Google announced last week that they have been targeted by a threat group following a series of Salesforce-related data breaches. The actor has claimed affiliation with the well-known hacking group, ShinyHunters (aka UNC6240) – likely as a method to increase pressure on their victims.
This breach comes amid an ongoing wave of Salesforce-related hacking incidents over the past week, with Chanel, Qantas, Adidas, Victoria’s Secret, and many others all facing socially engineered attacks.
In response, Salesforce has released an advisory statement clarifying that Salesforce itself has not been compromised and that it will continue to support its customers’ security posture.
Note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of every connected app, removing any unused or unknown apps, restricting access to the remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published this article to help.
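One way to carry out the connected-app audit described in the note above, as an added example that is not code from Salesforce Ben or Salesforce: it assumes an export of the standard OauthToken object (the fields AppName, UserId, LastUsedDate and UseCount are assumed, for instance from a `sf data query --json` run) and an allowlist of approved app names; the sample records below are constructed. It flags tokens for apps not on the allowlist (exact-name match, so a lookalike name is caught) and tokens that have not been used within a chosen window.

```python
from datetime import datetime, timedelta, timezone

# Connected apps the org has approved (assumed allowlist). Matching is on the
# exact name, so a lookalike such as "Data Loader (v2)" is reported as unknown.
APPROVED_APPS = {"Salesforce Data Loader", "Salesforce for Outlook"}

# Constructed sample export of OauthToken records (not real org data).
SAMPLE_RECORDS = [
    {"AppName": "Salesforce Data Loader", "UserId": "005EXAMPLE00000001",
     "LastUsedDate": "2025-08-05T09:12:00.000+0000", "UseCount": 42},
    {"AppName": "Data Loader (v2)", "UserId": "005EXAMPLE00000002",
     "LastUsedDate": "2025-08-06T14:03:00.000+0000", "UseCount": 3},
    {"AppName": "Salesforce for Outlook", "UserId": "005EXAMPLE00000003",
     "LastUsedDate": "2024-11-20T08:00:00.000+0000", "UseCount": 7},
    {"AppName": "Salesforce for Outlook", "UserId": "005EXAMPLE00000004",
     "LastUsedDate": None, "UseCount": 0},
]

# Fixed reference time so the audit is reproducible (assumed for the example).
AUDIT_NOW = datetime(2025, 8, 11, tzinfo=timezone.utc)


def parse_sf_datetime(value):
    """Parse the ISO-8601 form Salesforce returns for datetimes; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_tokens(records, approved=APPROVED_APPS, now=None, stale_days=90):
    """Return one finding per token whose app is unknown or whose use is stale."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for rec in records:
        app, user = rec["AppName"], rec["UserId"]
        if app not in approved:
            findings.append({"app": app, "user": user, "reason": "unknown app"})
            continue
        last = parse_sf_datetime(rec.get("LastUsedDate"))
        if last is None or last < cutoff:  # never used, or unused past the window
            findings.append({"app": app, "user": user, "reason": "stale"})
    return findings


if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_RECORDS, now=AUDIT_NOW):
        print(f"{f['reason']:<12} {f['app']:<25} user={f['user']}")
```

Each finding is a token to review with its owner: unknown apps are candidates for removal, and stale tokens are candidates for revocation before tightening who may install connected apps.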
How Were Google Infiltrated?
Google’s recent breach could be viewed as ironic, given that its threat intelligence group (GTIG) was the first to draw attention to ShinyHunters’ known tactics.
GTIG detailed that Salesforce users were being socially engineered into installing malicious connected apps, most notably a fake Data Loader app, which gave the attackers access to the org and allowed them to extract sensitive data.
This is often done through voice phishing (vishing), a type of cyberattack that uses phone calls to trick victims into revealing sensitive information or taking harmful actions. The group poses as IT support and talks employees through the malicious steps.
Speaking to Salesforce Ben, Google have confirmed that the attack impacted a small amount of information in their instance and that it has since been rectified.
“This event affected a limited set of data in one of Google’s corporate Salesforce instances used to communicate with prospective Ads customers,” a spokesperson said.
“The affected system contained basic business contact information such as business name, phone number, and related notes. Google Security teams have assessed the instance, and mitigations have been put in place. Google systems were not accessed, and there is no impact to data contained in Google Products, or to Google Cloud. We will continue to update our blog post as more information becomes available.”
Google also confirmed that all impacted customers have been informed.
This incident marks one of the most high-profile instances yet of a security team publicly warning about a threat actor’s tactics, only to be successfully targeted by them. It also raises the question: if a group like ShinyHunters can compromise an organization with Google’s resources, what hope do smaller companies have of defending themselves against a similar campaign?
ShinyHunters: “Next Time It’s Going to Be Much Much Worse”
This ongoing wave of attacks has already impacted several large companies that use Salesforce, but according to ShinyHunters themselves, this may only be the start of a long-term mission with even worse consequences.
Speaking to Databreaches.net, a spokesperson for the group claimed that their vishing approach was impenetrable, despite current efforts by law enforcement to identify their voices.
“Even the NSA (National Security Agency) can’t stop or identify us anymore,” the spokesperson said. “Those are AI-generated voices. For example, they won’t be able to locate anyone based off background noises such as powerline humming noise that you can’t hear. They can’t cross-reference the power companies’ logs with the time frames of us calling these companies.
“They can use such information to get an approximate location, but in our case, not possible. Forget about triangulation technology, too; that wouldn’t work. We were providing state-of-the-art SIP providers.”
The spokesperson also expressed confidence about the recent Google breach and suggested that a more malevolent plan could be in the works.
“If trillionaires like Google can’t stop us, then billionaires are nothing. Law enforcement doesn’t have such funding or massive budgets either. They will forget about us in a month or two once we’re done. Then we’ll come back and launch another several-month to year-long sophisticated campaign. Next time it’s going to be much, much worse.”
So far, reports suggest that the type of data being obtained is largely personal data – names, phone numbers, email addresses, company names, etc. There has not yet been any suggestion that ShinyHunters have taken financial data or any sensitive internal documentation that could pose an immediate and severe operational risk.
A more damaging breach, of the kind the group is hinting at, could involve the theft of payment details, authentication credentials, or proprietary corporate intelligence – the kind of information that could easily be weaponized. This “campaign” may well be only the beginning of a much larger exploitation event.
What Can Salesforce Do About It?
This recent wave of breaches leaves Salesforce in a rather difficult position. Salesforce did not create this problem, nor does it have anything in particular to fix. But it’s still the company’s name in headlines next to the words “breach”, “attack”, and “theft”, all of which carry reputational risk.
In the wake of Google’s announcement – which is arguably the most significant so far – Salesforce released a short advisory message guiding users towards their best practices help page.
“As social engineering and phishing threats continue to rise, our top priority is to help customers strengthen their security posture.
“We encourage all customers to review our blog post on key platform features and best practices, including enabling multi-factor authentication (MFA), enforcing the principle of least privilege, and carefully managing connected applications.”
The CRM giant also emphasized that it is not Salesforce itself that has been compromised.
“The Salesforce platform has not been compromised, and this issue is not due to any known vulnerability in our technology. We know how disruptive and stressful these incidents can be, and our teams are fully engaged to support affected customers and help minimize any impact. If you have questions about your Salesforce security settings or need support, please reach out to Salesforce Support via the Help portal.”
While many may look to Salesforce for help or comment, their position is more like that of a landlord whose tenants are leaving their doors unlocked – there’s only so much they can do.
However, as these incidents continue to surface and grow in scale, it will be interesting to see what steps the company might take to address the issue or distance their name from the fallout entirely.
Final Thoughts
As this campaign continues to take shape, be sure to follow Salesforce’s current recommended steps on their help page, and speak openly with your team if you feel as though you may have been targeted.
We recently discussed on Salesforce Ben that many of these social engineering attacks may have taken place months ago, with the breaches only being executed now. This delay means some organizations might be sitting on compromised accounts without realizing it, making ongoing vigilance just as important as immediate action.
Staying proactive, regularly reviewing access logs, and reinforcing security awareness within your team could be the difference between catching a breach early and becoming the next headline.