Google’s Salesforce accounts have been compromised in a continuing cyber attack, resulting in the theft of user information by hackers.
Google confirmed that one of its corporate Salesforce instances was compromised in June by the threat group tracked as UNC6040. This incident forms part of a broader Salesforce attack campaign involving voice phishing attacks aimed at stealing sensitive data from organisations’ Salesforce environments, followed by extortion demands. The breach underscores the increasing risks associated with social engineering tactics targeting cloud platforms, where attackers impersonate IT support to gain unauthorised access.

According to Google’s Threat Intelligence Group (GTIG), the intrusion occurred through methods similar to those observed in other UNC6040 operations. In this case, the impacted instance stored contact information and notes for small and medium businesses. GTIG’s analysis revealed that the threat actors retrieved data during a brief window before access was revoked. Fortunately, the exfiltrated information was limited to basic, largely publicly available details such as business names and contact details. Google responded swiftly by cutting off access, conducting an impact analysis, and implementing mitigations.
The incident highlights the evolving tactics of UNC6040. Initially reliant on Salesforce’s Data Loader, the group has transitioned to custom Python scripts that replicate its functions. UNC6040 operators initiate attacks with voice calls placed over Mullvad VPN or the Tor network, then automate the data collection that follows. GTIG notes that attackers have shifted from creating trial accounts with webmail to using compromised accounts from unrelated organisations to register malicious applications. This adaptation complicates tracking and attribution, making it more challenging for security teams to detect and respond effectively.

Extortion plays a crucial role in UNC6040’s strategy. Victims receive demands for Bitcoin payments within 72 hours, sometimes months after the data theft itself, often via emails from addresses like shinycorp@tuta[.]com or shinygroup@tuta[.]com. The actors falsely claim affiliation with the notorious ShinyHunters group to increase pressure. GTIG warns that these threat actors may soon launch a data leak site to escalate their tactics, potentially exposing stolen data from recent breaches, including those linked to Salesforce hacks.

The campaign’s infrastructure overlaps with elements associated with “The Com,” a loosely organised collective known for similar social engineering schemes. UNC6040 specifically targets English-speaking employees in multinational firms, exploiting their trust in IT support calls to harvest credentials and access platforms like Okta and Microsoft 365. In some intrusions, attackers have customised tools with names like “My Ticket Portal” to align with their phishing pretexts, demonstrating a high level of sophistication.

GTIG emphasises that these attacks exploit human vulnerabilities rather than flaws within Salesforce itself. No inherent weaknesses in the platform were involved; instead, the success of these attacks stems from convincing users to grant access.
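As an added illustration (not from Google's report or any Salesforce tooling), the following Python function flags the pattern GTIG describes: a connected app that is authorised and then used for large bulk exports shortly afterwards, the Data Loader-style retrieval the group automates. The event field names, event types and sample records are constructed for this example and are not a real Salesforce log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each record is a simplified view of
# a Salesforce audit/event entry: timestamp, event type, acting user, the
# connected app involved and, for exports, the number of rows retrieved.
SAMPLE_EVENTS = [
    {"ts": "2024-11-03T08:00:00", "type": "ConnectedAppAuthorized",
     "user": "bob@example.invalid", "app": "Data Loader", "rows": 0},
    {"ts": "2025-06-10T09:02:00", "type": "ConnectedAppAuthorized",
     "user": "alice@example.invalid", "app": "My Ticket Portal", "rows": 0},
    {"ts": "2025-06-10T09:11:00", "type": "BulkApiExport",
     "user": "alice@example.invalid", "app": "My Ticket Portal", "rows": 48000},
    {"ts": "2025-06-10T09:14:00", "type": "BulkApiExport",
     "user": "alice@example.invalid", "app": "My Ticket Portal", "rows": 52000},
    {"ts": "2025-06-10T10:00:00", "type": "BulkApiExport",
     "user": "bob@example.invalid", "app": "Data Loader", "rows": 1500},
]


def find_rapid_bulk_exports(events, window_hours=24, row_threshold=10000):
    """Return one alert per connected app whose first authorisation is followed,
    within window_hours, by bulk exports totalling at least row_threshold rows.

    A long-established app (Bob's Data Loader, authorised months earlier) doing
    a small export is left alone; a freshly authorised app pulling tens of
    thousands of rows within minutes is the behaviour worth paging on.
    """
    events = sorted(events, key=lambda e: e["ts"])  # logs may arrive unordered
    first_auth = {}                 # app -> datetime of first authorisation
    exported = defaultdict(int)     # app -> rows exported inside the window
    alerted = set()
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        app = e["app"]
        if e["type"] == "ConnectedAppAuthorized":
            first_auth.setdefault(app, ts)
        elif e["type"] == "BulkApiExport":
            auth_ts = first_auth.get(app)
            # No authorisation seen, or outside the window: not this rule's job.
            if auth_ts is None or ts - auth_ts > timedelta(hours=window_hours):
                continue
            exported[app] += e["rows"]
            if exported[app] >= row_threshold and app not in alerted:
                alerted.add(app)
                alerts.append({"app": app, "user": e["user"], "rows": exported[app],
                               "minutes_after_auth": int((ts - auth_ts).total_seconds() // 60)})
    return alerts
```

Pairing this with a review of which account registered the app (the page notes the shift to accounts compromised at unrelated organisations) turns the alert into a usable triage lead.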