Full Report
Google has observed hackers claiming to be the ShinyHunters extortion group conducting social engineering attacks against multi-national companies to steal data from organizations' Salesforce platforms. [...]
Analysis Summary
# Incident Report: Salesforce Data Extortion Campaign
## Executive Summary
Threat actors tracked as UNC6040 executed a targeted data extortion campaign focused on compromising Salesforce instances through social engineering rather than software exploitation. The attackers gained initial access by phoning employees while posing as IT support and, in combination with phishing pages impersonating Okta, talked victims into authorizing an attacker-controlled application in their Salesforce org; that application was then used to pull data out of the instance. Monetization often came months after the initial compromise, from a secondary actor claiming affiliation with the known extortion group ShinyHunters.
## Incident Details
- Discovery Date: Not stated; the activity is known from Google's public reporting.
- Incident Date: Ongoing/varies (extortion demands observed months after initial compromise).
- Affected Organization: Multiple organizations using Salesforce (targeted campaign).
- Sector: Not sector-specific; any organization storing sensitive data in Salesforce is a viable target.
- Geography: Not specified; the source describes multinational companies as targets.
## Timeline of Events
### Initial Access
- Date/Time: Not specified, but precedes data access and, by months, the later extortion.
- Vector: Voice social engineering (support-desk impersonation) combined with phishing pages impersonating Okta.
- Details: During the calls, attackers walked victims through authorizing a malicious application in Salesforce. The app was renamed to something innocuous (e.g., "My Ticket Portal") so the authorization prompt looked like a routine support tool.
### Lateral Movement
- Details: The source does not describe internal lateral movement. The authorized application gave direct access to the victim's Salesforce data with that user's permissions, so none was required to reach the target data.
### Data Exfiltration/Impact
- Details: Sensitive data was stolen from compromised Salesforce instances. This data was held for potential future extortion.
### Detection & Response
- Date/Time: Not specified; detection is tied to Google's analysis and public disclosure.
- Details: Google identified the activity attributed to UNC6040 and later observed extortion attempts in which the actors claimed to be ShinyHunters.
## Attack Methodology
- Initial Access: Social engineering over the phone (attackers posing as support staff), Okta-themed phishing pages, and convincing targets to authorize a malicious application.
- Persistence: The authorized application keeps its access (its OAuth grant) until an administrator revokes it, so the attackers did not need further interaction with the victim.
- Privilege Escalation: Not reported. An authorized application acts with the permissions of the user who approved it, so the victim's own API access was sufficient.
- Defense Evasion: Data was pulled through commercial VPN egress (Mullvad) to blend in and hide the true origin.
- Credential Access: Credentials entered on phishing pages impersonating Okta; in addition, the authorization granted to the malicious app itself served as an API credential.
- Discovery: (Inferred) Once connected, the attackers enumerated objects and records of value inside Salesforce.
- Lateral Movement: (Inferred) Limited to the Salesforce platform or systems reachable with the captured credentials; not detailed in the source.
- Collection: Bulk retrieval of sensitive records from the targeted Salesforce environments.
- Exfiltration: Data pulled via the Salesforce API from Mullvad VPN IP addresses.
- Impact: Data theft followed by extortion demands.
## Impact Assessment
- Financial: Remediation, legal and forensic costs, and any payments made in response to extortion (specific figures are not provided).
- Data Breach: Sensitive corporate and customer data held in the targeted Salesforce environments.
- Operational: Incident response effort, revocation of application authorizations and credential resets, and time spent handling extortion demands months after the original access.
- Reputational: Damage from public association with a data breach and subsequent extortion.
## Indicators of Compromise
- Network indicators: API activity and data exfiltration sourced from Mullvad VPN egress IP addresses (specific addresses are not provided in the source).
- Application indicators: Unexpected applications appearing in the org's list of authorized/connected apps, including ones with generic names such as "My Ticket Portal".
- Behavioral indicators: Users authorizing new, unusual applications in Salesforce, especially shortly after an unsolicited "support" call, followed by high-volume API data retrieval from that application.
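As an added example (this is not code from the original report or from Google), the following Python shows how the behavioral and network indicators above can be turned into detection logic over Salesforce login and API events. Everything in it is constructed for illustration: the event records, the approved-application list, the 50,000-row threshold, and the `203.0.113.0/24` "VPN egress" range (a documentation prefix standing in for a real VPN provider's address space, not an actual Mullvad block). Field names are loosely modelled on Salesforce LoginHistory records and are not an exact schema.

```python
"""Detection sketch for the UNC6040-style Salesforce pattern (added example).

Three rules, each matching one indicator from the report:
  1. A user authorizing an application that is not on the org's allowlist.
  2. An API login whose source IP falls in a commercial VPN egress range.
  3. A bulk API pull: a user/app pair fetching more rows than a threshold.
A user tripping two or more rules is triaged as high severity, since the
combination (new app, then VPN-sourced bulk pull) is the campaign signature.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for the example: the org's approved apps, a placeholder VPN
# egress prefix (TEST-NET-3, NOT a real Mullvad range) and a row threshold.
APPROVED_APPS = {"Salesforce for Outlook", "Tableau CRM", "Data Loader"}
VPN_EGRESS = [ip_network("203.0.113.0/24")]
BULK_ROWS_THRESHOLD = 50_000

# Constructed sample events (not real telemetry). "rows" is present only on
# API_QUERY events and is the number of records returned.
EVENTS = [
    {"ts": "2025-05-02T09:14Z", "user": "a.kim", "type": "OAUTH_AUTHORIZE",
     "app": "Salesforce for Outlook", "ip": "198.51.100.7"},
    {"ts": "2025-05-02T10:02Z", "user": "j.doe", "type": "OAUTH_AUTHORIZE",
     "app": "My Ticket Portal", "ip": "198.51.100.7"},
    {"ts": "2025-05-02T10:05Z", "user": "j.doe", "type": "API_LOGIN",
     "app": "My Ticket Portal", "ip": "203.0.113.45"},
    {"ts": "2025-05-02T10:06Z", "user": "j.doe", "type": "API_QUERY",
     "app": "My Ticket Portal", "ip": "203.0.113.45", "rows": 40_000},
    {"ts": "2025-05-02T10:07Z", "user": "j.doe", "type": "API_QUERY",
     "app": "My Ticket Portal", "ip": "203.0.113.45", "rows": 35_000},
    {"ts": "2025-05-02T11:00Z", "user": "a.kim", "type": "API_QUERY",
     "app": "Data Loader", "ip": "198.51.100.7", "rows": 1_200},
]


def is_vpn_egress(ip: str) -> bool:
    """True if the address lies in any configured VPN egress prefix."""
    addr = ip_address(ip)
    return any(addr in net for net in VPN_EGRESS)


def detect(events):
    """Run the three rules over a list of events; return a list of findings."""
    findings = []
    rows_by_actor = defaultdict(int)  # (user, app) -> total rows fetched
    for ev in events:
        if ev["type"] == "OAUTH_AUTHORIZE" and ev["app"] not in APPROVED_APPS:
            findings.append({"rule": "unapproved_connected_app", "user": ev["user"],
                             "app": ev["app"], "detail": f"authorized at {ev['ts']}"})
        if ev["type"] == "API_LOGIN" and is_vpn_egress(ev["ip"]):
            findings.append({"rule": "api_login_from_vpn_egress", "user": ev["user"],
                             "app": ev["app"], "detail": f"source {ev['ip']}"})
        if ev["type"] == "API_QUERY":
            rows_by_actor[(ev["user"], ev["app"])] += ev.get("rows", 0)
    for (user, app), total in rows_by_actor.items():
        if total >= BULK_ROWS_THRESHOLD:
            findings.append({"rule": "bulk_api_pull", "user": user, "app": app,
                             "detail": f"{total} rows retrieved"})
    return findings


def triage(findings):
    """Map each user to a severity: 'high' if two or more distinct rules fired."""
    rules_by_user = defaultdict(set)
    for f in findings:
        rules_by_user[f["user"]].add(f["rule"])
    return {u: ("high" if len(r) >= 2 else "medium") for u, r in rules_by_user.items()}


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f"[{f['rule']}] user={f['user']} app={f['app']!r} {f['detail']}")
    print("triage:", triage(found))
```

In a real deployment the allowlist would come from the org's administered list of connected apps, the egress prefixes from a maintained VPN/proxy feed, and the events from Salesforce login history or event monitoring exports; the threshold should be tuned against the org's normal integration traffic so legitimate Data Loader use by integration accounts does not page anyone.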
## Response Actions
- Containment: Restrict the "API Enabled" permission in Salesforce so that ordinary users cannot grant API access to applications, and block the VPN egress addresses seen in the activity.
- Eradication: (Inferred) Revoke the malicious application's authorization and OAuth tokens and remove it from the org's list of connected apps.
- Recovery: (Inferred) Reset credentials of affected users, restore any altered configuration, and review which applications remain authorized.
## Lessons Learned
- Social engineering targeting B2B SaaS platforms such as Salesforce remains a highly effective initial access method, especially when the attacker impersonates trusted support personnel over the phone.
- Threat actors are segmenting their operations: one group (UNC6040) obtains access, and an established extortion brand (ShinyHunters) is invoked for monetization months later.
- Strong perimeter authentication does not help when the victim is talked into authorizing the attacker's application themselves; authorization controls inside the SaaS platform (who may connect apps, who holds API access) matter as much as the login step.
## Recommendations
- Strictly limit or disable the "API Enabled" permission for standard users in Salesforce; grant it only to integration and administrative accounts that need it.
- Restrict which users may authorize applications in the Salesforce environment, for example by requiring administrator pre-approval of connected apps instead of allowing any user to self-authorize, and review the list of authorized applications regularly.
- Block or restrict access originating from known commercial VPN providers (e.g., Mullvad) for administrative and API data access paths, where feasible and appropriate for the business.
- Train users to recognize social engineering that involves unsolicited support calls, remote assistance, or requests to install or authorize an application, and to verify such requests through an independent channel before acting.