of information that is publicly accessible, including business names and contact details. In contrast, ShinyHunter claims that the stolen information holds greater value than Google asserts. This breach is a significant concern, as Salesforce has frequently been targeted by cyberattacks, which include social engineering scams, phishing attempts, and data breaches.
To provide insight into the attack’s implications, Digital Journal consulted Randolph Barr, Chief Information Security Officer at Cequence. Barr points out that fundamental security principles often represent the most significant vulnerabilities. He explains, “At a high level, the core security fundamentals continue to be the most common points of failure—particularly around credential hygiene, inconsistent MFA enforcement, and overlooked SaaS integration paths.”
Barr emphasizes that the recent Salesforce compromises illustrate how attackers exploit both technical misconfigurations and human oversights to access sensitive data. He details two primary techniques utilized by cybercriminals in these attacks. The first involves the deployment of infostealer malware, where attackers harvest credentials from infected devices to gain access to platforms like Salesforce.
Once these credentials are obtained, attackers can access cloud services using non-user interface methods, such as APIs, where multi-factor authentication (MFA) enforcement may be inadequate. “This type of compromise relies heavily on poor endpoint hygiene and gaps in identity and access management controls,” Barr added, particularly highlighting organizations that do not extend MFA to all access points.
The second technique, which appears to have been employed in Google’s situation, involves vishing (voice phishing) attacks orchestrated by a group identified as UNC6040. Rather than using malware, these attackers employ social engineering tactics, contacting employees directly to extract login credentials or trick them into approving MFA prompts. Once they gain entry into Salesforce, they can download customer data and subsequently threaten to release it unless a ransom is paid.
This tactic underscores a critical risk, as Barr notes: “This method highlights the limitations of technical controls when human behavior becomes the attack surface.” In Google’s case, while the stolen data was mostly publicly available, the means by which it was obtained raises significant concerns regarding the effectiveness of security measures in place.
Despite Google’s implementation of MFA, Barr warns that such protections can be bypassed through social engineering techniques. He stresses the importance of establishing additional safeguards, such as phishing-resistant MFA or step-up authentication, to mitigate potential threats.
Reflecting on Salesforce’s security protocols, Barr notes that while the company started enforcing MFA for user interface logins in 2022, many organizations did not extend these protections to service accounts or custom integrations. This oversight has created vulnerabilities that attackers are actively exploiting.
Looking ahead, Barr emphasizes the urgent need for comprehensive identity security that encompasses more than just MFA. He advocates for consistent enforcement across all access paths and a concerted effort to reduce human exploitability.
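One way to audit for the gap Barr describes, where MFA is enforced on user-interface logins but not on API, service-account or integration paths, is to compare each identity's successful logins across access paths. This is an added example, not from the article; the event schema, field names and sample records are constructed assumptions and do not represent a Salesforce export format.

```python
from collections import defaultdict

# Constructed sample login events (hypothetical schema, labelled as an assumption).
EVENTS = [
    {"user": "alice", "kind": "human", "path": "ui", "mfa": True, "ip": "198.51.100.10", "ok": True},
    {"user": "alice", "kind": "human", "path": "api", "mfa": False, "ip": "203.0.113.77", "ok": True},
    {"user": "bob", "kind": "human", "path": "ui", "mfa": True, "ip": "198.51.100.22", "ok": True},
    {"user": "bob", "kind": "human", "path": "api", "mfa": False, "ip": "203.0.113.5", "ok": False},
    {"user": "svc-sync", "kind": "service", "path": "api", "mfa": False, "ip": "192.0.2.40", "ok": True},
    {"user": "carol", "kind": "human", "path": "ui", "mfa": True, "ip": "198.51.100.31", "ok": True},
    {"user": "carol", "kind": "human", "path": "api", "mfa": True, "ip": "198.51.100.31", "ok": True},
]

def audit_mfa_coverage(events):
    """Return {user: [findings]} for successful logins on any path that lacked MFA."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:  # failed attempts are not coverage gaps
            by_user[e["user"]].append(e)

    findings = {}
    for user, logins in by_user.items():
        mfa_ips = {e["ip"] for e in logins if e["mfa"]}
        ui_has_mfa = any(e["path"] == "ui" and e["mfa"] for e in logins)
        notes = []
        for e in logins:
            if e["mfa"]:
                continue
            if e["kind"] == "service":
                notes.append(f"service account on {e['path']} without MFA")
            elif ui_has_mfa and e["path"] != "ui":
                # Same identity is MFA-protected in the UI but not on this path.
                note = f"{e['path']} login bypasses the MFA enforced on ui"
                if e["ip"] not in mfa_ips:
                    note += f"; source {e['ip']} never seen on an MFA-verified session"
                notes.append(note)
            else:
                notes.append(f"{e['path']} login without MFA")
        if notes:
            findings[user] = notes
    return findings

if __name__ == "__main__":
    for user, notes in audit_mfa_coverage(EVENTS).items():
        for n in notes:
            print(f"{user}: {n}")
```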
This incident serves as a stark reminder of the evolving landscape of cyber threats and the necessity for organizations to continually adapt their security practices to safeguard against emerging risks. With the ongoing campaign by groups like ShinyHunter, it is imperative for businesses to remain vigilant and proactive in their cybersecurity strategies.