Members of a financially motivated threat group are impersonating IT support staff in convincing phone calls and talking employees into granting access to their organization’s Salesforce environments.
Over the past several months, the threat actor, whom Google’s threat intelligence group is tracking as UNC6040, has breached multiple organizations in this fashion and stolen large volumes of data from within their Salesforce platforms with a view to extorting them later. Many of the victims have been within English-speaking branches of large multinational companies.
No Hack Attacks
“A prevalent tactic in UNC6040’s operations involves deceiving victims into authorizing a malicious connected app to their organization’s Salesforce portal,” Google said in a blog post this week. “This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce.”
UNC6040’s approach in the campaign, according to Google, is simple but effective. It relies entirely on vishing — or voice-based social engineering — rather than on vulnerability exploits or other technical tricks. In such scams, bad actors use phone calls and voice messages to interact directly with targets and smooth-talk them into taking unsafe actions, like disclosing credentials and sensitive data, authorizing malicious apps, and enabling remote access to their systems. The pretexts for the calls and messages can range widely — such as calls impersonating CISA staff, bank employees, or IT support staff.
Though low-tech, voice phishing has proven so effective that multiple threat groups have incorporated it into their attack playbooks.
In the UNC6040 campaign that Google is tracking, the scam begins with the victim receiving a phone call ostensibly from their organization’s IT department on some support-related pretext. During the call, the threat actor talks the employee into visiting their Salesforce instance’s connected app setup page and approving a malicious version of Salesforce’s Data Loader app. In doing so, the victim unwittingly grants the threat actor the ability to access, query, and exfiltrate data from the organization’s now-compromised Salesforce environment.
Salesforce Data Loader is an app that allows organizations to bulk import, export, update, or delete Salesforce records using either a command-line interface or a graphical user interface. Salesforce has previously warned that attackers are increasingly scamming users into adding a malicious version of Data Loader to their Salesforce instance, or using vishing to steal credentials and multifactor authentication (MFA) codes for their Salesforce accounts. Concerns over the trend prompted the company to issue guidance in March on protecting Salesforce environments against social engineering threats.
Lag Between Data Access and Extortion
Google said it has observed UNC6040 begin to exfiltrate data almost immediately after gaining access to an organization’s Salesforce environment. Following the initial data theft, the threat actor has often moved laterally across the victim network and attempted to access other platforms, such as Okta and Microsoft 365, Google said.
In many cases, though, UNC6040 has waited for months after the initial compromise and data theft to extort victims, meaning that some compromised organizations are likely to hear from the threat actor only in the coming months. Google interpreted the delay as a sign that UNC6040 has likely partnered with other groups that monetize access to the stolen data. “During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims,” Google said.
Yoni Shohet, CEO of Valence Security, says UNC6040’s campaign is successful because it exploits a big blind spot many organizations still have around software-as-a-service (SaaS). “Attackers aren’t breaking in through a vulnerability — they’re socially engineering employees into granting them access or providing their credentials — including their multifactor authentication codes,” he says. “Most users can’t tell the difference between a legitimate and a malicious ‘Salesforce Data Loader’ or between a legitimate and a malicious IT support personnel.”
Other major SaaS platforms continue to be attractive targets for attackers as well because of how organizations use and manage them, Shohet says. These applications are very complex and include many configurations that, when misconfigured by either an admin or a business user, can be leveraged by attackers to gain unauthorized access to sensitive data. “Most companies inherently trust these tools, especially when access is linked to reputable providers like Salesforce. But what’s often overlooked is that the responsibility to secure SaaS environments ultimately lies with the customer.”
Salesforce and Google have outlined several measures organizations can take to mitigate exposure to such attacks. Recommended measures include applying the principle of least privilege, especially for tools such as Data Loader, restricting access to Salesforce instances to specific login IP ranges, and enabling MFA.
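One way a defender can act on the IP-range recommendation above is to review Salesforce login history for API clients, Data Loader in particular, connecting from outside the organization’s approved ranges. The script below is an added example, not code from Google or Salesforce; the records are constructed in the shape of Salesforce LoginHistory rows, the allowed range is an assumption standing in for an org’s own Login IP Ranges, and the assumption that a UI login shows `ApiType` of "N/A" is ours.

```python
import ipaddress

# Constructed sample records in the shape of Salesforce LoginHistory rows
# (field names follow the LoginHistory object; all values are made up).
SAMPLE_LOGIN_HISTORY = [
    {"UserId": "005EXAMPLE0001", "LoginTime": "2025-05-01T09:12:00Z",
     "SourceIp": "203.0.113.10", "Application": "Salesforce Data Loader",
     "Status": "Success", "ApiType": "SOAP Partner"},
    {"UserId": "005EXAMPLE0002", "LoginTime": "2025-05-01T10:40:00Z",
     "SourceIp": "198.51.100.77", "Application": "Data Loader",
     "Status": "Success", "ApiType": "SOAP Partner"},
    {"UserId": "005EXAMPLE0003", "LoginTime": "2025-05-01T11:05:00Z",
     "SourceIp": "203.0.113.22", "Application": "Browser",
     "Status": "Success", "ApiType": "N/A"},
    {"UserId": "005EXAMPLE0004", "LoginTime": "2025-05-01T12:30:00Z",
     "SourceIp": "198.51.100.9", "Application": "UnknownIntegration",
     "Status": "Success", "ApiType": "REST"},
]

# Assumed corporate egress ranges; replace with the org's own Login IP Ranges.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def is_allowed(ip: str) -> bool:
    """True if the source address falls inside an approved login range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)


def find_suspicious_logins(records):
    """Flag successful API-client logins from outside the allowed ranges.

    A Data Loader client gets its own reason so analysts can prioritise it,
    since a renamed or modified Data Loader is the tool described in the campaign.
    Returns (UserId, SourceIp, LoginTime, reason) tuples.
    """
    hits = []
    for r in records:
        if r.get("Status") != "Success" or is_allowed(r["SourceIp"]):
            continue
        app = (r.get("Application") or "").lower()
        if "data loader" in app:
            hits.append((r["UserId"], r["SourceIp"], r["LoginTime"], "data-loader-outside-ip-range"))
        elif r.get("ApiType", "N/A") != "N/A":  # assumption: "N/A" marks UI logins
            hits.append((r["UserId"], r["SourceIp"], r["LoginTime"], "api-login-outside-ip-range"))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOGIN_HISTORY):
        print(*hit)
```

In a real review the records would come from a SOQL query against LoginHistory, and hits for Data Loader from unexpected addresses would be correlated with bulk export activity and recently authorized connected apps.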