Google Breached via Salesforce Vishing Campaign Linked to UNC6040 & ShinyHunters

In June 2025, Google became one of several high-profile organizations compromised in a coordinated Salesforce CRM data breach campaign. This attack was executed via sophisticated voice phishing (vishing) techniques, targeting employees with social engineering tactics that facilitated unauthorized access to sensitive Salesforce instances. The operation is attributed to the threat actor groups UNC6040 (initial access and data theft) and UNC6240 (extortion), with affiliations to the notorious ShinyHunters collective.

Severity Level: High

Incident Overview

  • Date Identified: June 2025
  • Attack Vector: Voice phishing leading to malicious Salesforce app authorization
  • Threat Actors: UNC6040 (initial compromise), UNC6240/ShinyHunters (extortion)
  • Targeted Service: Google’s Salesforce CRM environment for SMB contacts
  • Impact Scope: Exfiltration of basic business contact information
  • Detection and Response: Google cut off access promptly, conducted internal forensics, and initiated mitigations

How The Breach Happened

1. Initial Access via Vishing

Attackers impersonated Google IT personnel via phone calls to trick employees into authorizing a malicious connected app inside the Salesforce environment.

2. Abuse of Salesforce Data Loader

Once the app was authorized, the actor exfiltrated data using either:

  • Modified Salesforce Data Loader
  • Custom Python-based data extraction scripts

3. Infrastructure Used

  • VPNs (e.g., Mullvad)
  • TOR exit nodes
  • Okta phishing panels
  • Compromised accounts for staging the malicious app deployment

4. Exfiltration Channel

  • API-based data exports through Salesforce’s connected app framework
  • TOR-enabled delivery of exfiltrated data to attacker-controlled servers

Data Exposed During The Breach

Data Type:

  • Small & medium business (SMB) contact information
  • Publicly available or low-sensitivity records

Data Examples:

  • Company names
  • Contact names
  • Email addresses
  • Meeting notes / metadata

No PII, credentials, or sensitive internal assets were confirmed to be compromised.

Lessons Learned

  • Vishing remains a potent threat. Even well-secured organizations are vulnerable when humans are manipulated in real time.
  • MFA alone is not enough. Attackers bypassed MFA through social engineering; real-time session manipulation must be anticipated.
  • Organizations must actively configure and secure SaaS environments beyond default settings.

Recommendations

  1. Conduct mandatory vishing simulation training for all employees, especially IT support and helpdesk roles.
  2. Educate staff on MFA push fatigue attacks and social engineering pretexts such as “Salesforce troubleshooting” or “security testing.”
  3. Enforce MFA universally, including for Salesforce and connected apps. Ensure:
    • MFA is enforced at login and app authorization.
    • FIDO2 or phishing-resistant MFA methods are used where possible.
  4. Restrict Salesforce Connected App authorizations:
    • Limit “Customize Application” & “Manage Connected Apps” to a vetted admin group
    • Use Salesforce allowlisting to permit only verified apps (e.g., block unknown apps like “My Ticket Portal”).
  5. Enable Salesforce Shield with:
    • Transaction Security Policies that detect unusual data exports, connected app authorizations, and logins from TOR/VPN IPs
    • Event Monitoring that logs user access behavior, API calls, and app installations
  6. Enforce IP-based login restrictions in Salesforce:
    • Allow logins only from enterprise and VPN subnets
    • Block logins from known TOR nodes or suspicious IPs
  7. Integrate with cloud security posture management (CSPM) to assess misconfigurations in Salesforce, Okta, and Microsoft 365.
  8. Tools such as Data Loader often require the “API Enabled” permission for full functionality; assign that permission only to the users who genuinely need it.
  9. Per Salesforce’s guidance, review and configure Data Loader access to restrict the number of users who can perform mass data operations, and regularly audit profiles and permission sets to ensure appropriate access levels.
  10. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/716054002709930f7ef8e4725b72537375366156f94b5525e2c88028aa8b8ca9/iocs
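The detection side of recommendations 5 and 6 (transaction security policies for unknown app authorizations, logins from TOR/non-enterprise networks, and bulk API exports of the kind Data Loader produces) can be prototyped over exported event logs. The following is an added example written for this advisory, not code from Google, Salesforce or the original post; the CSV columns, allowlist, subnets, thresholds and the TOR exit address (a TEST-NET placeholder) are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample events, loosely modeled on Salesforce Event Monitoring exports;
# column names are simplified assumptions, not the product's real schema.
SAMPLE_EVENTS = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,SOURCE_IP
Login,2025-06-10T09:01:00Z,005A1,Browser,,0,10.20.30.41
ConnectedAppAuth,2025-06-10T09:05:00Z,005A1,My Ticket Portal,,0,10.20.30.41
Login,2025-06-10T09:07:00Z,005A1,Data Loader,,0,203.0.113.7
API,2025-06-10T09:08:00Z,005A1,Data Loader,Contact,45000,203.0.113.7
API,2025-06-10T09:09:00Z,005A1,Data Loader,Account,30000,203.0.113.7
API,2025-06-10T10:00:00Z,005B2,Data Loader,Lead,200,10.20.30.55
ConnectedAppAuth,2025-06-10T10:01:00Z,005B2,Sales Dashboard,,0,10.20.30.55
"""

APP_ALLOWLIST = {"Sales Dashboard"}                        # vetted connected apps (assumed)
CORPORATE_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # enterprise/VPN subnets (assumed)
KNOWN_TOR_EXITS = {"203.0.113.7"}                         # placeholder; load a real exit-node list here
EXPORT_ROW_THRESHOLD = 10000                              # rows per user per log window before alerting


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def detect(events_csv):
    """Return (alert_type, user_id, detail) tuples in event order."""
    alerts, rows_by_user, flagged = [], defaultdict(int), set()
    for row in csv.DictReader(io.StringIO(events_csv)):
        kind, user, app, ip = row["EVENT_TYPE"], row["USER_ID"], row["CLIENT_NAME"], row["SOURCE_IP"]
        # Policy 1: a connected-app authorization for an app outside the allowlist
        if kind == "ConnectedAppAuth" and app not in APP_ALLOWLIST:
            alerts.append(("unknown_app_authorization", user, app))
        # Policy 2: a login from a known TOR exit or from outside enterprise/VPN ranges
        elif kind == "Login" and (ip in KNOWN_TOR_EXITS or not is_corporate(ip)):
            alerts.append(("login_outside_allowed_networks", user, ip))
        # Policy 3: cumulative API rows per user above the export threshold (one alert per user)
        elif kind == "API":
            rows_by_user[user] += int(row["ROWS_PROCESSED"])
            if rows_by_user[user] > EXPORT_ROW_THRESHOLD and user not in flagged:
                flagged.add(user)
                alerts.append(("bulk_export", user, f"{rows_by_user[user]} rows via {app}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

On the sample above, the same user is flagged three times in sequence (unknown app authorized, then a login from a TOR address, then a 45,000-row export), which is the chain the advisory describes and the order in which a SOC would want to see it.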

Source:

  • https://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/
  • https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
