FBI Issues Alert: Two Hacker Groups, UNC6040 and UNC6395, Target Salesforce for Data Theft
- John Jordan
- Sep 16
Updated: 5 days ago
The FBI has issued a critical alert warning organizations about two sophisticated cybercriminal groups, UNC6040 and UNC6395, actively targeting Salesforce platforms for extensive data theft and extortion. These groups employ distinct methods to gain initial access, posing a significant threat to sensitive customer data stored within Salesforce environments.

Key Takeaways
- Two distinct threat groups, UNC6040 and UNC6395, are actively targeting Salesforce platforms.
- UNC6040 uses vishing and social engineering to steal credentials and exfiltrate data.
- UNC6395 exploits compromised OAuth tokens, particularly from the Salesloft Drift application.
- Extortion attempts often follow data theft, with groups like ShinyHunters claiming responsibility.
- The FBI has released Indicators of Compromise (IoCs) to aid in defense and detection.
UNC6040: Vishing and Social Engineering Tactics
UNC6040, active since October 2024, employs voice phishing (vishing) and social engineering to infiltrate Salesforce instances. The group impersonates IT support staff, contacting organizations with fabricated "enterprise-wide connectivity issues." Under the guise of resolving a ticket, they trick customer support employees into sharing credentials or authorizing malicious applications, such as modified versions of Salesforce's Data Loader. These actions allow UNC6040 to exfiltrate large volumes of sensitive customer data. Following the data theft, extortion demands are often made, with the group frequently claiming to be "ShinyHunters."
UNC6395: Exploiting OAuth Tokens
UNC6395 is associated with data theft campaigns that exploit compromised OAuth tokens, particularly those related to the Salesloft Drift application, an AI chatbot integrated with Salesforce. By leveraging these stolen tokens, the group gained access to Salesforce environments, exfiltrating data that included secrets, credentials, and authentication tokens found in support cases. This supply chain attack potentially impacted hundreds of organizations. Salesloft has since taken steps to secure its environment, including revoking affected tokens and disabling the Drift application.
Extortion and Evolving Tactics
Both UNC6040 and UNC6395 have been linked to extortion activities. The FBI notes that after data is exfiltrated, victims may receive demands from groups like ShinyHunters. There are also indications that these threat actors, potentially consolidating under banners like "Scattered Lapsus$ Hunters," may be evolving their tactics, possibly by launching data leak sites to increase pressure on victims. Despite some groups announcing a cessation of activities, experts caution that such declarations are often temporary, with actors likely to rebrand and resurface.
FBI Recommendations and Defense
The FBI advises organizations to enhance their security posture by training employees to recognize phishing attempts, implementing phishing-resistant multi-factor authentication (MFA), enforcing strict access controls, and regularly monitoring network logs for suspicious activity. Reviewing all third-party application connections to Salesforce instances is also crucial. The FBI has provided IoCs to assist security teams in identifying and preventing these attacks.