UNC6040 Exploits Salesforce Integrations to Steal Data and Extort Global Enterprises


Google’s Threat Intelligence Group (GTIG) has identified and tracked UNC6040, a financially motivated threat actor running voice phishing (vishing) campaigns against organizations’ Salesforce environments. Posing as IT support staff over the phone, the operators talk employees into approving a malicious connected app, a modified version of Salesforce’s Data Loader, which is then used to export data in bulk. The data theft is followed, often weeks or months later, by extortion demands in which the actor sometimes claims affiliation with the ShinyHunters collective.

Severity Level: High

Threat Overview

This UNC6040 campaign is a social engineering-driven attack chain that abuses user trust and over-permissioned SaaS integrations, Salesforce in particular. No software vulnerability is exploited; every step relies on a legitimate feature being used by the wrong party. Breakdown of the attack sequence:

  • Target Reconnaissance: UNC6040 selects target organizations, usually English-speaking branches of multinational firms, and identifies specific employees within them, often IT support staff or others with elevated Salesforce access.
  • Vishing (Initial Access): Operators phone the chosen employees while impersonating internal IT support. Leveraging that trust, they walk the victim through Salesforce’s connected app setup page and have them approve an app the attacker controls.
  • Malicious App Authorization: The app the victim approves is a modified version of the Salesforce Data Loader, registered under innocuous names such as “My Ticket Portal”. Because the approval happens inside the victim’s own authenticated session, MFA does not block it; once approved, the app holds API-level access to the organization’s Salesforce data under the victim’s identity and permissions.
  • Credential Harvesting & MFA Bypass: During the call, operators also request the user’s credentials and MFA codes under the pretext of resolving the IT issue, in some cases capturing them through Okta-themed phishing panels. These are used to authenticate the malicious app or to sign in to other internal systems.
  • Data Exfiltration (Salesforce): Using the rogue Data Loader, UNC6040 exports customer and business data from Salesforce. Exports may begin with small test batches to avoid triggering volume alerts, followed by bulk extraction once the operator has confirmed the access works.
  • Lateral Movement (Cloud Platforms): With the harvested credentials, UNC6040 pivots into other services such as Okta and Microsoft 365, broadening its reach to additional sensitive data across the victim’s cloud environment.
  • Extortion: Demands typically surface weeks or months after the initial breach. The attackers claim affiliation with ShinyHunters to apply psychological pressure and demand payment in exchange for not leaking or selling the stolen data.
  • Infrastructure & Overlaps: UNC6040 infrastructure includes Okta-themed phishing panels and commercial VPN services such as Mullvad, and its TTPs overlap with those of actors associated with “The Com”.
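The exfiltration and infrastructure stages above leave traces in Salesforce’s event logs, and the three checks below show how a defender would surface them. This is an added example, not code from the advisory, from Google or from Salesforce. The input records are constructed and reduced to five fields (`day`, `user`, `app`, `ip`, `rows`); those names are an assumption standing in for the columns of exported Salesforce EventLogFile rows of the Login and Bulk API event types, and the trusted networks, approved app list and thresholds are assumed org policy.

```python
"""Detection checks for UNC6040-style Data Loader abuse in Salesforce event logs.

Added example, not code from the original advisory or from Google/Salesforce.
Records approximate exported Salesforce EventLogFile rows (Login and Bulk API
event types) reduced to five fields; the field names are an assumption.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import date

# Constructed sample data: a legitimate data operator (bob), a vished user whose
# session authorized a rogue connected app (alice), and a one-off oversized
# export through an approved app (carol). Users, IPs, app names, dates and row
# counts are made up for the example.
SAMPLE_EVENTS = [
    {"day": "2025-05-01", "user": "bob@corp.example",   "app": "Salesforce Data Loader", "ip": "203.0.113.10",  "rows": 48_000},
    {"day": "2025-05-02", "user": "bob@corp.example",   "app": "Salesforce Data Loader", "ip": "203.0.113.10",  "rows": 51_000},
    {"day": "2025-05-03", "user": "bob@corp.example",   "app": "Salesforce Data Loader", "ip": "203.0.113.11",  "rows": 50_000},
    {"day": "2025-05-01", "user": "alice@corp.example", "app": "My Ticket Portal",        "ip": "198.51.100.77", "rows": 200},
    {"day": "2025-05-02", "user": "alice@corp.example", "app": "My Ticket Portal",        "ip": "198.51.100.77", "rows": 500},
    {"day": "2025-05-03", "user": "alice@corp.example", "app": "My Ticket Portal",        "ip": "198.51.100.78", "rows": 600_000},
    {"day": "2025-05-01", "user": "carol@corp.example", "app": "Salesforce Data Loader", "ip": "203.0.113.20",  "rows": 2_500_000},
]

# Assumed org policy: enterprise egress / corporate VPN ranges, and the
# connected apps that went through the approval process.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_APPS = {"Salesforce Data Loader"}


def unapproved_apps(events, approved=APPROVED_APPS):
    """(user, app) pairs with API activity through a connected app not on the allowlist."""
    return sorted({(e["user"], e["app"]) for e in events if e["app"] not in approved})


def untrusted_sources(events, networks=TRUSTED_NETWORKS):
    """(user, ip) pairs whose source address is outside every trusted range.

    Commercial VPN exits (Mullvad in this campaign) fall outside enterprise ranges.
    """
    def trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)
    return sorted({(e["user"], e["ip"]) for e in events if not trusted(e["ip"])})


def export_spikes(events, factor=5.0, floor=1_000, hard_cap=1_000_000):
    """Days on which a user's exported rows jump far above their own history.

    Catches the 'start small, then go bulk' pattern: a user's first observed
    day seeds the baseline, and any later day above factor * max(peak, floor)
    is flagged. Because the first day is never compared against history, a
    hard cap also flags any single day above an absolute row count.
    Returns (user, day, rows, reason) tuples.
    """
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_user_day[e["user"]][date.fromisoformat(e["day"])] += e["rows"]

    findings = []
    for user, by_day in per_user_day.items():
        peak = 0  # highest daily total seen so far for this user
        for day in sorted(by_day):
            rows = by_day[day]
            if rows > hard_cap:
                findings.append((user, day.isoformat(), rows, "above hard cap"))
            elif peak and rows > factor * max(peak, floor):
                findings.append((user, day.isoformat(), rows, f"{rows / peak:.0f}x prior peak"))
            peak = max(peak, rows)
    return findings


def triage(events):
    """Combine the three checks into one finding list of (check, user, detail)."""
    findings = [("unapproved_app", user, app) for user, app in unapproved_apps(events)]
    findings += [("untrusted_ip", user, ip) for user, ip in untrusted_sources(events)]
    findings += [("export_volume", user, f"{day}: {rows:,} rows ({why})")
                 for user, day, rows, why in export_spikes(events)]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

On the sample data the legitimate operator produces no findings, the vished user is caught three ways (unknown app, VPN-range source, a 1200x jump on day three), and the oversized one-day export is caught only by the hard cap. The relative-spike rule alone would miss an actor who skips the test batches and exports everything on the first day, which is why the absolute threshold is kept alongside it.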

Recommendations:

  1. Grant users only the permissions their role requires. Data Loader, like any API client, needs the “API Enabled” user permission, and that permission allows broad data export, so keep its assignment to the small set of people who genuinely perform mass data operations. Per Salesforce’s guidance, review who can run Data Loader and audit profiles and permission sets regularly, remembering that Salesforce permissions are additive: a user holds “API Enabled” if the profile or any assigned permission set grants it.
  2. Implement IP address restrictions to blunt access attempts from commercial VPN exits such as the Mullvad infrastructure noted above. Set login IP ranges on profiles and maintain the org-level trusted IP ranges so that access is confined to your enterprise and corporate VPN networks, and leave connected apps on “Enforce IP restrictions” rather than relaxing them.
  3. Control how external applications, Data Loader included, interact with your Salesforce environment. Manage access to each connected app explicitly: restrict it to admin-approved users and specify which profiles or permission sets may use it and from which networks.
  4. Restrict powerful permissions such as “Customize Application” and “Manage Connected Apps”, which allow a user to create, install or alter connected applications, to essential and trusted administrative personnel only.
  5. Establish a process to review and approve connected apps, and allowlist the known-good ones (where available, Salesforce’s API Access Control feature blocks connected apps that have not been explicitly approved) so that unauthorized apps, such as modified Data Loader instances, cannot be introduced by an end user.
  6. Ensure MFA is robustly implemented across the organization, and educate users about MFA fatigue and social engineering tactics designed to circumvent it. MFA alone does not stop this campaign: the victim is already authenticated when they approve the malicious app, so user awareness and the connected app controls above carry the weight.
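Recommendations 1 and 4 both come down to the same question: which users effectively hold “API Enabled”, “Customize Application” or “Modify All Data”, and through which profile or permission set. The script below answers it over constructed data. It is an added example, not code from the advisory or from Salesforce. The record layout mirrors the standard PermissionSet and PermissionSetAssignment objects (profiles are exposed as permission sets with IsOwnedByProfile = true, and the three Permissions* field names are the standard API names), but the sets, users, assignments and the approved-holder policy are made up; “Manage Connected Apps” is omitted because its API field name is not confirmed here.

```python
"""Effective-permission audit for the Salesforce permissions UNC6040 abuses.

Added example, not from the original advisory or from Salesforce. The lists
below mirror the shape of PermissionSet and PermissionSetAssignment records
(profiles appear as permission sets with IsOwnedByProfile = True), but the
data is constructed. In a live org you would fill them from SOQL such as:
  SELECT Id, Label, IsOwnedByProfile, PermissionsApiEnabled,
         PermissionsCustomizeApplication, PermissionsModifyAllData FROM PermissionSet
  SELECT AssigneeId, PermissionSetId FROM PermissionSetAssignment
"""
from collections import defaultdict

# Permissions tracked and why each matters for this attack chain.
WATCHED = {
    "PermissionsApiEnabled": "API Enabled: lets Data Loader or any connected app pull data via the API",
    "PermissionsCustomizeApplication": "Customize Application: can create or alter connected apps",
    "PermissionsModifyAllData": "Modify All Data: bypasses sharing, maximizes exfiltration blast radius",
}

# Constructed permission sets; the two IsOwnedByProfile rows stand in for profiles.
PERMISSION_SETS = [
    {"Id": "0PS-profile-std", "Label": "Standard User", "IsOwnedByProfile": True,
     "PermissionsApiEnabled": False, "PermissionsCustomizeApplication": False, "PermissionsModifyAllData": False},
    {"Id": "0PS-profile-admin", "Label": "System Administrator", "IsOwnedByProfile": True,
     "PermissionsApiEnabled": True, "PermissionsCustomizeApplication": True, "PermissionsModifyAllData": True},
    {"Id": "0PS-legacy-int", "Label": "Legacy Integration Access", "IsOwnedByProfile": False,
     "PermissionsApiEnabled": True, "PermissionsCustomizeApplication": False, "PermissionsModifyAllData": False},
    {"Id": "0PS-dataops", "Label": "Data Operations", "IsOwnedByProfile": False,
     "PermissionsApiEnabled": True, "PermissionsCustomizeApplication": False, "PermissionsModifyAllData": True},
]

# Constructed users and assignments (every user is assigned their profile's set).
USERS = {"005-alice": "alice@corp.example", "005-bob": "bob@corp.example", "005-admin": "admin@corp.example"}
ASSIGNMENTS = [
    ("005-alice", "0PS-profile-std"), ("005-alice", "0PS-legacy-int"),
    ("005-bob", "0PS-profile-std"), ("005-bob", "0PS-dataops"),
    ("005-admin", "0PS-profile-admin"),
]

# Assumed org policy: who is allowed to hold each watched permission.
APPROVED = {
    "PermissionsApiEnabled": {"bob@corp.example", "admin@corp.example"},
    "PermissionsCustomizeApplication": {"admin@corp.example"},
    "PermissionsModifyAllData": {"admin@corp.example"},
}


def effective_grants(permission_sets, assignments):
    """Map user id -> {permission: [labels of the sets granting it]}.

    Salesforce permissions are additive: a user has a permission if the
    profile OR any assigned permission set grants it, so the grants are
    unioned across all assignments and the source kept so the fix is obvious.
    """
    by_id = {ps["Id"]: ps for ps in permission_sets}
    grants = defaultdict(lambda: defaultdict(list))
    for user_id, ps_id in assignments:
        ps = by_id[ps_id]
        for perm in WATCHED:
            if ps.get(perm):
                grants[user_id][perm].append(ps["Label"])
    return grants


def audit(permission_sets, assignments, users, approved):
    """Return (username, permission, granting sets) for every grant outside policy."""
    findings = []
    for user_id, perms in effective_grants(permission_sets, assignments).items():
        name = users[user_id]
        for perm, sources in perms.items():
            if name not in approved.get(perm, set()):
                findings.append((name, perm, sorted(sources)))
    return sorted(findings, key=lambda f: f[:2])


if __name__ == "__main__":
    for name, perm, sources in audit(PERMISSION_SETS, ASSIGNMENTS, USERS, APPROVED):
        print(f"{name}: {WATCHED[perm]} (granted by {', '.join(sources)})")
```

On the sample data the audit reports that alice holds “API Enabled” through the forgotten “Legacy Integration Access” permission set and that bob holds “Modify All Data” through “Data Operations”; the administrator is within policy. Reporting the granting set rather than just the user is what makes the finding actionable, since the remediation is to edit or unassign that set, not the user.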

MITRE ATT&CK

Tactic               | Technique                                                    | ID
Reconnaissance       | Search Open Websites/Domains                                 | T1593
Initial Access       | Phishing: Spearphishing Voice                                | T1566.004
Initial Access       | Valid Accounts                                               | T1078
Execution            | User Execution                                               | T1204
Persistence          | External Remote Services                                     | T1133
Privilege Escalation | Abuse Elevation Control Mechanism                            | T1548
Defense Evasion      | Obfuscated Files or Information                              | T1027
Defense Evasion      | Valid Accounts                                               | T1078
Discovery            | Cloud Service Discovery                                      | T1526
Collection           | Data from Information Repositories                           | T1213
Collection           | Automated Collection                                         | T1119
Exfiltration         | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002
Exfiltration         | Exfiltration Over Alternative Protocol                       | T1048
Impact               | Financial Theft (extortion)                                  | T1657

Source:

  • https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
  • https://cloud.google.com/blog/topics/threat-intelligence/technical-analysis-vishing-threats
  • https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations
  • https://www.salesforce.com/blog/protect-against-social-engineering/


Ampcus Cyber