Full Report
A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances. [...]
Analysis Summary
# Threat Actor: UNC6040 (ShinyHunters)
## Attribution & Identity
The threat actor is tracked as UNC6040 and extorts victims under the name **ShinyHunters**. Based on overlapping TTPs, security researchers assess that UNC6040/ShinyHunters may share members with Scattered Spider (UNC3944) and is linked to "The Com", a loose network of experienced English-speaking cybercriminals.
## Activity Summary
UNC6040/ShinyHunters conducts data extortion attacks against cloud-based CRM systems, in particular Salesforce instances, and gained notoriety through a recent wave of breaches at high-profile corporations. The pattern is consistent: gain unauthorized access to the victim's Salesforce environment, export customer data, and then attempt private extortion by email. If the victim does not pay, the group may leak the data publicly, as it did after its earlier Snowflake campaign.
## Tactics, Techniques & Procedures
- **Social Engineering/Vishing (Voice Phishing):** Impersonating IT support staff over the phone to talk employees into authorizing the attacker's app or handing over credentials.
- **Malicious Connected App Installation:** Persuading the victim to open the Salesforce connected app setup page and enter a connection code, which links an attacker-controlled copy of Salesforce's **Data Loader OAuth app** (sometimes renamed "My Ticket Portal") to the victim's Salesforce environment. Because the victim is already authenticated when they approve the app, the resulting OAuth grant carries that user's access, and the attacker uses it to query and export data.
- **Credential and MFA Token Theft:** Harvesting login credentials and Multi-Factor Authentication (MFA) codes through phishing pages that impersonate Okta login screens.
- **Targeting Specific Objects:** Court documents indicate the group targets the Salesforce `Account` and `Contact` objects, i.e. the core customer records.
- **Focus on Data Theft Extortion:** In contrast to groups engaging in full network compromises and ransomware, this actor focuses on data theft leading to extortion attempts targeting a specific cloud platform/web application.
## Targeting
- **Sectors:** Insurance (Allianz Life), Aviation (Qantas), Luxury Retail/Fashion (LVMH subsidiaries: Louis Vuitton, Dior, Tiffany & Co.), Retail (Adidas).
- **Geography:** Victims are multinational or regionally based companies (e.g., Allianz Life Insurance Company of North America).
- **Victims:** Qantas, Allianz Life, LVMH (Louis Vuitton, Dior, Tiffany & Co.), Adidas, and other companies using third-party customer service or cloud-based CRM systems, specifically Salesforce.
## Tools & Infrastructure
- **Malware Families Used:** No bespoke malware family has been reported; the tooling is a modified copy of Salesforce's legitimate **Data Loader OAuth app**.
- **Infrastructure (C2, domains, IPs):** No traditional C2 infrastructure is involved. Initial access comes from vishing the victim into generating a connection code and authorizing the attacker's app; data is then exported through Salesforce's own APIs using the resulting OAuth token, and extortion demands arrive by email.
## Implications
This campaign signals a significant threat to organizations that rely on third-party cloud services and identity providers such as Salesforce and Okta. UNC6040 combines credential harvesting with highly convincing social engineering (vishing), and it sidesteps MFA rather than breaking it: the victim completes MFA normally, then authorizes the attacker's OAuth application, so the token the attacker receives never needs a second factor. The focus on customer data held in a single cloud CRM platform creates systemic supply-chain risk.
## Mitigations
- **Enforce MFA:** Still essential for all Salesforce and Okta logins, but not sufficient on its own: the actor's method relies on the victim passing MFA and then approving the malicious app via an OAuth consent/connection code.
- **Restrict Connected Apps/Manage Access Policies:** Review which third-party applications are authorized to access Salesforce data, revoke those that are not needed, and set connected-app policies so that only admin-approved apps can be authorized by end users.
- **Principle of Least Privilege:** Limit the OAuth scopes granted to connected applications, and restrict API access and data export rights to the profiles and users that genuinely need them.
- **Enforce Trusted IP Ranges:** Configure Salesforce login IP restrictions so that logins, including API logins by connected apps, are accepted only from known, trusted addresses; a token authorized by a vished employee is then of little use from the attacker's own network.
- **Security Training:** Raise employee awareness of sophisticated voice phishing (vishing), especially IT support impersonation, and treat any unsolicited request to read out or enter a "connection code" as a red flag.
- **Utilize Security Features:** Use Salesforce Shield features such as Event Monitoring and Transaction Security Policies to detect the pattern this actor leaves: a newly authorized connected app, large bulk exports of `Account` and `Contact` records shortly afterwards, and logins from unexpected IP addresses.
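The TTPs above and the detection mitigation describe one recognizable sequence: a user authorizes a new connected app, and within hours that app pulls large volumes of `Account` and `Contact` data, often from an address outside the corporate network. The following Python script is an added example (not code from the original report or from Salesforce) that hunts for that sequence. The activity records and their field names (`ts`, `user`, `type`, `app`, `object`, `rows`, `ip`), the trusted network, and the app allowlist are all constructed and simplified; map them onto your own Event Monitoring or login-history export.

```python
"""Hunt for the UNC6040/ShinyHunters pattern in Salesforce activity records:
a freshly authorized connected app (e.g. a renamed Data Loader) followed by
bulk export of Account/Contact records, and/or activity from untrusted IPs.

Added example. Records, field names, trusted network and app allowlist are
constructed and simplified, not Salesforce's real schema.
"""
import ipaddress
from datetime import datetime, timedelta

SENSITIVE_OBJECTS = {"Account", "Contact"}               # objects named in the report
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # assumed corporate egress
APPROVED_APPS = {"Nightly ETL"}                           # assumed connected-app allowlist

# Constructed sample activity. "oauth_grant" = a connected app was authorized by
# the user; "bulk_query" = a bulk export performed through that app.
EVENTS = [
    {"ts": "2025-06-01T09:58:00Z", "user": "jdoe", "type": "oauth_grant",
     "app": "My Ticket Portal", "ip": "203.0.113.10"},
    {"ts": "2025-06-01T10:05:00Z", "user": "jdoe", "type": "bulk_query",
     "app": "My Ticket Portal", "object": "Account", "rows": 120000, "ip": "203.0.113.10"},
    {"ts": "2025-06-01T10:09:00Z", "user": "jdoe", "type": "bulk_query",
     "app": "My Ticket Portal", "object": "Contact", "rows": 450000, "ip": "203.0.113.10"},
    # Benign: an admin authorizes the real Data Loader from the office and runs
    # a small export the next day (outside the window, below the row threshold).
    {"ts": "2025-06-01T11:00:00Z", "user": "asmith", "type": "oauth_grant",
     "app": "Salesforce Data Loader", "ip": "192.0.2.20"},
    {"ts": "2025-06-02T14:00:00Z", "user": "asmith", "type": "bulk_query",
     "app": "Salesforce Data Loader", "object": "Account", "rows": 500, "ip": "192.0.2.20"},
    # Benign: allowlisted integration doing its nightly job.
    {"ts": "2025-06-01T10:20:00Z", "user": "ops_integration", "type": "bulk_query",
     "app": "Nightly ETL", "object": "Contact", "rows": 900000, "ip": "192.0.2.8"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def in_trusted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def hunt(events, trusted_nets=TRUSTED_NETS, approved_apps=APPROVED_APPS,
         window_hours=24, row_threshold=10_000):
    """Return one finding per (rule, user, app), in chronological order.

    Rules:
      grant_from_untrusted_ip     - connected app authorized from outside trusted nets
      export_from_untrusted_ip    - sensitive-object export from outside trusted nets
      bulk_export_after_new_grant - >= row_threshold sensitive rows pulled through an
                                    app within window_hours of its authorization
    """
    window = timedelta(hours=window_hours)
    grants = {}     # (user, app) -> time the app was authorized
    exported = {}   # (user, app) -> sensitive rows pulled since that grant
    seen = set()
    findings = []

    def flag(rule, e, **extra):
        key = (rule, e["user"], e["app"])
        if key in seen:            # report each (rule, user, app) once
            return
        seen.add(key)
        findings.append({"rule": rule, "ts": e["ts"], "user": e["user"],
                         "app": e["app"], **extra})

    for e in sorted(events, key=lambda x: parse_ts(x["ts"])):
        if e["app"] in approved_apps:
            continue                                   # allowlisted integration
        key = (e["user"], e["app"])
        t = parse_ts(e["ts"])
        untrusted = not in_trusted(e["ip"], trusted_nets)

        if e["type"] == "oauth_grant":
            grants[key] = t
            exported[key] = 0
            if untrusted:
                flag("grant_from_untrusted_ip", e, ip=e["ip"])

        elif e["type"] == "bulk_query" and e["object"] in SENSITIVE_OBJECTS:
            if untrusted:
                flag("export_from_untrusted_ip", e, ip=e["ip"], object=e["object"])
            granted = grants.get(key)
            if granted is not None and t - granted <= window:
                exported[key] += e["rows"]
                if exported[key] >= row_threshold:
                    flag("bulk_export_after_new_grant", e, rows=exported[key],
                         minutes_since_grant=int((t - granted).total_seconds() // 60))
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

On the constructed sample the script flags only `jdoe` and `My Ticket Portal`: the grant from an untrusted address, the export from the same address, and 120,000 `Account` rows pulled seven minutes after the app was authorized. The real Data Loader used by `asmith` is not flagged because it was authorized from the trusted range and its small export falls outside the window, which is the distinction between an admin doing their job and the actor's pattern; tune `window_hours` and `row_threshold` to your own export volumes.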