
Salesforce App Hijacked by Hackers: Google Reveals Data Exfiltration Exploit

By Thomas Morgan & Peter Chittum

Hackers have stolen large amounts of data by tricking employees at companies into installing a modified version of a Salesforce-related app, reports say.

Google’s Threat Intelligence Group (GTIG) discovered the hackers yesterday, claiming that a fake Salesforce Data Loader app tricked many across Europe and the Americas into exporting their company data to the group, according to Reuters.

How Did This Happen?

In what’s been described as an active campaign, the group of hackers, which Google has named UNC6040, used voice phishing (vishing) over the phone against English-speaking branches of multinational corporations that use Salesforce, persuading employees to install the deceptive app and thereby compromising their data.

Google stressed that, in all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.

The hackers tricked victims into opening the connected apps setup page and entering a code, linking a malicious, attacker-controlled replica of the Data Loader app – a tool used for importing, exporting, and bulk managing Salesforce data – to their Salesforce environment, Reuters reported. 

Once downloaded by employees, this rogue app granted hackers extensive access, enabling them to query and exfiltrate sensitive data directly from compromised Salesforce customer accounts.

A researcher from GTIG told CSO: “In one instance, a threat actor used small chunk sizes for data exfiltration from Salesforce but was only able to retrieve approximately 10% of the data before detection and access revocation. In another case, numerous test queries were made with small chunk sizes initially. Once sufficient information was gathered, the actor rapidly increased the exfiltration volume to extract entire tables.”
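As an added, defender-side illustration (not code from the article, from GTIG, or from Salesforce), the Python sketch below runs three checks against constructed activity records modelled loosely on the behaviour described above: an allowlist check on the connected app's consumer key (the rogue app was a replica presented as the Data Loader, so the display name alone proves nothing), a probe-then-burst detector for the small-chunk-then-whole-table pattern in the GTIG quote, and a rolling-window volume detector for the slower small-chunk variant that only yielded around 10% of the data before revocation. The record layout, usernames, consumer keys, timestamps and row counts are all constructed placeholders and are not Salesforce's real event log schema.

```python
"""Constructed detection example for the two behaviours described above.

The record layout is a deliberately simplified stand-in for Salesforce
activity data (it is NOT the real EventLogFile or SetupAuditTrail schema).
All events below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Event:
    ts: int        # minutes since midnight (constructed timestamp)
    user: str      # Salesforce username performing the action
    kind: str      # "app_authorized" (a connected app was linked) or "query"
    app_name: str  # display name shown to the user; a rogue app can pick any name
    app_id: str    # OAuth consumer key of the connected app (constructed placeholder)
    rows: int = 0  # rows returned, query events only


# Consumer keys of connected apps the org has actually vetted (assumed allowlist).
APPROVED_APP_IDS = {"CONSUMER_KEY_OFFICIAL_DATA_LOADER"}


def unapproved_authorizations(events, approved=APPROVED_APP_IDS):
    """Authorizations whose consumer key is not on the allowlist.

    Keying on app_id rather than app_name matters: the replica in this
    campaign presented itself as the Data Loader, so a name match is worthless.
    """
    return [e for e in events
            if e.kind == "app_authorized" and e.app_id not in approved]


def _queries_by_user(events):
    """Group query events per user, ordered by time."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "query":
            by_user[e.user].append(e)
    return by_user


def exfil_ramps(events, min_probe_queries=3, ratio=10):
    """Probe-then-burst: after at least min_probe_queries queries, one query
    returns at least `ratio` times the median row count of everything before it."""
    hits = []
    for qs in _queries_by_user(events).values():
        for i in range(min_probe_queries, len(qs)):
            baseline = median(q.rows for q in qs[:i])
            if baseline > 0 and qs[i].rows >= ratio * baseline:
                hits.append(qs[i])
    return hits


def volume_over_window(events, window_minutes=60, max_rows=50_000):
    """Rows exported per user within any rolling window above max_rows.

    Catches the slow, small-chunk variant that never produces a burst.
    Returns {user: largest window total that exceeded the limit}.
    """
    hits = {}
    for user, qs in _queries_by_user(events).items():
        start, total = 0, 0
        for q in qs:
            total += q.rows
            while q.ts - qs[start].ts > window_minutes:   # evict events outside the window
                total -= qs[start].rows
                start += 1
            if total > max_rows:
                hits[user] = max(hits.get(user, 0), total)
    return hits


OFFICIAL, ROGUE = "CONSUMER_KEY_OFFICIAL_DATA_LOADER", "CONSUMER_KEY_ROGUE_REPLICA"

# Constructed sample day. admin.b links a replica named "Data Loader", probes with
# small chunks, then pulls a whole table. admin.c is a normal user. admin.d drips
# 1,500 rows a minute for 90 minutes through the legitimate app.
SAMPLE_EVENTS = [
    Event(540, "admin.a", "app_authorized", "Data Loader", OFFICIAL),
    Event(545, "admin.b", "app_authorized", "Data Loader", ROGUE),
    Event(550, "admin.b", "query", "Data Loader", ROGUE, rows=200),
    Event(552, "admin.b", "query", "Data Loader", ROGUE, rows=200),
    Event(554, "admin.b", "query", "Data Loader", ROGUE, rows=250),
    Event(556, "admin.b", "query", "Data Loader", ROGUE, rows=200),
    Event(560, "admin.b", "query", "Data Loader", ROGUE, rows=120_000),
] + [
    Event(600 + 10 * i, "admin.c", "query", "Data Loader", OFFICIAL, rows=2_000)
    for i in range(5)
] + [
    Event(700 + m, "admin.d", "query", "Data Loader", OFFICIAL, rows=1_500)
    for m in range(91)
]


if __name__ == "__main__":
    for e in unapproved_authorizations(SAMPLE_EVENTS):
        print(f"unvetted connected app '{e.app_name}' ({e.app_id}) linked by {e.user}")
    for e in exfil_ramps(SAMPLE_EVENTS):
        print(f"burst: {e.user} pulled {e.rows} rows at t={e.ts} after small probes")
    for user, total in volume_over_window(SAMPLE_EVENTS).items():
        print(f"volume: {user} exported {total} rows inside one hour")
```

In a real org the equivalent signals come from Salesforce's Setup Audit Trail (connected app changes) and Event Monitoring log files (API and bulk activity); the thresholds and window here are illustrative and would need tuning to the org's normal export volumes, and the consumer-key allowlist assumes admins pre-approve connected apps rather than letting users self-authorize.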

After successfully breaching Salesforce, UNC6040 moved on to other cloud platforms such as Okta, Microsoft 365, and Workplace, reports say.

Researchers also noted that extortion attempts sometimes emerged months after the initial intrusion, with attackers claiming connections to the notorious ShinyHunters group, likely to amplify pressure. The delayed extortion hints that UNC6040 may be transferring or selling stolen data to other cybercriminals who then exploit it for extortion, resale, or additional attacks.

According to GTIG findings, UNC6040 could be part of a broader criminal ecosystem in which multiple groups coordinate different stages of cyberattacks. This conclusion arises from observed similarities in tactics, techniques, and procedures between UNC6040 and threat actors associated with a loosely affiliated collective called “The Com,” which also includes Scattered Spider.

A GTIG spokesperson said that companies have been impacted by the UNC6040 campaign, with a subset of them having their data already successfully exfiltrated. 

A Salesforce spokesperson said: “Salesforce has enterprise-grade security built into every part of our platform, and there’s no indication the issue described stems from any vulnerability inherent to our services. Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.

“Security is a shared responsibility, and we provide customers with tools, guidance, and security features like Multi-Factor Authentication and IP restrictions to help defend against evolving threats.”

Salesforce Admins Targeted

Adding a new connected app requires elevated permissions that are typically assigned to a Salesforce administrator. The fact that multiple high-profile companies fell victim to such a social engineering attack raises serious questions as to the support and training that is being given to critical employees with the keys to Salesforce environments.

On the back of this, every CIO in the Salesforce install base should be considering investment in security training for their Salesforce team, and Salesforce administrators themselves should be asking whether they might be next.

It doesn’t take much to imagine how Salesforce admins, proud of their accomplishments and advertising their skills on LinkedIn, could have been identified and systematically targeted as part of this campaign.

Final Thoughts

While this may not be Salesforce’s fault, it’s a stark reminder to remain vigilant about what modern-day hacking looks like and the approaches these groups are taking to access company information.

For more information, check out Salesforce’s article on protecting your Salesforce environment from social engineering attacks.

Have you been affected by the hack? Email us at tips@salesforceben.com

The Authors

Thomas Morgan

Thomas is a Content Editor at Salesforce Ben.

Peter Chittum

Peter is Technical Content Director at Salesforce Ben.


Comments:

Carl
June 23, 2025 5:07 pm
Note that the Apex Data Loader is not a Salesforce app and it does not get installed in the Salesforce environment. It is a desktop app which uses an API to interact with a Salesforce org. Thus it is not inherently Salesforce and it can't be accidentally installed in Salesforce nor left there. Presumably the hackers are able to either access data only when the user is using it, or read the passwords of the Data Loader users and then access SF when the user ISN'T using it.