The FBI has issued a FLASH alert warning that two risk clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal knowledge and extort victims.
“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) related to latest malicious cyber actions by cyber felony teams UNC6040 and UNC6395, accountable for a rising variety of knowledge theft and extortion intrusions,” reads the FBI’s FLASH advisory.
“Each teams have lately been noticed focusing on organizations’ Salesforce platforms through completely different preliminary entry mechanisms. The FBI is releasing this data to maximise consciousness and supply IOCs that could be utilized by recipients for analysis and community protection.”
UNC6040 was first disclosed by Google Menace Intelligence (Mandiant) in June, who warned that since late 2024, risk actors had been utilizing social engineering and vishing assaults to trick workers into connecting malicious Salesforce Knowledge Loader OAuth apps to their firm’s Salesforce accounts.
In some instances, the risk actors impersonated company IT help personnel, who used renamed variations of the applying known as “My Ticket Portal.”
As soon as related, the risk actors used the OAuth software to mass-exfiltrate company Salesforce knowledge, which was then utilized in extortion makes an attempt by the ShinyHunters extortion group.
In these early knowledge theft assaults, ShinyHunters instructed BleepingComputer that they primarily focused the “Accounts” and “Contacts” database tables, that are each used to retailer knowledge about an organization’s clients.
These knowledge theft assaults had been widespread, impacting massive and well-known firms, resembling Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co.
Later knowledge theft assaults in August additionally focused Salesforce clients, however this time utilized stolen Salesloft Drift OAuth and refresh tokens to breach clients’ Salesforce cases.
This exercise is tracked as UNC6395 and is believed to have occurred between August eighth and 18th, with the risk actors utilizing the tokens to focus on the corporate’s help case data that was saved in Salesforce.
The exfiltrated knowledge was then analyzed to extract secrets and techniques, credentials, and authentication tokens shared in help instances, together with AWS keys, passwords, and Snowflake tokens. These credentials may then be used to pivot to different cloud environments for extra knowledge theft.
Salesloft labored with Salesforce to revoke all Drift tokens and required clients to reauthenticate to the platform.
It was later revealed that the risk actors additionally stole Drift E mail tokens, which had been used to entry emails for a small variety of Google Workspace accounts.
An investigation by Mandiant decided the assault originated in March, when Salesloft’s GitHub repositories had been compromised, permitting attackers to in the end steal the Drift OAuth tokens.
Just like the earlier assaults, these new Salesloft Drift knowledge theft assaults impacted quite a few firms,  together with Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many extra.
Whereas the FBI didn’t title the teams behind these campaigns, BleepingComputer was instructed by the ShinyHunters extortion group that they and different risk actors calling themselves “Scattered Lapsus$ Hunters, had been behind each clusters of exercise.
This group of hackers claims to have originated from and overlap with the Lapsus$, Scattered Spider, and ShinyHunters extortion teams.
On Thursday, the risk actors introduced through a website related to BreachForums that they deliberate to “go darkish” and cease discussing operations on Telegram.
Nonetheless, in a parting submit, the hackers claimed to have gained entry to the FBI’s E-Test background examine system and Google’s Regulation Enforcement Request system, publishing screenshots as proof.
If reliable, this entry would permit them to impersonate regulation enforcement and pull delicate data of people.
When contacted by BleepingComputer, the FBI declined to remark, and Google didn’t reply to our e-mail.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration tendencies.
