Full Report
FLASH Alert-20250912-001 TLP:Clear

Summary

The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions. Both groups have recently been observed targeting organizations' Salesforce platforms via...
Analysis Summary
# Threat Actor: UNC6040 and UNC6395 (Joint Threat Summary)
## Attribution & Identity
The threat actors are identified as cyber criminal groups designated by the FBI as UNC6040 and UNC6395. The alert groups them together because of their shared recent activity type (Salesforce compromise) but notes that they use different initial access mechanisms.
## Activity Summary
Both UNC6040 and UNC6395 are responsible for a rising number of data theft and extortion intrusions. They are currently observed targeting organizations' Salesforce platforms. The primary activity involves gaining access to these platforms to conduct data theft, often followed by extortion.
## Tactics, Techniques & Procedures
* Specific TTPs are not detailed in the provided summary, other than the objective of **gaining access to Salesforce instances**.
* The groups use **different initial access mechanisms** to compromise the platforms (specific methods not detailed).
* **Data Theft** and subsequent **Extortion** are the core operational methodologies.
## Targeting
* **Sectors:** Not explicitly detailed in the summary, but the focus on Salesforce suggests organizations utilizing this CRM platform across various industries are at risk.
* **Geography:** Not specified in the summary.
* **Victims:** Organizations utilizing Salesforce instances.
## Tools & Infrastructure
* Malware families used are **not mentioned** in the provided summary.
* Infrastructure (C2, domains, IPs) details are **not provided** in this summary, though they are referenced as being available in the full Flash Alert document.
## Implications
The activity poses a significant threat to organizations relying on Salesforce for critical business functions and data storage, leading to potential data exposure, reputational damage, and severe financial impact through extortion attempts. The parallel activity by two distinct groups targeting the same high-value platform increases the overall risk profile for Salesforce customers.
## Mitigations
* Given the targeting of Salesforce, organizations should **review and strengthen security controls pertaining to their Salesforce instances**.
* Ensure **monitoring is in place for reconnaissance or unauthorized access** attempts against Salesforce environments.
* The full FBI Flash Alert (referenced) is necessary for specific IOC-based mitigation actions.
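The monitoring recommendation above is easier to act on with a concrete starting point. The script below is an added example written for this summary; it is not code from the FBI alert and does not use any IOC from it. It runs a few simple checks over constructed Salesforce-style login records: a burst of failed logins for one user, a success that follows such a burst, a login from an address outside the organization's known egress ranges, and a login through a connected app that has not been approved. The field names (`UserId`, `LoginTime`, `SourceIp`, `Status`, `Application`) are modelled on the Salesforce LoginHistory object, but the sample values, the allowlists and the threshold are hypothetical and would be replaced with the organization's own.

```python
"""Flag suspicious Salesforce login activity from exported login records.

Added example for the UNC6040/UNC6395 summary; not from the FBI alert.
Field names are modelled on Salesforce's LoginHistory object; the sample
records, allowlists and threshold below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records (not real data). LoginTime is ISO-8601 UTC,
# so string ordering matches chronological ordering.
SAMPLE_LOGINS = [
    {"UserId": "alice", "LoginTime": "2025-09-12T09:00:00Z", "SourceIp": "203.0.113.10",
     "Status": "Success", "Application": "Browser"},
    {"UserId": "bob", "LoginTime": "2025-09-12T09:05:00Z", "SourceIp": "198.51.100.7",
     "Status": "Failed", "Application": "Browser"},
    {"UserId": "bob", "LoginTime": "2025-09-12T09:06:00Z", "SourceIp": "198.51.100.7",
     "Status": "Failed", "Application": "Browser"},
    {"UserId": "bob", "LoginTime": "2025-09-12T09:07:00Z", "SourceIp": "198.51.100.7",
     "Status": "Failed", "Application": "Browser"},
    {"UserId": "bob", "LoginTime": "2025-09-12T09:08:00Z", "SourceIp": "198.51.100.7",
     "Status": "Success", "Application": "Browser"},
    {"UserId": "carol", "LoginTime": "2025-09-12T09:10:00Z", "SourceIp": "203.0.113.22",
     "Status": "Success", "Application": "Unreviewed Export App"},
]

# Hypothetical organization policy: known egress ranges (documentation prefix
# used here), connected apps that have been reviewed, and a failure threshold.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]
APPROVED_APPS = {"Browser"}
FAILURE_BURST = 3


def ip_is_known(ip, known_networks):
    """True when the source address falls inside an allowlisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in known_networks)


def find_suspicious_logins(records, known_networks=KNOWN_NETWORKS,
                           approved_apps=APPROVED_APPS, failure_burst=FAILURE_BURST):
    """Return a list of (user_id, reason) findings in chronological order."""
    findings = []
    consecutive_failures = defaultdict(int)

    for rec in sorted(records, key=lambda r: r["LoginTime"]):
        user = rec["UserId"]

        if rec["Status"] != "Success":
            consecutive_failures[user] += 1
            if consecutive_failures[user] == failure_burst:
                findings.append((user, f"{failure_burst} consecutive failed logins"))
            continue

        # A success right after a burst of failures deserves a closer look.
        if consecutive_failures[user] >= failure_burst:
            findings.append((user, "successful login after a burst of failures"))
        consecutive_failures[user] = 0

        if not ip_is_known(rec["SourceIp"], known_networks):
            findings.append((user, f"login from unrecognised address {rec['SourceIp']}"))

        if rec["Application"] not in approved_apps:
            findings.append((user, f"login via unapproved app '{rec['Application']}'"))

    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious_logins(SAMPLE_LOGINS):
        print(f"{user}: {reason}")
```

On the constructed records this reports three findings for `bob` (the failure burst, the success that follows it, and the unrecognised source address) and one for `carol` (the unapproved app), while `alice` produces none. In practice the records would come from the organization's own Salesforce login export, and the allowlists would be maintained alongside the Salesforce control review the alert recommends.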