The FBI has issued a FLASH alert over the threat posed to enterprises by threat groups targeting Salesforce environments.
According to the law enforcement agency, two threat groups, tracked as UNC6040 and UNC6395, have ramped up targeting of Salesforce customers amidst a spate of attacks in recent months.
“Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms,” the FBI said in its advisory.
The agency added it had released information to “maximize awareness” and provide indicators of compromise (IOCs) commonly associated with attacks by these groups.
So what should enterprises be looking out for?
How both groups are targeting Salesforce customers
According to the FBI, UNC6040 has been targeting Salesforce customers since October 2024, typically gaining initial access through social engineering techniques.
These include ‘vishing’ (voice-based phishing) attacks to dupe users into granting access to Salesforce accounts.
“UNC6040 threat actors commonly call victims’ call centers posing as IT support employees addressing enterprise-wide connectivity issues,” the advisory notes.
“Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies’ Salesforce instances to exfiltrate customer data.”
During these attacks, threat actors have used ‘phishing panels’, directing victims to phony login pages which record login details and ultimately give the hackers access.
“UNC6040 threat actors have also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration,” the advisory added.
Meanwhile, UNC6395 has been observed using a different method, capitalizing on compromised OAuth tokens for the Salesloft Drift application.
“Using the compromised OAuth tokens and third-party app integration, UNC6395 threat actors were able to compromise victims’ Salesforce instances and exfiltrate data,” the FBI noted.
A host of organizations globally have been impacted by Salesloft Drift breaches in recent months, with Google, Zscaler, Palo Alto Networks, and Cloudflare all revealing they’ve fallen victim.
Salesloft has since revoked active access and refresh tokens for Drift, preventing threat actors from accessing victims’ Salesforce platforms connected to the app.
How to know if you’ve been hit and what to do
In terms of IOCs, the FBI has detailed a list of IPs associated with both groups, with UNC6040 commanding the lion’s share. The agency recommends enterprises “investigate and vet indicators prior to taking action, such as blocking”.
A full list of UNC6040 IPs can be found below.
To mitigate the threat posed by these groups, the FBI also recommended a series of steps enterprises can take.
First and foremost, this includes training call center employees to recognize and report phishing attempts alongside implementation of MFA for “as many services as possible”.
Elsewhere, enterprises should implement authentication, authorization, and accounting (AAA) systems to “limit actions users can perform”.
“Apply the Principle of Least Privilege to user accounts and groups, allowing only the performance of authorized actions,” the agency said.
Other tips from the FBI include:
- Enforcement of IP-based access restrictions and monitoring of API usage.
- Monitoring network logs and browser session for anomalous activity and indicators of data exfiltration.
- Conduct reviews of third-party integrations connected to third-party software instances.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Jaguar Land Rover u-turns on cyber attack containment claims, admits ‘some data has been affected’
- LNER warns customers to remain vigilant after personal data exposed in cyber attack
- FBI warns 'indiscriminate' Salt Typhoon hacking campaign has hit organizations in more than 80 countries
-
Hackers are using these malicious npm packages to target developers Windows, macOS, and Linux systemsNews Security experts have issued a warning to developers after ten malicious npm packages were found to deliver infostealer malware across Windows, Linux, and macOS systems.
-
Equinix announces multi-billion pound data center investment in ‘huge win’ for UKNews The Hertfordshire site will double Equinix’s processing capacity in the UK
-
Google says reports of a 'huge' Gmail breach affecting millions of users are false, againNews Reports of a major Gmail affecting millions of users have been flooding the web this week – Google says they're "false" and you've nothing to worry about.
-
Enterprises can’t keep a lid on surging cyber incident costsNews With increasing threats and continuing skills shortages, AI tools are becoming a necessity for some
-
Cyber researchers have already identified several big security vulnerabilities on OpenAI’s Atlas browserNews Security researchers have uncovered a Cross-Site Request Forgery (CSRF) attack and a prompt injection technique
-
CISA issues alert after botched Windows Server patch exposes critical flawNews A critical remote code execution flaw in Windows Server is being exploited in the wild, despite a previous 'fix'
-
Former NCSC head says the Jaguar Land Rover attack was the 'single most financially damaging cyber event ever to hit the UK' as impact laid bareNews Researchers said they place the UK financial impact of the attack on Jaguar Land Rover at around £1.9 billion.
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
Cyber experts have been warning about AI-powered DDoS attacks – now they’re becoming a realityNews DDoS attackers are flocking to AI tools and solutions to power increasingly devastating attacks
-
Microsoft issues warning over “opportunistic” cyber criminals targeting big businessNews Microsoft has called on governments to do more to support organizations
