How to check if you’ve been affected by Salesforce attacks – and stop hackers dead in their tracks
The FBI has detailed steps enterprises can take to prevent falling victim to Salesforce attacks
The FBI has issued a FLASH alert over the threat posed to enterprises by threat groups targeting Salesforce environments.
According to the law enforcement agency, two threat groups, tracked as UNC6040 and UNC6395, have ramped up targeting of Salesforce customers amidst a spate of attacks in recent months.
“Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms,” the FBI said in its advisory.
The agency added it had released information to “maximize awareness” and provide indicators of compromise (IOCs) commonly associated with attacks by these groups.
So what should enterprises be looking out for?
How both groups are targeting Salesforce customers
According to the FBI, UNC6040 has been targeting Salesforce customers since October 2024, typically gaining initial access through social engineering techniques.
These include ‘vishing’ (voice-based phishing) attacks to dupe users into granting access to Salesforce accounts.
“UNC6040 threat actors commonly call victims’ call centers posing as IT support employees addressing enterprise-wide connectivity issues,” the advisory notes.
“Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies’ Salesforce instances to exfiltrate customer data.”
During these attacks, threat actors have used ‘phishing panels’, directing victims to phony login pages which record login details and ultimately give the hackers access.
“UNC6040 threat actors have also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration,” the advisory added.
Meanwhile, UNC6395 has been observed using a different method, capitalizing on compromised OAuth tokens for the Salesloft Drift application.
“Using the compromised OAuth tokens and third-party app integration, UNC6395 threat actors were able to compromise victims’ Salesforce instances and exfiltrate data,” the FBI noted.
A host of organizations globally have been impacted by Salesloft Drift breaches in recent months, with Google, Zscaler, Palo Alto Networks, and Cloudflare all revealing they’ve fallen victim.
Salesloft has since revoked active access and refresh tokens for Drift, preventing threat actors from accessing victims’ Salesforce platforms connected to the app.
How to know if you’ve been hit and what to do
In terms of IOCs, the FBI has detailed a list of IPs associated with both groups, with UNC6040 commanding the lion’s share. The agency recommends enterprises “investigate and vet indicators prior to taking action, such as blocking”.
A full list of UNC6040 IPs can be found below.
To mitigate the threat posed by these groups, the FBI also recommended a series of steps enterprises can take.
First and foremost, this includes training call center employees to recognize and report phishing attempts, alongside implementing MFA for “as many services as possible”.
Elsewhere, enterprises should implement authentication, authorization, and accounting (AAA) systems to “limit actions users can perform”.
“Apply the Principle of Least Privilege to user accounts and groups, allowing only the performance of authorized actions,” the agency said.
Other tips from the FBI include:
- Enforcing IP-based access restrictions and monitoring API usage.
- Monitoring network logs and browser sessions for anomalous activity and indicators of data exfiltration.
- Reviewing third-party integrations connected to third-party software instances.
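The advisory's guidance to vet IOCs before blocking, to monitor API and login activity for exfiltration, and to review third-party integrations can be turned into a small triage pass over a Salesforce login-history export. The script below is an added example and is not code from the FBI advisory, ITPro, or Salesforce: the column names follow Salesforce's LoginHistory object (SourceIp, Application, LoginType, Status, UserId), but every record, the IOC list (RFC 5737 documentation addresses standing in for the FBI's published IPs), the corporate egress range, the application label "Data Loader" and the "Remote Access 2.0" login type used to spot OAuth connected apps are assumptions or constructed sample data that the reader must replace with their own export and the real indicator list.

```python
"""
Triage a Salesforce LoginHistory-style CSV export against an IOC IP list,
flag bulk-export tools used from outside corporate egress, and inventory
the OAuth connected apps seen in the logins.

Added illustrative example; not from the FBI advisory, ITPro, or Salesforce.
All IPs and records are constructed sample data.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Stand-in for the FBI IOC list (constructed; RFC 5737 documentation ranges).
IOC_IPS = {"198.51.100.23", "198.51.100.77", "203.0.113.9"}

# Assumed corporate egress range (constructed). Bulk tools authenticating
# from outside it deserve a closer look.
CORPORATE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Applications able to pull whole objects; assumed labels, check your org.
BULK_APPS = {"Data Loader", "Bulk API 2.0"}

# Constructed sample export in LoginHistory-like CSV form.
SAMPLE_LOGINS = """\
LoginTime,UserId,SourceIp,Application,LoginType,Status
2025-09-01T08:02:11Z,005A1,192.0.2.15,Browser,Application,Success
2025-09-01T08:05:40Z,005A1,192.0.2.15,Browser,Application,Success
2025-09-01T09:17:03Z,005B2,198.51.100.23,Browser,Application,Success
2025-09-01T09:20:55Z,005B2,198.51.100.23,Data Loader,Application,Success
2025-09-01T10:01:00Z,005C3,203.0.113.9,Browser,Application,Invalid Password
2025-09-01T11:45:12Z,005D4,192.0.2.40,Data Loader,Application,Success
2025-09-01T12:30:00Z,005E5,203.0.113.200,Drift,Remote Access 2.0,Success
"""


@dataclass
class Finding:
    rule: str
    user_id: str
    source_ip: str
    application: str
    detail: str


def parse_logins(csv_text: str) -> list[dict]:
    """Parse a LoginHistory-style CSV export into one dict per login."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def triage(records, ioc_ips=IOC_IPS, bulk_apps=BULK_APPS) -> list[Finding]:
    """Apply two rules to each login and return findings for analyst review."""
    findings = []
    for r in records:
        ip, app, user = r["SourceIp"], r["Application"], r["UserId"]
        # Rule 1: source IP is on the indicator list. The FBI asks that
        # indicators be vetted before blocking, so this is a review item,
        # and failed logins count too: they show the address probing the org.
        if ip in ioc_ips:
            findings.append(Finding(
                "ioc_ip", user, ip, app,
                f"{r['Status']} login from listed indicator; vet before blocking"))
        # Rule 2: a bulk-export tool authenticated from outside corporate
        # egress, the pattern behind the Data Loader abuse described above.
        if app in bulk_apps and r["Status"] == "Success" and not _is_corporate(ip):
            findings.append(Finding(
                "bulk_tool_external_ip", user, ip, app,
                "bulk tool from non-corporate address; check export volume"))
    return findings


def connected_app_inventory(records) -> dict[str, set[str]]:
    """Map each OAuth connected app seen in the logins to the IPs it used,
    as a starting point for the third-party integration review."""
    inventory = defaultdict(set)
    for r in records:
        # "Remote Access 2.0" is assumed here to be the OAuth login type label.
        if r["LoginType"] == "Remote Access 2.0":
            inventory[r["Application"]].add(r["SourceIp"])
    return dict(inventory)


def users_with_findings(findings) -> Counter:
    """Count findings per user so the most exposed accounts surface first."""
    return Counter(f.user_id for f in findings)


if __name__ == "__main__":
    recs = parse_logins(SAMPLE_LOGINS)
    for f in triage(recs):
        print(f"[{f.rule}] user={f.user_id} ip={f.source_ip} "
              f"app={f.application}: {f.detail}")
    print("OAuth connected apps seen:", connected_app_inventory(recs))
    print("Findings per user:", users_with_findings(triage(recs)))
```

On the sample data the pass flags three logins from listed indicators (one of them a failed password attempt, still worth knowing about) and one Data Loader session from a non-corporate address, while the Data Loader session from inside the corporate range produces nothing. The connected-app inventory lists the Drift integration and the address it authenticated from, which is the list an administrator would walk through when deciding which OAuth grants to revoke.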
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.