I'm posting some more information here that I received from the Google Threat Intelligence Group (GTIG). Its security experts have come across a campaign by the hacker group UNC6040 that uses voice phishing (vishing) to compromise Salesforce instances and steal data.
What is vishing?
Vishing (short for "voice phishing") is a form of telephone fraud in which fraudsters attempt to obtain sensitive information such as login details, credit card numbers or bank details via telephone calls or voice messages.
Vishers use spoofed caller IDs, voice-altering software, text messages and social engineering to trick their victims into revealing confidential information. The scammers typically pose as a trustworthy institution (a bank, a vendor, the company's own IT department) to gain the victim's trust.
UNC6040 Salesforce Vishing
Salesforce is a US provider of cloud solutions and is considered the world's largest cloud software provider for businesses. Among its tools is the Data Loader, a client application for the mass import and export of data: it inserts, updates, deletes or exports Salesforce records in bulk. That bulk-export capability is exactly what makes a rogue copy of it attractive to attackers.
UNC6040, a cybercriminal group that specializes in vishing, calls employees while posing as IT support staff and talks them into installing or authorizing a modified Data Loader application (not published or authorized by Salesforce) against the company's Salesforce environment.
Once such a Data Loader variant has been authorized, it acts with the victim's access rights, and UNC6040 uses it to query and export sensitive data from the Salesforce environment. Credentials obtained during the same call are then used to move into other cloud services and internal company networks.
Salesforce warns of this attack
Salesforce has already responded: its guidance on protecting Salesforce environments describes exactly this methodology, the abuse of Data Loader functions through modified apps. It is therefore not a Salesforce vulnerability that leads to accounts being compromised, but classic social engineering of a user who is then tricked into granting access.
Probably 20 organizations affected
The Google Threat Intelligence Group (GTIG) estimates that a limited number of organizations, around 20, have been affected by these activities so far. The UNC6040 campaign began a few months ago and, according to the statement, is still active.
According to the GTIG experts, UNC6040 is "opportunistic", i.e. it goes after whichever organizations it can reach rather than a fixed target list. Affected industries include hospitality, retail, education and various other sectors in Europe and the Americas.
Organizations compromised in this way are in some cases only extorted months after the initial breach. According to the experts, this could indicate that UNC6040 has partnered with a second threat actor who monetizes the stolen data.
GTIG states that the UNC6040 actors claimed affiliation with other groups such as ShinyHunters during extortion attempts, presumably to increase the pressure on the victims.
The GTIG experts, however, point in a different direction. They have identified extensive overlaps between the infrastructure and TTPs (tactics, techniques and procedures) of UNC6040 and the activities of the underground community "The Com". A loose association of cybercriminals is therefore suspected; UNC3944 / Scattered Spider is part of the same ecosystem.
According to GTIG's observations, UNC6040 also uses Okta-themed phishing panels and asks victims directly for MFA (multi-factor authentication) codes during the call. Mullvad VPN IP addresses have been observed as the source of the data exfiltration.
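The pattern described above (a user authorizes an unfamiliar client app, a bulk export follows shortly afterwards, and the traffic comes from a commercial VPN) is something a defender can hunt for in Salesforce login and API activity logs. The following script is an added example written for this post; it is not code from GTIG or Salesforce. The log records are constructed, and their field names (`ts`, `user`, `type`, `app`, `ip`, `rows`) are an assumption loosely modelled on what Salesforce login history and event monitoring exports contain; map them to your own export. The approved-app list, the row threshold and the VPN ranges (RFC 5737 test networks) are placeholders too; in production, load the relay addresses that Mullvad publishes instead of the placeholder range.

```python
"""Hunt Salesforce activity logs for the UNC6040 rogue-Data-Loader pattern.

Added example, not from the GTIG report or from Salesforce. All sample
records below are constructed; field names are an assumption.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Placeholders an org must set for itself (assumptions for this example).
APPROVED_APPS = {"Data Loader", "Salesforce for iOS", "Salesforce Chrome Extension"}
EXPORT_ROW_THRESHOLD = 50_000          # exports at or above this are "large"
WINDOW = timedelta(minutes=30)         # export this soon after a new app is suspicious

# Placeholder VPN ranges (RFC 5737 TEST-NET-2). Replace with the relay list
# that Mullvad publishes plus any other VPN/proxy ranges you track.
VPN_RANGES = [ip_network("198.51.100.0/24")]

# Constructed sample log: one user authorizes an unknown client app from a
# VPN address and exports 250k rows minutes later; another user does a
# routine small export with the legitimate Data Loader.
SAMPLE_EVENTS = [
    {"ts": "2025-05-14T09:02:11Z", "user": "jdoe@example.com", "type": "login",
     "app": "Salesforce for iOS", "ip": "203.0.113.5", "rows": 0},
    {"ts": "2025-05-14T09:40:00Z", "user": "jdoe@example.com", "type": "login",
     "app": "Ticket Portal Loader", "ip": "198.51.100.77", "rows": 0},
    {"ts": "2025-05-14T09:46:30Z", "user": "jdoe@example.com", "type": "bulk_export",
     "app": "Ticket Portal Loader", "ip": "198.51.100.77", "rows": 250_000},
    {"ts": "2025-05-14T11:00:00Z", "user": "ops@example.com", "type": "bulk_export",
     "app": "Data Loader", "ip": "203.0.113.9", "rows": 1_200},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_vpn_ip(ip):
    """True if the source address falls inside a tracked VPN range."""
    addr = ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def hunt(events):
    """Return deduplicated (rule, user, detail) findings in time order.

    Rules: client app not on the allowlist, source IP in a VPN range,
    export above the row threshold, and export within WINDOW of the first
    time this user was seen with that client app (the vishing sequence).
    """
    findings = []
    first_seen = {}  # (user, app) -> first login time seen with that app
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        t = parse_ts(e["ts"])
        key = (e["user"], e["app"])
        if e["type"] == "login":
            first_seen.setdefault(key, t)
        if e["app"] not in APPROVED_APPS:
            findings.append(("unapproved_app", e["user"], e["app"]))
        if is_vpn_ip(e["ip"]):
            findings.append(("vpn_source", e["user"], e["ip"]))
        if e["type"] == "bulk_export":
            if e["rows"] >= EXPORT_ROW_THRESHOLD:
                findings.append(("large_export", e["user"], e["rows"]))
            t0 = first_seen.get(key)
            if t0 is not None and t - t0 <= WINDOW:
                findings.append(("export_after_new_app", e["user"], e["app"]))
    return list(dict.fromkeys(findings))  # drop repeats, keep first-seen order


def users_to_escalate(findings, min_rules=2):
    """Users that tripped at least `min_rules` distinct rules; one hit alone
    is noise (a legitimate Data Loader job can be large), the combination is not."""
    per_user = {}
    for rule, user, _ in findings:
        per_user.setdefault(user, set()).add(rule)
    return sorted(u for u, rules in per_user.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
    print("escalate:", users_to_escalate(hunt(SAMPLE_EVENTS)))
```

The correlation in `users_to_escalate` is the part worth keeping: a single large export or a single VPN login is common in a real org, but an unapproved client app, a VPN source and a bulk export by the same user inside half an hour is the sequence this campaign produces and is rare in legitimate use.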