Google: Hackers Target Salesforce Accounts in Data Extortion Attacks
Google's Threat Intelligence Group (GTIG) has recently observed hackers targeting Salesforce accounts as part of a sophisticated social engineering campaign to steal sensitive data. The activity, tracked as "UNC6040," involves voice phishing (vishing) calls to English-speaking employees who work with the Salesforce platform.
The attackers impersonate IT support personnel and ask the target employee to approve a connection to Salesforce's Data Loader application. The copy they have the employee approve is a modified version of the app, used first to export data stored in the victim's Salesforce instance and then to move laterally into connected platforms such as Okta, Microsoft 365, and Workplace. The goal is to reach more sensitive information held on those platforms, including sensitive communications, authorization tokens, documents, and more.
The attackers use various tactics to trick victims into installing the modified app, often renaming it to "My Ticket Portal" during an alleged support phone call. Once the connection is approved, the attacker-controlled Data Loader is linked to the victim's environment, giving the attacker access to the data stored there.
How the Attacks Work
The attacks follow this workflow:
- The attacker makes a voice call to the target employee, impersonating IT support staff and requesting permission to connect to Salesforce Data Loader.
- The target employee is tricked into opening the Salesforce connect setup page and entering a "connection code," which links the actor-controlled Data Loader to their environment.
- The attacker uses the modified app to export data stored in the Salesforce instance, which in turn provides access to additional cloud platforms such as Okta, Microsoft 365, and Workplace.
- The attacker accesses more sensitive information stored on these platforms, including authorization tokens, documents, and communications.
In some cases, the attackers have been observed moving laterally through the victim's network, accessing and exfiltrating data from other platforms. The threat actors use Mullvad VPN IP addresses to obfuscate their activity.
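The workflow above has a recognisable shape in Salesforce activity logs: a connected-app authorization that the admin team never approved, followed within minutes by large bulk exports by the same user, often from a commercial VPN address. The script below is an added example of that correlation and is not code from Google's report or from Salesforce. It uses a simplified event schema of its own (the `type`, `app`, `rows` and `ip` fields are assumptions, not Salesforce's Event Monitoring field names), a constructed allowlist of approved apps, and the RFC 5737 documentation range 203.0.113.0/24 as a placeholder for a VPN provider's egress ranges.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Connected apps the organisation has deliberately approved (assumption: an
# allowlist maintained by the Salesforce admins).
APPROVED_APPS = {"Nightly Warehouse Sync"}

# Egress ranges of commercial VPN providers. 203.0.113.0/24 is an RFC 5737
# documentation range used here as a placeholder; a real deployment would load
# the provider's published ranges.
VPN_RANGES = [ip_network("203.0.113.0/24")]

# Constructed sample events in a simplified, assumed schema; the field names are
# this example's own, not Salesforce's Event Monitoring or audit-trail fields.
SAMPLE_EVENTS = [
    # An employee approves an unfamiliar connected app during the "support call",
    # then large exports follow from the same VPN address.
    {"ts": "2025-06-02T14:03:10", "user": "j.doe", "type": "connected_app_authorized",
     "app": "My Ticket Portal", "ip": "203.0.113.77"},
    {"ts": "2025-06-02T14:05:22", "user": "j.doe", "type": "bulk_export",
     "object": "Contact", "rows": 250_000, "ip": "203.0.113.77"},
    {"ts": "2025-06-02T14:09:01", "user": "j.doe", "type": "bulk_export",
     "object": "Account", "rows": 80_000, "ip": "203.0.113.77"},
    # A known integration exporting at its usual time from an internal address.
    {"ts": "2025-06-02T02:00:00", "user": "svc-etl", "type": "connected_app_authorized",
     "app": "Nightly Warehouse Sync", "ip": "10.20.30.40"},
    {"ts": "2025-06-02T02:01:00", "user": "svc-etl", "type": "bulk_export",
     "object": "Opportunity", "rows": 500_000, "ip": "10.20.30.40"},
]


@dataclass
class Alert:
    user: str
    app: str
    source_ip: str
    rows_exported: int
    reasons: list[str] = field(default_factory=list)


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def is_vpn_egress(ip: str) -> bool:
    """True when the address falls inside a known commercial VPN egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def detect_suspicious_exports(events, window=timedelta(minutes=30), row_threshold=10_000):
    """Correlate each connected-app authorization with bulk exports by the same
    user inside `window`, and alert when the app is unapproved or the source is a
    VPN egress address. An approved integration exporting from an internal
    address produces no alert, even when the volume is large."""
    ordered = sorted(events, key=_ts)
    alerts: list[Alert] = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "connected_app_authorized":
            continue
        reasons = []
        if ev["app"] not in APPROVED_APPS:
            reasons.append("unapproved_app")
        if is_vpn_egress(ev["ip"]):
            reasons.append("vpn_egress")
        if not reasons:
            continue
        start = _ts(ev)
        rows = sum(
            e["rows"] for e in ordered[i + 1:]
            if e["type"] == "bulk_export"
            and e["user"] == ev["user"]
            and _ts(e) - start <= window
        )
        if rows >= row_threshold:
            reasons.append("bulk_export_after_authorization")
            alerts.append(Alert(ev["user"], ev["app"], ev["ip"], rows, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_exports(SAMPLE_EVENTS):
        print(f"{a.user}: {a.rows_exported} rows via '{a.app}' from {a.source_ip} "
              f"({', '.join(a.reasons)})")
```

On the constructed input the nightly integration is silent and the "My Ticket Portal" authorization produces a single alert carrying all three reasons. The window and row threshold are tunable; the point of requiring an export after an unapproved authorization is to keep a lone user approving an unknown app (a common false positive) below the alert line while still catching the export that follows the phone call.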
The ShinyHunters Connection
Google has observed that the attackers claim to be part of the infamous ShinyHunters extortion group, which is known for data theft and ransom demands. The actors' use of phishing pages impersonating Okta links them to the tactics of threat actors associated with "The Com" or Scattered Spider.
In some instances, the attackers have been observed attempting to extort companies into paying a ransom in exchange for not leaking the stolen data. These extortion demands can come months later, suggesting that the UNC6040 threat cluster has partnered with another group to monetize access to the stolen data.
Prevention and Mitigation
Google recommends taking the following steps to prevent and mitigate these attacks:
- Restricting "API Enabled" permissions on Salesforce platforms.
- Limiting app installation authorization.
- Blocking access from commercial VPNs like Mullvad.
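The three recommendations above are configuration checks that can be audited rather than remembered. The script below is an added example of such an audit and is not from Google's report or from Salesforce. It walks a constructed snapshot of profiles and connected-app policies (the dict layout is this example's own; the option strings mirror the labels shown in the Connected App settings) and reports profiles holding "API Enabled" outside an assumed integration allowlist, apps that any user may self-authorize, and apps that relax login IP restrictions, which is what would let a commercial VPN address through.

```python
from __future__ import annotations

from dataclasses import dataclass

# Profiles that legitimately need "API Enabled" (assumption: an allowlist kept by
# the Salesforce admins; everyone else reaches data through the UI only).
API_ALLOWLIST = {"Integration User"}

# Constructed configuration snapshot in an assumed record layout. The option
# strings mirror the labels in the Connected App settings, but the dict schema is
# this example's own, not an export format.
SAMPLE_PROFILES = [
    {"name": "Integration User", "api_enabled": True, "users": 2},
    {"name": "Sales Rep", "api_enabled": True, "users": 340},
    {"name": "Support Agent", "api_enabled": False, "users": 120},
]
SAMPLE_CONNECTED_APPS = [
    {"name": "Nightly Warehouse Sync",
     "permitted_users": "Admin approved users are pre-authorized",
     "ip_relaxation": "Enforce IP restrictions"},
    {"name": "Data Loader",
     "permitted_users": "All users may self-authorize",
     "ip_relaxation": "Relax IP restrictions"},
]


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    subject: str    # profile or connected app name
    detail: str


def audit_profiles(profiles) -> list[Finding]:
    """Flag "API Enabled" on any profile outside the integration allowlist."""
    findings = []
    for p in profiles:
        if p["api_enabled"] and p["name"] not in API_ALLOWLIST:
            findings.append(Finding(
                "high", p["name"],
                f"API Enabled granted to {p['users']} users outside the integration allowlist"))
    return findings


def audit_connected_apps(apps) -> list[Finding]:
    """Flag apps that any user may self-authorize (the setting that lets a
    connection approved during a phone call link an outside client to the org)
    and apps that bypass login IP restrictions."""
    findings = []
    for app in apps:
        if app["permitted_users"] != "Admin approved users are pre-authorized":
            findings.append(Finding(
                "high", app["name"],
                "users may self-authorize; require admin pre-approval"))
        if app["ip_relaxation"] != "Enforce IP restrictions":
            findings.append(Finding(
                "medium", app["name"],
                "IP restrictions relaxed; enforce them so VPN egress addresses are blocked"))
    return findings


def run_audit(profiles, apps) -> list[Finding]:
    return audit_profiles(profiles) + audit_connected_apps(apps)


if __name__ == "__main__":
    for f in run_audit(SAMPLE_PROFILES, SAMPLE_CONNECTED_APPS):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
```

On the constructed snapshot the audit returns three findings: the broad "API Enabled" grant on the Sales Rep profile and the two policy gaps on the Data Loader app. In practice the snapshot would be populated from the org's actual profile and connected-app metadata, and the allowlist reviewed whenever a new integration is onboarded.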
Organizations can also take steps to protect themselves from social engineering attacks, such as implementing robust cybersecurity awareness and best practices, using Multi-Factor Authentication, and restricting access to sensitive data.
Conclusion
The UNC6040 threat cluster highlights the importance of vigilance when it comes to protecting sensitive data. By understanding how these attacks work and taking proactive measures to prevent them, organizations can minimize the risk of falling victim to these sophisticated social engineering campaigns.