Google Unmasks UNC6040 Vishing Group Targeting Salesforce with Fake Apps

Google's Threat Intelligence Group (GTIG) has exposed UNC6040, a vishing group targeting Salesforce users. This financially motivated collective impersonates IT support to trick employees into installing a malicious version of the Salesforce Data Loader app, enabling large-scale data theft and subsequent extortion. The campaign highlights the growing sophistication of social engineering attacks.

Vishing Campaign Uncovered

UNC6040 employs sophisticated voice phishing (vishing) tactics, primarily targeting English-speaking employees in various sectors including hospitality, retail, and education. The attackers call victims, posing as IT support, and guide them to a fake Salesforce connected app setup page. On this page, employees are persuaded to approve a modified version of the Salesforce Data Loader, often disguised with names like "My Ticket Portal."

Modus Operandi and Impact

Once the malicious Data Loader is installed, UNC6040 gains significant access to the compromised Salesforce environments. This allows them to:

  • Access and query sensitive information.

  • Exfiltrate large volumes of data.

  • Move laterally within the victim's network to target other cloud services like Okta, Workplace, and Microsoft 365.
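The abuse described above leaves a footprint that a defender can look for: a connected app nobody on the security team approved, issuing queries and pulling far more rows than a normal user does. The following added example (not code from Google's report, Salesforce, or the article) shows a simple review over constructed, simplified API event records; the field names `user`, `app`, `operation`, `object` and `rows`, the allowlist of approved apps and the row threshold are all assumptions for illustration, not Salesforce's documented schema.

```python
from collections import defaultdict

# Hypothetical allowlist: connected apps the organization has reviewed and approved.
APPROVED_CONNECTED_APPS = {"Salesforce Data Loader", "Corporate BI Connector"}

# Rows queried per (user, connected app) above which we treat activity as a
# bulk export. Constructed value; tune it to the org's own baseline.
BULK_EXPORT_THRESHOLD = 50_000

# Constructed sample records. The shape is an assumption loosely modelled on
# API event monitoring data, simplified for this example.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app": "Salesforce Data Loader",
     "operation": "Query", "object": "Account", "rows": 1_200},
    {"user": "bob@example.com", "app": "My Ticket Portal",
     "operation": "Query", "object": "Contact", "rows": 48_000},
    {"user": "bob@example.com", "app": "My Ticket Portal",
     "operation": "Query", "object": "Lead", "rows": 26_000},
    {"user": "carol@example.com", "app": "Corporate BI Connector",
     "operation": "Query", "object": "Opportunity", "rows": 3_500},
    {"user": "dave@example.com", "app": "My Ticket Portal",
     "operation": "Query", "object": "Account", "rows": 900},
]


def review_api_events(events, approved_apps=APPROVED_CONNECTED_APPS,
                      threshold=BULK_EXPORT_THRESHOLD):
    """Return a list of findings for unapproved connected apps and bulk exports.

    Two checks run over the records:
      1. Any event issued through a connected app not on the allowlist is
         flagged individually, so the first query from a look-alike app
         such as "My Ticket Portal" surfaces immediately.
      2. Query rows are summed per (user, app) pair, and pairs at or above
         the threshold are flagged as a bulk export regardless of the app.
    """
    findings = []
    rows_by_actor = defaultdict(int)

    for ev in events:
        if ev["app"] not in approved_apps:
            findings.append({
                "type": "unapproved_connected_app",
                "user": ev["user"],
                "app": ev["app"],
                "object": ev["object"],
                "rows": ev["rows"],
            })
        if ev["operation"] == "Query":
            rows_by_actor[(ev["user"], ev["app"])] += ev["rows"]

    for (user, app), total in rows_by_actor.items():
        if total >= threshold:
            findings.append({
                "type": "bulk_export_volume",
                "user": user,
                "app": app,
                "rows": total,
            })

    return findings


def summarize(findings):
    """Count findings by type so an analyst can triage at a glance."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_api_events(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print(summarize(results))
```

In the constructed sample, the three events from "My Ticket Portal" are flagged because the app is not on the allowlist, and bob's two queries together cross the row threshold, producing a fourth, volume-based finding. The two checks are deliberately independent: an allowlist catches the fake app even when volumes stay low, while the volume check catches an approved tool being driven by a compromised account.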

Google reports that approximately 20 organizations have been affected, with some experiencing successful data exfiltration and subsequent extortion attempts. Interestingly, extortion demands often surface months after the initial breach, suggesting a potential collaboration between the data-stealing group and another entity focused on monetization.

Affiliations and Tactics

UNC6040 has claimed affiliations with groups like ShinyHunters during extortion attempts, likely to increase pressure on victims. Technical indicators suggest ties to "The Com," a loosely organized cybercriminal ecosystem known for various illicit activities. While UNC6040 focuses on Salesforce data theft, its tactics, such as targeting Okta credentials and using IT support impersonation, align with broader trends seen in groups like Scattered Spider.

Key Takeaways

  • Social Engineering is Key: The attacks rely entirely on human manipulation, not system vulnerabilities within Salesforce.

  • Employee Education is Crucial: Organizations must prioritize training employees to recognize and resist vishing and other social engineering attempts.

  • Salesforce's Stance: Salesforce has confirmed that the issue does not stem from any inherent vulnerability in its platform and has previously warned customers about such vishing attacks.

  • Delayed Extortion: The significant time gap between initial compromise and extortion attempts means more organizations could face demands in the future.

This campaign underscores the evolving threat landscape where attackers increasingly target the human element through sophisticated social engineering, making robust cybersecurity awareness programs more critical than ever.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Fake IT support voice calls lead to cyber extortion and stolen company data, TechRadar.

  • Hackers abuse modified Salesforce app to steal data, extort companies, Google says, Cybernews.

  • Google Exposes Vishing Group UNC6040 Targeting Salesforce with Fake Data Loader App, The Hacker News.

  • Google says hackers are using fake Salesforce app to attack businesses, Times of India.

  • UNC6040 Targets Salesforce via Sophisticated Vishing Campaigns, TechNadu.
