Salesforce platforms are being cracked open for data theft - FBI warns of UNC6040 and UNC6395 IOCs

News
By published

Two groups are going after data held in Salesforce accounts

Padlock against circuit board/cybersecurity background
(Image credit: Getty Images)
  • Two threat groups, UNC6040 and UNC6395, are actively targeting Salesforce accounts to steal sensitive data
  • UNC6395 exploits integrations like the Salesloft Drift chatbot, while UNC6040 uses phone-based social engineering to impersonate IT staff and gain access
  • The FBI warns that follow-up extortion attacks are often carried out by ShinyHunters, linked to Scattered Spider

Two separate threat actors are currently targeting organizations’ Salesforce accounts to steal sensitive data found within. This is according to the US Federal Bureau of Investigation (FBI), which recently issued a FLASH advisory to warn businesses about the ongoing threat.

"The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions," the agency said in its advisory.

"Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that may be used by recipients for research and network defense."

Scattered Spider and ShinyHunters

In recent times there were numerous reports of cybercriminals who compromised company Salesforce accounts through the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce.

The FBI labeled this group as UNC6395 and apparently, it struck some of the biggest tech and security organizations, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and others.

The other group, UNC6040, gained access by tricking their victims into sharing the access. They would call them on the phone, posing as IT support employees addressing enterprise-wide connectivity issues.

“Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies’ Salesforce instances to exfiltrate customer data,” the FBI explained.

A threat actor known to have perfected this technique is Scattered Spider. While the FBI did not name that group in its advisory, it did say that the follow-up extortion attacks were usually mounted by ShinyHunters, a group known to have been working together with Scattered Spider. At one point, the groups even merged into an entity they dubbed ScatteredLapsus$Hunters.

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.