Monday, September 15, 2025

FBI warns of UNC6040, UNC6395 hackers stealing Salesforce knowledge

The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims.

“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) related to ongoing malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions,” reads the FBI’s FLASH advisory.

“Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that may be used by recipients for research and network defense.”

UNC6040 was first disclosed by Google Threat Intelligence (Mandiant) in June, which warned that since late 2024, threat actors had been using social engineering and vishing attacks to trick employees into connecting malicious Salesforce Data Loader OAuth apps to their company’s Salesforce accounts.

In some cases, the threat actors impersonated corporate IT support personnel and used renamed versions of the application, called “My Ticket Portal.”

Once connected, the threat actors used the OAuth application to mass-exfiltrate corporate Salesforce data, which was then used in extortion attempts by the ShinyHunters extortion group.

In these early data theft attacks, ShinyHunters told BleepingComputer that they primarily targeted the “Accounts” and “Contacts” database tables, which are both used to store data about a company’s customers.

These data theft attacks were widespread, impacting large and well-known companies, such as Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co.

Later data theft attacks in August also targeted Salesforce customers, but this time used stolen Salesloft Drift OAuth and refresh tokens to breach customers’ Salesforce instances.

This activity is tracked as UNC6395 and is believed to have occurred between August 8th and 18th, with the threat actors using the tokens to target the company’s support case data that was stored in Salesforce.

The exfiltrated data was then analyzed to extract secrets, credentials, and authentication tokens shared in support cases, including AWS keys, passwords, and Snowflake tokens. These credentials could then be used to pivot to other cloud environments for further data theft.
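As an added, defender-side example that is not part of the FBI alert or of this article: a small Python scanner that flags and redacts credential-like strings in support case text before the case is stored in a CRM such as Salesforce, so the owner can rotate the credential and the stored record no longer carries it. The patterns and the sample case body are constructed for this example; only the AWS access key ID shape (AKIA followed by 16 upper-case alphanumerics) follows AWS’s documented format, and the “Snowflake token” pattern is a generic key/value heuristic, not the vendor’s real token format.

```python
import re
from typing import Dict, List

# Detection heuristics, constructed for this example. Only the AWS access
# key ID shape is a documented vendor format; the others are generic
# key=value heuristics (assumption: tuned to case text like the sample below).
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})\b"
    ),
    "password": re.compile(r"(?i)\bpassword\s*[=:]\s*(\S+)"),
    "snowflake_token": re.compile(
        r"(?i)snowflake[_ -]?token\s*[=:]\s*([A-Za-z0-9._\-]{20,})"
    ),
}


def mask(value: str) -> str:
    """Keep a short prefix so the owner can tell which credential to rotate."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_case_text(text: str) -> List[dict]:
    """Return one finding per secret-looking value, with its line number.

    Findings carry only a masked value, so the scanner's own output does not
    become another place where the secret is stored.
    """
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"kind": kind, "line": lineno, "masked": mask(match.group(1))}
                )
    return findings


def redact_case_text(text: str) -> str:
    """Replace each matched secret value with a placeholder, keeping the
    surrounding text (field names, error messages) intact for the analyst."""
    redacted = text
    for kind, pattern in SECRET_PATTERNS.items():
        redacted = pattern.sub(
            lambda m, k=kind: m.group(0).replace(m.group(1), f"[REDACTED:{k}]"),
            redacted,
        )
    return redacted


# Constructed sample support-case body; not taken from any real ticket.
SAMPLE_CASE = """Hi team, the nightly export to S3 fails with AccessDenied.
Here is the service user config so you can reproduce:
aws_access_key_id = AKIAEXAMPLE0123456AB
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
password: Summer2025!
snowflake_token=eyJhbGciOiJIUzI1NiJ9.constructedtokenvalue
Order ID 48213 still shows as pending.
"""

if __name__ == "__main__":
    for finding in scan_case_text(SAMPLE_CASE):
        print(f"line {finding['line']}: {finding['kind']} -> {finding['masked']}")
    print(redact_case_text(SAMPLE_CASE))
```

Run as a pre-save hook on the support portal, the scanner gives two outputs: a finding list that triggers rotation of the credential, and the redacted body that is what actually gets written to the CRM. A token stolen from the CRM later, as in the UNC6395 activity, then yields no reusable credentials from these cases.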

Salesloft worked with Salesforce to revoke all Drift tokens and required customers to reauthenticate to the platform.

It was later revealed that the threat actors also stole Drift Email tokens, which were used to access emails for a small number of Google Workspace accounts.

An investigation by Mandiant determined the attack originated in March, when Salesloft’s GitHub repositories were compromised, allowing attackers to eventually steal the Drift OAuth tokens.

Like the earlier attacks, these new Salesloft Drift data theft attacks impacted numerous companies, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more.

While the FBI did not name the groups behind these campaigns, BleepingComputer was told by the ShinyHunters extortion group that they and other threat actors, calling themselves “Scattered Lapsus$ Hunters,” were behind both clusters of activity.

This group of hackers claims to have originated from and overlap with the Lapsus$, Scattered Spider, and ShinyHunters extortion groups.

On Thursday, the threat actors announced via a domain associated with BreachForums that they planned to “go dark” and stop discussing operations on Telegram.

However, in a parting post, the hackers claimed to have gained access to the FBI’s E-Check background check system and Google’s Law Enforcement Request System, publishing screenshots as proof.

If legitimate, this access would allow them to impersonate law enforcement and pull sensitive records of individuals.

When contacted by BleepingComputer, the FBI declined to comment, and Google did not respond to our email.
