
"The first campaign, attributed to a threat actor tracked as UNC6040 and ongoing for several months, relies on voice phishing (vishing) to convince employees at the victim organizations to grant them access to the Salesforce instance or to share credentials for the portal. In some cases, the attackers guide the employee to approve a modified Salesforce Data Loader application variant that grants them access to the data stored in the Salesforce instance. 'UNC6040 threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls. After obtaining access, UNC6040 threat actors have then used API queries to exfiltrate large volumes of data in bulk,' the FBI notes in its alert (PDF). After stealing the data, the cybercriminals send extortion demands to the victim organizations, threatening to release the information publicly unless a ransom is paid in cryptocurrency."
"The second malicious operation the FBI warns about is the recent widespread Salesforce-Salesloft data theft campaign that hit over 700 organizations through the integration with the Drift AI chatbot, and which has been attributed to a threat actor tracked as UNC6395. As part of the attack, hackers used compromised OAuth tokens for Drift to access the Salesforce instances and steal large amounts of data. The hackers exfiltrated the tokens from Drift's AWS instance, after having acces"
Two distinct campaigns targeted Salesforce customers for data theft and extortion. One campaign, attributed to UNC6040, used voice phishing to convince employees to grant access or to approve a modified Salesforce Data Loader application that provided API access for bulk data exfiltration. The data theft was followed by cryptocurrency extortion demands. UNC6040 has been observed moving laterally to Microsoft 365, Okta, and Workplace and has claimed ties to the ShinyHunters extortion group linked to Scattered Spider. A separate campaign, attributed to UNC6395, used compromised OAuth tokens taken from Drift's AWS environment to access Salesforce via the Salesloft integration, affecting over 700 organizations.
Read at SecurityWeek