Full Report
Google Threat Intelligence Group said about 20 organizations have been hit by a cybercrime group it tracks as UNC6040. The post Salesforce customers duped by series of social-engineering attacks appeared first on CyberScoop.
Analysis Summary
# Incident Report: Social Engineering Campaign Targeting Salesforce Users
## Executive Summary
A financially motivated threat group, tracked as UNC6040, executed a widespread social-engineering campaign targeting approximately 20 organizations across hospitality, retail, and education sectors. The attackers convinced employees to install a malicious, illegitimate version of Salesforce Data Loader, which led to credential theft via MFA bypass and subsequent data exfiltration from Salesforce and connected cloud services like Okta and Microsoft 365. The ongoing impact includes data theft and potential extortion attempts against the affected entities.
## Incident Details
- **Discovery Date:** Wednesday (prior to June 4, 2025, the date of the report).
- **Incident Date:** Ongoing campaign, details of specific intrusions not provided.
- **Affected Organization:** Approximately 20 organizations across various sectors.
- **Sector:** Hospitality, Retail, and Education.
- **Geography:** The Americas and Europe.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified, ongoing campaign.
- **Vector:** Voice Phishing (Vishing) combined with social engineering.
- **Details:** Attackers called targeted employees, posing as IT support, referencing a nonexistent open IT support ticket. They then directed victims to a phishing site or a fake "Salesforce Setup Connect" page to resolve the alleged issue.
### Lateral Movement
- Attackers used the initially compromised credentials (including the MFA factors captured during the fake approval process) to access the victim's Salesforce environment.
- From the Salesforce environment, the attackers moved laterally to steal data from other connected platforms, specifically Okta, Microsoft 365, and Workplace.
### Data Exfiltration/Impact
- Data was stolen from the victim organization’s Salesforce environment.
- Data was exfiltrated from connected services following lateral movement.
- The campaign resulted in data theft and multiple extortion attempts.
### Detection & Response
- **How it was discovered:** Detected and reported by Google Threat Intelligence Group.
- **Response actions taken:** Google published a threat report detailing the campaign. Salesforce issued a statement affirming the security of its platform and attributing the incident to the exploitation of users rather than a platform vulnerability. (Specific organizational response actions are not detailed in the provided text.)
## Attack Methodology
- **Initial Access:** Voice Phishing (Vishing) convincing users to install malicious software disguised as Salesforce Data Loader.
- **Persistence:** Not explicitly detailed; access was maintained via the stolen credentials and the captured MFA factors.
- **Privilege Escalation:** Not explicitly detailed, but gaining access to the Salesforce environment implies the attackers obtained privileged account access or permissions associated with the installed application.
- **Defense Evasion:** The attack relied on *social engineering* to bypass traditional security controls by gaining explicit user consent for the malicious installation/approval process.
- **Credential Access:** Harvesting of sensitive credentials and Multi-Factor Authentication (MFA) codes during the malicious installation/approval process using fake Salesforce pages.
- **Discovery:** Attackers subsequently discovered and targeted connected cloud platforms (Okta, M365).
- **Lateral Movement:** Moving from compromised Salesforce instances to connected identity and productivity platforms (Okta, M365, Workplace).
- **Collection:** Stealing data specifically from Salesforce environments and other connected platforms.
- **Exfiltration:** Data exfiltration occurred after successful cloud access.
- **Impact:** Data theft and resulting extortion attempts.
## Impact Assessment
- **Financial:** Multiple extortion attempts noted; the specific financial cost to affected organizations is unknown.
- **Data Breach:** Sensitive data stolen from Salesforce environments and from the connected Okta, Microsoft 365, and Workplace environments.
- **Operational:** Not specified, but data theft and extortion likely caused operational disruption.
- **Reputational:** Impact on the reputation of affected organizations and cloud vendors (Salesforce) due to the nature of the highly targeted social engineering.
## Indicators of Compromise
- **Network indicators:** Phishing sites and a fake “Salesforce Setup Connect” page (the specific URLs are not reproduced in this summary; consult the full report).
- **File indicators:** Malicious, illegitimate version of **Salesforce Data Loader**.
- **Behavioral indicators:** Requests for users to approve application installation/access via a fake external page, often citing an open IT ticket.
## Response Actions
- **Containment measures:** Not specified, but necessary steps would involve immediately revoking compromised credentials and disabling the malicious application installation mechanism.
- **Eradication steps:** Removing the unauthorized application and any persistence mechanisms established by UNC6040.
- **Recovery actions:** Resetting all potentially compromised credentials, including MFA tokens, across Salesforce, Okta, and Microsoft 365 for affected users and potentially organization-wide.
## Lessons Learned
- Cloud environments leveraging integrations (like Salesforce) combined with SSO/OAuth significantly amplify the risk of identity-based attacks when MFA factors are compromised.
- Social engineering, particularly vishing combined with application approval prompts, remains a highly effective initial access vector, even against organizations with modern security tools.
- UNC6040 exhibits focus and sophistication by specializing in targeting the Salesforce ecosystem.
## Recommendations
- **User Training:** Mandate enhanced security awareness training focused specifically on social engineering tactics, especially voice phishing targeting IT support and application installations.
- **MFA Implementation:** Review MFA enforcement policies to ensure that application authorization prompts generated by external sources are thoroughly vetted and that high-privilege accounts utilize hardware-based authenticators where possible.
- **Application Auditing:** Regularly audit and review authorized third-party applications connected to core cloud services (Salesforce, Okta, M365) to identify and remove unauthorized installs.
- **Zero Trust Architecture:** Strengthen controls around service-to-service communication and identity federation to limit the blast radius when a central identity provider (like Okta) is compromised.
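The behavioral and file indicators above (an unapproved application impersonating Salesforce Data Loader, authorized through a user-approved prompt) and the application-auditing recommendation both reduce to one routine check: compare the connected apps that currently hold OAuth grants in the org against an allowlist, then see which users and source addresses actually used the unapproved ones. The script below is an added example written for this summary; it is not code from the CyberScoop article, Google Threat Intelligence Group, or Salesforce. The record shapes and the two SOQL strings are modeled on Salesforce's `OauthToken` and `LoginHistory` objects and the `Remote Access 2.0` login type, which are assumptions here and not verified against a live org; the token and login records, app names, user IDs and IP addresses are all constructed so the script runs offline.

```python
"""Audit connected-app OAuth grants and their logins for unapproved
Data Loader-style tooling (added example; assumptions noted inline)."""

# SOQL a practitioner would run against a real org to obtain these records.
# Assumed object and field names (OauthToken, LoginHistory); not verified here.
OAUTH_TOKEN_SOQL = "SELECT Id, AppName, UserId, UseCount FROM OauthToken"
LOGIN_HISTORY_SOQL = (
    "SELECT UserId, Application, LoginType, SourceIp, Status, LoginTime "
    "FROM LoginHistory WHERE LoginTime = LAST_N_DAYS:7"
)

# Connected apps the organization has actually approved (constructed allowlist).
APPROVED_APPS = {"Salesforce Data Loader", "Okta SSO"}

# Name fragments that borrow the Data Loader / Setup Connect branding
# used by the lure described in the report.
SUSPECT_KEYWORDS = ("data loader", "dataloader", "setup connect")

# Constructed sample OauthToken records (placeholder IDs, not real org data).
SAMPLE_OAUTH_TOKENS = [
    {"Id": "TOKEN-0001", "AppName": "Salesforce Data Loader", "UserId": "user-alice", "UseCount": 14},
    {"Id": "TOKEN-0002", "AppName": "IT Support Data Loader", "UserId": "user-bob", "UseCount": 3},
    {"Id": "TOKEN-0003", "AppName": "Okta SSO", "UserId": "user-alice", "UseCount": 220},
    {"Id": "TOKEN-0004", "AppName": "Contract Sync Tool", "UserId": "user-carol", "UseCount": 1},
]

# Constructed sample LoginHistory records; IPs are documentation ranges.
SAMPLE_LOGINS = [
    {"UserId": "user-bob", "Application": "IT Support Data Loader", "LoginType": "Remote Access 2.0",
     "SourceIp": "198.51.100.23", "Status": "Success", "LoginTime": "2025-06-03T14:02:00Z"},
    {"UserId": "user-bob", "Application": "Browser", "LoginType": "Application",
     "SourceIp": "203.0.113.8", "Status": "Success", "LoginTime": "2025-06-03T13:55:00Z"},
    {"UserId": "user-alice", "Application": "Salesforce Data Loader", "LoginType": "Remote Access 2.0",
     "SourceIp": "203.0.113.8", "Status": "Success", "LoginTime": "2025-06-02T09:10:00Z"},
    {"UserId": "user-carol", "Application": "Contract Sync Tool", "LoginType": "Remote Access 2.0",
     "SourceIp": "198.51.100.23", "Status": "Success", "LoginTime": "2025-06-03T14:20:00Z"},
]


def looks_like_data_loader(app_name):
    """True when an app name borrows the Data Loader / Setup Connect branding."""
    name = app_name.lower()
    return any(keyword in name for keyword in SUSPECT_KEYWORDS)


def flag_unapproved_apps(tokens, approved=APPROVED_APPS):
    """Return a finding for every OAuth grant to an app outside the allowlist.

    Grants whose app name imitates Data Loader are rated high and listed first;
    any other unapproved grant is rated medium and still needs review.
    """
    findings = []
    for token in tokens:
        if token["AppName"] in approved:
            continue
        findings.append({
            "AppName": token["AppName"],
            "UserId": token["UserId"],
            "TokenId": token["Id"],
            "severity": "high" if looks_like_data_loader(token["AppName"]) else "medium",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["AppName"]))
    return findings


def correlate_logins(findings, logins):
    """Map each flagged app to the users and source IPs that used it via OAuth."""
    flagged = {f["AppName"] for f in findings}
    usage = {}
    for login in logins:
        if (login["Application"] in flagged
                and login["LoginType"] == "Remote Access 2.0"
                and login["Status"] == "Success"):
            entry = usage.setdefault(login["Application"], {"users": set(), "ips": set()})
            entry["users"].add(login["UserId"])
            entry["ips"].add(login["SourceIp"])
    return usage


def shared_source_ips(usage):
    """Source IPs that appear behind more than one flagged app: a single
    operator reusing grants harvested from several users."""
    by_ip = {}
    for app, entry in usage.items():
        for ip in entry["ips"]:
            by_ip.setdefault(ip, set()).add(app)
    return {ip: apps for ip, apps in by_ip.items() if len(apps) > 1}


if __name__ == "__main__":
    found = flag_unapproved_apps(SAMPLE_OAUTH_TOKENS)
    for f in found:
        print(f"[{f['severity']}] {f['AppName']} granted to {f['UserId']} ({f['TokenId']})")
    usage = correlate_logins(found, SAMPLE_LOGINS)
    for app, entry in usage.items():
        print(f"{app}: users={sorted(entry['users'])} ips={sorted(entry['ips'])}")
    for ip, apps in shared_source_ips(usage).items():
        print(f"shared source {ip} used {sorted(apps)}")
```

The allowlist is the control that matters: a lure that convinces a user to approve an app defeats MFA on the approval screen, but it cannot add the app to a list the administrator maintains out of band, so every grant outside that list is reviewable regardless of how convincingly it was named. Correlating the flagged grants with `LoginHistory` then turns one finding into scope: the users whose tokens should be revoked and the source addresses to carry into containment.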