The financially motivated threat cluster UNC6040, tracked by Google Threat Intelligence Group (GTIG), has been orchestrating a series of voice phishing (vishing) campaigns specifically aimed at compromising Salesforce environments of multinational corporations.
Unlike traditional cyberattacks that leverage software vulnerabilities, UNC6040 relies entirely on manipulating human behavior, impersonating IT support personnel to deceive employees predominantly in English-speaking branches into granting access or sharing sensitive credentials.
This approach has facilitated large-scale data theft from Salesforce instances, with the stolen information later used for extortion, sometimes months after the initial breach.
Sophisticated Voice Phishing Tactics
The campaign’s success underscores a growing trend of threat actors targeting IT support roles as a gateway to valuable enterprise data, highlighting the critical need for robust user awareness and security controls in cloud environments.
UNC6040’s primary tactic involves tricking victims into authorizing a malicious connected app, often a modified version of Salesforce’s legitimate Data Loader tool, during vishing calls.

By guiding unsuspecting employees to the Salesforce connected app setup page and convincing them to approve a counterfeit app, sometimes deceptively branded as “My Ticket Portal”, attackers gain extensive access to query and exfiltrate sensitive data directly from the compromised environment.
This abuse of Data Loader, which inherently supports bulk data operations through OAuth integration, does not exploit any inherent Salesforce vulnerability but rather capitalizes on human error.
Leveraging Malicious Data Loader Apps
GTIG reports varying levels of sophistication in data extraction, with some intrusions involving cautious test queries before rapid, large-scale exfiltration of entire data tables, while others were detected early, limiting the theft to a fraction of the targeted information.
Additionally, UNC6040 often uses infrastructure like Mullvad VPN IPs and Okta phishing panels to further credential harvesting and lateral movement across cloud platforms such as Microsoft 365, amplifying the scope of their breaches.
Intriguingly, overlaps in tactics and infrastructure with groups tied to “The Com” collective suggest potential community connections, though direct operational links remain unclear.
The delayed extortion attempts, sometimes linked to claims of affiliation with the notorious ShinyHunters group, indicate possible collaboration with secondary actors who monetize the stolen data, extending the threat lifecycle for victims.
This campaign exemplifies the persistent efficacy of vishing as a financially motivated attack vector, particularly against cloud-based systems like Salesforce.
To counter such threats, organizations must adopt a defense-in-depth strategy, prioritizing least privilege access, especially for tools like Data Loader with powerful API permissions, and enforcing strict connected app management.
Implementing IP-based access restrictions, universal multi-factor authentication (MFA), and advanced monitoring via Salesforce Shield to detect anomalous data downloads is also critical.
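As an added illustration of the monitoring recommended above (example code written for this page, not from the article, GTIG or Salesforce), the following Python flags the two behaviours the campaign exhibits: a connected app outside the approved list touching data through the API, and a small test query followed by a bulk pull. The log layout, column names, allowlist and thresholds are assumptions modeled loosely on Salesforce event log exports and must be adjusted to a real org.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (not real telemetry). Column names are assumed to
# mirror Salesforce EventLogFile API records; check your own export's schema.
# Row 1-2: routine Data Loader job by an integration user.
# Row 3-5: a newly approved "My Ticket Portal" app probes, then pulls whole objects.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2025-06-01T09:00:00Z,005xx000001A,Data Loader Integration,Account,1200
API,2025-06-01T09:05:00Z,005xx000001A,Data Loader Integration,Contact,900
API,2025-06-01T14:10:00Z,005xx000002B,My Ticket Portal,Account,25
API,2025-06-01T14:12:00Z,005xx000002B,My Ticket Portal,Account,180000
API,2025-06-01T14:20:00Z,005xx000002B,My Ticket Portal,Contact,410000
"""

APPROVED_APPS = {"Data Loader Integration"}  # connected-app allowlist (assumed)
ROW_THRESHOLD = 50_000                       # per-actor export volume trigger (assumed)
PROBE_ROWS = 100                             # anything smaller counts as a test query


def detect_bulk_exfil(log_text, approved_apps=APPROVED_APPS, threshold=ROW_THRESHOLD):
    """Return {(user_id, client_name): [reasons]} for actors worth reviewing.

    Reasons: an unapproved connected app performing API data access at all,
    a probe query followed by a bulk pull, or cumulative rows over threshold.
    """
    rows_by_actor = defaultdict(int)   # running total of rows per (user, app)
    seen_probe = defaultdict(bool)     # did this actor issue a tiny query first?
    alerts = {}
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["EVENT_TYPE"] != "API":
            continue
        actor = (rec["USER_ID"], rec["CLIENT_NAME"])
        rows = int(rec["ROWS_PROCESSED"])
        rows_by_actor[actor] += rows
        reasons = alerts.setdefault(actor, set())
        if rec["CLIENT_NAME"] not in approved_apps:
            reasons.add("unapproved_connected_app")
        if rows < PROBE_ROWS:
            seen_probe[actor] = True
        elif seen_probe[actor] and rows >= threshold:
            reasons.add("probe_then_bulk_export")
        if rows_by_actor[actor] >= threshold:
            reasons.add("export_volume_over_threshold")
    # Drop actors that triggered nothing (the routine integration job here).
    return {a: sorted(r) for a, r in alerts.items() if r}
```

In practice the allowlist would come from the org's connected app policies and the threshold from a per-profile baseline, so a legitimate integration user is not paged on every nightly load.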
As UNC6040’s activities reveal, the shared responsibility model of cloud security demands not just platform safeguards but proactive user training and policy enforcement to mitigate the human-centric risks that fuel such intrusions.
With potential downstream extortion looming for affected entities, the urgency to harden defenses against social engineering has never been greater.