Google Warns of Data Extortion Attacks Targeting Salesforce Accounts

Google’s Threat Intelligence Group (GTIG) has reported a significant rise in social engineering attacks aimed at multinational companies that use Salesforce. Attackers, purportedly linked to the ShinyHunters group, are using voice phishing (vishing) to manipulate employees into installing a modified version of Salesforce’s Data Loader application. This trend highlights the increasingly sophisticated methods attackers are using to penetrate corporate environments.

The threat actors behind these attacks, tracked by GTIG as UNC6040, primarily target English-speaking employees, who are deceived into believing they are receiving legitimate IT support. By impersonating IT staff, the attackers persuade targets to connect a modified Data Loader to their Salesforce instance; Data Loader is a tool commonly trusted within the Salesforce ecosystem. Once access is granted, the malicious app is used to export sensitive data from the Salesforce environment.

Upon gaining entry, the threat actors exploit their access to move laterally within the victim’s cloud infrastructure, infiltrating other platforms such as Okta, Microsoft 365, and Workplace. This lateral movement enables them to extract a wealth of sensitive information, ranging from internal communications to critical authorization tokens. Google’s report highlights the alarming speed at which data exfiltration occurs, often taking place almost immediately after access is obtained.

Extortion attempts often follow months after the initial compromise, with the attackers claiming to be associated with ShinyHunters to heighten pressure on victims. ShinyHunters, a notorious hacking group known for high-profile data theft and ransom demands, has been connected to numerous significant data breaches.

Google advises organizations using Salesforce to implement stringent security measures, including restricting API permissions and limiting which users may install or authorize connected apps, to reduce the risk of falling prey to such attacks. For more information, organizations can refer to the guidance provided by Salesforce on protecting against social engineering attacks.