- Two threat groups, UNC6040 and UNC6395, are actively targeting Salesforce accounts to steal sensitive data
- UNC6395 abuses integrations such as the Salesloft Drift chatbot, while UNC6040 uses telephone-based social engineering, impersonating IT staff to gain access
- The FBI warns that follow-up extortion attacks are often carried out by ShinyHunters, a group linked to Scattered Spider
Two separate threat actors are currently targeting organizations' Salesforce accounts to steal the sensitive data held within them. This is according to the US Federal Bureau of Investigation (FBI), which recently issued a FLASH alert to warn companies about the ongoing threat.
"The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) associated with recent malicious cyber activities of the cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions," the agency said.
“Both groups have recently been observed targeting organizations’ Salesforce platforms via various initial access mechanisms. The FBI releases this information to maximize attention and provide IOCs that can be used by recipients for research and network defense.”
Scattered Spider and ShinyHunters
Recently there have been several reports of cyber criminals compromising companies' Salesforce accounts through the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce.
The FBI tracks this group as UNC6395, and it has apparently hit some of the largest tech and security organizations, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks and others.
The other group, UNC6040, gained access by tricking its victims into handing it over. The attackers would call them on the phone and pose as IT support employees dealing with a company-wide connectivity problem.
"Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee information, giving them access to targeted corporate Salesforce environments to exfiltrate customer data," the FBI explained.
A threat actor known to have perfected this technique is Scattered Spider. While the FBI did not name this group in its advisory, it said follow-up extortion attacks were usually mounted by ShinyHunters, a group known to have worked with Scattered Spider. At one point, the groups even merged into an outfit they called Scattered LAPSUS$ Hunters.
Via Bleeping computer