A sophisticated voice phishing operation has emerged as a significant threat to organizations worldwide, with cybercriminals successfully infiltrating Salesforce environments to steal sensitive data and demand ransom payments.
Google’s Threat Intelligence Group has identified this financially motivated campaign, designating the primary threat cluster as UNC6040, which has demonstrated alarming success in breaching corporate networks through convincing telephone-based social engineering attacks.
Voice Phishing Targets IT Support
The cybercriminal group UNC6040 has perfected a deceptive strategy that involves impersonating IT support personnel during telephone calls to unsuspecting employees.
These attackers primarily target English-speaking branches of multinational corporations, exploiting the trust employees place in apparent technical support staff.
During these fraudulent calls, the criminals guide victims through a process that appears legitimate but actually grants unauthorized access to their organization’s Salesforce instances.
- Malicious App Authorization: Attackers direct victims to Salesforce’s connected app setup page to approve fake Data Loader applications.
- Modified Tools: The criminals use altered versions of legitimate Salesforce Data Loader software with different names or branding.
- Extensive Access: Once authorized, these malicious apps provide broad capabilities to access, query, and steal organizational data.
- Trust Exploitation: The scheme relies on employees’ inherent trust in apparent IT support personnel.
The attackers’ methodology centers on manipulating victims into authorizing malicious connected applications within their Salesforce portals.
They accomplish this by directing employees to Salesforce’s connected app setup page and instructing them to approve what appears to be a legitimate Data Loader application.

However, this application is actually a modified version controlled by the threat actors, bearing different names or branding to avoid detection.
Once authorized, this malicious app provides the criminals with extensive capabilities to access, query, and steal sensitive organizational data directly from the compromised Salesforce environments.
Google’s own corporate Salesforce instance fell victim to similar UNC6040 activity in June, affecting contact information for small and medium businesses.
While the company quickly responded and limited the breach to basic business information, the incident demonstrates the campaign’s broad reach and effectiveness against even security-conscious organizations.
Following successful data exfiltration, a secondary threat group designated UNC6240 initiates extortion activities, sometimes waiting several months before making contact with victims.
These extortion attempts typically involve direct communication with employees of the targeted organization, demanding bitcoin payments within 72-hour deadlines.
The extortionists consistently claim affiliation with the notorious hacking group ShinyHunters, likely as a psychological tactic to increase pressure on their victims.
Google’s threat intelligence reporting suggests these threat actors may be preparing to escalate their tactics by launching a data leak site, which would provide a platform for publicly releasing stolen information if ransom demands are not met.
This development represents a significant escalation in the group’s capabilities and demonstrates their commitment to monetizing stolen data through multiple pressure points.
Strengthen Salesforce Security Protocols
Security experts emphasize that defending against these sophisticated social engineering attacks requires implementing comprehensive protection strategies.
Organizations should strictly adhere to the principle of least privilege, particularly for data access tools like Data Loader, which requires the “API Enabled” permission for full functionality.
This powerful permission allows broad data export capabilities and must be carefully controlled and regularly audited.
Critical security measures include rigorous management of connected applications, with organizations needing to control how external applications interact with their Salesforce environments.
Administrative personnel should restrict powerful permissions such as “Customize Application” and “Manage Connected Apps” to essential trusted staff only.
Additionally, implementing IP-based access restrictions can counter unauthorized access attempts from commercial VPNs commonly used by these threat actors.
The campaign highlights the evolving nature of cybercrime, where traditional security measures must be complemented by comprehensive user education and robust monitoring systems to detect anomalous data access patterns and unauthorized application installations.
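The monitoring the article calls for, as an added example that is not part of the original report: it flags connected-app authorizations whose OAuth consumer key is not on an allowlist (a "Data Loader" lookalike from an unknown key scores higher), flags oversized bulk exports, and marks a user who does both in sequence, which is the chain the campaign relies on. The event shape, the sample records, the allowlist key and the threshold are all constructed assumptions, not Salesforce's real audit schema.

```python
"""Flag the connected-app-then-export pattern described above."""
from collections import defaultdict

# Constructed sample events. The field names are an assumption for this
# example (they approximate, but are not, Salesforce's own audit/event schema).
SAMPLE_EVENTS = [
    {"ts": 1, "type": "app_authorized", "user": "jdoe",
     "app_name": "Data Loader", "consumer_key": "APPROVED_KEY_PLACEHOLDER"},
    {"ts": 2, "type": "app_authorized", "user": "asmith",
     "app_name": "Data Loader 2024", "consumer_key": "unknown-key-1"},
    {"ts": 3, "type": "bulk_export", "user": "asmith", "object": "Contact", "rows": 250000},
    {"ts": 4, "type": "bulk_export", "user": "jdoe", "object": "Account", "rows": 1200},
    {"ts": 5, "type": "app_authorized", "user": "bwong",
     "app_name": "Ticket Helper", "consumer_key": "unknown-key-2"},
]

APPROVED_KEYS = {"APPROVED_KEY_PLACEHOLDER"}   # allowlist of vetted connected apps (placeholder)
EXPORT_THRESHOLD = 10_000                       # rows per export the org treats as normal

def classify_app(event, approved_keys):
    """Return a reason string if an authorization is suspicious, else None."""
    if event["consumer_key"] in approved_keys:
        return None
    # A familiar name on an unknown key is exactly the rebranded-tool trick
    if "data loader" in event["app_name"].lower():
        return "Data Loader lookalike from unapproved key"
    return "unapproved connected app"

def detect(events, approved_keys=APPROVED_KEYS, threshold=EXPORT_THRESHOLD):
    """Return per-user findings; 'chain' marks an unapproved app followed by a bulk export."""
    findings = defaultdict(list)
    suspicious_app_users = set()
    for e in sorted(events, key=lambda x: x["ts"]):   # process in time order
        if e["type"] == "app_authorized":
            reason = classify_app(e, approved_keys)
            if reason:
                findings[e["user"]].append(f'{reason}: {e["app_name"]}')
                suspicious_app_users.add(e["user"])
        elif e["type"] == "bulk_export" and e["rows"] > threshold:
            findings[e["user"]].append(f'large export of {e["object"]} ({e["rows"]} rows)')
            if e["user"] in suspicious_app_users:
                findings[e["user"]].append("chain: unapproved app followed by bulk export")
    return dict(findings)

if __name__ == "__main__":
    for user, hits in detect(SAMPLE_EVENTS).items():
        print(user, hits)
```

In a real deployment the events would come from the org's setup audit trail and API usage logs, and the allowlist would hold the consumer keys of the connected apps the admin team has actually vetted.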