Google Warns of Salesforce Data Theft via Social Engineering Attacks
By Ainvest
Wednesday, June 4, 2025, 10:29 am ET, 1 min read
CRM--
GOOG--
A hacking group has been impersonating IT staff to breach companies' Salesforce tools, stealing data and extorting victims. The group has links to the Com, a loosely affiliated group of hackers. At least 20 companies in the US and Europe have been targeted, with some receiving extortion demands months after the data was stolen. Google urges companies to remain vigilant against social engineering attacks.
A sophisticated hacking group, identified as UNC6040, has been conducting social engineering attacks against multinational companies, primarily targeting their Salesforce platforms. According to Google's Threat Intelligence Group (GTIG), the attacks involve voice phishing to trick employees into connecting a modified version of Salesforce's Data Loader application [1].
The UNC6040 group impersonates IT support personnel, requesting employees to accept a connection to the Salesforce Data Loader application. This tool allows users to import, export, update, or delete data within Salesforce environments. By tricking employees into entering a "connection code," the attackers gain access to the victim's Salesforce environment and subsequently move laterally to other connected platforms such as Okta, Microsoft 365, and Workplace [1].
The group's primary objective is to exfiltrate sensitive data, including communications, authorization tokens, and documents. Following the initial data theft, UNC6040 has been observed moving laterally through the victim's network, accessing and exfiltrating data from other platforms [1]. In some cases, the data exfiltration process was stopped prematurely due to the intervention of protection systems that detected unauthorized activity. However, the threat actors are aware of this risk and experiment with various packet sizes before escalating their attack [1].
UNC6040 uses modified versions of the Salesforce Data Loader, renaming them to fit the social engineering context, such as "My Ticket Portal." The group also employs Mullvad VPN IPs to obfuscate their activities and has been linked to the infamous ShinyHunters extortion group, which is known for demanding ransoms from victims [1].
Google reports that extortion demands can come months after the initial data theft, suggesting that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data. The group claims affiliation with ShinyHunters to increase pressure on their victims [1].
Google recommends several protective measures, including restricting "API Enabled" permissions, limiting app installation authorization, and blocking access from commercial VPNs like Mullvad. Companies are urged to remain vigilant against social engineering attacks and implement robust security measures to safeguard their Salesforce tools [1].
References:
[1] https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/

Editorial disclosure and AI transparency: Ainvest News uses advanced Large Language Model (LLM) technology to synthesize and analyze market data in real time. To guarantee the highest standards of integrity, every article undergoes a rigorous human-in-the-loop verification process.
While AI assists with data processing and initial drafting, a professional member of the Ainvest editorial staff independently reviews, verifies, and approves all content to ensure its accuracy and compliance with the editorial standards of Ainvest Fintech Inc. This human oversight is designed to mitigate AI hallucinations and guarantee financial context.