A financially motivated hacker group has been targeting Salesforce instances for months in a campaign that uses voice phishing to engage in data theft and follow-on extortion attempts, according to Google Threat Intelligence Group.
The hackers, whom Google tracks as UNC6040, impersonated IT support staff and tricked employees, often at English-speaking branches of multinational companies, into sharing credentials that were then used to access the organizations' Salesforce data, Google said in a blog post published Wednesday.
As part of the social engineering campaign, the hackers talked workers into visiting the Salesforce connected app setup page and approving an unauthorized, modified version of the Salesforce Data Loader app. The attackers then used that app to access and exfiltrate sensitive data from the victims' Salesforce environments.
Beyond the immediate data theft, the hackers moved laterally, using the access they had gained to reach victims' other cloud services and their internal corporate networks.
Salesforce warned about these social engineering attacks in a March blog post. A company spokesperson told Cybersecurity Dive that there is no indication the attacks are linked to any vulnerability in the Salesforce platform.
“Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices,” the spokesperson said via email.
In the blog post, Salesforce urged customers to enable multifactor authentication, limit access privileges and restrict login IP addresses.
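A practitioner's caveat on those recommendations: in this campaign the victim approves the attacker's connected app from inside an already-authenticated session, so MFA on the victim's own login does not by itself stop the app from being authorized. Login IP restrictions and monitoring of which client applications are logging in catch what MFA misses. The script below is an added example written for this page; it is not code from Google, Salesforce or the article. It flags successful logins from a Data Loader-style client that arrive from outside an allowed IP range or from a user who does not normally use Data Loader. Record field names mirror Salesforce's LoginHistory object (Application, SourceIp, Status, UserId, LoginTime); the sample records, the allowed networks, the user baseline and the application-name pattern are constructed assumptions for illustration.

```python
"""Flag Salesforce logins that look like an unauthorized Data Loader-style client.

Added example, not from the article, Google or Salesforce. Field names mirror
Salesforce's LoginHistory object; sample data, IP ranges, baseline users and the
application-name pattern are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed corporate egress ranges that a login IP restriction would permit.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Users expected to use Data Loader (assumed baseline built from past, reviewed logins).
BASELINE_DATA_LOADER_USERS = {"005ALICE"}

# Any client advertising itself as Data Loader. The attackers used a modified copy,
# so the name alone proves nothing; the pattern is an assumption.
DATA_LOADER_RE = re.compile(r"data\s*loader", re.IGNORECASE)

# Constructed LoginHistory-style records (not real telemetry).
SAMPLE_LOGINS = [
    {"LoginTime": "2025-05-01T09:00:00Z", "UserId": "005ALICE", "SourceIp": "203.0.113.10",
     "Application": "Data Loader", "Status": "Success"},
    {"LoginTime": "2025-05-01T09:05:00Z", "UserId": "005BOB", "SourceIp": "192.0.2.44",
     "Application": "Data Loader", "Status": "Success"},
    {"LoginTime": "2025-05-01T09:06:00Z", "UserId": "005CAROL", "SourceIp": "192.0.2.50",
     "Application": "Browser", "Status": "Success"},
    {"LoginTime": "2025-05-01T09:07:00Z", "UserId": "005DAVE", "SourceIp": "192.0.2.60",
     "Application": "Data Loader", "Status": "Failed"},
    {"LoginTime": "2025-05-01T09:30:00Z", "UserId": "005ALICE", "SourceIp": "198.51.100.200",
     "Application": "Data Loader", "Status": "Success"},
]


@dataclass(frozen=True)
class Finding:
    user_id: str
    source_ip: str
    application: str
    login_time: str
    reasons: tuple


def ip_allowed(ip: str) -> bool:
    """True if the login IP falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def flag_logins(records, baseline_users=BASELINE_DATA_LOADER_USERS):
    """Return Findings for successful Data Loader-style logins that are anomalous.

    A login is flagged when the client name matches Data Loader and either the
    source IP is outside the allowed ranges or the user is not in the baseline of
    known Data Loader users. Failed logins and non-Data-Loader clients are ignored.
    """
    findings = []
    for r in sorted(records, key=lambda rec: rec["LoginTime"]):
        if r.get("Status") != "Success":
            continue
        app = r.get("Application", "")
        if not DATA_LOADER_RE.search(app):
            continue
        reasons = []
        if not ip_allowed(r["SourceIp"]):
            reasons.append("source IP outside allowed ranges")
        if r["UserId"] not in baseline_users:
            reasons.append("user not in Data Loader baseline")
        if reasons:
            findings.append(Finding(r["UserId"], r["SourceIp"], app,
                                    r["LoginTime"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in flag_logins(SAMPLE_LOGINS):
        print(f"{f.login_time} {f.user_id} {f.source_ip} {f.application}: {', '.join(f.reasons)}")
```

In the constructed data, the 09:05 login is flagged on both counts (unknown user, unallowed IP) and the 09:30 login on the IP alone; the failed attempt and the browser session are skipped. Restricting login IPs in the org profile settings, as Salesforce recommends, would have blocked the two flagged logins before they reached the audit trail.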
It wasn't immediately clear why Salesforce instances in particular were targeted or how the hackers learned of the Data Loader tool. Google researchers have not observed other threat actors using it.
The attackers' proficiency in deploying the malicious version of the tool varied from intrusion to intrusion, researchers said.
“The difference in proficiency likely reflects a team with different skills and knowledge of the Salesforce platform,” Austin Larsen, principal threat analyst at GTIG, said via email. “It’s probable this expertise was acquired through prior operations or research, not from insider knowledge.”
In a number of cases, the hackers launched extortion attempts months after gaining initial access, according to researchers. There is evidence that they are working with an outside partner: in some cases, those extorting the targets claimed to be affiliated with the ShinyHunters threat group.
The Salesforce activity mirrors a recent increase in the use of voice phishing as a tool for social engineering attacks.
Larsen said there are broad overlaps between the Salesforce hackers and an underground collective known as "The Com," which includes the notorious cybercrime gang dubbed Scattered Spider. Larsen cautioned, however, that the threat actor behind the Salesforce attacks is distinct from the group tracked as UNC3944, which overlaps with a subset of Scattered Spider activity.