- Two threat groups, UNC6040 and UNC6395, are actively targeting Salesforce accounts to steal confidential data
- UNC6395 abuses third-party integrations such as the Salesloft Drift chatbot, while UNC6040 uses phone-based social engineering, impersonating IT staff to obtain access
- The FBI warns that follow-up extortion attacks are often carried out by ShinyHunters, a group linked to Scattered Spider
Two separate threat actors are currently targeting organizations' Salesforce accounts to steal the confidential data held inside. This is according to the United States Federal Bureau of Investigation (FBI), which recently issued a FLASH notice to warn companies about the ongoing threat.
“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) associated with recent malicious cyber activities by the cyber criminal groups UNC6040 and UNC6395, responsible for a growing number of data theft and extortion intrusions,” the agency said in its advisory.
“Recently, both groups have been observed targeting organizations' Salesforce platforms through different initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that recipients can use for network research and defense.”
Scattered Spider and ShinyHunters
Recently, there have been numerous reports of cybercriminals compromising companies' Salesforce accounts through Salesloft Drift, an AI chatbot application that can be integrated with Salesforce.
The FBI tracks this group as UNC6395, and it apparently hit some of the largest technology and security organizations, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks and others.
The other group, UNC6040, gained access by deceiving its victims into handing it over. They would call employees on the phone, posing as IT support staff dealing with company-wide connectivity problems.
“Under the guise of closing an auto-generated ticket, UNC6040 actors deceive customer service employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them to access the targeted companies' Salesforce instances to exfiltrate customer data,” the FBI said.
One threat actor known to have perfected this technique is Scattered Spider. While the FBI did not name that group in its notice, it said that follow-up extortion attacks were generally mounted by ShinyHunters, a group known to have been working alongside Scattered Spider. At one point, the groups even merged into an entity called Scattered LAPSUS$ Hunters.
Via BleepingComputer