Attackers fake IT support calls to steal Salesforce data
Over the past several months, a threat group has been actively breaching organizations’ Salesforce instances and exfiltrating customer and business data, Google Threat Intelligence Group (GTIG) has warned.
The attackers in question – currently tracked as UNC6040 – are masters at voice phishing (“vishing”): they are impersonating the organizations’ IT support personnel and manipulating employees into sharing credentials and connecting a malicious app to their organization’s Salesforce portal.
The primary goal is the exfiltration of sensitive data, which is then used to attempt to extort money from the victim organization.
“Following this initial data theft, UNC6040 was observed moving laterally through the victim’s network, accessing and exfiltrating data from other platforms such as Okta, Workplace, and Microsoft 365,” Google’s threat analysts noted.
Salesforce-focused vishing
In this ongoing campaign, the threat actors primarily target English-speaking employees at multinational companies.
During the vishing calls, they trick them into connecting a malicious application to the organization’s Salesforce environment or, alternatively, into visiting phishing pages and entering their user credentials and multifactor authentication codes, which the attackers then use to authenticate and perform the app connection process themselves.
The malicious app they are using is a modified version of Salesforce’s legitimate Data Loader app, though the name and the branding are changed to avoid raising suspicion.
The attack flow (Source: Mandiant)
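As an added illustration of the defensive side (not code from the article, Google or Salesforce), the following Python triages constructed event records for the two signals described above: a user authorizing a connected app that is not admin-approved, followed by high-volume bulk queries through that app. The field names, the app allowlist and the row threshold are assumptions, not Salesforce’s real event schema.

```python
# Added detection example (not from the article, Google or Salesforce).
# Record fields are constructed to resemble connected-app authorization and
# bulk-query events; they are assumptions, not the real Salesforce schema.
from collections import defaultdict

# Constructed sample events, oldest first.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "event": "app_authorized",
     "app": "Data Loader", "scopes": "api refresh_token", "rows": 0},
    {"user": "bob@example.com", "event": "app_authorized",
     "app": "My Ticket Portal", "scopes": "api refresh_token", "rows": 0},
    {"user": "bob@example.com", "event": "bulk_query",
     "app": "My Ticket Portal", "scopes": "", "rows": 400_000},
    {"user": "bob@example.com", "event": "bulk_query",
     "app": "My Ticket Portal", "scopes": "", "rows": 350_000},
    {"user": "carol@example.com", "event": "bulk_query",
     "app": "Data Loader", "scopes": "", "rows": 2_000},
]

APPROVED_APPS = {"Data Loader", "Marketing Sync"}  # admin-approved apps (constructed)
EXPORT_ROW_THRESHOLD = 500_000                      # per user+app; tune per org


def find_unapproved_authorizations(events):
    """Return (user, app, scopes) for every authorization of a non-allowlisted app."""
    return [(e["user"], e["app"], e["scopes"])
            for e in events
            if e["event"] == "app_authorized" and e["app"] not in APPROVED_APPS]


def find_bulk_exports(events, threshold=EXPORT_ROW_THRESHOLD):
    """Sum rows pulled per (user, app) through bulk queries; return pairs at or above threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "bulk_query":
            totals[(e["user"], e["app"])] += e["rows"]
    return sorted((k, v) for k, v in totals.items() if v >= threshold)


def triage(events):
    """Highest priority: an unapproved app authorization followed by volume export through it."""
    unapproved = {(u, a) for u, a, _ in find_unapproved_authorizations(events)}
    exports = dict(find_bulk_exports(events))
    return [(u, a, exports[(u, a)]) for (u, a) in sorted(unapproved) if (u, a) in exports]


if __name__ == "__main__":
    for user, app, rows in triage(SAMPLE_EVENTS):
        print(f"HIGH: {user} authorized unapproved app '{app}' and exported {rows} rows")
```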
“This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments,” the threat analysts noted, but pointed out that the threat actors performing the data exfiltration and those performing the extortion activities might not be the same.
“In some instances, extortion activities haven’t been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data,” they added.
“Given the extended time frame between initial compromise and extortion, it is possible that multiple victim organizations and potentially downstream victims could face extortion demands in the coming weeks or months.”
UNC6040’s social engineering tactics mirror broader vishing trends
UNC6040’s infrastructure and TTPs – vishing, impersonating IT support, targeting of Okta credentials – overlap with the loosely organized collective known as “The Com”, Google’s analysts noted.
The data exfiltration is performed at different speeds, and the attackers’ proficiency with the tool and the capabilities shown by the queries they execute seem to differ from one intrusion to another, Google’s analysts found.
“In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce,” they pointed out.
Salesforce is aware of these attacks, has been warning customers about them, and has been sharing best practices and platform features that can help defend against these types of threats.
Mandiant’s incident responders have also released a more general overview of the vishing threats that organizations are currently facing and advice on which defensive actions to take.