The Federal Bureau of Investigation (FBI) has released a flash alert detailing the activities of two cybercriminal groups, UNC6040 and UNC6395, that are actively compromising Salesforce environments to steal data for extortion purposes.
The advisory, published by the FBI on September 12, 2025, provides indicators of compromise (IOCs) and defensive measures to help organizations protect against these ongoing campaigns that leverage distinct tactics to achieve their objectives.
UNC6040’s Social Engineering Campaign
Since at least October 2024, the group tracked as UNC6040 has been using social engineering, particularly voice phishing (vishing), to gain initial access.
The threat actors call an organization’s help desk, posing as IT support staff, attempting to resolve a fake technical issue. During these calls, they persuade employees to either share their credentials or grant the attackers access to the company’s Salesforce instance.
A key tactic involves tricking employees into authorizing a malicious “connected app” within the Salesforce portal. This app is often a modified version of the legitimate Salesforce Data Loader tool.
By convincing a user with sufficient privileges to approve the application, UNC6040 gains persistent access via OAuth tokens issued by Salesforce.
This method can bypass security controls like multi-factor authentication (MFA) and password resets, as the activity appears to originate from a trusted, integrated application.
The attackers then use API queries to exfiltrate large volumes of data. Following the data theft, some victims have received extortion emails from the notorious “ShinyHunters” group, demanding payment to prevent the public release of the stolen information.
UNC6395 Exploits Third-Party Integration
The second group, UNC6395, employed a different method to breach Salesforce instances. In August 2025, these actors exploited compromised OAuth tokens associated with the Salesloft Drift application, an AI-powered chatbot that integrates with Salesforce.
By using these compromised third-party tokens, the group was able to access and exfiltrate data from the victim’s Salesforce environment, highlighting the security risks posed by third-party application integrations.
In response to this campaign, Salesloft and Salesforce collaborated to revoke all active access and refresh tokens for the Drift application on August 20, 2025. This action successfully terminated the threat actors’ access to the compromised Salesforce platforms through this specific vector.
The FBI has released an extensive list of IOCs, including IP addresses, malicious URLs, and user-agent strings associated with both UNC6040 and UNC6395, to help network defenders detect and block related activity. The agency strongly recommends that organizations take several steps to mitigate the risk of compromise.
Key recommendations include training employees, especially call center staff, to recognize and report phishing and vishing attempts.
The FBI also advises enforcing phishing-resistant MFA across all possible services, applying the principle of least privilege to user accounts, and implementing strict IP-based access restrictions.
Furthermore, organizations should continuously monitor network logs and API usage for anomalous behavior indicative of data exfiltration and regularly review all third-party application integrations connected to their software platforms, rotating API keys and credentials frequently.
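As an added illustration (not code from the FBI advisory or this article) of the API monitoring and integration review the recommendations describe, the Python below runs allowlist, source-network, user-agent and volume checks over constructed Salesforce-style API events. The field names, app ids, networks and threshold are assumptions; the allowlist is keyed on the connected app's identifier rather than its display name because UNC6040's app was a modified copy of the legitimate Data Loader.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events in an assumed, simplified schema modelled on Salesforce
# API event logs: (user, app_display_name, app_id, client_ip, user_agent, rows_returned).
# The second actor's app carries the Data Loader display name but an unknown app_id.
SAMPLE_EVENTS = [
    ("alice@example.com", "Marketing Sync", "app-0001", "203.0.113.10", "MarketingSync/2.1", 1_200),
    ("bob@example.com", "Salesforce Data Loader", "app-9999", "203.0.113.11", "Salesforce-Multi-Org-Fetcher/1.0", 48_000),
    ("bob@example.com", "Salesforce Data Loader", "app-9999", "198.51.100.7", "Salesforce-Multi-Org-Fetcher/1.0", 75_000),
    ("carol@example.com", "Drift", "app-0002", "198.51.100.9", "python-requests/2.32.4", 30_000),
    ("dave@example.com", "Salesforce Data Loader", "app-0003", "203.0.113.12", "DataLoader/60.0", 4_000),
]

APPROVED_APP_IDS = {"app-0001", "app-0002", "app-0003"}  # hypothetical allowlist keyed on app id, not name
TRUSTED_NETS = [ip_network("203.0.113.0/24")]            # hypothetical corporate egress range
ROW_THRESHOLD = 100_000                                   # cumulative rows per (user, app); tune to baseline
# User-agent prefixes of the kind listed in the advisory's UNC6395 indicators.
FLAGGED_UA_PREFIXES = ("Salesforce-Multi-Org-Fetcher/", "Salesforce-CLI/", "python-requests/", "Python/")


def find_suspicious(events, approved=APPROVED_APP_IDS, nets=TRUSTED_NETS, threshold=ROW_THRESHOLD):
    """Return one finding per event that trips at least one rule, with every reason listed."""
    findings = []
    rows_by_actor = defaultdict(int)  # running total of rows pulled per (user, app_id)
    for user, app_name, app_id, ip, ua, rows in events:
        reasons = []
        if app_id not in approved:
            reasons.append(f"unapproved connected app id {app_id} (shown as '{app_name}')")
        if not any(ip_address(ip) in net for net in nets):
            reasons.append("client IP outside trusted ranges")
        if ua.startswith(FLAGGED_UA_PREFIXES):
            reasons.append("user-agent matches a pattern from the advisory")
        rows_by_actor[(user, app_id)] += rows
        if rows_by_actor[(user, app_id)] > threshold:
            reasons.append(f"cumulative rows {rows_by_actor[(user, app_id)]} exceed {threshold}")
        if reasons:
            findings.append({"user": user, "app_id": app_id, "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding["user"], finding["app_id"], finding["ip"], "; ".join(finding["reasons"]))
```

Note that the approved Drift integration (carol's events) is still flagged on source network and user-agent, which is the kind of signal that remains when a legitimate third-party token is the one being abused, as in the UNC6395 case.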