The FBI has issued a FLASH alert over the threat posed to enterprises by threat groups targeting Salesforce environments.
According to the law enforcement agency, two threat groups, tracked as UNC6040 and UNC6395, have ramped up targeting of Salesforce customers amidst a spate of attacks in recent months.
“Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms,” the FBI said in its advisory.
The agency added it had released information to “maximize awareness” and provide indicators of compromise (IOCs) commonly associated with attacks by these groups.
So what should enterprises be looking out for?
How both groups are targeting Salesforce customers
According to the FBI, UNC6040 has been targeting Salesforce customers since October 2024, typically gaining initial access through social engineering techniques.
These include ‘vishing’ (voice-based phishing) attacks to dupe users into granting access to Salesforce accounts.
“UNC6040 threat actors commonly call victims’ call centers posing as IT support employees addressing enterprise-wide connectivity issues,” the advisory notes.
“Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies’ Salesforce instances to exfiltrate customer data.”
During these attacks, threat actors have used ‘phishing panels’, directing victims to phony login pages which record login details and ultimately give the hackers access.
“UNC6040 threat actors have also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration,” the advisory added.
Meanwhile, UNC6395 has been observed using a different method, capitalizing on compromised OAuth tokens for the Salesloft Drift application.
“Using the compromised OAuth tokens and third-party app integration, UNC6395 threat actors were able to compromise victims’ Salesforce instances and exfiltrate data,” the FBI noted.
A host of organizations globally have been impacted by Salesloft Drift breaches in recent months, with Google, Zscaler, Palo Alto Networks, and Cloudflare all revealing they’ve fallen victim.
Salesloft has since revoked active access and refresh tokens for Drift, preventing threat actors from accessing victims’ Salesforce platforms connected to the app.
How to know if you’ve been hit and what to do
In terms of IOCs, the FBI has detailed a list of IPs associated with both groups, with UNC6040 commanding the lion’s share. The agency recommends enterprises “investigate and vet indicators prior to taking action, such as blocking”.
A full list of UNC6040 IPs can be found below.
To mitigate the threat posed by these groups, the FBI also recommended a series of steps enterprises can take.
First and foremost, this includes training call center employees to recognize and report phishing attempts alongside implementation of MFA for “as many services as possible”.
Elsewhere, enterprises should implement authentication, authorization, and accounting (AAA) systems to “limit actions users can perform”.
“Apply the Principle of Least Privilege to user accounts and groups, allowing only the performance of authorized actions,” the agency said.
Other tips from the FBI include:
- Enforcement of IP-based access restrictions and monitoring of API usage.
- Monitoring network logs and browser session for anomalous activity and indicators of data exfiltration.
- Conduct reviews of third-party integrations connected to third-party software instances.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Jaguar Land Rover u-turns on cyber attack containment claims, admits ‘some data has been affected’
- LNER warns customers to remain vigilant after personal data exposed in cyber attack
- FBI warns 'indiscriminate' Salt Typhoon hacking campaign has hit organizations in more than 80 countries
-
Bridging the data disconnectSponsored Podcast How can businesses make the most of their data for customer success?
-
Lenovo Chromebook Plus 14 (Gen 10) reviewReviews The Lenovo Chromebook Plus 14 is a beautifully put-together, AI-ready Chromebook with excellent performance, good battery life, and a fantastic OLED screen
-
Kids hacking for kicks are causing security headaches at schoolsNews More than half of cyber incidents at schools are caused by students, with some tech-savvy pupils attempting to bypass security and network controls.
-
Mobile app security is a huge blind spot for developer teams – 93% are confident their applications are secure, but 62% reported breaches last yearNews Organizations are overconfident about their mobile app security practices, according to new research, and it’s putting enterprises and consumers alike at risk.
-
LNER warns customers to remain vigilant after personal data exposed in cyber attackNews LNER has warned customers to remain vigilant for social engineering attacks after a cyber attack on the rail operator exposed personal data.
-
Jaguar Land Rover u-turns on cyber attack containment claims, admits ‘some data has been affected’News Jaguar Land Rover (JLR) has admitted some data may have been accessed by hackers following a cyber attack which severely disrupted production.
-
Everything we know about the Plex data breach so farNews Plex advised users to sign out of any connected devices that are currently logged in and enable two-factor authentication if they haven’t already.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
FBI warns 'indiscriminate' Salt Typhoon hacking campaign has hit organizations in more than 80 countriesNews The Salt Typhoon hacker group has waged several major campaigns against US telecoms companies and critical infrastructure operators – now it's ramping up attacks globally.
-
Salesloft Drift hackers had access to company GitHub account for months before attacksNews Hackers behind the Salesloft Drift breach had access to the company’s GitHub account for several months before waging a flurry of attacks, the company has revealed.
