Google Warns of Vishing, Extortion Campaign Targeting Salesforce Customers

A voice phishing threat actor, UNC6040, is targeting Salesforce users through social engineering to steal data and conduct extortion campaigns. The attacks involve impersonating IT support to trick employees into granting unauthorized access, leading to data exfiltration and lateral movement across cloud services. #UNC6040 #ShinyHunters #ScatteredSpider #SalesforceDataLoader

Key points

  • UNC6040 primarily uses social engineering without exploiting Salesforce vulnerabilities.
  • The threat actor impersonates IT support staff to manipulate employees into granting access.
  • Attackers exfiltrate data via Salesforce’s Data Loader and move laterally to other platforms.
  • The campaign has affected approximately 20 organizations across various sectors in the Americas and Europe.
  • There are links between UNC6040 and other cybercrime groups like ShinyHunters and The Com.

Read More: https://www.securityweek.com/google-warns-of-vishing-extortion-campaign-targeting-salesforce-customers/