Fast Facts
- The FBI has issued a warning about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion, exploiting OAuth tokens and using phishing attacks.
- UNC6395 compromised Salesloft’s GitHub account, leading to a breach of its Drift AI chatbot application, prompting security measures and customer advisories.
- UNC6040 has been conducting large-scale data exfiltration via vishing, modified data loader tools, and API queries, often followed by extortion, with potential links to the ShinyHunters group.
- Cybercriminal groups like LAPSUS$ and ShinyHunters are disbanding or going dark, but experts warn these groups tend to re-emerge, emphasizing the need for ongoing vigilance.
Problem Explained
The FBI has issued a warning about two cybercriminal groups, UNC6040 and UNC6395, which have recently conducted significant attacks targeting Salesforce platforms. UNC6395, linked to a widespread data theft campaign in August 2025, exploited compromised OAuth tokens following a February-June breach of Salesloft’s GitHub account, prompting the company to shut down parts of its AI-driven Drift application and implement stronger security measures. Meanwhile, UNC6040, active since late 2024, has employed deception tactics like phishing and customized scripts to infiltrate Salesforce accounts, stealing large volumes of data and then extorting victims, sometimes months after the initial breach. Notably, these groups have been connected to broader coordinated criminal efforts, including the disbanding of the notorious LAPSUS$ group earlier this year—an action possibly driven by law enforcement pressure. Despite the group’s public claim to have gone dark, cybersecurity experts warn this may be a temporary halt, emphasizing the persistent danger posed by such malicious actors and the importance of continuous vigilance for organizations.
Risk Summary
The FBI has issued a warning about two cybercriminal groups, UNC6040 and UNC6395, that are actively stealing data and extorting victims by targeting Salesforce platforms through sophisticated initial access tactics, including compromised OAuth tokens, phishing, and API exploitation. UNC6395 exploited breached GitHub accounts to attack Salesforce instances, prompting organizations like Salesloft to enhance security measures and temporarily disable affected services. Meanwhile, UNC6040 has used social engineering, vishing, and custom scripting to exfiltrate large volumes of sensitive data, then threaten extortion, often linked to a broader threat cluster called UNC6240 associated with ShinyHunters. Notably, these groups are restructuring or disbanding, with some claiming to go dark after law enforcement actions, but experts warn that such closures are often temporary, and the threat landscape remains active. As cybercriminals continually adapt, organizations must uphold vigilant security protocols, recognize that data breaches and backdoors may persist undetected, and prepare for emerging tactics that could cause significant operational and reputational damage.
Fix & Mitigation
Quick action can significantly reduce the risk of data breaches and protect sensitive information when threats like UNC6040 and UNC6395 target Salesforce platforms. Prompt remediation is crucial to safeguard organizational assets, preserve trust, and prevent costly security incidents.
Mitigation Steps:
- Implement advanced threat detection tools
- Enforce strong authentication measures
- Regularly update and patch Salesforce systems
- Disable or restrict unnecessary user permissions
- Conduct staff training on cybersecurity practices
Remediation Actions:
- Isolate affected systems immediately
- Conduct a comprehensive security audit
- Remove or neutralize any identified malware or backdoors
- Notify relevant authorities and stakeholders
- Review and enhance incident response plans
Explore More Security Insights
Explore career growth and education via Careers & Learning, or dive into Compliance essentials.
Explore engineering-led approaches to digital security at IEEE Cybersecurity.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
