The FBI has issued alerts on cyber threats from groups UNC6040 and UNC6395 targeting Salesforce platforms through various attack methods, including OAuth token exploitation and vishing campaigns. Companies like Salesloft and organizations using Salesforce are advised to enhance their security measures, as threat actors continue to execute data theft and extortion tactics. #UNC6040 #UNC6395 #Salesloft #ShinyHunters #LAPSUS$ #DataTheft
Keypoints
- The FBI warns of cyberattacks by UNC6040 and UNC6395 targeting Salesforce environments.
- UNC6395 exploited a GitHub breach to access Salesloftβs Salesforce instances in August 2025.
- UNC6040 has been conducting vishing campaigns and using custom scripts for data exfiltration since October 2024.
- Threat actors affiliated with ShinyHunters may plan to launch a data leak site to increase extortion pressure.
- The cybercriminal groups are known to rebrand and re-emerge, requiring ongoing vigilance from organizations.
Read More: https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html