{"id":183841,"date":"2026-02-02T12:33:00","date_gmt":"2026-02-02T17:33:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/02\/shinyhunters-escalates-tactics-in-extortion-campaign-linked-to-okta-environments\/"},"modified":"2026-02-02T12:35:08","modified_gmt":"2026-02-02T17:35:08","slug":"shinyhunters-escalates-tactics-in-extortion-campaign-linked-to-okta-environments","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/02\/shinyhunters-escalates-tactics-in-extortion-campaign-linked-to-okta-environments\/","title":{"rendered":"ShinyHunters escalates tactics in extortion campaign linked to Okta environments"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/shinyhunters-tactics-extortion-okta-environ\/811112\/\">ShinyHunters escalates tactics in extortion campaign linked to Okta environments<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/shinyhunters-tactics-extortion-okta-environ\/811112\/\">https:\/\/www.cybersecuritydive.com\/news\/shinyhunters-tactics-extortion-okta-environ\/811112\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-02 12:33:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>
<\/p>\n<p>Researchers warn that a recently disclosed extortion campaign linked to ShinyHunters represents an escalation of tactics used by the group.\u00a0<br \/>\nShinyHunters late last month claimed credit for a series of voice phishing attacks\u00a0that led to extortion demands against five organizations.\u00a0<br \/>\nMultiple groups are linked to a ShinyHunters-branded campaign that leverages voice phishing and victim-branded credential-harvesting sites to gain access to corporate environments by obtaining single sign-on credentials and multifactor authentication codes, according to Mandiant,\u00a0the incident response arm of Google Threat Intelligence Group.\u00a0<br \/>\nAfter gaining access, the threat groups target cloud-based software-as-a-service applications in order to steal sensitive data and other internal documents for use in future extortion campaigns.\u00a0<br \/>\nGTIG researchers are tracking the threat groups as UNC6661, UNC6671 and UNC6240.\u00a0<\/p>\n<p>Since mid-January, hackers from UNC6661 called employees at victim organizations under the guise of being IT staffers. The hackers falsely claimed the company was updating multifactor settings and directed the workers to a branded credential-harvesting site. This allowed the site to capture MFA codes and single sign-on credentials.\u00a0<br \/>\nMandiant confirmed that, in certain cases, hackers gained access to accounts belonging to Okta customers. This activity was referenced in a January blog post from Okta about a campaign using phishing kits.\u00a0<br \/>\nBased on several overlapping issues, including the use of a common Tox account as part of negotiations, researchers linked the subsequent extortion activity to UNC6240. Extortion emails provided some details of what was stolen and demanded payment within 72 hours.\u00a0<br \/>\nResearchers confirmed a new data leak site posted in late January with information about alleged victims. 
As previously reported, security researcher Alon Gal told Cybersecurity Dive that hacks against five organizations were claimed.\u00a0<br \/>\nHackers linked to UNC6671 have conducted similar attacks, impersonating IT staff, since early January. The credential-harvesting domains used the same structure as those used by UNC6661, but were registered through a different service.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ShinyHunters escalates tactics in extortion campaign linked to Okta environments https:\/\/www.cybersecuritydive.com\/news\/shinyhunters-tactics-extortion-okta-environ\/811112\/ Publish Date: 2026-02-02 12:33:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":183842,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/LVLPZCgJT7fEJm3q94Qg0EU-P9T284q1aN-NAUlbTKM\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9HZXR0eUltYWdlcy04MTc0ODYxNzQuanBn.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,25],"class_list":["post-183841","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183841"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=183841"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183841\/revisions"}],"predecessor-version":[{"id":183843,"href":"https:\/\/te
sting.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183841\/revisions\/183843"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/183842"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=183841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=183841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=183841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}