FBI warns of UNC6040 and UNC6395 hackers targeting Salesforce to steal data and extort victims

The FBI has issued a FLASH alert warning that two threat clusters, UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims. The FLASH advisory also releases indicators of compromise (IOCs) to assist research and defense.

Officials say the two groups have been observed targeting Salesforce platforms through different initial-access mechanisms; the advisory is intended to maximize awareness and support network-defense efforts.

UNC6040 was first disclosed by Google Threat Intelligence (Mandiant) in June, with assessments describing social-engineering and vishing campaigns that tricked employees into authorizing Salesforce Data Loader OAuth apps. In some cases attackers impersonated corporate IT staff and used renamed versions of the application, such as “My Ticket Portal.” Once connected, the OAuth app was used to mass-exfiltrate Salesforce data, which was then used in extortion attempts by the ShinyHunters group.

In early data-theft attacks, actors targeted the Accounts and Contacts database tables in Salesforce, which store customer data. The campaigns impacted numerous large organizations, including Kering and Tiffany & Co., among others.
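As an added, illustrative detection check (not part of the FBI advisory or the cited reporting), the snippet below scans a constructed, simplified set of Salesforce API event records and flags connected apps outside an approved allowlist that read large volumes of Account or Contact rows. The field names and thresholds are assumptions for the example, not Salesforce's actual log schema.

```python
"""Flag bulk reads of Account/Contact data by unapproved connected apps.

Records are constructed and loosely modelled on Salesforce API event logs;
the field names ("user", "app", "entity", "rows") are an assumption made
for this example, not Salesforce's schema.
"""
from collections import defaultdict

# Approved connected apps (assumed for the example). The genuine Data Loader
# is allowed; the campaign used renamed copies such as "My Ticket Portal".
APPROVED_APPS = {"Salesforce Data Loader", "Internal Reporting Connector"}
SENSITIVE_OBJECTS = {"Account", "Contact"}   # tables targeted in the campaign
ROW_THRESHOLD = 50_000                       # assumed alerting threshold

# Constructed sample records: one row per API read by a connected app.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app": "Salesforce Data Loader", "entity": "Account", "rows": 1200},
    {"user": "bob@example.com", "app": "My Ticket Portal", "entity": "Account", "rows": 40000},
    {"user": "bob@example.com", "app": "My Ticket Portal", "entity": "Contact", "rows": 35000},
    {"user": "carol@example.com", "app": "Internal Reporting Connector", "entity": "Contact", "rows": 90000},
    {"user": "dave@example.com", "app": "Helpdesk Sync", "entity": "Case", "rows": 80000},
]


def find_suspicious_exports(events, approved=APPROVED_APPS, threshold=ROW_THRESHOLD):
    """Return sorted [(user, app, rows)] for unapproved apps whose cumulative
    reads of sensitive objects reach the threshold.

    Totals are aggregated per (user, app) rather than per object, because an
    exfiltration split across Account and Contact would otherwise stay under
    a per-table threshold.
    """
    totals = defaultdict(int)
    for ev in events:
        if ev["app"] in approved or ev["entity"] not in SENSITIVE_OBJECTS:
            continue
        totals[(ev["user"], ev["app"])] += ev["rows"]
    return sorted((u, a, n) for (u, a), n in totals.items() if n >= threshold)


if __name__ == "__main__":
    for user, app, rows in find_suspicious_exports(SAMPLE_EVENTS):
        print(f"ALERT: {user} via unapproved app '{app}' read {rows} Account/Contact rows")
```

Matching on the display name alone is weak, since the article itself notes the attackers renamed the application; in production, key the allowlist on the connected app's unique identifier rather than its label.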

In a further wave of data theft, campaigns in August used stolen Drift OAuth and refresh tokens to breach Salesforce customers. Salesforce responded by revoking all Drift tokens and requiring customers to reauthenticate. Exfiltrated data reportedly included credentials such as AWS keys, passwords and Snowflake tokens, which could enable a pivot into other cloud environments.

Investigations by Mandiant traced the origin of a related attack to a March compromise of Salesloft’s GitHub repositories, which enabled attackers to steal Drift OAuth tokens later used to access Salesforce data. The incident affected numerous companies, including Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik and Cato Networks. A broader summary is also available at the Drift breach site.

The FBI did not publicly name the groups behind these campaigns, but researchers cited in reporting describe ties to extortion-focused actors who call themselves “ShinyHunters” and who overlap with groups such as Lapsus$, Scattered Spider and related affiliates. In a recent communication, the hackers claimed to have gained access to the FBI’s E-Check background-check system and Google’s Law Enforcement Request system via a domain associated with BreachForums, though no independent verification was provided. The FBI declined to comment and Google did not respond to requests for comment.