- Google researchers warn of an ongoing vishing campaign
- Threat actors pose as IT support over the phone and talk employees into installing malware
- They use a fake Salesforce application to steal data
About twenty companies have lost data after cybercriminals posed as IT support staff and led employees to download malware, researchers warned.
A new Google Threat Intelligence Group (GTIG) report describes how a threat actor tracked as UNC6040 has been targeting Western organizations for months.
The attackers would phone businesses in hospitality, retail, education and other verticals and, pretending to be IT support, talk employees into downloading and installing a tampered version of Salesforce Data Loader. Data Loader is a client application for bulk importing, exporting, updating, deleting or inserting Salesforce data, used mainly by administrators and developers for data volumes that cannot easily be handled through the administrative interface.
“Significant capabilities”
Once the malicious application was installed, the victims granted UNC6040 “significant capabilities” to access, query and exfiltrate sensitive information directly from the compromised Salesforce customer environments, GTIG said.
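The attack described above works because a Data Loader-style client connects to Salesforce as an OAuth connected app and then pulls data through the bulk API, so the footprint a defender can look for is a newly authorized lookalike app followed by large bulk export jobs. The following heuristic is an added example written for this article; it is not Google's, Salesforce's or the campaign's code. The event records, the approved-app allowlist, the consumer keys and the row threshold are all constructed, and the record format is a deliberate simplification rather than Salesforce's real EventLogFile schema.

```python
"""Heuristic triage for a rogue Data Loader-style connected app.

Added example (not from the article or GTIG). Event records and keys
below are constructed; the schema is a simplification for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the org keeps an allowlist mapping the approved app name to
# the OAuth consumer key it was registered with. Values are placeholders.
APPROVED_APPS = {"DataLoaderBulkUI": "3MVG9_official_key_placeholder"}

# Name fragments an attacker would reuse to make a fake app look legitimate.
LOOKALIKE_TERMS = ("data loader", "dataloader", "salesforce")

# Constructed thresholds: tune to the org's normal Data Loader usage.
BULK_EXPORT_THRESHOLD = 100_000   # rows exported per user inside WINDOW
WINDOW = timedelta(hours=24)      # how long after an app grant we keep watching

# Constructed sample events: alice authorizes a lookalike app and then runs
# two large query (export) jobs; bob uses the approved app for an insert;
# carol exports a lot but never authorized a new app in this sample.
EVENTS = [
    {"ts": "2025-06-01T09:02:00", "user": "alice", "type": "app_authorized",
     "app": "Data Loader (IT Support)", "key": "3MVG9_attacker_key"},
    {"ts": "2025-06-01T09:10:00", "user": "alice", "type": "bulk_job",
     "op": "query", "object": "Contact", "rows": 250_000},
    {"ts": "2025-06-01T09:20:00", "user": "alice", "type": "bulk_job",
     "op": "query", "object": "Account", "rows": 90_000},
    {"ts": "2025-06-01T10:00:00", "user": "bob", "type": "app_authorized",
     "app": "DataLoaderBulkUI", "key": "3MVG9_official_key_placeholder"},
    {"ts": "2025-06-01T10:05:00", "user": "bob", "type": "bulk_job",
     "op": "insert", "object": "Lead", "rows": 5_000},
    {"ts": "2025-06-02T08:00:00", "user": "carol", "type": "bulk_job",
     "op": "query", "object": "Contact", "rows": 150_000},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def lookalike_apps(events):
    """Return (user, app, key) for app grants whose name mimics Data Loader
    or Salesforce but whose consumer key is not the approved one."""
    findings = []
    for e in events:
        if e["type"] != "app_authorized":
            continue
        name = e["app"].lower()
        mimics = any(term in name for term in LOOKALIKE_TERMS)
        if mimics and APPROVED_APPS.get(e["app"]) != e["key"]:
            findings.append((e["user"], e["app"], e["key"]))
    return findings


def bulk_exports_after_new_app(events, threshold=BULK_EXPORT_THRESHOLD,
                               window=WINDOW):
    """Sum bulk query (export) rows per user that occur within `window`
    after that user authorized any app; return users over `threshold`."""
    grants = defaultdict(list)
    for e in events:
        if e["type"] == "app_authorized":
            grants[e["user"]].append(_ts(e))
    exported = defaultdict(int)
    for e in events:
        if e["type"] != "bulk_job" or e["op"] != "query":
            continue
        when = _ts(e)
        if any(timedelta(0) <= when - g <= window for g in grants[e["user"]]):
            exported[e["user"]] += e["rows"]
    return {u: n for u, n in exported.items() if n >= threshold}


def triage(events):
    """Combine both signals; a user appearing in both is the strongest hit."""
    apps = lookalike_apps(events)
    exports = bulk_exports_after_new_app(events)
    both = sorted({u for u, _, _ in apps} & set(exports))
    return {"lookalike_apps": apps, "large_exports": exports, "both": both}


if __name__ == "__main__":
    for k, v in triage(EVENTS).items():
        print(f"{k}: {v}")
```

Both signals are needed: a lookalike name alone catches a sloppy attacker but not one who registers an app under an innocuous name, and a bulk export spike alone will fire on every legitimate migration. Tying the export volume to the window after a fresh app grant is what separates the campaign's pattern from normal administrator activity. Carol's export is deliberately left unflagged here because the sample has no grant for her; in a real deployment that case would go to a separate baseline check.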
Google also said that months could pass between the theft of the data and the moment the attackers attempted to extort the victim for money.
According to the researchers, this could mean that one group carries out the theft and another handles the negotiation. UNC6040 has claimed affiliation with groups such as ShinyHunters in the past, and could be part of “The Com”, a large collective of cybercriminals linked to LoGugly.
Infamous groups such as Scattered Spider are also part of this underground ecosystem.
Finally, Google pointed out that in every case observed, the attackers relied on manipulation and deception, targeting people rather than systems.
No vulnerability inherent to Salesforce was found or exploited in this campaign, so the best defense against this and similar campaigns is to educate employees about phishing and its variants (smishing, vishing, quishing and others).