Cyber Criminal Groups Compromising Salesforce Instances for Data Theft and Extortion
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Two cyber criminal groups, UNC6040 and UNC6395, are targeting organizations' Salesforce platforms for data theft and extortion. UNC6040 uses social engineering, particularly voice phishing, to gain access to Salesforce accounts. They trick employees into granting access or sharing credentials, then use API queries or malicious connected apps to exfiltrate data. UNC6395 exploits compromised OAuth tokens for the Salesloft Drift application to access Salesforce instances. Both groups have been observed exfiltrating large volumes of customer data. Victims of UNC6040 have received extortion emails demanding cryptocurrency payments to prevent data publication. The FBI has provided numerous IP addresses and other indicators of compromise associated with these groups, along with recommended mitigations to enhance security and prevent such attacks.
OPENCTI LABELS :
social engineering,extortion,data theft,vishing,oauth,salesforce,api exfiltration,shinyhunters
AI COMMENTARY :
1. Introduction: Threat actors keep shifting toward the business platforms that hold the most customer data. Recent intelligence describes two cyber criminal groups, UNC6040 and UNC6395, targeting Salesforce instances for data theft and extortion. One relies on voice phishing, the other on stolen OAuth tokens, and both have shown they can exfiltrate customer records at scale and then demand cryptocurrency payments in exchange for not publishing the stolen data.
2. UNC6040's Social Engineering and Vishing Operations: UNC6040 relies heavily on vishing, voice-based social engineering, to get into employee accounts. Posing as support personnel or executives, the callers talk targeted staff into granting access (for example by approving a connected app) or into sharing their credentials. Once inside a Salesforce environment, the group pulls data out through ordinary API queries and through malicious connected applications that the victim was persuaded to authorize. Because the retrieval runs through legitimate API calls made by an app a real user approved, it blends into normal integration traffic; the signals that separate it from that traffic are the unfamiliar app name, the source IP, and the volume of rows pulled in a short window. That combination of human manipulation and automated bulk retrieval is what makes UNC6040 effective at data theft and extortion.
3. UNC6395's OAuth Token Exploitation: In contrast, UNC6395 uses compromised OAuth tokens belonging to third-party integrations, specifically the Salesloft Drift application. An OAuth access or refresh token is a bearer credential: whoever holds it can call the Salesforce API as the integration, without a password or an MFA prompt, so login-time controls and user-facing alerts are never triggered and the access looks legitimate. Through these stolen tokens the group runs bulk downloads of customer and account records. The practical consequence is that the integration's own token lifetime, scopes, and API activity are the only controls left; revoking the compromised app's tokens is the first response step, and stringent token management plus regular auditing of the connected apps in a Salesforce organization is the preventive one.
4. Indicators of Compromise and FBI Involvement: The FBI has published numerous IP addresses and other indicators of compromise associated with UNC6040 and UNC6395. Security teams can use these indicators to detect ongoing intrusions and block malicious traffic, keeping in mind that attacker IP infrastructure is short-lived: match the indicators against historical login and API logs as well as live traffic, and treat a hit as a trigger for a wider review of that user's and that app's activity rather than as the whole scope. The report is labelled shinyhunters, and public reporting links this activity to the ShinyHunters extortion brand, which suggests overlap in tooling or infrastructure. Keeping threat intelligence feeds current and sharing findings with law enforcement improves early warning and collective defense.
5. Recommended Mitigations and Best Practices: Defending against these groups takes a layered approach. User awareness training that specifically covers vishing and requests to approve an app or read out a code reduces the chance that an employee hands over access. Strict OAuth token policies, including scope minimization, short token lifetimes with revocation of unused or suspicious tokens, and an approved-app inventory, shrink the surface available for API exfiltration. Monitoring of connected apps and granular logging of API and administrative activity give the visibility needed to spot anomalous behavior such as a new app or a sudden high-volume export. Finally, multi-factor authentication across all critical systems and, for Salesforce specifically, restricting where logins and API calls may originate bolster resilience against both the human-centric and the token-based attack vectors.
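The connected-app monitoring recommended above, and the exfiltration patterns described for UNC6040 (section 2) and UNC6395 (section 3), can be expressed as a small detector over Salesforce API event log rows. The block below is an added example written for this page; it is not code from the report, the FBI, or Salesforce. The field names (TIMESTAMP_DERIVED, USER_NAME, CLIENT_NAME, CLIENT_IP, ROWS_PROCESSED) are assumed to follow the layout of Salesforce's EventLogFile "API" entries and should be checked against the org's actual logs; the log rows, the approved-app list, and the indicator list (RFC 5737 documentation addresses standing in for the FBI's published IPs) are all constructed.

```python
"""Flag connected-app API exfiltration in Salesforce API event log rows.

Added example for this page, not code from the report or from Salesforce.
Field names loosely follow the EventLogFile "API" layout and are assumed;
the sample rows, approved-app list and IOC list are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed indicator list (placeholder documentation ranges; the FBI's
# real indicators are not reproduced here).
IOC_TEXT = """
# placeholder indicators, one IP or CIDR per line
203.0.113.0/24
198.51.100.200
"""

# Connected apps this (fictional) org expects to see calling the API.
KNOWN_APPS = {"Salesforce Mobile", "Drift Connector"}

# Constructed rows: a vishing victim whose account authorises an unknown app
# that pulls rows in bursts from an indicator IP, and a legitimate integration
# token being used for one oversized export.
SAMPLE_EVENTS = [
    {"TIMESTAMP_DERIVED": "2025-08-20T02:10:00Z", "USER_NAME": "jdoe@example.com",
     "CLIENT_NAME": "Salesforce Mobile", "CLIENT_IP": "198.51.100.7",
     "ENTITY_NAME": "Contact", "ROWS_PROCESSED": "50"},
    {"TIMESTAMP_DERIVED": "2025-08-20T02:12:00Z", "USER_NAME": "jdoe@example.com",
     "CLIENT_NAME": "My Ticket Portal", "CLIENT_IP": "203.0.113.45",
     "ENTITY_NAME": "Account", "ROWS_PROCESSED": "2000"},
    {"TIMESTAMP_DERIVED": "2025-08-20T02:15:00Z", "USER_NAME": "jdoe@example.com",
     "CLIENT_NAME": "My Ticket Portal", "CLIENT_IP": "203.0.113.45",
     "ENTITY_NAME": "Contact", "ROWS_PROCESSED": "9000"},
    {"TIMESTAMP_DERIVED": "2025-08-20T02:20:00Z", "USER_NAME": "jdoe@example.com",
     "CLIENT_NAME": "My Ticket Portal", "CLIENT_IP": "203.0.113.45",
     "ENTITY_NAME": "Case", "ROWS_PROCESSED": "4000"},
    {"TIMESTAMP_DERIVED": "2025-08-20T03:00:00Z", "USER_NAME": "svc-drift@example.com",
     "CLIENT_NAME": "Drift Connector", "CLIENT_IP": "192.0.2.10",
     "ENTITY_NAME": "Account", "ROWS_PROCESSED": "30000"},
]


def load_iocs(text):
    """Parse IPs/CIDRs (one per line, '#' comments) into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def ip_in_iocs(ip, nets):
    """True when the client IP falls inside any published indicator."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def analyze(events, known_apps, iocs, window=timedelta(minutes=15), row_threshold=10000):
    """Return one alert per (reason, user, app[, ip]) over time-ordered events.

    Three detections: an app outside the approved inventory, a client IP on
    the indicator list, and more than row_threshold rows pulled by one
    (user, app) pair inside a sliding window, which catches both a newly
    authorised rogue app and an abused token of a legitimate integration.
    """
    alerts, seen = [], set()
    recent = defaultdict(deque)  # (user, app) -> deque of (timestamp, rows)

    def raise_alert(reason, ev, detail):
        key = (reason, ev["USER_NAME"], ev["CLIENT_NAME"],
               ev["CLIENT_IP"] if reason == "ioc_ip_match" else None)
        if key not in seen:  # de-duplicate repeated hits for the same pair
            seen.add(key)
            alerts.append({"reason": reason, "user": ev["USER_NAME"],
                           "app": ev["CLIENT_NAME"], "ip": ev["CLIENT_IP"],
                           "detail": detail})

    for ev in sorted(events, key=lambda e: e["TIMESTAMP_DERIVED"]):
        ts = datetime.strptime(ev["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        rows = int(ev["ROWS_PROCESSED"])
        if ev["CLIENT_NAME"] not in known_apps:
            raise_alert("unknown_connected_app", ev, "app not in approved inventory")
        if ip_in_iocs(ev["CLIENT_IP"], iocs):
            raise_alert("ioc_ip_match", ev, "client IP matches published indicator")
        q = recent[(ev["USER_NAME"], ev["CLIENT_NAME"])]
        q.append((ts, rows))
        while ts - q[0][0] > window:  # drop rows that fell out of the window
            q.popleft()
        total = sum(r for _, r in q)
        if total >= row_threshold:
            raise_alert("bulk_export", ev, f"{total} rows in {window}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, KNOWN_APPS, load_iocs(IOC_TEXT)):
        print(alert)
```

On the constructed rows this produces four alerts: the unknown "My Ticket Portal" app, its indicator-list source IP, the 11,000 rows it pulled within fifteen minutes, and the 30,000-row export by the otherwise approved "Drift Connector" account. The last one is the UNC6395 shape: the app is expected and the IP is clean, so only the volume gives it away, which is why the threshold check runs for known apps too. Tune the window and threshold to the org's real integration baseline before relying on it.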
6. Conclusion: As cyber criminals refine their methods, especially within cloud-based platforms like Salesforce, organizations must stay vigilant and proactive. The activities of UNC6040 and UNC6395 serve as a stark reminder that social engineering and OAuth exploitation are potent tools for data theft and extortion. By integrating threat intelligence, reinforcing security controls, and fostering collaboration with law enforcement, enterprises can better defend their customer data and maintain trust in their digital operations.