ShinyHunters Secret to Success: Breaking the Trust Barrier
ShinyHunters is a little like the West Nile virus, delivered by a bite from a lowly mosquito that comes out of nowhere, often undetected until the target shows symptoms of illness.
In April alone, ShinyHunters operatives repeatedly hit high-profile targets such as Zara, Vimeo and Rockstar, as well as analytics vendor Anodot. In the Anodot case, the group stole the customer cloud credentials the vendor held and then used them against the company’s customers.
Why is this gang so effective? Part of the answer lies in organizations’ own security postures and gaps. But the group also owes much of its success to a structural issue: in the Anodot case, ShinyHunters relied on federated trust to move between environments without being challenged.
“ShinyHunters didn’t need a clever exploit. They found a structural shortcut: Compromise one vendor that holds credentials to dozens of customer clouds, and you’re inside all of them at once,” says Amit Shuster, VP of Product, Vetric, noting that Anodot’s product required inbound OAuth and API access to its customers’ data sources — Snowflake, BigQuery, S3, Kinesis.
“Once they were inside Anodot, they didn’t need to attack Vimeo or Rockstar directly. They already had the keys,” says Shuster.
The success of the campaign, he says, “is really a function of how much trust modern enterprises delegate to their data vendors without thoroughly checking what that trust means architecturally.”
In other words, the attack class is not new but rather an old one “that finally found a target-rich environment,” Shuster says.
Observability, which has grown more important to cybersecurity, has “also become a false sense of security for a lot of organizations,” says Shuster.
Noting that the Anodot breach is a “direct refutation” of the “assumption that if you have enough visibility into your environment, you can catch anything,” Shuster explains that no observability tool would have flagged the malicious activity because it “looked exactly like legitimate activity — real credentials, expected access patterns, authorized API calls.”
The trust boundary that broke in the Anodot case “is one most organizations haven’t drawn clearly: The difference between ‘this vendor can see my data’ and ‘this vendor holds credentials into my infrastructure,’” he says.
“Anodot needed to read customer clouds to deliver its product, so customers granted that access,” and “what they didn’t fully reckon with is that those credentials now live in Anodot’s environment — and Anodot’s blast radius became their blast radius,” he says.
ShinyHunters has developed quite a reputation for choosing high-value targets with long tentacles, as the recent attack on Instructure underscores.
“Unfortunately, the recent incident with Instructure is not uncommon as ShinyHunters follows a consistent formula: Target a widely used platform, exploit the access it provides, and weaponize the data against the institutions that trusted it,” says Nathaniel Jones, vice president, security and AI strategy, and field CISO at Darktrace.
The breach “is a serious incident, and the scale being reported, which includes hundreds of millions of users across thousands of institutions globally, reflects the kind of high-value target ShinyHunters has pursued with increasing frequency,” says Darren Guccione, CEO and cofounder at Keeper Security.
“Educational platforms hold an unusual concentration of sensitive data, such as personal identifiers, institutional records and private communications, making this a particularly consequential exposure,” he adds.
Healthcare and medical technology hold similarly concentrated data; a case in point is the ShinyHunters attack on Medtronic. The company “successfully contained the breach to its corporate IT network, preventing disruption to its manufacturing and product lines,” says Agnidipta Sarkar, Chief Evangelist at ColorTokens.
The success of the attacks says a lot about an organization’s security posture. “ShinyHunters’ continued success against enterprise targets tells us that organizations are still granting far more access than any individual role requires,” says Chris Radkowski, GRC expert at Pathlock.
“Enforcing least-privilege access and continuous access certification at the application layer would have significantly reduced the risks associated with this attack,” he says.
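The boundary Shuster describes (a vendor that can read your data versus a vendor that holds credentials into your infrastructure) and the least-privilege review Radkowski calls for both come down to the same two documents in an AWS account: the trust policy of the role a vendor assumes, and the permission policy attached to it. The script below is an added example, not code from the article or from any vendor it names. It audits those two documents for the grants that turn a vendor compromise into a customer compromise: a trust on the vendor account’s `:root` principal, a missing `sts:ExternalId` condition, wildcard actions, write actions for a read-only integration, and `Resource: "*"`. The vendor account ID, role name, bucket name and external ID are placeholders, and both policy pairs are constructed for illustration.

```python
"""Audit a cross-account IAM role granted to a data vendor.

Added example (not from the article or any vendor it names). The two policy
documents that define a vendor's foothold in an AWS account are the role's
trust policy (who may assume it, under what condition) and its permission
policy (what the vendor can then do). All account IDs, names and IDs below
are hypothetical placeholders; the documents themselves are constructed.
"""
import json

# Constructed: the "just make it work" grant to an analytics vendor.
OVERBROAD_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # hypothetical vendor account
        "Action": "sts:AssumeRole",
    }],
})
OVERBROAD_PERMS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "kinesis:*"],
        "Resource": "*",
    }],
})

# Constructed: the same grant reduced to what a read-only ingest product needs.
SCOPED_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/ingest"},  # one named vendor role
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})
SCOPED_PERMS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::analytics-export", "arn:aws:s3:::analytics-export/*"],
    }],
})

READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _statements(document: str):
    return _as_list(json.loads(document).get("Statement", []))


def audit_vendor_role(trust_policy: str, permission_policy: str) -> list[str]:
    """Return the findings a reviewer would raise before certifying this grant."""
    findings = []
    for st in _statements(trust_policy):
        if st.get("Effect") != "Allow":
            continue
        for arn in _as_list(st.get("Principal", {}).get("AWS", [])):
            if arn == "*" or arn.endswith(":root"):
                findings.append(f"trust: any identity in the vendor account can assume the role ({arn})")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust: no sts:ExternalId condition (confused-deputy risk)")
    for st in _statements(permission_policy):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"perms: wildcard action {action}")
            elif not action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES):
                findings.append(f"perms: non-read action {action} for a read-only vendor")
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append('perms: Resource "*" (every bucket and stream in the account)')
    return findings


if __name__ == "__main__":
    for label, trust, perms in (("overbroad", OVERBROAD_TRUST, OVERBROAD_PERMS),
                                ("scoped", SCOPED_TRUST, SCOPED_PERMS)):
        print(label, audit_vendor_role(trust, perms) or "no findings")
```

The read-only check is deliberately strict for a vendor whose product only needs to read data sources; a vendor that legitimately writes back would need its allowed actions enumerated rather than the prefix test relaxed.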