Google GTIG Investigates UNC6040’s Salesforce Breach via Voice Phishing


By Global Team

Google’s Threat Intelligence Group (GTIG) has revealed that the cyber threat group UNC6040 is conducting voice phishing attacks exploiting Salesforce instances. This investigation covers organized activities aimed at data exfiltration for financial gain.

According to GTIG, UNC6040 tricked companies into installing unofficial, modified connected apps and then used those apps to steal corporate data. The attackers phoned victims while impersonating IT support and instructed them to install a malicious app disguised as Salesforce Data Loader.

The attackers did not exploit any technical vulnerability in Salesforce systems; instead they manipulated end users' trust. The targets span various industries, including tourism, retail, and education, primarily in the United States and Europe, and approximately 20 organizations have been affected so far.

In some cases, exfiltration occurred months after the initial breach. GTIG assesses that UNC6040 is collaborating with other criminal organizations to monetize the stolen data. Attackers were reported to pressure victims by claiming connections with ‘ShinyHunters.’

GTIG noted that UNC6040’s attack infrastructure and tactics align with the cybercrime conglomerate known as ‘The Com,’ which includes groups such as ‘Scattered Spider (UNC3994).’ The attackers also used phishing pages to harvest MFA authentication information and used Mullvad VPN IP addresses in their data exfiltration attempts.

GTIG emphasized that this attack is ongoing, and companies need to focus on user education and strengthening access management to mitigate such threats.

