Google’s Salesforce Instances Hacked in Ongoing Attack

Google has confirmed that one of its corporate Salesforce instances was compromised in June by the threat group tracked as UNC6040.

The incident is part of a broader campaign against Salesforce customers in which voice phishing (vishing) is used to steal sensitive data from organizations' Salesforce environments, followed by extortion demands.

The breach highlights the growing risks of social engineering tactics targeting cloud platforms, with attackers impersonating IT support to gain unauthorized access.

According to Google’s Threat Intelligence Group (GTIG), the intrusion occurred through similar methods observed in other UNC6040 operations.

In Google’s case, the impacted instance stored contact information and notes for small and medium businesses. GTIG’s analysis showed that the threat actors retrieved data during a brief window before access was revoked.

The exfiltrated information was limited to basic and largely publicly available business information, such as business names and contact details. Google responded by cutting off the attackers' access, conducting an impact analysis, and implementing mitigations.

UNC6040 Vishing Tactics

The incident also illustrates how UNC6040's tooling has evolved. The group initially relied on Salesforce's Data Loader to pull data, and has since moved to custom Python scripts that replicate Data Loader's bulk-export functionality.

UNC6040 operators typically open with a vishing call and then automate the data collection, routing their activity through Mullvad VPN or Tor to obscure its origin. GTIG also notes a change in how the group registers its malicious connected apps: rather than creating trial accounts with webmail addresses, the actors now register the apps from compromised accounts belonging to unrelated organizations.

This shift complicates tracking and attribution, and makes the malicious registrations harder for security teams to distinguish from legitimate activity and respond to.

Extortion is central to UNC6040's playbook, and the demand can arrive months after the data theft itself. Victims receive emails, often from addresses such as shinycorp@tuta[.]com or shinygroup@tuta[.]com, demanding a Bitcoin payment within 72 hours.

The actors falsely claim affiliation with the notorious ShinyHunters group to heighten pressure. GTIG warns that these threat actors may soon launch a data leak site to escalate tactics, potentially exposing stolen data from recent breaches, including those tied to Salesforce hacks.

The campaign’s infrastructure overlaps with elements linked to “The Com,” a loosely organized collective known for similar social engineering ploys. UNC6040 targets English-speaking employees in multinational firms, exploiting their trust in IT support calls to harvest credentials and access platforms like Okta and Microsoft 365.

In some intrusions, attackers have customized tools with names like “My Ticket Portal” to align with their phishing pretexts, demonstrating a high level of sophistication.

GTIG emphasizes that these attacks exploit human vulnerabilities rather than Salesforce flaws. No weakness in the platform itself was involved; the intrusions succeed because a user is talked into granting access. The trend reflects a broader shift toward using IT-support pretexts against employees as the entry point for data exfiltration.

The recommended defenses target the access path the campaign abuses. Organizations should enforce the principle of least privilege, limiting which users can run export tools such as Data Loader. Rigorous management of connected apps, IP-based access restrictions, and universal multi-factor authentication (MFA) are essential.

Monitoring through Salesforce Shield can detect anomalies such as large data downloads or exports from an unfamiliar client. Regular audits and user training on vishing tactics help employees resist MFA-fatigue prompts and requests to share credentials.
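The mitigations above translate into a few concrete detection rules. The following is an added example, not code from the article or from Google/GTIG: it runs three checks over constructed rows shaped like a Salesforce Shield EventLogFile export (an unapproved export client, a client IP outside the expected egress ranges, and a per-user download volume above a threshold). The column names, the allowlisted client, the trusted network and the row threshold are all assumptions for the example; verify them against your own org's EventLogFile schema and policy before reuse.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows in the shape of a Salesforce Shield EventLogFile
# CSV export. Column names and values are assumptions for this example;
# check the EventLogFile schema of your org before reusing them.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,CLIENT_IP,OPERATION_TYPE,ROWS_PROCESSED
BulkApi,20250610120000.000,005xx000001A,Salesforce Data Loader,203.0.113.10,query,1500
BulkApi,20250610120500.000,005xx000001A,Salesforce Data Loader,203.0.113.10,query,2400
BulkApi,20250610131500.000,005xx000002B,My Ticket Portal,198.51.100.77,query,180000
BulkApi,20250610132000.000,005xx000002B,My Ticket Portal,198.51.100.77,query,220000
API,20250610133000.000,005xx000003C,python-requests,198.51.100.78,query,50
"""

# Policy knobs (assumed values): which connected apps may bulk-export,
# which egress networks are expected, and how many rows one user may pull
# within a single log file before it counts as a mass download.
APPROVED_EXPORT_CLIENTS = {"Salesforce Data Loader"}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ROW_THRESHOLD = 100_000


def ip_is_trusted(ip_text):
    """True if the client IP falls inside one of the trusted egress ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Malformed or missing IP is treated as untrusted, not ignored.
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def analyze_event_log(csv_text):
    """Return a list of (rule, user_id, detail) findings for export-style events.

    Three rules, matching the mitigations in the text:
      unapproved_client - export by a connected app/client not on the allowlist
      untrusted_ip      - export from outside the expected networks
      mass_download     - one user's ROWS_PROCESSED total exceeds ROW_THRESHOLD
    """
    findings = []
    rows_per_user = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only data-retrieval events matter here; skip inserts/updates.
        if row["OPERATION_TYPE"].lower() != "query":
            continue
        user = row["USER_ID"]
        client = row["CLIENT_NAME"]
        ip = row["CLIENT_IP"]
        rows = int(row["ROWS_PROCESSED"] or 0)
        rows_per_user[user] += rows
        if client not in APPROVED_EXPORT_CLIENTS:
            findings.append(("unapproved_client", user, client))
        if not ip_is_trusted(ip):
            findings.append(("untrusted_ip", user, ip))
    # Volume is judged per user across the whole file, so a script that
    # splits an export into many modest batches is still caught.
    for user, total in rows_per_user.items():
        if total > ROW_THRESHOLD:
            findings.append(("mass_download", user, total))
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyze_event_log(SAMPLE_LOG):
        print(f"{rule:18} user={user} {detail}")
```

On the constructed rows, the Data Loader user inside the trusted range produces no findings, while the two other users are flagged on client and IP, and the user who pulled 400,000 rows across two batches is additionally flagged for volume. In practice the client allowlist should be derived from the connected apps your admins have actually approved, and the threshold tuned to the legitimate export volumes seen in the org.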
