FBI Warns of UNC6040, UNC6395 Hackers Stealing Salesforce Data


Key Takeaways:

  • The FBI has warned about UNC6040 and UNC6395 targeting Salesforce data.
  • UNC6040 uses social engineering and malicious OAuth apps.
  • UNC6395 exploits stolen Salesloft Drift OAuth tokens.


The FBI has issued a warning regarding two threat clusters, UNC6040 and UNC6395, actively compromising organizations’ Salesforce environments. These groups are engaged in data theft and extortion activities, prompting the FBI to release a FLASH alert to disseminate Indicators of Compromise (IOCs) and increase awareness among potential victims. Understanding these threats is crucial for maintaining data security and preventing breaches. This activity highlights the importance of real-time ransomware intelligence and a comprehensive cyber threat intelligence platform for breach detection and response.

UNC6040 and UNC6395: Hackers Targeting Salesforce Data

The Federal Bureau of Investigation (FBI) has released a FLASH advisory concerning malicious cyber activities attributed to cyber criminal groups UNC6040 and UNC6395. These groups are responsible for an increasing number of data theft and extortion incidents targeting Salesforce platforms. According to the advisory, both groups employ different initial access mechanisms to compromise organizations’ Salesforce environments. The FBI aims to enhance awareness and provide IOCs to aid in research and network defense efforts.

UNC6040: Social Engineering and Malicious OAuth Apps

UNC6040 was first identified by Google Threat Intelligence (Mandiant) in June. Since late 2024, this group has been using social engineering and vishing attacks to deceive employees into connecting malicious Salesforce Data Loader OAuth apps to their company’s Salesforce accounts. In some instances, the threat actors impersonated corporate IT support personnel and distributed renamed versions of the application under the guise of “My Ticket Portal.”

Once connected, the malicious OAuth application is used to exfiltrate corporate Salesforce data. This data is then leveraged in extortion attempts by the ShinyHunters extortion group. Early data theft attacks primarily targeted the “Accounts” and “Contacts” database tables, which store customer data. The breaches impacted a range of organizations, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co.

This underscores the need for supply-chain risk monitoring, as well as robust brand leak alerting to detect unauthorized applications accessing sensitive data.

UNC6395: Stolen Salesloft Drift OAuth Tokens

In August, a series of data theft attacks targeted Salesforce customers using stolen Salesloft Drift OAuth and refresh tokens. This activity, tracked as UNC6395, is believed to have occurred between August 8th and 18th. The threat actors used the tokens to access support case information stored in Salesforce. The exfiltrated data was analyzed to extract secrets, credentials, and authentication tokens shared in support cases. These included AWS keys, passwords, and Snowflake tokens, which could be used to access other cloud environments for additional data theft.

Salesloft collaborated with Salesforce to revoke all Drift tokens and required customers to reauthenticate. Further investigation revealed that the threat actors also stole Drift Email tokens, which were used to access emails for a limited number of Google Workspace accounts. Mandiant’s investigation traced the attack back to a March breach of Salesloft’s GitHub repositories, which allowed the attackers to steal the Drift OAuth tokens.
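The UNC6395 intrusion turned support cases into a credential store: the attackers mined exported case text for AWS keys, passwords and tokens. The defender's counterpart is to find and redact such material before it is ever exfiltrated. The following scanner is an added example written for this article; it is not code from the FBI advisory, Salesloft, Salesforce or PurpleOps. The regexes, the entropy heuristic and its thresholds are assumptions chosen for illustration, and the sample cases are constructed (the AWS values are the documentation example credentials AWS itself publishes, not live keys).

```python
"""Scan support-case text for credentials that should never be stored there.

Added example, not from the FBI advisory or any vendor. Patterns and
thresholds are assumptions; sample cases below are constructed.
"""
import math
import re
from dataclasses import dataclass

# Detection patterns (assumptions for this example).
PATTERNS = {
    # AWS access key IDs have a fixed, documented prefix and length.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # "password: ..." / "pwd=..." style disclosures typed into a case.
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    # Bearer tokens pasted from curl commands or HTTP captures.
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
}
ENTROPY_MIN_LEN = 32      # assumption: shorter tokens are too noisy to flag
ENTROPY_THRESHOLD = 4.0   # bits per character; assumption tuned for API keys


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    excerpt: str  # first 8 characters only, so findings do not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum((k / n) * math.log2(k / n) for k in counts.values())


def high_entropy_tokens(text: str):
    """Yield whitespace-delimited tokens that look like opaque keys (heuristic)."""
    for raw in text.split():
        tok = raw.strip(".,;:()[]\"'")
        if len(tok) < ENTROPY_MIN_LEN or "://" in tok:  # skip short words and URLs
            continue
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            yield tok


def scan_case(case_id: str, text: str) -> list:
    """Return findings for one support-case body."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append(Finding(case_id, kind, secret[:8] + "..."))
    for tok in high_entropy_tokens(text):
        findings.append(Finding(case_id, "high_entropy_token", tok[:8] + "..."))
    return findings


def redact(text: str) -> str:
    """Replace detected secrets with a marker so the case text can be retained."""
    for kind, rx in PATTERNS.items():
        def _sub(m, kind=kind):
            if m.groups():  # keep the keyword, replace only the captured value
                return m.group(0).replace(m.group(1), f"[REDACTED:{kind}]")
            return f"[REDACTED:{kind}]"
        text = rx.sub(_sub, text)
    for tok in list(high_entropy_tokens(text)):
        text = text.replace(tok, "[REDACTED:high_entropy_token]")
    return text


def scan_all(cases: dict) -> dict:
    """Map case id -> findings, omitting cases with nothing to report."""
    result = {}
    for case_id, body in cases.items():
        found = scan_case(case_id, body)
        if found:
            result[case_id] = found
    return result


# Constructed sample cases. The AWS values are the example credentials from the
# AWS documentation, not real keys; everything else is made up.
SAMPLE_CASES = {
    "00001001": ("Our nightly sync to S3 fails. Creds: AKIAIOSFODNN7EXAMPLE and "
                 "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, please check."),
    "00001002": "Admin can't log in. Temp password: Winter2024! was set yesterday.",
    "00001003": "Report export times out after 10 minutes for the Contacts object.",
}

if __name__ == "__main__":
    for cid, found in scan_all(SAMPLE_CASES).items():
        print(cid, [(f.kind, f.excerpt) for f in found])
    print(redact(SAMPLE_CASES["00001001"]))
```

Every hit is a rotation task, not just a redaction task: a key that was ever written into a case must be treated as exposed, which is the lesson of the Drift token theft. The entropy rule is deliberately conservative (long tokens only, URLs excluded) so it can run over a full case export without drowning analysts in false positives.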

Similar to the UNC6040 attacks, the UNC6395 attacks affected numerous companies, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks. The incident highlights the potential for significant damage when third-party integrations are compromised.

Attribution and Tactics


While the FBI did not identify the groups behind these campaigns, the ShinyHunters extortion group claimed responsibility for both clusters of activity. They stated that they and other threat actors calling themselves “Scattered Lapsus$ Hunters” were involved. This group claims to have originated from and overlap with the Lapsus$, Scattered Spider, and ShinyHunters extortion groups.

The threat actors announced plans to cease discussing operations on Telegram, but claimed to have gained access to the FBI’s E-Check background check system and Google’s Law Enforcement Request system. If verified, this access would enable them to impersonate law enforcement and obtain sensitive personal data.

Technical and Non-Technical Takeaways

This situation presents a number of considerations for both technical and non-technical stakeholders.

Technical Takeaways

  • OAuth Application Security: Implement stringent review processes for OAuth applications connecting to Salesforce environments. Verify the legitimacy and necessity of requested permissions. Consider using a dark web monitoring service to identify potential leaks of OAuth tokens.
  • Credential Management: Enforce strong password policies and multi-factor authentication (MFA) across all user accounts, especially those with administrative privileges. Regularly audit and rotate credentials, particularly for service accounts and API integrations.
  • API Security: Monitor API usage for anomalous activity, such as unusual data access patterns or large-scale data exfiltration. Implement rate limiting and access controls to prevent unauthorized access to sensitive data. Ensure robust API key management practices. Consider using a live ransomware API to stay ahead of potential threats.
  • Incident Response Planning: Develop and regularly test incident response plans that specifically address the risk of compromised Salesforce environments and third-party integrations. Ensure the plan includes procedures for isolating affected systems, containing data breaches, and communicating with stakeholders.
  • Network Segmentation: Implement network segmentation to limit the blast radius of potential breaches. Restrict access to critical Salesforce resources based on the principle of least privilege.
  • Vulnerability Management: Stay informed about the latest security vulnerabilities affecting Salesforce and related third-party applications. Apply patches and updates promptly to mitigate known risks.
  • Telegram Threat Monitoring: Monitor channels like Telegram for leaked credentials and data so that remediation can begin immediately.
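The first three takeaways above (review connected OAuth apps, rotate and retire tokens, watch API usage for large-scale data access) can be expressed as concrete detection rules. The following is an added example written for this article, not code from the FBI advisory, Salesforce or PurpleOps. It runs three rules over a constructed, simplified record format that stands in for a connected-app audit or API event export; the field names, the allowlist, the 50,000-row threshold, the one-hour window and the token revocation cutoff date are all assumptions, and the app name "My Ticket Portal" is the lure reported for UNC6040.

```python
"""Detect risky connected-app activity against a Salesforce-style event export.

Added example (not the advisory's or any vendor's code). The record schema,
allowlist, thresholds and dates are assumptions; all events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: connected apps the organization has reviewed and approved.
APPROVED_CONNECTED_APPS = {"Salesforce CLI", "Marketing Sync", "Salesloft Drift"}
# Objects whose bulk export is the attackers' goal (Accounts/Contacts per the article;
# Case added because UNC6395 mined support cases).
SENSITIVE_OBJECTS = {"Account", "Contact", "Case"}
ROW_THRESHOLD = 50_000                  # rows per user+app per window (assumption)
WINDOW = timedelta(hours=1)             # sliding window (assumption)
# Assumption: tokens issued before this date were revoked and must have been reissued.
TOKEN_REVOCATION_CUTOFF = datetime(2025, 8, 20)


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    app: str
    detail: str


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect(events, approved=APPROVED_CONNECTED_APPS,
           token_cutoff=TOKEN_REVOCATION_CUTOFF, row_threshold=ROW_THRESHOLD):
    """Return one Alert per (rule, user, app) that fires over the event stream."""
    alerts = []
    fired = set()                       # (rule, user, app) already raised
    windows = defaultdict(list)         # (user, app) -> [(timestamp, rows)]

    def raise_once(rule, user, app, detail):
        if (rule, user, app) not in fired:
            fired.add((rule, user, app))
            alerts.append(Alert(rule, user, app, detail))

    for ev in sorted(events, key=lambda e: e["timestamp"]):
        ts = parse_ts(ev["timestamp"])
        user, app = ev["user"], ev["connected_app"]

        # Rule 1: a connected app nobody reviewed (the social-engineered install).
        if app not in approved:
            raise_once("unapproved_connected_app", user, app,
                       f"first seen {ev['timestamp']}")

        # Rule 2: an OAuth token issued before the revocation cutoff is still in use.
        if token_cutoff and parse_ts(ev["token_issued_at"]) < token_cutoff:
            raise_once("pre_revocation_token", user, app,
                       f"token issued {ev['token_issued_at']}")

        # Rule 3: sensitive-object rows per (user, app) exceed the threshold in WINDOW.
        if ev["object"] in SENSITIVE_OBJECTS:
            win = windows[(user, app)]
            win.append((ts, ev["rows"]))
            win[:] = [(t, r) for t, r in win if ts - t <= WINDOW]
            total = sum(r for _, r in win)
            if total > row_threshold:
                raise_once("bulk_sensitive_export", user, app,
                           f"{total} rows within {WINDOW}")
    return alerts


# Constructed events: a normal integration, a renamed Data Loader exporting
# customer data in two chunks, and a service account still using an old token.
SAMPLE_EVENTS = [
    {"timestamp": "2025-09-10T09:00:00", "user": "bob", "connected_app": "Marketing Sync",
     "token_issued_at": "2025-08-21T08:00:00", "operation": "Query",
     "object": "Account", "rows": 1200},
    {"timestamp": "2025-09-10T10:00:00", "user": "alice", "connected_app": "My Ticket Portal",
     "token_issued_at": "2025-09-10T09:58:00", "operation": "BulkQuery",
     "object": "Contact", "rows": 30000},
    {"timestamp": "2025-09-10T10:20:00", "user": "alice", "connected_app": "My Ticket Portal",
     "token_issued_at": "2025-09-10T09:58:00", "operation": "BulkQuery",
     "object": "Account", "rows": 30000},
    {"timestamp": "2025-09-10T11:00:00", "user": "svc-drift", "connected_app": "Salesloft Drift",
     "token_issued_at": "2025-07-01T00:00:00", "operation": "Query",
     "object": "Case", "rows": 500},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:26} user={a.user:10} app={a.app!r}: {a.detail}")
```

Rule 1 is the allowlist the first takeaway asks for, and it fires the moment "My Ticket Portal" appears regardless of how much it reads. Rule 3 catches the pattern the article describes even when the export is split into chunks, because it sums rows per user and app over a sliding window rather than looking at single requests. Rule 2 turns a token revocation into a verifiable control: any integration still presenting a pre-cutoff token was never re-authenticated and should be cut off.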

Non-Technical Takeaways

  • Employee Training: Conduct regular security awareness training to educate employees about social engineering and phishing attacks. Emphasize the importance of verifying the identity of IT support personnel and scrutinizing application permissions.
  • Third-Party Risk Management: Implement a robust third-party risk management program to assess the security posture of vendors and service providers that integrate with Salesforce. Ensure that contracts include clear security requirements and audit rights.
  • Data Governance: Establish clear data governance policies that define data ownership, access controls, and retention requirements. Regularly review and update these policies to reflect changes in the threat landscape and business requirements.
  • Legal and Compliance: Ensure compliance with relevant data privacy regulations, such as GDPR and CCPA. Maintain clear communication channels with legal counsel and regulatory authorities to address data breach incidents effectively.
  • Insurance Coverage: Review cyber insurance policies to ensure adequate coverage for data breach incidents affecting cloud-based platforms like Salesforce. Understand the scope of coverage and any exclusions that may apply.
  • Cyber Threat Intelligence Platform: Implement a comprehensive platform with capabilities like underground forum intelligence to stay ahead of emerging threats.

PurpleOps and Salesforce Security

PurpleOps provides a range of services to help organizations protect their Salesforce environments from threats like UNC6040 and UNC6395. Our offerings include:

  • Cyber Threat Intelligence: Our cyber threat intelligence services provide real-time insights into emerging threats, including IOCs associated with known threat actors. This enables organizations to proactively detect and respond to potential attacks.
  • Dark Web Monitoring: We offer dark web monitoring services to identify compromised credentials and sensitive data that may be circulating on underground forums and marketplaces. This helps organizations take timely action to mitigate the risk of account compromise and data breaches.
  • Supply Chain Risk Monitoring: PurpleOps provides supply chain risk monitoring to assess the security posture of third-party vendors and service providers that integrate with Salesforce. This helps organizations identify and address potential vulnerabilities in their supply chain.
  • Brand Leak Alerting: Using our platform to monitor for brand mentions and data leaks across the internet can help you identify potential threats early.
  • Breach Detection: Leverage our breach detection services to rapidly identify and contain security incidents.

Furthermore, our expertise in red team operations and penetration testing can help organizations identify weaknesses in their Salesforce security posture and develop effective remediation strategies. We can simulate real-world attacks to test the effectiveness of security controls and provide actionable recommendations for improvement. Our services in supply-chain information security also ensure that third-party integrations do not introduce vulnerabilities into your Salesforce environment.

Our managed security services can offload the burden of daily monitoring and threat management, allowing your internal teams to focus on core business objectives. We can also assist with incident response, forensic analysis, and security consulting to help you navigate complex security challenges.

To learn more about how PurpleOps can help you protect your Salesforce environment, please visit our platform page and our services page.

For specific inquiries or to request a consultation, please contact us directly.

FAQ

Q: What are UNC6040 and UNC6395?

A: UNC6040 and UNC6395 are two threat clusters actively compromising organizations’ Salesforce environments, engaged in data theft and extortion.

Q: What is the primary method of attack used by UNC6040?

A: UNC6040 primarily uses social engineering and vishing attacks to trick employees into connecting malicious OAuth apps.

Q: How does UNC6395 compromise Salesforce environments?

A: UNC6395 uses stolen Salesloft Drift OAuth and refresh tokens to access support case information stored in Salesforce.