Google Uncovers Vishing Group UNC6040 Using Fake Data Loader to Target Salesforce


Rise of Vishing Campaigns: Understanding the Threat from UNC6040

Overview of the Threat

In recent cybersecurity news, Google has identified a new threat cluster, known as UNC6040, specifically focused on voice phishing, or vishing. This group has been targeting organizations using Salesforce to conduct large-scale data theft and extortion. This evolving cyber threat illustrates the increasingly sophisticated tactics employed by malicious actors in the digital landscape.

The Tactics of UNC6040

According to Google’s Threat Intelligence Group (GTIG), UNC6040 has successfully infiltrated networks by masquerading as IT support personnel during phone interactions. This clever use of social engineering has enabled attackers to manipulate English-speaking employees into revealing sensitive information or performing actions that compromise the organization’s security. These tactics not only showcase the attackers’ skills but also highlight vulnerabilities within organizational defenses.

Methodology: Exploiting Salesforce

A particularly alarming aspect of UNC6040’s methodology involves a modified version of Salesforce’s Data Loader, the client application used to import, export, and update data in bulk within the Salesforce platform. During vishing calls, attackers walk their targets through approving this altered app, often disguised under misleading names such as “My Ticket Portal.” Once the app is authorized, the attackers hold access to the Salesforce environment and can exfiltrate data without triggering the usual alarms.
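One defensive check that follows from this technique: reconcile every connected-app approval and bulk export against an allowlist of vetted apps, flagging unknown names, lookalikes that reuse an approved name under a different consumer key, and large exports through anything unapproved. This is an added example, not code from Google’s report or from Salesforce; the event records and field names are constructed for illustration, not Salesforce’s actual event schema.

```python
from collections import defaultdict

# Constructed sample events (assumed field layout, not the Salesforce schema):
# an OAuth approval of an app, followed by bulk exports through that app.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:01:00Z", "user": "alice@example.com", "event": "oauth_approve",
     "app": "Salesforce Data Loader", "client_id": "CK-DATALOADER", "rows": 0},
    {"ts": "2025-06-02T09:05:00Z", "user": "alice@example.com", "event": "bulk_export",
     "app": "Salesforce Data Loader", "client_id": "CK-DATALOADER", "rows": 2_000},
    {"ts": "2025-06-02T14:12:00Z", "user": "bob@example.com", "event": "oauth_approve",
     "app": "My Ticket Portal", "client_id": "CK-UNKNOWN-1", "rows": 0},
    {"ts": "2025-06-02T14:20:00Z", "user": "bob@example.com", "event": "bulk_export",
     "app": "My Ticket Portal", "client_id": "CK-UNKNOWN-1", "rows": 150_000},
    {"ts": "2025-06-03T08:00:00Z", "user": "carol@example.com", "event": "oauth_approve",
     "app": "Salesforce Data Loader", "client_id": "CK-LOOKALIKE", "rows": 0},
]

# Allowlist of vetted connected apps: display name -> consumer key (constructed values).
APPROVED_APPS = {"Salesforce Data Loader": "CK-DATALOADER"}
EXPORT_ROW_THRESHOLD = 100_000  # cumulative rows per user/app before we alert


def find_suspicious(events, approved=APPROVED_APPS, threshold=EXPORT_ROW_THRESHOLD):
    """Return (finding, user, app) tuples for approvals and exports worth review."""
    findings = []
    exported = defaultdict(int)  # (user, client_id) -> cumulative rows exported
    for e in events:
        name, cid = e["app"], e["client_id"]
        if e["event"] == "oauth_approve":
            if name not in approved:
                findings.append(("unapproved_app", e["user"], name))
            elif approved[name] != cid:
                # Approved display name but a different consumer key: a lookalike app
                findings.append(("lookalike_app", e["user"], name))
        elif e["event"] == "bulk_export":
            key = (e["user"], cid)
            exported[key] += e["rows"]
            if exported[key] >= threshold and approved.get(name) != cid:
                findings.append(("bulk_export_unapproved", e["user"], name))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(*finding)
```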

Lateral Movement Within Networks

UNC6040’s attacks don’t stop at stealing data. Once the initial breach is achieved, the group can navigate laterally across the victim’s network. This enables them to access additional platforms like Okta, Workplace, and Microsoft 365, broadening their scope of data theft. The chain reaction of compromised systems can lead to extensive data loss across multiple services, amplifying the potential fallout for affected organizations.

Extortion as a Follow-Up Strategy

In select cases, UNC6040 has escalated its operations by engaging in extortion activities months after the initial intrusion. This indicates a strategic approach to monetize stolen data, possibly in collaboration with other malicious entities. During these extortion attempts, the group has claimed connections to the infamous ShinyHunters hacking collective, a tactic meant to heighten pressure on their victims.

Similarities with Other Threat Actors

The methods used by UNC6040 are reminiscent of tactics employed by other financially motivated groups within the cybercrime ecosystem, particularly The Com and Scattered Spider. The focus on stealing Okta credentials and the strategy of social engineering through IT impersonation reflect a broader trend among organized cybercriminals.

Salesforce’s Response

Salesforce has acknowledged the vishing campaigns that target its customers. The company issued warnings in March 2025 about threat actors impersonating IT personnel to lure employees into sharing credentials or approving malicious applications. Salesforce noted the risks associated with users navigating to phishing links designed to steal authentication tokens, underscoring the critical need for heightened vigilance among its clientele.

Increasing Targeting of IT Staff

One notable takeaway from this situation is the growing trend of targeting IT support staff as a primary pathway to gain unauthorized access. This shift in focus raises concerns about the effectiveness of existing training and security measures within organizations. The successes of campaigns like those executed by UNC6040 serve as stark reminders of the continuous evolution of cyber threats.

Implications for Organizations

The persistence and adaptability of UNC6040 are indicative of a serious threat landscape that organizations need to navigate. The significant timeframe between initial breaches and extortion demands also suggests that many organizations may unknowingly harbor vulnerabilities that could result in future compromise. It is imperative for businesses to reassess their cybersecurity protocols, particularly regarding employee training and response strategies to social engineering attempts.


The ongoing narrative of UNC6040 exemplifies the complex nature of contemporary cyber threats, urging organizations to actively bolster their defenses against increasingly sophisticated tactics.
