
Salesforce customers duped by series of social-engineering attacks

Google Threat Intelligence Group said about 20 organizations have been hit by a cybercrime group it tracks as UNC6040.
Exterior view of Salesforce's headquarters in San Francisco on Feb. 28, 2024. (Justin Sullivan/Getty Images)

A financially motivated threat group posing as IT support has intruded into the systems of about 20 organizations by duping employees into installing a malicious, illegitimate version of Salesforce’s Data Loader and granting broader access to cloud-based environments, Google Threat Intelligence Group said in a threat report released Wednesday.

The attacks, which Google attributes to UNC6040, have hit organizations in hospitality, retail and education across the Americas and Europe, resulting in data theft and extortion. 

“Our current assessment indicates that a limited number of organizations were affected as part of this campaign, approximately 20,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, told CyberScoop in an email. “We are tracking at least several extortion attempts, but we cannot comment on how many were successful.”

Organizations’ adoption of widespread integrations and privileged access to multiple cloud-based services in corporate environments — paired with support for single sign-on services such as Okta and authentication protocols like OAuth — amplifies the risk posed by identity-based attacks. 


Attackers have gained access to victim networks by calling targeted employees on the phone and convincing them to install and approve the malicious Salesforce application, exposing sensitive credentials and multi-factor authentication codes, according to Google.

UNC6040 used this access to steal data from the victim organization’s Salesforce environment, and then initiate lateral movement to steal data from other connected platforms, including Okta, Microsoft 365 and Workplace, researchers said.

“Salesforce has enterprise-grade security built into every part of our platform, and there’s no indication the issue described stems from any vulnerability inherent to our services,” a spokesperson for Salesforce said in a statement. “Attacks like voice phishing are targeted social-engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”

Google said the threat group’s social-engineering tactics and initial focus on English-speaking users at multinational companies share similarities with activities linked to members of “The Com,” suggesting some potential overlap and association with the global collective of loosely affiliated cybercriminals. Yet, researchers noted UNC6040 is unique in focusing on exfiltrating data from Salesforce environments.

Attackers set their phishing lures by calling targeted individuals, posing as IT administrators offering support for alleged general IT issues. UNC6040 claims the issue stems from a nonexistent open IT support ticket that the victim can’t access due to system differences, according to Google.


The victim is then directed to visit a phishing site or a fake “Salesforce Setup Connect” page, which requires an eight-digit code, to close the ticket, researchers said.

Upon entering and confirming the code on their mobile device or computer, victims unwittingly authenticate access to UNC6040 via OAuth and add the malicious application to their Salesforce instance.
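The authorization step above leaves a trace a defender can look for: a connected app gaining OAuth access, followed shortly by bulk data export. The following is an added example, not code from the article, Google or Salesforce; it scans constructed, simplified audit records for OAuth grants to apps outside an allowlist and checks whether a bulk export by the same user followed within a short window. The record layout, field names and the `APPROVED_APPS` list are assumptions, not Salesforce's real log schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit records (assumed layout, not Salesforce's real schema).
# Each record carries a timestamp, the acting user, an event type and a detail string.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "event": "oauth_grant", "detail": "Data Loader"},
    {"ts": "2024-05-01T09:05:00", "user": "alice@example.com", "event": "bulk_export", "detail": "Account:120000"},
    {"ts": "2024-05-01T10:00:00", "user": "bob@example.com",   "event": "oauth_grant", "detail": "Dataloader Update"},
    {"ts": "2024-05-01T10:04:00", "user": "bob@example.com",   "event": "bulk_export", "detail": "Contact:450000"},
    {"ts": "2024-05-01T11:00:00", "user": "carol@example.com", "event": "bulk_export", "detail": "Lead:3000"},
]

# Assumed organizational allowlist of connected apps. In practice key this on the
# app's client identifier rather than its display name, since a malicious app can
# reuse a trusted-looking name.
APPROVED_APPS = {"Data Loader"}


def find_suspicious_grants(records, approved_apps=APPROVED_APPS, window=timedelta(minutes=15)):
    """Return one alert per OAuth grant to a non-allowlisted app.

    Each alert notes whether the same user performed a bulk export within
    `window` after the grant, which raises the priority of the alert.
    """
    exports_by_user = {}
    for r in records:
        if r["event"] == "bulk_export":
            exports_by_user.setdefault(r["user"], []).append(datetime.fromisoformat(r["ts"]))

    alerts = []
    for r in records:
        if r["event"] != "oauth_grant" or r["detail"] in approved_apps:
            continue
        granted_at = datetime.fromisoformat(r["ts"])
        followed_by_export = any(
            granted_at <= t <= granted_at + window for t in exports_by_user.get(r["user"], [])
        )
        alerts.append({"user": r["user"], "app": r["detail"], "export_followed": followed_by_export})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_grants(SAMPLE_RECORDS):
        print(alert)
```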

Salesforce, which maintains that security is a shared responsibility, warned customers of threats posed by social-engineering attacks in guidance it released in a blog post earlier this year.
