Full Report
Cushman & Wakefield activated incident response protocols after serial extortionists issued separate threats
Real estate giant Cushman & Wakefield has confirmed a data breach after two cybercrime groups, ShinyHunters and Qilin, separately claimed responsibility for attacks on the company.…
Analysis Summary
# Incident Report: Dual Extortion Threat Targeting Cushman & Wakefield
## Executive Summary
Cushman & Wakefield, a global real estate giant, confirmed a data breach resulting from a "vishing" (voice phishing) attack. The incident gained notoriety as two separate cybercriminal entities, ShinyHunters and Qilin, both claimed responsibility for compromising the organization within days of each other. While operations remained normal, the attackers claim to have exfiltrated over 500,000 corporate records.
## Incident Details
- **Discovery Date:** Early May 2024 (publicly confirmed May 5)
- **Incident Date:** May 1, 2024 (per attacker claims)
- **Affected Organization:** Cushman & Wakefield
- **Sector:** Commercial Real Estate Services
- **Geography:** Global / United States
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately May 1, 2024
- **Vector:** Vishing (Voice Phishing)
- **Details:** An employee was targeted via a fraudulent phone call and socially engineered into providing credentials or granting access to the corporate environment.
### Lateral Movement
- **Details:** Specific movement techniques were not disclosed, but the threat actors pivoted from the initial point of compromise to internal data repositories, specifically the company's CRM environment.
### Data Exfiltration/Impact
- **Date:** May 1 – May 4, 2024
- **Details:** ShinyHunters claimed to have stolen over 500,000 Salesforce records containing Personally Identifiable Information (PII) and internal corporate data.
### Detection & Response
- **How it was discovered:** Likely triggered by the public listing of the company on Qilin’s leak site (May 4) and direct extortion communication from ShinyHunters.
- **Response actions taken:** Activated incident response protocols, containment steps initiated, and third-party forensic advisors engaged.
## Attack Methodology
- **Initial Access:** Vishing (Social Engineering).
- **Persistence:** Not disclosed; likely via hijacked legitimate credentials.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Use of legitimate employee credentials obtained via vishing to bypass standard security alerts.
- **Credential Access:** Social engineering (Vishing).
- **Discovery:** Exploration of CRM (Salesforce) environments.
- **Lateral Movement:** Movement from user endpoint/account to cloud-based CRM.
- **Collection:** Gathering of Salesforce PII and corporate data.
- **Exfiltration:** Transfer of 500,000+ records to attacker-controlled infrastructure.
- **Impact:** Extortion/Data Leak threat (Pay-or-leak model).
## Impact Assessment
- **Financial:** Unknown; potential for regulatory fines and extortion demands.
- **Data Breach:** Over 500,000 Salesforce records including PII.
- **Operational:** Limited; systems and operations reported to be running normally.
- **Reputational:** Significant public visibility due to two high-profile threat groups claiming the same victim simultaneously.
## Indicators of Compromise
- **Network indicators:** None disclosed in the report.
- **File indicators:** None disclosed (incident focused on cloud/SaaS data).
- **Behavioral indicators:** Unusual login locations/times for the compromised employee; unexpected bulk export of records from Salesforce.
## Response Actions
- **Containment measures:** Isolation of unauthorized activity.
- **Eradication steps:** Password resets and session revocations for affected accounts.
- **Recovery actions:** Forensic investigation supported by third-party experts to determine the full scope of exfiltration.
## Lessons Learned
- **Vulnerability of Social Channels:** Even with robust technical controls, the "human firewall" remains a primary point of failure via vishing.
- **Dual-Threat Environment:** Organizations may be targeted by multiple independent groups simultaneously, complicating the attribution and remediation process.
- **SaaS Security:** Third-party SaaS platforms, CRMs like Salesforce in particular, concentrate customer PII and are high-value targets for modern extortion groups.
## Recommendations
- **Enhanced Awareness Training:** Specifically target "vishing" and social engineering tactics in employee security training.
- **Strict MFA Policies:** Require phishing-resistant MFA (FIDO2/WebAuthn security keys) for access to sensitive platforms; OTP codes and push approvals can be read out or approved under pressure during a vishing call, while a hardware-bound assertion cannot be relayed by phone.
- **Conditional Access:** Implement stringent geographic and device-based access policies for sensitive platforms like Salesforce.
- **DLP for SaaS:** Enable Data Loss Prevention (DLP) and monitoring for bulk exports or unusual reporting activity within CRM environments.
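The behavioral indicators above (unusual source locations for the compromised account, unexpected bulk export of records) and the DLP recommendation both come down to the same detection logic. The following is an added example, not code from the report or from Cushman & Wakefield, of how that logic looks when run over CRM export events. The input is a constructed stream of simplified Salesforce Event Monitoring style records; the field names (`Username`, `SourceIp`, `Operation`, `RowsProcessed`, `EventDate`), the thresholds and the baseline IP list are all assumptions for illustration.

```python
"""Flag bulk, chunked and off-baseline CRM exports from an event stream.

Added example for this report. The event schema and thresholds are
assumptions; tune both to the org's own export baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the incident.
BULK_ROWS_PER_EVENT = 50_000       # one export this large is suspicious on its own
CHUNKED_ROWS_PER_WINDOW = 100_000  # sub-threshold exports that add up to this
WINDOW = timedelta(hours=1)

# Constructed sample events (chronological), loosely following Salesforce
# Event Monitoring field names. Not data from the incident.
SAMPLE_EVENTS = [
    {"EventDate": "2024-05-01T09:00:00Z", "Username": "alice@example.com",
     "SourceIp": "203.0.113.10", "Operation": "ReportExport", "RowsProcessed": 1200},
    {"EventDate": "2024-05-01T09:30:00Z", "Username": "alice@example.com",
     "SourceIp": "203.0.113.10", "Operation": "ReportExport", "RowsProcessed": 800},
    {"EventDate": "2024-05-01T22:05:00Z", "Username": "bob@example.com",
     "SourceIp": "198.51.100.77", "Operation": "BulkApi", "RowsProcessed": 250_000},
    {"EventDate": "2024-05-01T22:20:00Z", "Username": "bob@example.com",
     "SourceIp": "198.51.100.77", "Operation": "ReportExport", "RowsProcessed": 30_000},
    {"EventDate": "2024-05-01T22:40:00Z", "Username": "bob@example.com",
     "SourceIp": "198.51.100.77", "Operation": "ReportExport", "RowsProcessed": 30_000},
    {"EventDate": "2024-05-01T22:55:00Z", "Username": "bob@example.com",
     "SourceIp": "198.51.100.77", "Operation": "ReportExport", "RowsProcessed": 45_000},
]

# Source addresses seen per user during a clean baseline period (constructed).
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.10"},
}


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_ips):
    """Return alerts (dicts with rule/user/detail) for a chronological event list."""
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (time, rows) inside WINDOW
    new_ip_alerted = set()       # (user, ip) pairs already reported

    for ev in events:
        user, ip, rows = ev["Username"], ev["SourceIp"], ev["RowsProcessed"]
        when = parse_time(ev["EventDate"])

        # Rule 1: export from a source address never seen for this user
        # (the "unusual login location" indicator). One alert per (user, ip).
        if ip not in known_ips.get(user, set()) and (user, ip) not in new_ip_alerted:
            new_ip_alerted.add((user, ip))
            alerts.append({"rule": "new_source_ip", "user": user, "detail": ip})

        # Rule 2: a single oversized export (Bulk API job or large report).
        if rows >= BULK_ROWS_PER_EVENT:
            alerts.append({"rule": "bulk_export", "user": user,
                           "detail": f"{ev['Operation']} {rows} rows"})
            continue  # reported on its own; do not double-count in rule 3

        # Rule 3: chunked exports that each stay under the single-event
        # threshold but add up inside a sliding WINDOW.
        q = recent[user]
        q.append((when, rows))
        while q and when - q[0][0] > WINDOW:
            q.popleft()
        total = sum(r for _, r in q)
        if total >= CHUNKED_ROWS_PER_WINDOW:
            alerts.append({"rule": "chunked_export", "user": user,
                           "detail": f"{total} rows across {len(q)} exports in {WINDOW}"})
            q.clear()  # reset so the same chunks do not alert again

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"[{a['rule']}] {a['user']}: {a['detail']}")
```

On the sample data the two small exports by `alice` raise nothing, while `bob` triggers all three rules: a source address outside his baseline, a 250,000-row Bulk API export, and three sub-threshold report exports that total 105,000 rows inside one hour. Rule 3 is the one that matters against an attacker who has learned the size threshold and chunks the pull; in production the baseline would come from historical login and export data rather than a hard-coded dictionary.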