- Two threat groups, UNC6040 and UNC6395, are actively targeting Salesforce accounts to steal sensitive data
- UNC6395 exploits integrations like the Salesloft Drift chatbot, while UNC6040 uses phone-based social engineering to impersonate IT staff and gain access
- The FBI warns that follow-up extortion attacks are often carried out by ShinyHunters, linked to Scattered Spider
Two separate threat actors are currently targeting organizations’ Salesforce[1] accounts to steal sensitive data found within. This is according to the US Federal Bureau of Investigation (FBI), which recently issued a FLASH advisory to warn businesses about the ongoing threat.
“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions,” the agency said in its advisory.
“Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that may be used by recipients for research and network defense.”
Scattered Spider and ShinyHunters
In recent times there were numerous reports of cybercriminals who compromised company Salesforce accounts through the Salesloft Drift application, an AI chatbot[2] that can be integrated with Salesforce.
The FBI labeled this group as UNC6395 and apparently, it struck some of the biggest tech and security organizations, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and others.
The other group, UNC6040, gained access by tricking their victims into sharing the access. They would call them on the phone, posing as IT support employees addressing enterprise-wide connectivity issues.
“Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials[3], allowing them access to targeted companies’ Salesforce instances to exfiltrate customer data,” the FBI explained.
A threat actor known to have perfected this technique is Scattered Spider. While the FBI did not name that group in its advisory, it did say that the follow-up extortion attacks were usually mounted by ShinyHunters, a group known to have been working together with Scattered Spider. At one point, the groups even merged into an entity they dubbed ScatteredLapsus$Hunters.
You might also like
References
- ^ Salesforce (www.techradar.com)
- ^ chatbot (www.techradar.com)
- ^ credentials (www.techradar.com)
- ^ BleepingComputer (www.bleepingcomputer.com)