Dopious
This is a translated post, if you want to read the original, see original source at the bottom.
Google recently sent out an email stating that they had been hacked by the group ShinyHunters, or more correctly written UNC6240, who claim to be ShinyHunters. The group uses a type of vishing method to obtain an 8-digit token for Salesforce. It was an external instance of the Salesforce software that was hacked, but one which contained customer data from, among other things, the Google Ads service.
The Google Threat Intelligence Group (GTIG) also notes that the group’s tactics have evolved over time. They have moved from using Salesforce Dataloader to using their own scripts (typically in Python), making them harder to track as they use Mullvad VPN and Tor to both intrude and exfiltrate customer data. The use of compromised accounts to register attacked applications has also increased.
Google conducted a forensics operation on one of its affected Salesforce instances in June. GTIG analysis showed that only limited, mostly public company data was exfiltrated for a short period of time before access was disabled.
As countermeasures, GTIG recommends, among other things, that the principle of least privilege is strictly applied, that the management of connected apps is restricted and carefully reviewed, that access is regulated via IP policies, and that Salesforce Shield support (transaction security, event monitoring) is used to monitor and block unusual activity. Furthermore, the importance of widespread use of multi-factor authentication is emphasized.
Source: https://kryptera.se/google-hackade-av-shinyhunters/
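An added example, not from the post or the source article: a small Python check that applies the three controls the summary lists (IP policy, a reviewed allowlist of connected apps, and event monitoring for unusual export volume) to constructed API event records. The record fields, the network range, the app names and the row threshold are assumptions for illustration, not Salesforce's real event schema or any real organisation's values.

```python
import ipaddress
from dataclasses import dataclass

# Assumed policy values (constructed for the example).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # approved egress range
APPROVED_APPS = {"Approved Integration"}                  # reviewed connected apps
EXPORT_ROW_THRESHOLD = 10_000                             # rows per call worth alerting on


@dataclass
class ApiEvent:
    """Simplified API event record; field names are assumptions, not Salesforce's schema."""
    user: str
    source_ip: str
    connected_app: str
    operation: str   # e.g. "Query" or "Bulk Export"
    rows: int        # rows returned by the call


def evaluate(ev: ApiEvent) -> list[str]:
    """Return the policy findings for one event (empty list means in policy)."""
    findings = []
    ip = ipaddress.ip_address(ev.source_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        findings.append("ip_outside_policy")          # IP restriction violated
    if ev.connected_app not in APPROVED_APPS:
        findings.append("unreviewed_connected_app")   # app never went through review
    if ev.rows >= EXPORT_ROW_THRESHOLD:
        findings.append("bulk_export_volume")         # unusual data volume
    return findings


def triage(events: list[ApiEvent]) -> list[tuple[str, str, list[str]]]:
    """Decide per event: 'block' when a bulk export coincides with another
    finding, 'review' for any single finding, nothing when in policy."""
    result = []
    for ev in events:
        findings = evaluate(ev)
        if not findings:
            continue
        severity = "block" if "bulk_export_volume" in findings and len(findings) > 1 else "review"
        result.append((ev.user, severity, findings))
    return result


# Constructed sample events: one normal, one large in-policy export,
# one export from an unreviewed client outside the IP policy, one stray login.
SAMPLE_EVENTS = [
    ApiEvent("alice", "203.0.113.10", "Approved Integration", "Query", 200),
    ApiEvent("bob", "203.0.113.22", "Approved Integration", "Bulk Export", 50_000),
    ApiEvent("carol", "198.51.100.77", "Custom Python Client", "Bulk Export", 250_000),
    ApiEvent("dave", "198.51.100.5", "Approved Integration", "Query", 10),
]
```

Running `triage(SAMPLE_EVENTS)` flags carol's export for blocking and bob's and dave's activity for review, while alice's in-policy call produces no finding.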