Google’s Salesforce Instances Compromised in Targeted Cyberattack

In August 2025, Google confirmed that one of its corporate Salesforce instances had been compromised in June 2025 by the threat group it tracks as UNC6040. The intrusion was part of a broader campaign against Salesforce customers that relies on voice phishing (vishing) rather than any software vulnerability: the attackers talk an employee into granting access, exfiltrate data, and then extort the organization.

Details of the Breach

The attackers used vishing calls to persuade Google employees to authorize a malicious connected application, typically a modified version of Salesforce's Data Loader tool. Because the app was approved by a legitimate, authenticated user, no exploit was needed. The approval gave the attackers access to contact information and notes on small and medium-sized businesses stored in the instance; the data they retrieved consisted mainly of business names and contact details, much of it already publicly available. Google revoked the app's access, carried out an impact analysis, and added further controls to prevent a recurrence.

UNC6040’s Evolving Tactics

UNC6040 has adapted its tooling over the course of the campaign. Early intrusions used Salesforce's own Data Loader for extraction; the group has since moved to custom Python scripts that replicate Data Loader's bulk-export functionality. Campaigns begin with vishing calls, with the attackers' follow-on activity frequently routed through Mullvad VPN or Tor exit nodes, to collect credentials or have the victim approve a connected app, after which data extraction is automated. Notably, the group has shifted from registering its malicious apps with throwaway trial webmail accounts to registering them through compromised accounts at unrelated organizations, which complicates both detection and attribution.

Extortion Strategies

After exfiltration, UNC6040 demands payment in Bitcoin within 72 hours. The demands typically arrive by email from addresses such as shinycorp@tuta[.]com or shinygroup@tuta[.]com, and the group falsely claims affiliation with the well-known ShinyHunters extortion crew to increase pressure on victims. There is concern that UNC6040 may escalate further by launching a data leak site to publish data stolen in recent intrusions, including those against Salesforce environments.

Connection to The Com Collective

UNC6040's infrastructure overlaps with elements linked to The Com, a loosely organized collective known for similar social engineering. The actors target English-speaking employees at multinational companies, impersonating IT support over the phone to harvest credentials and gain access to identity and collaboration platforms such as Okta and Microsoft 365. In some cases they have renamed their tooling to match the pretext of the call, for example labeling a modified Data Loader "My Ticket Portal", which shows how carefully the lures are tailored.

Emphasis on Human Vulnerabilities

Google's Threat Intelligence Group (GTIG) stresses that these intrusions exploit people, not flaws in the Salesforce platform. Every step depends on a user being convinced to grant access, so the decisive controls are those that limit what a single persuaded user can authorize and that make unusual data movement visible, alongside employee awareness.

Recommended Security Measures

To mitigate the risk of similar attacks, organizations are advised to implement the following security measures:

– Principle of Least Privilege: Grant the "API Enabled" permission and Data Loader access only to the roles that genuinely need bulk import or export, and review those grants regularly.

– Rigorous Management of Connected Applications: Set connected app OAuth policies so that admin-approved users are pre-authorized and ordinary users cannot self-authorize unknown apps; periodically review installed connected apps and revoke any that are unrecognized.

– IP-Based Access Restrictions: Configure login IP ranges on profiles and enforce them for API access, so that a connected app authorized from a VPN or Tor exit address is rejected even if the user's approval was obtained.

– Universal Multi-Factor Authentication (MFA): Enforce MFA on every access path, including API and third-party app logins. Note the caveat: MFA does not by itself stop this attack, because the victim authenticates legitimately and then approves the attacker's app; it must be paired with the connected app and IP controls above.

– Advanced Monitoring: Use Salesforce Shield Event Monitoring to alert on large Bulk API or Data Loader exports, exports from unfamiliar client applications, and API calls from unexpected IP ranges, all of which were features of this campaign.

– Regular Audits and User Training: Audit permissions and connected apps on a schedule, and train employees to recognize vishing, in particular unsolicited "IT support" calls that ask them to read out a code or approve an application, and to report rather than comply.

By adopting these measures, organizations can strengthen their defenses against social engineering attacks and protect sensitive data from unauthorized access and potential extortion attempts.