The FBI has issued a FLASH alert warning that two risk clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal knowledge and extort victims.
“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) related to latest malicious cyber actions by cyber prison teams UNC6040 and UNC6395, answerable for a rising variety of knowledge theft and extortion intrusions,” reads the FBI’s FLASH advisory.
“Each teams have lately been noticed concentrating on organizations’ Salesforce platforms through completely different preliminary entry mechanisms. The FBI is releasing this data to maximise consciousness and supply IOCs which may be utilized by recipients for analysis and community protection.”
UNC6040 was first disclosed by Google Risk Intelligence (Mandiant) in June, who warned that since late 2024, risk actors had been utilizing social engineering and vishing assaults to trick staff into connecting malicious Salesforce Information Loader OAuth apps to their firm’s Salesforce accounts.
In some circumstances, the risk actors impersonated company IT assist personnel, who used renamed variations of the applying referred to as “My Ticket Portal.”
As soon as related, the risk actors used the OAuth software to mass-exfiltrate company Salesforce knowledge, which was then utilized in extortion makes an attempt by the ShinyHunters extortion group.
In these early knowledge theft assaults, ShinyHunters instructed BleepingComputer that they primarily focused the “Accounts” and “Contacts” database tables, that are each used to retailer knowledge about an organization’s clients.
These knowledge theft assaults had been widespread, impacting massive and well-known corporations, reminiscent of Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co.
Later knowledge theft assaults in August additionally focused Salesforce clients, however this time utilized stolen Salesloft Drift OAuth and refresh tokens to breach clients’ Salesforce situations.
This exercise is tracked as UNC6395 and is believed to have occurred between August eighth and 18th, with the risk actors utilizing the tokens to focus on the corporate’s assist case data that was saved in Salesforce.
The exfiltrated knowledge was then analyzed to extract secrets and techniques, credentials, and authentication tokens shared in assist circumstances, together with AWS keys, passwords, and Snowflake tokens. These credentials may then be used to pivot to different cloud environments for extra knowledge theft.
Salesloft labored with Salesforce to revoke all Drift tokens and required clients to reauthenticate to the platform.
It was later revealed that the risk actors additionally stole Drift E-mail tokens, which had been used to entry emails for a small variety of Google Workspace accounts.
An investigation by Mandiant decided the assault originated in March, when Salesloft’s GitHub repositories had been compromised, permitting attackers to finally steal the Drift OAuth tokens.
Just like the earlier assaults, these new Salesloft Drift knowledge theft assaults impacted quite a few corporations, together with Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many extra.
Whereas the FBI didn’t identify the teams behind these campaigns, BleepingComputer was instructed by the ShinyHunters extortion group that they and different risk actors calling themselves “Scattered Lapsus$ Hunters, had been behind each clusters of exercise.
This group of hackers claims to have originated from and overlap with the Lapsus$, Scattered Spider, and ShinyHunters extortion teams.
On Thursday, the risk actors introduced through a website related to BreachForums that they deliberate to “go darkish” and cease discussing operations on Telegram.
Nevertheless, in a parting publish, the hackers claimed to have gained entry to the FBI’s E-Examine background examine system and Google’s Regulation Enforcement Request system, publishing screenshots as proof.
If official, this entry would enable them to impersonate legislation enforcement and pull delicate information of people.
When contacted by BleepingComputer, the FBI declined to remark, and Google didn’t reply to our e mail.
46% of environments had passwords cracked, practically doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration developments.
