Google Warns of Salesforce Data Theft via Social Engineering Attacks
Ainvest, Wednesday, Jun 4, 2025 10:29 am ET

A hacking group has been impersonating IT staff to breach companies' Salesforce tools, stealing data and extorting victims. The group has links to the Com, a loosely affiliated group of hackers. At least 20 companies in the US and Europe have been targeted, with some receiving extortion demands months after the data was stolen. Google urges companies to remain vigilant against social engineering attacks.
A sophisticated hacking group, tracked as UNC6040, has been conducting social engineering attacks against multinational companies, primarily targeting their Salesforce platforms. According to Google's Threat Intelligence Group (GTIG), the attacks use voice phishing to trick employees into connecting a modified version of Salesforce's Data Loader application [1]. UNC6040 operators impersonate IT support personnel and ask employees to approve a connection to the Salesforce Data Loader application, a tool that lets users import, export, update, or delete data within Salesforce environments. By tricking employees into entering a "connection code," the attackers gain access to the victim's Salesforce environment and subsequently move laterally to other connected platforms such as Okta, Microsoft 365, and Workplace [1].
The group's primary objective is to exfiltrate sensitive data, including communications, authorization tokens, and documents. Following the initial data theft, UNC6040 has been observed moving laterally through the victim's network and exfiltrating data from other platforms [1]. In some cases the exfiltration was cut short when protection systems detected the unauthorized activity; the threat actors are aware of this risk and experiment with various packet sizes before escalating their attack [1].
UNC6040 uses modified versions of the Salesforce Data Loader, renaming them to fit the social engineering context, such as "My Ticket Portal." The group also employs Mullvad VPN IPs to obfuscate their activities and has been linked to the infamous ShinyHunters extortion group, which is known for demanding ransoms from victims [1].
Google reports that extortion demands can come months after the initial data theft, suggesting that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data. The group claims affiliation with ShinyHunters to increase pressure on their victims [1].
Google recommends several protective measures, including restricting "API Enabled" permissions, limiting app installation authorization, and blocking access from commercial VPNs like Mullvad. Companies are urged to remain vigilant against social engineering attacks and implement robust security measures to safeguard their Salesforce tools [1].
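The three recommendations above can be turned into routine checks. The following script is an added example, not code from the article, Google, or Salesforce: it runs over constructed, simplified audit records (the field names, the VPN address ranges and the allow-lists are assumptions, not real Salesforce event-log fields or Mullvad exit addresses) and flags connected-app authorizations under unapproved names such as the renamed "My Ticket Portal", activity from listed VPN ranges, large bulk exports, and users who hold "API Enabled" without a role that justifies it.

```python
"""Added example (not from the article, Google or Salesforce): triage checks that
mirror the three mitigations in the text. Record layout, CIDRs and allow-lists
are assumptions for illustration only."""
import ipaddress
from collections import defaultdict

# Assumed: CIDRs the organisation maintains for commercial VPN exits.
# Placeholder documentation ranges, not real Mullvad addresses.
VPN_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"]

# Assumed: connected-app client names the organisation has actually approved.
APPROVED_CLIENTS = {"Data Loader", "Salesforce CLI"}

# Assumed: roles for which the "API Enabled" permission is justified.
API_ALLOWED_ROLES = {"integration", "admin"}

# Constructed events, loosely modelled on a login/API audit export.
SAMPLE_EVENTS = [
    {"event": "ConnectedAppAuthorize", "user": "alice", "source_ip": "192.0.2.10",
     "client": "Data Loader", "rows": 0},
    {"event": "ConnectedAppAuthorize", "user": "bob", "source_ip": "198.51.100.77",
     "client": "My Ticket Portal", "rows": 0},
    {"event": "BulkApiExport", "user": "bob", "source_ip": "198.51.100.77",
     "client": "My Ticket Portal", "rows": 250000},
    {"event": "BulkApiExport", "user": "carol", "source_ip": "192.0.2.22",
     "client": "Salesforce CLI", "rows": 800},
]

# Constructed user/permission snapshot.
SAMPLE_USERS = [
    {"user": "alice", "role": "sales", "api_enabled": True},
    {"user": "bob", "role": "support", "api_enabled": True},
    {"user": "svc-etl", "role": "integration", "api_enabled": True},
    {"user": "carol", "role": "admin", "api_enabled": True},
]


def is_vpn_ip(ip, cidrs=VPN_CIDRS):
    """True when the source address falls inside a listed VPN exit range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def flag_events(events, export_threshold=100000):
    """Return (user, reason) findings for suspicious app authorizations and exports.

    Export volume is summed per user across all events so that an attacker who
    splits a large pull into several smaller batches is still caught."""
    findings = []
    exported_rows = defaultdict(int)
    for e in events:
        from_vpn = is_vpn_ip(e["source_ip"])
        if e["event"] == "ConnectedAppAuthorize":
            if e["client"] not in APPROVED_CLIENTS:
                findings.append((e["user"], f"unapproved connected app '{e['client']}'"))
            if from_vpn:
                findings.append((e["user"], f"app authorized from VPN exit {e['source_ip']}"))
        elif e["event"] == "BulkApiExport":
            exported_rows[e["user"]] += e["rows"]
            if from_vpn:
                findings.append((e["user"], f"bulk export from VPN exit {e['source_ip']}"))
    for user, rows in exported_rows.items():
        if rows > export_threshold:
            findings.append((user, f"bulk export volume {rows} rows exceeds {export_threshold}"))
    return findings


def users_with_unjustified_api(users, allowed_roles=API_ALLOWED_ROLES):
    """Users holding 'API Enabled' whose role is not on the justified list."""
    return sorted(u["user"] for u in users
                  if u["api_enabled"] and u["role"] not in allowed_roles)


if __name__ == "__main__":
    for user, reason in flag_events(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
    print("review API Enabled for:", users_with_unjustified_api(SAMPLE_USERS))
```

Summing export rows per user rather than judging each event in isolation matters because, as the text notes, the actors experiment with transfer sizes before escalating; a per-event threshold alone would miss a pull split into many small batches. On the sample data every finding points at "bob", who authorized a renamed client from a VPN exit and then exported 250,000 rows, while "alice" and "bob" both surface for an "API Enabled" permission their roles do not require.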
References:
[1] https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/

Disclaimer: The news articles available on this platform are generated in whole or in part by artificial intelligence and may not have been reviewed or fact checked by human editors. While we make reasonable efforts to ensure the quality and accuracy of the content, we make no representations or warranties, express or implied, as to the truthfulness, reliability, completeness, or timeliness of any information provided. It is your sole responsibility to independently verify any facts, statements, or claims prior to acting upon them. Ainvest Fintech Inc expressly disclaims all liability for any loss, damage, or harm arising from the use of or reliance on AI-generated content, including but not limited to direct, indirect, incidental, or consequential damages.