<\/p>\n
\u201cWhile several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, leading to stolen data being published on the ShinyHunters DLS,\u201d Mandiant said. (DLS is brief for data leak site.)<\/p>\n
An evaluation of a bash script left within the staging environment shows the attackers performed reconnaissance on compromised organizations, including mapping the PeopleSoft configurations, viewing process scheduler, and WebLogic server XML configurations. Eventually, the threat actors established an outbound SSH connection to 176.120.22.24, the IP address hosting ShinyHunters\u2019 DLS. The stolen data was first compressed using the zstd tool. The DLS claimed to have recovered 48GB of information from a single victim.<\/p>\n <\/a><\/p>\n \n Credit: \n A partially redacted section of the ShinyHunters\u2019 DLS.<\/p>\n Mandiant<\/p>\n <\/span>\n <\/p>\n<\/p><\/div>\n<\/figcaption><\/figure>\n ShinyHunters has been energetic since not less than 2019. Over the past several years, it has executed scores of hacks against a few of the world\u2019s largest corporations, affecting hundreds of thousands of individuals downstream. A small sample of victims includes Ticketmaster (through the breach of Snowflake, which hosted the information), Spain\u2019s biggest bank, Santander, and Salesforce (and, through it, Google and, reportedly<\/a>, many other corporations). ShinyHunters uses various techniques to realize initial access, including exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, supply chain attacks, voice phishing, and other types of social engineering.<\/p>\n
\n Mandiant\n <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>
\n Credit:<\/p>\n