Google: Hackers target Salesforce accounts in data extortion attacks

Google has observed hackers claiming to be the ShinyHunters extortion group conducting social engineering attacks against multinational companies to steal data from organizations' Salesforce platforms.

According to Google's Threat Intelligence Group (GTIG), which tracks the threat cluster as UNC6040, the attacks target English-speaking employees with voice phishing attacks to trick them into connecting a modified version of Salesforce's Data Loader application.

The attackers impersonate IT support personnel, requesting that the target employee accept a connection to Salesforce Data Loader, a client application that allows users to import, export, update, or delete data within Salesforce environments.

"The application supports OAuth and allows for direct app integration via the 'connected apps' functionality in Salesforce," explain the researchers.

"Threat actors abuse this by persuading a victim over the phone to open the Salesforce connect setup page and enter a 'connection code', thereby linking the actor-controlled Data Loader to the victim's environment."

The target organizations already use the Salesforce cloud-based customer relationship management (CRM) platform, so the malicious request to install the tool appears legitimate within the attack's workflow.

In the UNC6040 attacks, the app is used to export data stored in Salesforce instances, and the access is then used to move laterally through connected platforms such as Okta, Microsoft 365, and Workplace.

Accessing these additional cloud platforms allows the threat actors to reach more sensitive information stored on those platforms, including sensitive communications, authorization tokens, documents, and more.

"UNC6040 is a financially motivated threat cluster that accesses victim networks by voice phishing social engineering," describes the GTIG report.

"Upon obtaining access, UNC6040 has been observed immediately exfiltrating data from the victim's Salesforce environment using Salesforce's Data Loader application."

"Following this initial data theft, UNC6040 was observed moving laterally through the victim's network, accessing and exfiltrating data from other platforms such as Okta, Workplace, and Microsoft 365."

In some cases, the data exfiltration process was stopped prematurely as protection systems that detected unauthorized activity intervened to revoke access. The threat actors appeared to be aware of this risk, experimenting with various packet sizes before escalating their attack.

UNC6040 also used modified versions of the Salesforce Data Loader, appropriately named to fit the social engineering context, for example renaming it to "My Ticket Portal" and tricking victims into installing the app on their systems during an alleged support phone call.

GTIG reports the threat actors use Mullvad VPN IPs when exfiltrating the Salesforce data to obfuscate the activity.

Google says that the attacks used phishing pages impersonating Okta, linking them to threat actors associated with "The Com" or Scattered Spider tactics.

For organizations using Salesforce, Google recommends restricting "API Enabled" permissions, limiting app installation authorization, and blocking access from commercial VPNs like Mullvad.

More information on protecting Salesforce from social engineering attacks is available here.

After publishing our story, Salesforce confirmed to BleepingComputer that accounts are not breached through a vulnerability attack, but rather via social engineering attacks.

"Salesforce has enterprise-grade security built into every part of our platform, and there's no indication the issue described stems from any vulnerability inherent to our services," Salesforce told BleepingComputer.

"Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users' cybersecurity awareness and best practices."

"Security is a shared responsibility, and we provide customers with tools, guidance, and security features like Multi-Factor Authentication and IP restrictions to help defend against evolving threats. For full details, please see our blog on how customers can protect their Salesforce environments from social engineering: https://www.salesforce.com/blog/protect-against-social-engineering"

In the attacks observed by Google, the threat actors will eventually attempt to extort the company into paying a ransom not to leak the data. Google says these extortion demands can come months later, claiming to be from the infamous ShinyHunters extortion group.

"In some instances, extortion activities haven't been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data," explains Google.

"During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims."

ShinyHunters is a well-known hacking group that has long been associated with data theft attacks that extort companies into paying a ransom.

Threat actors associated with the group have been behind numerous high-profile attacks, including the Snowflake data theft attacks and the PowerSchool data breach that impacted 62 million students.

Copyright 2003 - 2025 Bleeping Computer LLC. All Rights Reserved.
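One way a Salesforce admin could operationalize Google's recommendations (review connected-app authorizations, block commercial VPN egress) is a small triage pass over login records. This is an added example, not code from Google, Salesforce, or BleepingComputer; the record fields are assumed to mirror Salesforce's LoginHistory object, the "Remote Access 2.0" login type is assumed to mark OAuth connected-app logins, and the VPN CIDRs and sample logins are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder CIDRs standing in for a commercial VPN provider's
# egress ranges (not real Mullvad addresses; load the provider's published list).
VPN_EGRESS_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Connected apps expected to reach the org over OAuth; any other OAuth client
# (e.g. a Data Loader copy renamed "My Ticket Portal") is flagged for review.
APPROVED_OAUTH_APPS = {"Salesforce Data Loader"}

# Assumed: this LoginHistory.LoginType value marks OAuth connected-app logins.
OAUTH_LOGIN_TYPE = "Remote Access 2.0"


@dataclass
class LoginRecord:
    """Subset of fields assumed to mirror Salesforce's LoginHistory object."""
    user: str
    application: str
    source_ip: str
    login_type: str


def login_risk(rec: LoginRecord) -> list[str]:
    """Return the reasons a login deserves review (empty list when benign)."""
    reasons = []
    ip = ipaddress.ip_address(rec.source_ip)
    if any(ip in net for net in VPN_EGRESS_CIDRS):
        reasons.append("source IP in commercial VPN range")
    if rec.login_type == OAUTH_LOGIN_TYPE and rec.application not in APPROVED_OAUTH_APPS:
        reasons.append(f"unapproved connected app '{rec.application}'")
    return reasons


def triage(records: list[LoginRecord]) -> list[tuple[str, list[str]]]:
    """Keep only records with findings, as (user, reasons) pairs."""
    flagged = []
    for rec in records:
        reasons = login_risk(rec)
        if reasons:
            flagged.append((rec.user, reasons))
    return flagged


# Constructed sample login records using RFC 5737 documentation addresses.
SAMPLE_LOGINS = [
    LoginRecord("alice@example.com", "Browser", "192.0.2.10", "Application"),
    LoginRecord("carol@example.com", "Salesforce Data Loader", "192.0.2.20", OAUTH_LOGIN_TYPE),
    LoginRecord("bob@example.com", "My Ticket Portal", "203.0.113.45", OAUTH_LOGIN_TYPE),
]
```

Running `triage(SAMPLE_LOGINS)` flags only bob's login, for both the VPN source address and the unapproved connected app.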