Google Warns of Vishing, Extortion Campaign Targeting Salesforce Customers

A threat actor specializing in voice phishing (vishing) attacks is targeting Salesforce customers in a large-scale data theft and extortion campaign, Google warns.

The threat actor, tracked as UNC6040, impersonates IT support personnel in phone engagements with employees at targeted organizations, convincing them to authorize a malicious application’s access to the businesses’ Salesforce portals.

As part of the observed attacks, UNC6040 guides the victim to access Salesforce’s connected app setup page and approve a modified, unauthorized version of Salesforce’s Data Loader application.

Once access has been granted, the application allows the threat actor to exfiltrate sensitive information from the compromised Salesforce environment. The data is then used to extort the victim organization, sometimes months after the intrusion.

“Such access not only results in direct data loss but also frequently serves as a precursor to lateral movement, enabling the attackers to compromise other cloud services and internal corporate networks,” Google explains.

The threat actor was seen exfiltrating data using Salesforce’s Data Loader application and moving laterally to other platforms, including Microsoft 365, Okta, and Workplace.
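The intrusion chain described above leaves two artifacts in a Salesforce org: an OAuth grant for a connected app nobody sanctioned, and API logins through that app, typically from infrastructure outside the corporate network. The following triage script is an added example and is not code from Google's report or from Salesforce. It runs over constructed records whose field names follow the Salesforce OauthToken (AppName, UserId, UseCount) and LoginHistory (Application, UserId, SourceIp, LoginTime, Status) objects; the record contents, the allowlist of approved apps, the app label "Data Loader Support" standing in for a rebranded Data Loader, and the corporate egress range (an RFC 5737 documentation prefix) are all assumptions made for the example.

```python
"""Triage unapproved Salesforce connected-app grants and correlate them with API logins.

Added example, not Google's or Salesforce's code. Field names follow the Salesforce
OauthToken and LoginHistory objects; every record below is constructed for the demo.
"""
import ipaddress

# Assumed allowlist: connected apps an admin has actually sanctioned for this org.
APPROVED_APPS = {"Salesforce for Android", "Salesforce for iOS", "Dataloader Partner"}

# Assumed corporate egress range (RFC 5737 documentation prefix, not a real network).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed OauthToken export. "Data Loader Support" plays the role of the
# modified, unauthorized Data Loader the victim was talked into approving.
OAUTH_TOKENS = [
    {"AppName": "Salesforce for iOS", "UserId": "005A", "UseCount": 41},
    {"AppName": "Dataloader Partner", "UserId": "005B", "UseCount": 3},
    {"AppName": "Data Loader Support", "UserId": "005C", "UseCount": 2},
]

# Constructed LoginHistory export for the same users.
LOGIN_HISTORY = [
    {"Application": "Browser", "UserId": "005C", "SourceIp": "203.0.113.10",
     "LoginTime": "2025-05-01T14:02:00", "Status": "Success"},
    {"Application": "Data Loader Support", "UserId": "005C", "SourceIp": "198.51.100.7",
     "LoginTime": "2025-05-01T14:09:00", "Status": "Success"},
    {"Application": "Data Loader Support", "UserId": "005C", "SourceIp": "198.51.100.7",
     "LoginTime": "2025-05-01T14:40:00", "Status": "Success"},
    {"Application": "Dataloader Partner", "UserId": "005B", "SourceIp": "203.0.113.22",
     "LoginTime": "2025-05-01T09:00:00", "Status": "Success"},
]


def is_corporate(ip: str) -> bool:
    """True when the source address falls inside an assumed corporate egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def unapproved_tokens(tokens, approved=APPROVED_APPS):
    """Connected-app grants that no admin sanctioned: the artifact a vished user leaves behind."""
    return [t for t in tokens if t["AppName"] not in approved]


def triage(tokens, logins, approved=APPROVED_APPS):
    """For each unapproved grant, collect the successful logins made through that app by
    the same user and note any source IPs outside the corporate range. A grant that is
    already being used from off-network infrastructure is rated high; a grant with no
    such logins still needs review, since the token can be used later."""
    findings = []
    for tok in unapproved_tokens(tokens, approved):
        hits = [
            l for l in logins
            if l["UserId"] == tok["UserId"]
            and l["Application"] == tok["AppName"]
            and l["Status"] == "Success"
        ]
        off_network = sorted({l["SourceIp"] for l in hits if not is_corporate(l["SourceIp"])})
        findings.append({
            "user": tok["UserId"],
            "app": tok["AppName"],
            "api_logins": len(hits),
            "off_network_ips": off_network,
            "severity": "high" if off_network else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(OAUTH_TOKENS, LOGIN_HISTORY):
        print(finding)
```

On the constructed data the script flags user 005C: one unapproved grant, two successful logins through it, both from 198.51.100.7, rated high. Revoking the token (the OauthToken object supports deletion) stops further use, but the data already pulled is gone, which is why this check is a detective control; the preventive one is to stop users from self-authorizing arbitrary connected apps in the first place.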

In all observed incidents, UNC6040 relied solely on social engineering for initial access, and not the exploitation of a Salesforce vulnerability, Google notes. Salesforce warned of such attacks months ago.

The campaign, which is still ongoing, began months ago and has hit approximately 20 organizations, Google says. Described as opportunistic, UNC6040’s attacks have targeted the education, hospitality, retail, and other sectors in the Americas and Europe.

The group is presumed to be working with a second threat actor that monetizes access to the stolen data, and it has been seen claiming affiliation with the notorious ShinyHunters hackers, likely to increase pressure on victims, Google says.

UNC6040 infrastructure used to access Salesforce applications also hosted an Okta phishing panel that the group directed victims to. During phone calls, the threat actor also requested user credentials and multifactor authentication codes for Salesforce Data Loader authentication.

Google’s investigation into these attacks uncovered links to threat actors associated with the cybercrime collective ‘The Com’ (of which Scattered Spider is a part), through overlapping TTPs such as “social engineering via IT support, the targeting of Okta credentials, and an initial focus on English-speaking users at multinational companies”.

“This campaign by UNC6040 is particularly notable due to its focus on exfiltrating data specifically from Salesforce environments. Furthermore, this activity underscores a broader and concerning trend: threat actors are increasingly targeting IT support personnel as a primary vector for gaining initial access, exploiting their roles to compromise valuable enterprise data,” Google notes.

Related: 26 New Threat Groups Spotted in 2024: CrowdStrike

Related: Firebase, Google Apps Script Abused in Fresh Phishing Campaigns

Related: Why Bullying Employees Into Compliance Won’t Work

Related: Brad Arkin is New Chief Trust Officer at Salesforce
