- Two threat groups, UNC6040 and UNC6395, are actively targeting Salesforce accounts to steal sensitive data
- UNC6395 abuses integrations such as the Salesloft Drift chatbot, while UNC6040 uses phone-based social engineering, impersonating IT staff to gain access
- The FBI warns that follow-up attacks are often carried out by ShinyHunters, a group linked to Scattered Spider
Two distinct threat actors are currently targeting organizations' Salesforce accounts to steal the sensitive data stored in them, according to the Federal Bureau of Investigation (FBI), which recently published a FLASH alert to warn companies about the ongoing threat.
“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) associated with recent malicious activity by the cyber criminal groups UNC6040 and UNC6395, responsible for a growing number of data theft and extortion incidents,” the agency said in its advisory.
“Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that recipients can use for network research and defense.”
Scattered Spider and ShinyHunters
Recently, there have been numerous reports of cybercriminals compromising companies' Salesforce accounts via the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce.
The FBI tracks this group as UNC6395, and it apparently hit some of the largest technology and security organizations, including Cloudflare, Zscaler, Tableau, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks and others.
The other group, UNC6040, gained access by persuading victims to hand it over. They would call employees on the phone, posing as IT staff helping to resolve enterprise-wide connectivity problems.
“Under the guise of closing an automatically generated ticket, UNC6040 actors instruct customer support employees to take actions that grant the attackers access or lead to the sharing of employee credentials, allowing them to access the Salesforce orgs of targeted companies to exfiltrate customer data,” the FBI said.
One threat actor known for having perfected this technique is Scattered Spider. Although the FBI did not name this group in its advisory, it said that follow-up attacks were generally mounted by ShinyHunters, a group known to have worked with Scattered Spider. At one point, the groups even merged into an entity they nicknamed Scattered LAPSUS$ Hunters.
Via BleepingComputer