
FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data

The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims.

“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions,” reads the FBI’s FLASH advisory.

“Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that may be used by recipients for research and network defense.”

UNC6040 was first disclosed by Google Threat Intelligence (Mandiant) in June, which warned that since late 2024 threat actors had been using social engineering and vishing (voice phishing) attacks to trick employees into connecting malicious Salesforce Data Loader OAuth apps to their company’s Salesforce accounts.

In some cases, the threat actors impersonated corporate IT support personnel and used renamed versions of the Data Loader application, such as one called “My Ticket Portal.”

Once connected, the threat actors used the OAuth application to mass-exfiltrate corporate Salesforce data, which was then used in extortion attempts by the ShinyHunters extortion group.

In these early data theft attacks, ShinyHunters told BleepingComputer that they primarily targeted the “Accounts” and “Contacts” database tables, which are both used to store data about a company’s customers.

These data theft attacks were widespread, impacting large and well-known companies, such as Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co.


Later data theft attacks in August also targeted Salesforce customers, but this time utilized stolen Salesloft Drift OAuth and refresh tokens to breach customers’ Salesforce instances.

This activity is tracked as UNC6395 and is believed to have taken place between August 8 and 18, with the threat actors using the stolen tokens to target support case data that Drift customers stored in Salesforce.

The exfiltrated data was then analyzed to extract secrets, credentials, and authentication tokens shared in support cases, including AWS keys, passwords, and Snowflake tokens. These credentials could then be used to pivot to other cloud environments for additional data theft.
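The mining step described above is ordinary secret scanning turned against CRM data, and the same scan is what a defender should run over support cases before they are stored. The script below is an added illustration, not code from the FBI advisory, Mandiant or Salesloft. The sample cases are constructed (the AWS pair is Amazon’s documented EXAMPLE key), the pattern set covers AWS access key IDs, 40-character AWS secret keys gated on entropy, `password:`-style assignments and generic three-part JWT-shaped bearer tokens (an assumption standing in for the “Snowflake tokens” the article mentions, whose exact format the page does not give), and the 4.0 bits/char entropy floor is a tunable assumption.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample support cases; not real customer data.
SUPPORT_CASES = [
    {"id": "CASE-1", "body": "Thanks, ticket resolved."},
    {"id": "CASE-2", "body": "Here is the access we use: AKIAIOSFODNN7EXAMPLE / "
                             "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-3", "body": "login fails, password: Summer2024! please check"},
    {"id": "CASE-4", "body": "Log excerpt: 2024-08-10 INFO request id 7f3a"},
]


@dataclass
class Finding:
    case_id: str
    kind: str
    preview: str  # first four characters only; the full secret is never logged


# Well-known shapes. The 40-char secret-key pattern is deliberately loose and is
# gated on entropy in scan_text(). "jwt" matches any header.payload.signature
# base64url token; it is an assumption, not a Snowflake-specific format.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "jwt": re.compile(
        r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}
ENTROPY_FLOOR = 4.0  # bits per char; assumed threshold, tune on your own data


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random 40-char keys sit well above 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _candidate(match: re.Match) -> str:
    # Patterns with a capture group carry the secret in group 1.
    return match.group(1) if match.groups() else match.group(0)


def _is_secret(kind: str, value: str) -> bool:
    # Only the loose 40-char pattern needs the entropy gate; the rest are exact.
    if kind == "aws_secret_access_key":
        return shannon_entropy(value) >= ENTROPY_FLOOR
    return True


def scan_text(case_id: str, text: str) -> list:
    """Return one Finding per secret detected in a single case body."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = _candidate(m)
            if _is_secret(kind, value):
                findings.append(Finding(case_id, kind, value[:4] + "..."))
    return findings


def scan_cases(cases: list) -> list:
    """Scan every case; this is the attacker's mining loop and the defender's audit."""
    out = []
    for case in cases:
        out.extend(scan_text(case["id"], case["body"]))
    return out


def redact(text: str) -> str:
    """Mask detected secrets so a case can be stored or shared without them."""
    for kind, pat in PATTERNS.items():
        def _mask(m, kind=kind):
            whole, value = m.group(0), _candidate(m)
            if not _is_secret(kind, value):
                return whole
            return whole.replace(value, "[REDACTED:" + kind + "]")
        text = pat.sub(_mask, text)
    return text


if __name__ == "__main__":
    for f in scan_cases(SUPPORT_CASES):
        print(f"{f.case_id}: {f.kind} ({f.preview})")
    print(redact(SUPPORT_CASES[1]["body"]))
```

Run against the sample set it flags the AWS pair in CASE-2 and the password in CASE-3, and leaves the log excerpt in CASE-4 alone because its tokens are short and low-entropy. In production the same `redact()` belongs in the path that writes a case, so the data is never in the CRM for a stolen OAuth token to pull.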

Salesloft worked with Salesforce to revoke all Drift tokens and required customers to reauthenticate to the platform.

It was later revealed that the threat actors also stole Drift Email tokens, which were used to access emails for a small number of Google Workspace accounts.

An investigation by Mandiant determined the attack originated in March, when Salesloft’s GitHub repositories were compromised, allowing attackers to ultimately steal the Drift OAuth tokens.

Like the previous attacks, these Salesloft Drift data theft attacks impacted numerous companies, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more.

While the FBI did not name the groups behind these campaigns, BleepingComputer was told by the ShinyHunters extortion group that they and other threat actors, calling themselves “Scattered Lapsus$ Hunters,” were behind both clusters of activity.

This group of hackers claims to have originated from and overlap with the Lapsus$, Scattered Spider, and ShinyHunters extortion groups.


On Thursday, the threat actors announced via a domain associated with BreachForums that they planned to “go dark” and stop discussing operations on Telegram.

However, in a parting post, the hackers claimed to have gained access to the FBI’s E-Check background check system and Google’s Law Enforcement Request system, publishing screenshots as proof.

If legitimate, this access would allow them to impersonate law enforcement and pull sensitive records of individuals.

When contacted by BleepingComputer, the FBI declined to comment, and Google did not respond to our email.
