Google: Hackers target Salesforce accounts in data extortion attacks

Google reports that hackers impersonating ShinyHunters are targeting multinational companies with social engineering attacks to steal Salesforce data, then moving laterally to access additional platforms. The threat group exploits OAuth vulnerabilities via voice phishing, leading to potential data exfiltration and extortion. #ShinyHunters #UNC6040

Key points

  • Hackers impersonate IT support to trick employees into installing malicious Salesforce Data Loader applications.
  • The attack targets English-speaking employees using voice phishing tactics.
  • Threat actors use modified Data Loader apps to export Salesforce data and move laterally to other platforms like Okta and Microsoft 365.
  • Data exfiltration is often followed by extortion attempts claiming affiliation with the ShinyHunters group.
  • Google recommends restricting API permissions, limiting app installations, and blocking VPNs to prevent such attacks.

Read More: https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/