UNC6040 is a threat group conducting voice phishing (vishing) campaigns to breach Salesforce environments and steal large volumes of sensitive data for extortion purposes. Their attacks involve impersonating IT support to trick employees into authorizing malicious apps, enabling data exfiltration and lateral network movement. #UNC6040 #Salesforce #ShinyHunters
Key points
- UNC6040 specializes in vishing attacks targeting Salesforce organizations to access and steal sensitive customer and operational data.
- The group impersonates IT support via live and automated phone calls to manipulate employees into installing a malicious version of Salesforce’s Data Loader.
- Authorized malicious apps allow attackers to access the Salesforce environment and laterally move to other platforms like Okta, Workplace, and Microsoft 365.
- Approximately 20 organizations across multiple sectors in the Americas and Europe have been impacted by UNC6040’s opportunistic campaigns.
- UNC6040’s tactics overlap with cybercrime collective The Com but focus specifically on Salesforce data theft and delayed extortion attempts claiming affiliation with ShinyHunters.
- Salesforce acknowledged these attacks are social engineering-based with no platform vulnerabilities involved and published guidance to mitigate risks.
- Recommended defenses include employee education, strict app authorization policies, behavioral monitoring, Zero Trust implementation, and phishing-resistant MFA.
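As an added illustration of the behavioral-monitoring recommendation above (example code written for this summary, not from Varonis or Salesforce): a small Python detector over constructed audit events that flags a user who authorized a connected app outside an allowlist and then pulled a large row count through that same app within a short window. The event field names, thresholds, sample records and the allowlist are assumptions, not a real Salesforce log schema.

```python
"""Flag users who authorized a non-allowlisted connected app and then exported
large row counts through it shortly afterwards (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names only loosely mirror
# Salesforce Setup Audit Trail / EventLogFile fields and are assumed here.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T14:05:00Z", "user": "jdoe", "type": "oauth_authorize",
     "app": "My Ticket Portal", "rows": 0},
    {"ts": "2025-06-02T14:09:00Z", "user": "jdoe", "type": "api_query",
     "app": "My Ticket Portal", "rows": 60000},
    {"ts": "2025-06-02T14:12:00Z", "user": "jdoe", "type": "api_query",
     "app": "My Ticket Portal", "rows": 85000},
    {"ts": "2025-06-02T09:00:00Z", "user": "asmith", "type": "oauth_authorize",
     "app": "Approved BI Tool", "rows": 0},
    {"ts": "2025-06-02T16:00:00Z", "user": "asmith", "type": "api_query",
     "app": "Approved BI Tool", "rows": 200},
]

ALLOWLIST = {"Approved BI Tool"}      # assumed: apps vetted by the security team
WINDOW = timedelta(hours=2)           # assumed: authorize-then-export window
ROW_THRESHOLD = 100_000               # assumed: rows pulled before we alert


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_exports(events, allowlist=ALLOWLIST,
                            window=WINDOW, threshold=ROW_THRESHOLD):
    """Return (user, app, total_rows) for every user/app pair where the app is
    not allowlisted and the rows exported within `window` of the user
    authorizing it exceed `threshold`."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    authorized = {}                 # (user, app) -> time of OAuth authorization
    exported = defaultdict(int)     # (user, app) -> rows pulled inside window
    for e in events:
        key = (e["user"], e["app"])
        if e["type"] == "oauth_authorize" and e["app"] not in allowlist:
            authorized[key] = parse_ts(e["ts"])
        elif e["type"] == "api_query" and key in authorized:
            if parse_ts(e["ts"]) - authorized[key] <= window:
                exported[key] += e["rows"]
    return [(u, a, n) for (u, a), n in exported.items() if n > threshold]


if __name__ == "__main__":
    for user, app, rows in find_suspicious_exports(SAMPLE_EVENTS):
        print(f"ALERT: {user} exported {rows} rows via new app '{app}'")
```

In a real deployment the same logic would run over Setup Audit Trail entries and API/Bulk API event logs, with the allowlist sourced from the org's connected-app approval policy.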
MITRE Techniques
- [T1386] Spearphishing via Service – UNC6040 uses phone-based social engineering calls impersonating IT support to trick employees into installing malicious applications (“…impersonating IT support personnel in convincing phone-based social engineering attacks…”).
- [T1566.002] Phishing: Spearphishing Link – Attackers direct victims to authorize malicious connected apps in Salesforce (“Victims are guided to Salesforce’s connected app setup page and asked to authorize the malicious app…”).
- [T1078] Valid Accounts – The group harvests credentials to access Salesforce and lateral systems such as Okta and Microsoft 365 (“UNC6040 moves laterally across the network, targeting other platforms and harvesting credentials…”).
- [T1046] Network Service Scanning – UNC6040 uses automated phone systems to gather reconnaissance data, including internal application names and contacts (“These systems help them gather reconnaissance… before engaging targets directly.”).
- [T1036.005] Masquerading: Match Legitimate Name or Location – Malicious Data Loader tools disguised as “My Ticket Portal” to evade suspicion (“The malicious version is often disguised under a different name like, ‘My Ticket Portal.’”).
Indicators of Compromise
- [File Names] Malicious app disguised as Salesforce Data Loader – example: “My Ticket Portal”
- [TTP] Vishing phone calls impersonating IT support – live calls and automated phone systems with pre-recorded messages
Read more: https://www.varonis.com/blog/salesforce-vishing-threat-unc604