Full Report
Google Threat Intelligence Group said about 20 organizations have been hit by a cybercrime group it tracks as UNC6040. The post Salesforce customers duped by series of social-engineering attacks appeared first on CyberScoop.
Analysis Summary
# Incident Report: UNC6040 Social Engineering Campaign Targeting Salesforce Users
## Executive Summary
A financially motivated threat group tracked as UNC6040 ran a widespread social engineering campaign, impersonating IT support, against approximately 20 organizations in the hospitality, retail, and education sectors. Attackers talked employees into installing and approving a malicious version of Salesforce's Data Loader. Because the victim supplied the credentials and MFA codes (or approved the app's access) during the call, MFA was defeated without any flaw in Salesforce itself; the group then exfiltrated data from Salesforce and used the foothold to reach connected cloud services (Okta, Microsoft 365, Workplace). The objective was data theft followed by extortion.
## Incident Details
- **Discovery Date:** Google Threat Intelligence Group published its report on Wednesday, June 4, 2025 (date inferred from the article).
- **Incident Date:** Ongoing campaign at the time of reporting.
- **Affected Organization:** Approximately 20 organizations.
- **Sector:** Hospitality, Retail, and Education.
- **Geography:** The Americas and Europe.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified in the report.
- **Vector:** Voice phishing (vishing) combined with social engineering.
- **Details:** Attackers called targeted employees while posing as IT support and referenced a nonexistent support ticket. To "resolve" it, victims were directed either to a phishing site that captured credentials and MFA codes or to a fake "Salesforce Setup Connect" page where they approved the malicious Data Loader's access.
### Lateral Movement
- **Details:** After obtaining Salesforce credentials and MFA codes, UNC6040 used that access to reach and steal data from other connected cloud platforms, including Okta, Microsoft 365, and Workplace.
### Data Exfiltration/Impact
- **Details:** Attackers stole data from the victim organization's Salesforce environment. The incidents resulted in data theft and extortion attempts against the victims.
### Detection & Response
- **How it was discovered:** Google Threat Intelligence Group identified the campaign and published a threat report describing its methodology.
- **Response actions taken:** Salesforce stated that its platform was not vulnerable and that social engineering was the cause. The article does not describe what affected organizations did; at minimum they would need to remediate the identity compromise (credential resets and revocation of the app's OAuth access) and establish what data was taken.
## Attack Methodology
- **Initial Access:** Voice phishing (vishing) in which the caller persuades the user to install a malicious, illegitimate Salesforce Data Loader.
- **Persistence:** Not explicitly detailed; compromised credentials and the user-approved OAuth authorization would have allowed sustained access until they were reset or revoked.
- **Privilege Escalation:** Not described. The MFA defeat is not an escalation of privilege; it is an authentication bypass achieved by having the user enter the code (or approve the prompt) during the social engineering session, and is covered under Credential Access.
- **Defense Evasion:** Posing as IT support and routing the intrusion through a legitimate Salesforce tool (Data Loader) and its normal authorization flow, so the resulting access looks like a user-approved integration rather than an attack.
- **Credential Access:** Tricking users, during the "support" call, into entering credentials on a phishing site or approving access for the malicious app.
- **Discovery:** Not detailed. The report describes access to the Salesforce environment first, with connected platforms reached afterwards.
- **Lateral Movement:** Utilizing connected identity providers (Okta) and cloud services (M365, Workplace) linked via authorized integrations/OAuth.
- **Collection:** Exfiltrating data specifically from compromised Salesforce environments.
- **Exfiltration:** Data theft leading to extortion attempts.
- **Impact:** Data loss and attempted financial extortion.
## Impact Assessment
- **Financial:** Extortion attempts followed the data theft; the article does not state whether any were paid.
- **Data Breach:** Sensitive data residing within Salesforce environments, and data from connected systems (Okta, M365). Volume/nature not specified beyond "data theft."
- **Operational:** Disruption stemming from identity compromise and remediation efforts.
- **Reputational:** Potential reputational damage for affected organizations due to data breaches and extortion.
## Indicators of Compromise
- **Network indicators (defanged):** None published in the article. The lures were phishing sites and fake "Salesforce Setup Connect" pages used to solicit MFA codes, credentials, or app approvals.
- **File indicators:** A malicious, illegitimate version of the Salesforce Data Loader installed on victim systems; no hashes are given in the article.
- **Behavioral indicators:** Employees receiving unexpected calls masquerading as IT support regarding non-existent support tickets, directing them to install software or enter MFA approvals.
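The behavioral indicators above can be turned into a detection on the Salesforce side: a connected application that a user has never authenticated through before, followed within hours by a large Bulk API export under that user. The following is an added example written for this page, not code from the article, GTIG, or Salesforce. The record layouts loosely mirror Salesforce's LoginHistory object (Application, LoginType, Status) and the BulkApi event log type, but the field names, the login-type labels, the application names, and all sample records are constructed assumptions for illustration.

```python
"""Flag first-seen OAuth/API logins that are followed by bulk data exports.

Constructed sample data only; field names and labels are assumptions.
"""
from datetime import datetime, timedelta

# Login types that indicate a connected app / API client rather than a browser
# session. These labels are assumed for the example.
OAUTH_LOGIN_TYPES = {"Remote Access 2.0", "Remote Access Client"}

# Historical (user, application) pairs considered normal for this org.
BASELINE_LOGINS = [
    {"user": "alice@example.com", "application": "Browser", "login_type": "Application"},
    {"user": "bob@example.com", "application": "Data Loader Partner", "login_type": "Remote Access 2.0"},
]

# Logins during the detection window. Alice and Carol authenticate through
# connected apps that have never been seen for them before.
NEW_LOGINS = [
    {"user": "alice@example.com", "application": "Browser", "login_type": "Application",
     "status": "Success", "time": "2025-06-02T09:01:00"},
    {"user": "alice@example.com", "application": "DataLoader-Support-Tool",
     "login_type": "Remote Access 2.0", "status": "Success", "time": "2025-06-02T14:12:00"},
    {"user": "bob@example.com", "application": "Data Loader Partner",
     "login_type": "Remote Access 2.0", "status": "Success", "time": "2025-06-02T15:00:00"},
    {"user": "carol@example.com", "application": "Reporting Widget",
     "login_type": "Remote Access 2.0", "status": "Success", "time": "2025-06-02T16:00:00"},
]

# Bulk API jobs in the same window (rows processed per job).
BULK_EVENTS = [
    {"user": "alice@example.com", "operation": "query", "entity": "Contact",
     "rows": 180000, "time": "2025-06-02T14:40:00"},
    {"user": "alice@example.com", "operation": "query", "entity": "Account",
     "rows": 95000, "time": "2025-06-02T15:05:00"},
    {"user": "bob@example.com", "operation": "query", "entity": "Lead",
     "rows": 400000, "time": "2025-06-02T15:20:00"},
    {"user": "carol@example.com", "operation": "query", "entity": "Opportunity",
     "rows": 120, "time": "2025-06-02T16:10:00"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def first_seen_oauth_logins(logins, baseline):
    """Return successful connected-app logins for (user, app) pairs not in the baseline."""
    known = {(r["user"], r["application"]) for r in baseline}
    seen, out = set(), []
    for r in sorted(logins, key=lambda r: r["time"]):
        key = (r["user"], r["application"])
        if r["status"] != "Success" or r["login_type"] not in OAUTH_LOGIN_TYPES:
            continue
        if key in known or key in seen:
            continue
        seen.add(key)
        out.append(r)
    return out


def rows_exported_after(user, start, bulk_events, window_hours=6):
    """Sum rows returned by Bulk API query jobs for `user` within the window after `start`."""
    end = start + timedelta(hours=window_hours)
    return sum(e["rows"] for e in bulk_events
               if e["user"] == user and e["operation"] == "query"
               and start <= _ts(e["time"]) <= end)


def detect(logins, baseline, bulk_events, row_threshold=50000, window_hours=6):
    """Pair each first-seen connected-app login with the export volume that followed it.

    Any first-seen app is reported; it is 'high' only when the export volume
    crosses the threshold, which is the UNC6040-style pattern (approve an
    unfamiliar Data Loader, then pull data in bulk).
    """
    alerts = []
    for r in first_seen_oauth_logins(logins, baseline):
        rows = rows_exported_after(r["user"], _ts(r["time"]), bulk_events, window_hours)
        alerts.append({
            "user": r["user"],
            "application": r["application"],
            "first_seen": r["time"],
            "rows_exported": rows,
            "severity": "high" if rows >= row_threshold else "info",
        })
    return alerts


if __name__ == "__main__":
    for a in detect(NEW_LOGINS, BASELINE_LOGINS, BULK_EVENTS):
        print(f"[{a['severity']}] {a['user']} via {a['application']} "
              f"at {a['first_seen']}: {a['rows_exported']} rows exported")
```

Note that Bob's 400,000-row export is deliberately not flagged: it runs through an application already in his baseline, which is exactly why the baseline must be built from a clean period and re-reviewed after an incident. Carol's first-seen app is surfaced at "info" so that an analyst can still ask whether she authorized it knowingly.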
## Response Actions
- **Containment measures:** Not detailed in the article. Because the access was user-approved, resetting passwords alone does not end it: the malicious app's OAuth tokens and active sessions must be revoked in Salesforce and in any connected identity provider (Okta) or service (Microsoft 365, Workplace), and the phishing pages used in the lures should be blocked.
- **Eradication steps:** Removal of the malicious Data Loader installations and of the rogue connected app's authorization; enterprise-wide credential resets, prioritizing administrators and any account that took one of the calls.
- **Recovery actions:** Establishing what data was exported from Salesforce and connected systems, notifying affected parties as required, and handling the extortion attempts.
## Lessons Learned
- **Key takeaways:** Identity-based attacks that ride legitimate integration mechanisms (OAuth-connected apps) remain highly effective when paired with social engineering that defeats MFA at the user rather than at the system: a live vishing call that talks the victim through entering a code or approving an app does not need to exploit any weakness in the MFA implementation.
- **What could have been done better:** Organizations need stricter verification of IT support requests that involve installing software or approving access, regardless of the purported source (for example, calling back through a known internal number before any MFA approval or install).
## Recommendations
- **Prevention measures for similar incidents:** Focus security awareness training specifically on voice phishing and on the danger of approving MFA prompts, entering codes, or installing software at the request of an unsolicited IT support call.
- Restrict which connected apps can obtain OAuth access to Salesforce rather than relying on users to judge them: require administrator pre-approval of connected apps and of the users allowed to use them (Salesforce's connected app policies and API access controls support this), and block unapproved software installs on endpoints.
- Review and reduce the scope of permissions granted through OAuth integrations between critical cloud services (Salesforce, Okta, Microsoft 365), so that a single approved app cannot export an entire dataset or reach adjacent platforms.