Google Alerts Users About Voice Phishing Targeting Salesforce Accounts


Hacking Group Exploits Salesforce Through Voice Phishing

A recent investigation has detailed the tactics of a financially motivated hacking group tracked as UNC6040, which targets organizations' Salesforce instances. The group uses voice phishing (vishing) to gain an initial foothold, exfiltrates sensitive data from the compromised environment, and then extorts the victim by threatening to publish the stolen records. The Google Threat Intelligence Group (GTIG) has been tracking the activity and has shared its findings in a detailed report.

The Tactics of UNC6040

An intrusion typically begins with UNC6040 operators phoning employees while posing as IT support staff. Under the pretext of resolving a support issue, they talk the employee through authorizing a modified version of Salesforce's Data Loader, a legitimate client tool for bulk import and export of records, as an application connected to the organization's Salesforce instance.

GTIG's analysis notes that in several intrusions these modified Data Loader builds were used to query and exfiltrate data from the victim's Salesforce environment. The sophistication of the queries varies between intrusions, which suggests the operators adapt their approach from one target to the next.

Data Exfiltration Strategies

UNC6040's exfiltration pattern varies. In some incidents the group pulls data in small increments to avoid triggering volume-based alerts; in others it moves quickly, extracting large datasets and in some cases entire Salesforce objects in a short time.

The group's operations do not stop at Salesforce. Evidence indicates that it also harvests user credentials, which it uses to move laterally into other cloud services such as Microsoft 365 and Okta and to collect further data there. Notably, UNC6040 uses an Okta-themed phishing panel to capture those credentials.
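The two exfiltration patterns described above (a slow trickle of small queries versus a rapid bulk pull) call for two different detection thresholds, and both are easier to spot when combined with the source address and the client application that issued the query. The following is an added example, not code from the article, GTIG or Salesforce: it runs four checks over constructed API-usage records whose fields (`user`, `client`, `ip`, `ts`, `rows`) are an assumed simplification, not the real Salesforce event log schema. The approved-app list, corporate IP ranges and row thresholds are likewise assumptions to be replaced with an organization's own baseline. Because a modified Data Loader can present any client name, the volume and source-address rules, not the name check, carry most of the weight.

```python
"""Flag suspicious Salesforce data-export activity in API-usage records.
Added example; not code from the article, Google/GTIG, or Salesforce.
Record fields and tuning values are assumptions, not a real schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tuning knobs (assumptions; derive from your own org's baseline).
KNOWN_CLIENTS = {"Salesforce Data Loader", "Reports and Dashboards"}  # approved connected apps
CORPORATE_NETS = [ip_network("203.0.113.0/24")]                       # enforced login IP ranges
BURST_WINDOW, BURST_ROWS = timedelta(minutes=15), 50_000              # "pull everything" pattern
TRICKLE_WINDOW, TRICKLE_ROWS = timedelta(hours=24), 100_000           # "siphon slowly" pattern


def _t(s):
    return datetime.fromisoformat(s)


def _on_corporate_net(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def windowed_totals(events, window):
    """Per user, the largest row count returned inside any sliding `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    peaks = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _t(e["ts"]))
        start, running, peak = 0, 0, 0
        for e in evs:
            running += e["rows"]
            # Drop events that fell out of the window before recording the peak.
            while _t(e["ts"]) - _t(evs[start]["ts"]) > window:
                running -= evs[start]["rows"]
                start += 1
            peak = max(peak, running)
        peaks[user] = peak
    return peaks


def detect(events):
    """Return (rule, user, detail) findings for the four checks."""
    findings, seen_clients, seen_offnet = [], set(), set()
    for e in sorted(events, key=lambda e: _t(e["ts"])):
        # 1. A client app name the org has never approved, reported on first sight.
        if e["client"] not in KNOWN_CLIENTS and e["client"] not in seen_clients:
            findings.append(("unapproved_client", e["user"], e["client"]))
        seen_clients.add(e["client"])
        # 2. Rows leaving to an address outside the enforced IP ranges.
        if e["rows"] and not _on_corporate_net(e["ip"]) and (e["user"], e["ip"]) not in seen_offnet:
            seen_offnet.add((e["user"], e["ip"]))
            findings.append(("offnet_export", e["user"], e["ip"]))
    # 3. Many rows in minutes: the fast, whole-table pull.
    burst_users = set()
    for user, peak in windowed_totals(events, BURST_WINDOW).items():
        if peak > BURST_ROWS:
            burst_users.add(user)
            findings.append(("burst_export", user, peak))
    # 4. Many rows over a day with no burst to explain it: the slow trickle.
    for user, peak in windowed_totals(events, TRICKLE_WINDOW).items():
        if peak > TRICKLE_ROWS and user not in burst_users:
            findings.append(("trickle_export", user, peak))
    return findings


def _ev(user, client, ip, ts, rows):
    return {"user": user, "client": client, "ip": ip, "ts": ts, "rows": rows}


_BASE = datetime(2025, 6, 3)
# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = (
    # Normal admin use of the approved Data Loader from the office range.
    [_ev("jdoe", "Salesforce Data Loader", "203.0.113.10", "2025-06-03T09:00:00", 800)]
    # Victim 1: a look-alike app authorized after a vishing call pulls three
    # large result sets within ten minutes from an unknown address.
    + [_ev("asmith", "Data Loader", "198.51.100.7", f"2025-06-03T13:{m:02d}:00", 40_000)
       for m in (2, 6, 11)]
    # Victim 2: the same app, but 4,000 rows every 40 minutes for a full day.
    + [_ev("bwong", "Data Loader", "198.51.100.7",
           (_BASE + i * timedelta(minutes=40)).isoformat(), 4_000) for i in range(36)]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

Running the block reports the unapproved "Data Loader" client once, the off-network exports for both victims, a burst of 120,000 rows for the fast operator and a 144,000-row trickle for the slow one, while the admin's routine 800-row job stays silent. The burst rule alone would have missed the trickle case entirely, which is why the 24-hour cumulative check is kept separate.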

Social Engineering at Its Core

UNC6040's methods underline a defining feature of many current intrusions: they exploit people rather than software flaws. The group's tradecraft is built on social engineering that persuades employees to install or authorize malicious software without raising suspicion.

GTIG explains that during these calls UNC6040 asks victims directly for their credentials and multifactor authentication codes; with those in hand, the attackers can log in and authorize the malicious Data Loader application in the targeted Salesforce environment.

Possible Connections to Other Hacking Collectives

There are also indications that UNC6040 is affiliated with the broader criminal collective known as "The Com", based on overlaps in tactics, techniques and procedures. In extortion messages sent after the data theft, the attackers have additionally claimed association with the ShinyHunters group, suggesting UNC6040 does not operate in isolation.

Salesforce’s Stance on Security

Salesforce has responded to these incidents by emphasizing that the security breaches are not due to inherent flaws within their platform. A spokesperson stated, “Salesforce has enterprise-grade security built into every part of our platform, and there’s no indication the issue described stems from any vulnerability inherent to our services.”

Instead, Salesforce attributes the incidents to targeted social engineering that exploits gaps in users' security awareness. The company points to its shared-responsibility model and to controls it already offers, such as multifactor authentication and login IP range restrictions, as the means for customers to guard against this kind of activity.

Conclusion

The UNC6040 campaign is a reminder that an attacker who can talk a user into authorizing an application needs no platform vulnerability at all. As organizations continue to run critical operations on platforms like Salesforce, they should train staff to recognize IT-support pretexts, restrict which applications can connect to their instance, and monitor for unusual data export volumes.

For further insights into securing Salesforce environments, you can explore the comprehensive resources provided by both Google and Salesforce.
