{"id":209191,"date":"2026-02-02T12:33:00","date_gmt":"2026-02-02T17:33:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/02\/shinyhunters-escalates-tactics-in-extortion-campaign-linked-to-okta-environments\/"},"modified":"2026-02-02T12:50:08","modified_gmt":"2026-02-02T17:50:08","slug":"shinyhunters-escalates-tactics-in-extortion-campaign-linked-to-okta-environments","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/02\/shinyhunters-escalates-tactics-in-extortion-campaign-linked-to-okta-environments\/","title":{"rendered":"ShinyHunters escalates tactics in extortion campaign linked to Okta environments"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/shinyhunters-tactics-extortion-okta-environ\/811112\/\">ShinyHunters escalates tactics in extortion campaign linked to Okta environments<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/shinyhunters-tactics-extortion-okta-environ\/811112\/\">https:\/\/www.cybersecuritydive.com\/news\/shinyhunters-tactics-extortion-okta-environ\/811112\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-02 12:33:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p><span><span><span><span><span><span>Researchers warn that a recently disclosed extortion campaign linked to ShinyHunters represents an escalation of tactics used by the group.\u00a0<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n<p><span><span><span><span><span><span>ShinyHunters late last month <\/span><\/span><\/span><\/span><\/span><\/span><span><span><span><span><span><span><span><span>claimed credit for a series of voice phishing attacks\u00a0<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><span><span><span><span><span><span>that led to extortion demands against five 
organizations.\u00a0<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n<p><span><span><span><span><span><span>Multiple groups are linked to a ShinyHunters-branded campaign that leverages voice phishing and victim-branded credential-harvesting sites to gain access to corporate environments by obtaining single sign-on credentials and multifactor authentication codes, <\/span><\/span><\/span><\/span><\/span><\/span><span><span><span><span><span><span><span><span>according to Mandiant,<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><span><span><span><span><span><span>\u00a0the incident response arm of Google Threat Intelligence Group.\u00a0<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n<p><span><span><span><span><span><span>After gaining access, the threat groups target cloud-based software-as-a-service applications in order to steal sensitive data and other internal documents for use in future extortion campaigns.\u00a0<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n<p><span><span><span><span><span><span>GTIG researchers are tracking the threat groups as UNC6661, UNC6671 and <\/span><\/span><\/span><\/span><\/span><\/span><span><span><span><span><span><span><span><span>UNC6240<\/span><\/span><\/span><\/span><\/span><\/span><\/span><\/span><span><span><span><span><span><span>.\u00a0<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n<p><span><span><span><span><span><span>Since mid-January, hackers from UNC6661 called employees at victim organizations under the guise of being IT staffers. The hackers falsely claimed the company was updating multifactor settings and directed the workers to a branded credential harvesting site. This allowed the site to capture MFA codes and single sign-on credentials.\u00a0<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n<p><span><span><span><span><span><span>Mandiant confirmed that, in certain cases, hackers gained access to accounts belonging to Okta customers. 
This activity was referenced in a January blog post from Okta about a campaign using phishing kits.\u00a0<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n<p><span><span><span><span><span><span>Based on several overlapping issues, including the use of a common Tox account as part of negotiations, researchers linked the subsequent extortion activity to UNC6240. Extortion emails provided some details of what was stolen and demanded payment within 72 hours.\u00a0<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n<p><span><span><span><span><span><span>Researchers confirmed a new data leak site posted in late January with information about alleged victims. As previously reported, security researcher Alon Gal told Cybersecurity Dive that hacks against five&#8230;<\/span><\/span><\/span><\/span><\/span><\/span><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/shinyhunters-tactics-extortion-okta-environ\/811112\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ShinyHunters escalates tactics in extortion campaign linked to Okta environments https:\/\/www.cybersecuritydive.com\/news\/shinyhunters-tactics-extortion-okta-environ\/811112\/ Publish Date: 2026-02-02 
12:33:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":209192,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/LVLPZCgJT7fEJm3q94Qg0EU-P9T284q1aN-NAUlbTKM\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9HZXR0eUltYWdlcy04MTc0ODYxNzQuanBn.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[25,57],"class_list":["post-209191","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-phishing","tag-security"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209191"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=209191"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209191\/revisions"}],"predecessor-version":[{"id":209193,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209191\/revisions\/209193"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/209192"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=209191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=209191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=209191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}