Fast Facts
-
FBI Alert: The FBI warns of two threat actors, UNC6040 (ShinyHunters) and UNC6395, targeting Salesforce customers to steal data and extort funds.
-
Attack Methods: UNC6040 employs voice phishing (vishing) and social engineering to access Salesforce accounts by impersonating IT support, while UNC6395 exploits stolen OAuth tokens from Salesloft’s Drift app.
-
Data Exfiltration Risks: Attackers manipulate organizations into authorizing malicious apps, enabling mass data exfiltration from Salesforce environments without proper authentication.
- Preventative Measures: The FBI recommends training staff on phishing recognition, implementing phishing-resistant MFA, and monitoring network activity to avert these threats.
[gptAs a technology journalist, write a short news story divided in two subheadings, at 12th grade reading level about ‘FBI Warns of Threat Actors Hitting Salesforce Customers’in short sentences using transition words, in an informative and explanatory tone, from the perspective of an insightful Tech News Editor, ensure clarity, consistency, and accessibility. Use concise, factual language and avoid jargon that may confuse readers. Maintain a neutral yet engaging tone to provide balanced perspectives on practicality, possible widespread adoption, and contribution to the human journey. Avoid passive voice. The article should provide relatable insights based on the following information ‘
The FBI warned that two threat actors are targeting Salesforce customers for opportunities to steal data from and extort them.
The advisory, published Friday, comes courtesy of the FBI’s Internet Crime Complaint Center (IC3) and concerns two threat actors: UNC6040 (also known as ShinyHunters) and UNC6395. UNC6040 is a threat actor that specializes in voice phishing or vishing and recently was observed using social engineering to pose as IT support staff to get into Salesforce environments. UNC6395, meanwhile, is best known for using stolen OAuth tokens from Salesloft’s Drift application, which has a Salesforce integration, to steal sensitive data from hundreds of Salesforce environments earlier this year.
The FBI’s latest advisory provides additional context into the technical aspects of the threat campaigns, particularly UNC6040’s activity, which began last fall.
UNC6040’s Infection Chain
The FBI said that since October 2024, UNC6040 has conducted social engineering attacks — primarily vishing — to access organizations’ Salesforce accounts. The group would pose as IT support employees and call the target’s call center, claiming that they’re addressing “enterprise-wide connectivity issues.”
“Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies’ Salesforce instances to exfiltrate customer data,” the advisory read.
In some cases, the attackers would trick the employee into visiting a phishing page in order to gain initial access, before using API calls to harvest data. In others, the attacker simply requests login or MFA credentials.
The FBI also said UNC6040 tricks organizations into authorizing malicious apps to connect to the org’s Salesforce portal. The application, “often a modified version of Salesforce’s Data Loader,” gives threat actors the ability to exfiltrate large amounts of sensitive data while bypassing authentication requirements. The applications are created via Salesforce trial accounts, which do not require a legitimate corporate account register the apps.
UNC6395 Attacks
In an interesting case of follow-on threat activity, the FBI alert said some UNC6040 victims have then “received extortion emails allegedly from the ShinyHunters group, demanding payment in cryptocurrency to avoid publication of exfiltrated data.” According to a June report from Google Threat Intelligence Group, UNC6040 has “consistently claimed to be the threat group ShinyHunters.”
Regarding UNC6395, the FBI took the opportunity to warn the public about the group’s theft of OAuth tokens for Salesloft Drift in order to compromise Salesforce-connected victims. On Aug. 20, “Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application, terminating any threat actor access to victims’ Salesforce platforms from the previously connected Salesloft app.”
Dark Reading contacted Salesforce to ask about the FBI’s advisory. In response, a spokesperson said that since that August revocation, “Salesforce re-enabled integrations with Salesloft technologies, with the exception of any Drift app” and that Drift will remain disabled “until further notice.”
Furthermore, the spokesperson emphasized that the campaigns were not limited to Salesloft’s Drift integration, and that as Google previously noted, “the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations.” Finally, they added that these campaigns do not involve any vulnerability in the Salesforce platform.
Mitigating UNC6040 and UNC6395
To defend against the threat posed by the threat actors behind these campaigns, the FBI recommends organizations train call center employees to recognize and report phishing attempts; require employees use phishing-resistant MFA; implement “authentication, authorization, and accounting (AAA) systems to limit actions users can perform”; enforce IP-based access restrictions; monitor network logs and browser activity for signs of compromise; and review all third-party connections to software instances.
The advisory also includes indicators of compromise, including IP addresses and URLs associated with the two campaigns.
Dark Reading contacted Salesloft for comment.
‘. Do not end the article by saying In Conclusion or In Summary. Do not include names or provide a placeholder of authors or source. Make Sure the subheadings are in between html tags of
[/gpt3]
Stay Ahead with the Latest Tech Trends
Explore the future of technology with our detailed insights on Artificial Intelligence.
Discover archived knowledge and digital history on the Internet Archive.
CyberRisk-V1
