Financially motivated hackers linked to ShinyHunters have been observed using social engineering techniques to gain access to victim networks via a popular customer service and sales platform.
A hacking group with intimate knowledge of the Salesforce platform has been observed using voice phishing techniques to gain initial access to victim networks before exfiltrating data and threatening to publish the data online.
The Google Threat Intelligence Group (GTIG) is actively tracking the campaign and recently published its findings.
The hacking group, known only as UNC6040, initially makes contact with a victim by claiming to be an IT support worker. Once that identity is established, the hackers trick the employee into authorising a connection to a malicious version of Salesforce’s Data Loader, an application designed to facilitate the importing, exporting, and updating of large volumes of data.
“In some of the intrusions using Data Loader, threat actors utilised modified versions of Data Loader to exfiltrate Salesforce data from victim organisations,” GTIG said in a recent blog post.
“The proficiency with the tool and capabilities by executed queries seems to differ from one intrusion to another.”
In some cases, the threat actor spends time exfiltrating small chunks of data before being detected, while in others, the size of the datasets being stolen quickly escalates, allowing for entire Salesforce tables to be successfully exfiltrated.
Once UNC6040 has exfiltrated Salesforce data, it has also been observed harvesting user credentials in order to move laterally through the network and access further data from platforms such as Microsoft 365 and Okta. In addition, the threat actor uses an Okta-themed phishing panel.
“This panel was used to trick victims into visiting it from their mobile phones or work computers during the social engineering calls,” GTIG said.
“In these interactions, UNC6040 also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration.”
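The pattern described above (a connected app authorised by a socially engineered user, followed by exports that start small and quickly escalate to whole tables) is something a defender can look for in Salesforce API activity. The following is an added example, not code from the article, from Google or from Salesforce: it parses a constructed, simplified CSV of API events (timestamp, user, connected app name, object, rows returned; the field layout and all sample values are assumptions) and raises three kinds of finding. Because the article notes that the attackers use a modified Data Loader, a connected-app allowlist alone is not enough; the volume and escalation checks are what catch a legitimately named client that is suddenly pulling far more than it used to.

```python
"""Added example (not from the article, Google or Salesforce): flag export activity
consistent with the Data Loader abuse described above.

Assumed input: one API event per line, "timestamp,user,app,entity,rows".
Field names, thresholds and all sample values below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical allowlist of connected apps the org has approved.
APPROVED_APPS = {"Data Loader", "Salesforce for Outlook"}
WINDOW = timedelta(minutes=15)   # sliding window for the volume check
BULK_ROWS = 50_000               # rows in WINDOW that count as a bulk export
ESCALATION_FACTOR = 10           # jump vs the previous query that counts as escalation


@dataclass
class ApiEvent:
    ts: datetime
    user: str
    app: str      # connected app name reported by the API client
    entity: str   # Salesforce object queried, e.g. Contact
    rows: int     # rows returned by the query


@dataclass
class Finding:
    kind: str     # unapproved_app | escalation | bulk_export
    user: str
    app: str
    detail: str


# Constructed sample log: alice's exports ramp from 200 rows to a whole table,
# bob uses an app not on the allowlist, carol's activity is ordinary.
SAMPLE_LOG = """\
2025-06-02T09:14:05Z,alice@example.test,Data Loader,Contact,200
2025-06-02T09:16:40Z,alice@example.test,Data Loader,Contact,200
2025-06-02T09:18:12Z,alice@example.test,Data Loader,Account,5000
2025-06-02T09:19:55Z,alice@example.test,Data Loader,Account,60000
2025-06-02T11:02:30Z,bob@example.test,My Lead Sync,Lead,150
2025-06-02T14:30:00Z,carol@example.test,Data Loader,Opportunity,300
"""


def parse_events(text: str) -> list[ApiEvent]:
    """Parse the constructed CSV format into events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, app, entity, rows = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ApiEvent(when, user, app, entity, int(rows)))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[ApiEvent]) -> list[Finding]:
    """Return one finding per (user, app) for each suspicious condition seen."""
    findings: list[Finding] = []
    raised: set[tuple[str, tuple[str, str]]] = set()   # dedupe per kind and key
    recent: dict[tuple[str, str], list[tuple[datetime, int]]] = defaultdict(list)
    last_rows: dict[tuple[str, str], int] = {}

    def raise_once(kind: str, ev: ApiEvent, detail: str) -> None:
        key = (kind, (ev.user, ev.app))
        if key not in raised:
            raised.add(key)
            findings.append(Finding(kind, ev.user, ev.app, detail))

    for ev in events:
        key = (ev.user, ev.app)

        # 1. Client name not on the allowlist (catches unknown apps, not a renamed one).
        if ev.app not in APPROVED_APPS:
            raise_once("unapproved_app", ev, f"connected app '{ev.app}' not on allowlist")

        # 2. Sudden jump in query size compared with the same client's previous query.
        prev = last_rows.get(key)
        if prev and ev.rows >= ESCALATION_FACTOR * prev:
            raise_once("escalation", ev, f"query grew from {prev} to {ev.rows} rows")
        last_rows[key] = ev.rows

        # 3. Total rows pulled by this client within the sliding window.
        window = [(t, r) for t, r in recent[key] if ev.ts - t <= WINDOW]
        window.append((ev.ts, ev.rows))
        recent[key] = window
        total = sum(r for _, r in window)
        if total >= BULK_ROWS:
            raise_once("bulk_export", ev, f"{total} rows exported within {WINDOW}")

    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f.kind:15} {f.user:20} {f.app:12} {f.detail}")
```

The thresholds are deliberately crude; in practice they would be tuned per object and per role, and the findings would be joined with the connected-app authorisation event and the login record (new device, new IP) that preceded the first query, since the article's point is that the access itself was granted by a user, not gained through a platform flaw.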
It’s also thought that UNC6040 has links to a hacking collective known as ‘The Com’, based on overlaps in tactics, techniques, and procedures. In some cases, when a victim is later being extorted post-data-exfiltration, the threat actor making contact has claimed links to the ShinyHunters hacking group.
It should be pointed out that the hackers are not taking advantage of any inherent flaw within Salesforce, but rather using advanced social engineering techniques to trick users into installing the malicious Data Loader.
“Salesforce has enterprise-grade security built into every part of our platform, and there’s no indication the issue described stems from any vulnerability inherent to our services. Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cyber security awareness and best practices,” a Salesforce spokesperson told Cyber Daily.
“Security is a shared responsibility, and we provide customers with tools, guidance, and security features like multifactor authentication and IP restrictions to help defend against evolving threats.”
You can read Google’s full blog post here, and read more about securing Salesforce here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.