Google Warns of Salesforce Data Theft via Social Engineering Attacks
By Ainvest
Wednesday, Jun 4, 2025 10:29 am ET
A hacking group has been impersonating IT staff to breach companies' Salesforce tools, stealing data and extorting victims. The group has links to the Com, a loosely affiliated group of hackers. At least 20 companies in the US and Europe have been targeted, with some receiving extortion demands months after the data was stolen. Google urges companies to remain vigilant against social engineering attacks.
A sophisticated hacking group, identified as UNC6040, has been conducting social engineering attacks against multinational companies, primarily targeting their Salesforce platforms. According to Google's Threat Intelligence Group (GTIG), the attacks involve voice phishing to trick employees into connecting a modified version of Salesforce's Data Loader application [1].
The UNC6040 group impersonates IT support personnel, requesting employees to accept a connection to the Salesforce Data Loader application. This tool allows users to import, export, update, or delete data within Salesforce environments. By tricking employees into entering a "connection code," the attackers gain access to the victim's Salesforce environment and subsequently move laterally to other connected platforms such as Okta, Microsoft 365, and Workplace [1].
The group's primary objective is to exfiltrate sensitive data, including communications, authorization tokens, and documents. Following the initial data theft, UNC6040 has been observed moving laterally through the victim's network, accessing and exfiltrating data from other platforms [1]. In some cases, exfiltration was cut short when protection systems detected the unauthorized activity. The threat actors are aware of this risk, however, and experiment with various packet sizes before escalating their attack [1].
UNC6040 uses modified versions of the Salesforce Data Loader, renaming them to fit the social engineering context, such as "My Ticket Portal." The group also employs Mullvad VPN IPs to obfuscate their activities and has been linked to the infamous ShinyHunters extortion group, which is known for demanding ransoms from victims [1].
Google reports that extortion demands can come months after the initial data theft, suggesting that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data. The group claims affiliation with ShinyHunters to increase pressure on their victims [1].
Google recommends several protective measures, including restricting "API Enabled" permissions, limiting app installation authorization, and blocking access from commercial VPNs like Mullvad. Companies are urged to remain vigilant against social engineering attacks and implement robust security measures to safeguard their Salesforce tools [1].
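The pattern described above (an employee authorizing a renamed Data Loader, a probe-sized export from a commercial-VPN address, then a much larger pull) is the kind of sequence a Salesforce admin can hunt for in API and connected-app audit events. The following detection sketch is an added example written for this page, not code from Google, Salesforce or the article's source. It uses a simplified, constructed log schema (`timestamp,user,event,app,source_ip,rows_returned`) rather than the real Salesforce EventLogFile column names, the approved-app allowlist is hypothetical, and the VPN range is a TEST-NET placeholder standing in for a maintained commercial-VPN list.

```python
"""Detection sketch for the UNC6040-style Salesforce abuse pattern.

Added example. The sample log rows below are CONSTRUCTED and use a simplified
schema (timestamp,user,event,app,source_ip,rows_returned); they are not the
real Salesforce EventLogFile fields. APPROVED_APPS and COMMERCIAL_VPN_RANGES
are placeholders an org would replace with its own allowlist and intel feed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Connected apps the hypothetical org has approved; any other app a user
# authorizes is suspicious given the "limit app installation" recommendation.
APPROVED_APPS = {"Data Loader", "Salesforce for Outlook"}

# Placeholder CIDR (TEST-NET-3) standing in for commercial-VPN egress ranges.
# Not a real Mullvad range; a real deployment loads a maintained list.
COMMERCIAL_VPN_RANGES = [ip_network("203.0.113.0/24")]

BULK_THRESHOLD = 10_000            # rows per query treated as a bulk export
NEW_APP_WINDOW = timedelta(hours=24)  # bulk export soon after authorization
ESCALATION_FACTOR = 10             # small probe followed by a >=10x larger pull

# Constructed sample: alice is a normal Data Loader user; bob authorized a
# renamed Data Loader from a VPN address and was used for staged exfiltration.
SAMPLE_LOG = """\
2025-06-02T09:14:00Z,alice@example.com,API_LOGIN,Data Loader,198.51.100.7,0
2025-06-02T09:20:00Z,alice@example.com,BULK_QUERY,Data Loader,198.51.100.7,2500
2025-06-03T14:02:00Z,bob@example.com,APP_AUTHORIZED,My Ticket Portal,203.0.113.45,0
2025-06-03T14:05:00Z,bob@example.com,BULK_QUERY,My Ticket Portal,203.0.113.45,800
2025-06-03T14:40:00Z,bob@example.com,BULK_QUERY,My Ticket Portal,203.0.113.45,250000
"""


def parse_event(line):
    """Parse one CSV row of the constructed schema into a dict."""
    ts, user, event, app, ip, rows = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "event": event,
        "app": app,
        "ip": ip_address(ip),
        "rows": int(rows),
    }


def is_commercial_vpn(ip):
    return any(ip in net for net in COMMERCIAL_VPN_RANGES)


def analyze(log_text):
    """Return a list of (finding_kind, user, detail) tuples for the log."""
    events = sorted(
        (parse_event(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    findings = []
    authorized_at = {}    # (user, app) -> time the app was authorized
    last_query_rows = {}  # (user, app) -> rows returned by previous BULK_QUERY
    seen_vpn = set()      # (user, ip) pairs already reported

    for e in events:
        key = (e["user"], e["app"])

        # 1. Authorization of an app outside the allowlist.
        if e["event"] == "APP_AUTHORIZED":
            authorized_at[key] = e["ts"]
            if e["app"] not in APPROVED_APPS:
                findings.append(("UNAPPROVED_APP", e["user"], e["app"]))

        # 2. Any Salesforce activity sourced from a commercial-VPN range.
        if is_commercial_vpn(e["ip"]) and (e["user"], e["ip"]) not in seen_vpn:
            seen_vpn.add((e["user"], e["ip"]))
            findings.append(("VPN_SOURCE", e["user"], str(e["ip"])))

        if e["event"] == "BULK_QUERY":
            # 3. Bulk export shortly after the same user authorized the app.
            when = authorized_at.get(key)
            if (e["rows"] >= BULK_THRESHOLD and when is not None
                    and e["ts"] - when <= NEW_APP_WINDOW):
                findings.append(("BULK_AFTER_NEW_APP", e["user"],
                                 f"{e['app']} returned {e['rows']} rows"))
            # 4. Small probe query followed by a much larger pull (staging).
            prev = last_query_rows.get(key)
            if prev and e["rows"] >= ESCALATION_FACTOR * prev:
                findings.append(("STAGED_ESCALATION", e["user"],
                                 f"{prev} -> {e['rows']} rows"))
            last_query_rows[key] = e["rows"]

    return findings


if __name__ == "__main__":
    for kind, user, detail in analyze(SAMPLE_LOG):
        print(f"{kind:20} {user:20} {detail}")
```

Each of the four rules maps to one recommendation or observation in the article: the allowlist check to limiting app installation, the VPN check to blocking commercial VPN ranges, and the timing and escalation checks to the reported behaviour of exporting small amounts first. In production these signals would be correlated with the org's real connected-app and API event data and tuned to its normal Data Loader usage so legitimate bulk jobs do not page anyone.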
References:
[1] https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/
Editorial Disclosure & AI Transparency: Ainvest News utilizes advanced Large Language Model (LLM) technology to synthesize and analyze real-time market data. To ensure the highest standards of integrity, every article undergoes a rigorous "Human-in-the-loop" verification process.
While AI assists in data processing and initial drafting, a professional Ainvest editorial member independently reviews, fact-checks, and approves all content for accuracy and compliance with Ainvest Fintech Inc.’s editorial standards. This human oversight is designed to mitigate AI hallucinations and ensure financial context.