ShinyHunters Targets Okta and Microsoft SSO in Data Breach

 

Several voice-based social engineering attacks have prompted renewed scrutiny of the security assumptions behind single sign-on (SSO) ecosystems. The cybercrime collective ShinyHunters has publicly announced that it has carried out an extensive campaign to harvest SSO credentials from approximately 100 organizations, signaling an intentional shift toward identity-centered intrusion methods.
Early disclosures have already exposed substantial amounts of data: leaks tied to platforms such as SoundCloud, Crunchbase, and Betterment have been confirmed, affecting tens of millions of user records.
Moreover, the intrusions were not the result of software malfunctions or misconfigurations, but of carefully executed voice phishing attacks that exploited human trust in modern authentication workflows.
This tactic underscores a growing reality for enterprises. As authentication becomes more centralized via single sign-on providers, the compromise of an individual identity can result in systemic access to entire SaaS environments, amplifying the scale and impact of these breaches.
Once an employee’s single sign-on credentials have been obtained, the impact extends beyond the initial account compromise.

By gaining access to a single sign-on identity, attackers gain access to the organization’s broader application ecosystem.

Various SSO platforms, including Okta, Microsoft Entra, and Google, streamline authentication by federating access to a variety of internal and third-party services under a single login.

As a result of this architecture, usability and administrative control are improved, but risk is also concentrated, as a single breached identity can unlock multiple downstream systems.

The SSO dashboard provides authenticated users with an integrated view of all enterprise applications connected to it, transforming a compromised account into a digital footprint map of the organization.

A number of business-critical applications are commonly integrated into these platforms, including Microsoft 365, Google Workspace, Salesforce, SAP, Slack, Atlassian, Dropbox, Adobe, Zendesk, and other software-as-a-service applications.

ShinyHunters and associated actors have exploited this model through targeted voice phishing campaigns, impersonating internal IT personnel, and guiding victims through credential entry and multi-factor authentication challenges on convincingly replicated login portals. 
Following authentication, the attackers systematically enumerate all available applications within the SSO environment, and then begin extracting data from each platform, enabling massive data thefts and lateral expansion across interconnected services before security teams can detect any abnormal activity.
In the aftermath of initial access, attackers began targeting cloud-based software-as-a-service environments, systematically going after the systems that store corporate data and internal documents. The objective goes beyond data theft: stolen information is increasingly being used for subsequent extortion campaigns.
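
The post-login application enumeration described above leaves a recognizable trace in SSO logs: one identity opening many distinct applications from a single source within minutes. The following detection sketch is an added example, not part of the original article; the event schema, threshold, window, and sample log lines are constructed assumptions, not a real Okta or Entra log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (timestamp, user, source IP, application); not a real IdP log format.
EVENTS = [
    ("2026-01-20T09:02:00", "alice", "198.51.100.7", "Slack"),
    ("2026-01-20T09:40:00", "alice", "198.51.100.7", "Microsoft 365"),
    ("2026-01-20T11:15:00", "bob", "198.51.100.9", "Salesforce"),
    ("2026-01-20T13:05:00", "alice", "198.51.100.7", "Atlassian"),
    ("2026-01-20T15:30:10", "alice", "203.0.113.50", "Microsoft 365"),
    ("2026-01-20T15:30:55", "alice", "203.0.113.50", "Salesforce"),
    ("2026-01-20T15:31:40", "alice", "203.0.113.50", "Slack"),
    ("2026-01-20T15:32:20", "alice", "203.0.113.50", "Dropbox"),
    ("2026-01-20T15:33:05", "alice", "203.0.113.50", "Zendesk"),
    ("2026-01-20T15:33:50", "alice", "203.0.113.50", "Atlassian"),
    ("2026-01-20T15:45:00", "bob", "198.51.100.9", "Slack"),
]

def fan_out_alerts(events, window=timedelta(minutes=10), threshold=5):
    """Return {(user, ip): alert} for sessions that open `threshold` or more
    distinct applications from one source IP inside `window`."""
    recent = defaultdict(deque)   # (user, ip) -> (time, app) inside window
    ips_seen = defaultdict(set)   # user -> source IPs observed so far
    novel = {}                    # (user, ip) -> IP was new for a known user
    alerts = {}
    for raw_ts, user, ip, app in sorted(events):
        ts = datetime.fromisoformat(raw_ts)
        key = (user, ip)
        if key not in novel:
            novel[key] = bool(ips_seen[user])
            ips_seen[user].add(ip)
        queue = recent[key]
        queue.append((ts, app))
        while ts - queue[0][0] > window:   # drop events older than window
            queue.popleft()
        apps = sorted({a for _, a in queue})
        if len(apps) >= threshold and key not in alerts:
            alerts[key] = {"time": raw_ts, "apps": apps, "new_ip": novel[key]}
    return alerts

if __name__ == "__main__":
    for (user, ip), alert in fan_out_alerts(EVENTS).items():
        print(user, ip, alert)
```

The threshold and window need tuning against each organization's normal usage, since some roles legitimately open many applications at the start of a shift; the `new_ip` flag helps prioritize bursts that also come from a source the user has not used before.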
Various designations are being tracked by

[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
