FBI Releases IOCs on Cyber Threats Exploiting Salesforce for Data Theft

The Federal Bureau of Investigation (FBI) has released a detailed flash advisory disclosing indicators of compromise (IOCs) and tactics used by two cybercrime groups—UNC6040 and UNC6395—to breach Salesforce customer environments and siphon sensitive data.

Coordinated with the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS/CISA), the bulletin aims to equip security teams and system administrators with actionable intelligence to detect, investigate, and thwart these sophisticated campaigns.

Since October 2024, UNC6040 has relied heavily on social engineering voice phishing (vishing) to dupe call center staff into granting access to Salesforce accounts.

Posing as IT support representatives, attackers guide victims through closing a purported service ticket and coax them into sharing credentials or multifactor authentication (MFA) codes.

In many cases, the threat actors direct victims to Salesforce’s connected app setup page, tricking them into authorizing a fake Data Loader application.

Once approved, the malicious connected app issues OAuth tokens that appear legitimate to Salesforce’s systems, bypassing conventional defenses such as password resets, login alerts, and MFA challenges.

The unauthorized integration then enables bulk data exfiltration via API queries without raising immediate suspicion.

UNC6395, by contrast, leveraged compromised OAuth tokens associated with the Salesloft Drift chatbot application in August 2025.

Upon obtaining valid tokens, UNC6395 operators accessed and exfiltrated customer data directly through the trusted Salesloft integration.

Salesforce and Salesloft swiftly invalidated all active access and refresh tokens for the Drift application on August 20, effectively cutting off the attackers’ persistent access.

IOC Details

The FBI’s advisory publishes exhaustive lists of IP addresses, URLs, and user-agent strings tied to both UNC6040 and UNC6395 activities.

UNC6040’s known malicious infrastructure includes more than one hundred IP addresses, among them 13.67.175.79, 20.190.130.40, 23.145.40.165, and 146.70.211.119.

Key URLs used in vishing lures and exfiltration include login.salesforce[.]com/setup/connect with varied user_code parameters, as well as decoy domains like help[victim][.]com and PHP scripts hosted on attacker-controlled servers.

UNC6395’s footprint comprises roughly twenty IP addresses—including 208.68.36.90, 154.41.95.2, and 185.220.101.180—and user-agent strings such as Salesforce-Multi-Org-Fetcher/1.0, Salesforce-CLI/1.0, and python-requests/2.32.4.

These artifacts enable defenders to tune detection rules, block malicious traffic, and perform retrospective log analysis to uncover stealthy intrusions.

To bolster resilience against these OAuth-based exfiltration campaigns, the FBI recommends organizations adopt a layered defense approach.

Training call center and support staff to recognize social engineering ploys is essential, as is enforcing phishing-resistant MFA across all externally facing services.

Implementing strict authentication, authorization, and accounting (AAA) controls helps enforce the principle of least privilege, limiting third-party integrations to only those with a verified business need.

Organizations should also enforce IP-based access restrictions on critical platforms and continuously monitor API usage for anomalous query patterns that indicate bulk data extraction.

Routine audits of third-party applications connected to Salesforce instances can reveal stale or unauthorized integrations; rotating API keys and revoking unused OAuth tokens further reduces the attack surface.

Network defenders are urged to examine logs for connections resembling known malicious IOCs, correlate disparate events to map out potential compromise chains, and leverage intrusion detection systems tuned to the listed IP addresses and user-agent identifiers.
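
As an added example (not part of the FBI advisory or this article), the following Python script applies the IP addresses and user-agent strings quoted above, plus a bulk-extraction heuristic, to constructed sample API log lines. The CSV layout, user names, the non-IOC addresses and the 50,000-row threshold are assumptions; the real advisory lists far more indicators than the handful reproduced here.

```python
import csv
import io
from collections import defaultdict

# Indicators as quoted in the article above (a small subset of the advisory's full lists).
IOC_IPS = {"13.67.175.79", "20.190.130.40", "23.145.40.165", "146.70.211.119",
           "208.68.36.90", "154.41.95.2", "185.220.101.180"}
IOC_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0",
                   "python-requests/2.32.4"}
# Assumed threshold for "bulk" row volume per user; tune to the org's normal API usage.
BULK_ROWS_THRESHOLD = 50_000

# Constructed sample log, loosely modelled on an API event export (not real Salesforce data).
SAMPLE_LOG = """timestamp,user,source_ip,user_agent,rows_processed
2025-08-15T10:00:01Z,alice,203.0.113.7,Mozilla/5.0,120
2025-08-15T10:02:13Z,svc-drift,208.68.36.90,python-requests/2.32.4,40000
2025-08-15T10:03:40Z,svc-drift,208.68.36.90,python-requests/2.32.4,35000
2025-08-15T10:05:09Z,bob,198.51.100.9,Salesforce-CLI/1.0,10
2025-08-15T10:07:55Z,carol,192.0.2.44,Mozilla/5.0,70000
"""


def triage(log_text):
    """Return sorted, de-duplicated (user, reason) findings for three signals:
    an IOC IP hit, an IOC user-agent hit, and a per-user cumulative row count at or
    above BULK_ROWS_THRESHOLD. A user-agent match alone is low confidence (these
    strings also occur in legitimate tooling), so findings are meant to be correlated,
    not acted on individually."""
    findings = set()
    rows_per_user = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"]
        if row["source_ip"] in IOC_IPS:
            findings.add((user, f"ioc_ip:{row['source_ip']}"))
        if row["user_agent"] in IOC_USER_AGENTS:
            findings.add((user, f"ioc_ua:{row['user_agent']}"))
        rows_per_user[user] += int(row["rows_processed"])
    for user, rows in rows_per_user.items():
        if rows >= BULK_ROWS_THRESHOLD:
            findings.add((user, f"bulk_rows:{rows}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in triage(SAMPLE_LOG):
        print(f"{user}\t{reason}")
```

A user hitting all three signals (here the constructed svc-drift account) is the pattern the advisory describes: a trusted integration identity, an advisory-listed source address, and query volumes consistent with bulk export.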

By sharing these IOCs and attack methodologies, the FBI aims to drive proactive defense measures and community collaboration.

Organizations that detect suspicious activity or possess additional intelligence are encouraged to contact their local FBI Cyber Squad or report incidents through the FBI’s Internet Crime Complaint Center.

Swift sharing of threat data will help forestall future intrusions and protect sensitive customer information within cloud environments.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.