Google is warning about large-scale, financially motivated vishing attacks targeting Salesforce customers, with the goal of subsequent data exfiltration and cyber extortion.
For months, Google’s Threat Intelligence Group (GTIG) has tracked a prolific campaign, dubbed UNC6040, attributed to a minor league threat group known as “The Com.” The threat actor gains access to an organization’s network by impersonating IT support staff in phone-based phishing (vishing) calls.
“Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements,” Google stated.
High-profile Salesforce customers compromised via vishing attacks
Upon gaining access, the threat actor leverages Salesforce’s Data Loader component, which allows bulk import, export, and update of records.
They trick Salesforce users into granting a rogue Data Loader app, named “My Ticket Portal,” access to their organization’s Salesforce portal and its data; the rogue app differs significantly from its legitimate counterpart in naming and branding.
“This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce,” Google explained.
The component supports a graphical user interface and command-line interaction, with “significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.” It also supports OAuth authentication and direct integration via “connected apps.”
During the attack, the threat actor also requests login credentials and multifactor authentication (MFA) codes. Targeted Salesforce users are directed to a “Salesforce Setup Connect” page that asks for an 8-digit MFA code, supposedly needed to close the support ticket used as the pretext.
Salesforce had previously warned customers about similar vishing attacks and advised them to apply security best practices, including enabling MFA, whitelisting IP address ranges, and adhering to the principle of least privilege.
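As an added defender-side example (not code from Google’s report or from Salesforce), the following Python script triages connected-app API activity against the three controls just listed: an approved connected-app list, allowlisted IP ranges, and a bulk-export baseline. The sample records, field names, app names, IP ranges, and threshold are constructed assumptions, not Salesforce’s actual log schema or any real organization’s data.

```python
import ipaddress

# Constructed sample of connected-app API activity (field names are hypothetical,
# not Salesforce's exact EventLogFile schema). Each record: the connected app the
# user authorized, the user, the source IP of the call, and rows returned.
SAMPLE_EVENTS = [
    {"app": "Data Loader", "user": "alice@example.com", "ip": "203.0.113.10", "rows": 1_500},
    {"app": "My Ticket Portal", "user": "bob@example.com", "ip": "198.51.100.77", "rows": 250_000},
    {"app": "My Ticket Portal", "user": "bob@example.com", "ip": "198.51.100.77", "rows": 180_000},
    {"app": "Data Loader", "user": "carol@example.com", "ip": "203.0.113.22", "rows": 320_000},
]

APPROVED_APPS = {"Data Loader"}                              # connected apps the org has reviewed
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # the org's allowlisted IP ranges (assumed)
BULK_EXPORT_THRESHOLD = 100_000                             # rows per (user, app); tune to the org's baseline


def ip_is_trusted(ip: str, ranges=TRUSTED_RANGES) -> bool:
    """True if the source address falls inside one of the allowlisted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def triage(events, approved=APPROVED_APPS, ranges=TRUSTED_RANGES, threshold=BULK_EXPORT_THRESHOLD):
    """Return a deduplicated, sorted list of (severity, reason, user, app) findings.

    Three signals from the campaign: a connected app outside the approved set,
    API calls from outside the allowlisted ranges, and export volume above the
    org's baseline. Any one signal is worth review; all three on the same
    (user, app) pair is the pattern described above.
    """
    findings = set()
    rows_by_pair = {}
    for e in events:
        pair = (e["user"], e["app"])
        rows_by_pair[pair] = rows_by_pair.get(pair, 0) + e["rows"]
        if e["app"] not in approved:
            findings.add(("high", "unapproved connected app authorized", *pair))
        if not ip_is_trusted(e["ip"], ranges):
            findings.add(("medium", f"API call from untrusted IP {e['ip']}", *pair))
    for pair, rows in rows_by_pair.items():
        if rows > threshold:
            findings.add(("medium", f"bulk export of {rows} rows", *pair))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

On the sample data, bob’s “My Ticket Portal” session trips all three signals, while carol’s large export through the approved Data Loader from a trusted range yields only the volume finding for follow-up.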
“To help our customers strengthen their cybersecurity posture and defend against these types of sophisticated threats, we’re highlighting key platform features and best practices,” Salesforce stated.
Social engineering attacks on Salesforce customers
Meanwhile, Google says the vishing attacks do not exploit any Salesforce product vulnerability but rely solely on human weakness, which is usually the weakest link in an organization’s cybersecurity strategy.
“In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce,” Google noted.
According to James McQuiggan, a security awareness advocate at KnowBe4, employees should think twice before engaging with strangers via phone.
“You wouldn’t blindly open your front door to a stranger, so we must consider whether you should pick up the phone and trust the voice on the other end. Ask yourself: Were you expecting this call?” McQuiggan said. “Think about it. If someone knocked at your door and you weren’t expecting anyone, would you swing it open? Probably not. Most of us would peek through the window, check the camera, or at least ask, ‘Who is it?’”
Additionally, the threat actor uses the access to pivot to other platforms used by the same Salesforce customers, such as Microsoft 365, Okta, and Workplace, and harvest more sensitive information. The threat actor’s infrastructure also hosts an Okta phishing panel to which victims are directed.
“Such access not only results in direct data loss but also frequently serves as a precursor to lateral movement, enabling the attackers to compromise other cloud services and internal corporate networks,” Google added.
After exfiltrating sensitive information, the attacker uses various extortion tactics, such as disclosing their alleged affiliations to other prolific threat actors like ShinyHunters, to force compliance. In some cases, extortion attempts occur months after successful vishing attacks, suggesting that UNC6040 works with another threat actor.
“In some instances, extortion activities haven’t been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data,” Google said.
At least 20 organizations across various sectors, including education, hospitality, and retail, have experienced Salesforce vishing attacks. English-speaking employees of multinational organizations are often targeted, suggesting that the campaign primarily targets large corporations.
Nonetheless, Salesforce says it was aware of a small subset of impacted customers, and the hacking campaign was not widespread.