Cyber Criminal Groups Compromising Salesforce Instances for Data Theft and Extortion

Description

Two cyber criminal groups, UNC6040 and UNC6395, are targeting organizations' Salesforce platforms for data theft and extortion. UNC6040 uses social engineering, particularly voice phishing, to gain access to Salesforce accounts. They trick employees into granting access or sharing credentials, then use API queries or malicious connected apps to exfiltrate data. UNC6395 exploits compromised OAuth tokens for the Salesloft Drift application to access Salesforce instances. Both groups have been observed exfiltrating large volumes of customer data. Victims of UNC6040 have received extortion emails demanding cryptocurrency payments to prevent data publication. The FBI has provided numerous IP addresses and other indicators of compromise associated with these groups, along with recommended mitigations to enhance security and prevent such attacks.