
The FBI has issued a flash alert warning that two threat clusters tracked as UNC6040 and UNC6395 are compromising organizations' Salesforce environments to steal data and extort the victims.
"The Federal Bureau of Investigation (FBI) Cyber Criminal Groups are releasing this FLASH to disseminate indicators of compromise (IOCs) associated with recent malicious cyber activities by UNC6040 and UNC6395, which are responsible for a rising number of data theft and extortion intrusions," reads the FBI flash advisory.
"Both groups have recently been observed targeting organizations' Salesforce platforms through various initial access mechanisms. The FBI is releasing this information to maximize awareness and provide IOCs that can be used by recipients for research and network defense."
UNC6040 was first disclosed by Google Threat Intelligence in June, which warned that since late 2024 the threat actor had been using social engineering and vishing attacks to trick employees into adding a malicious Salesforce Data Loader OAuth app to their company's Salesforce account.
In some cases, the threat actors impersonated corporate IT support staff and used renamed versions of the application, such as one called "My Ticket Portal".
Once the app was added, the threat actors used the OAuth application to exfiltrate corporate Salesforce data in bulk, which was then used in extortion attempts by the ShinyHunters extortion group.
In these early data theft attacks, ShinyHunters told BleepingComputer that they mainly targeted the "Account" and "Contact" database tables, both of which are used to store data about a company's customers.
These data theft attacks were widespread, affecting large and well-known companies such as Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co.
Later data theft attacks in August also targeted Salesforce customers, but this time stolen Salesloft Drift OAuth and refresh tokens were used to breach customers' Salesforce instances.
This activity has been tracked as UNC6395 and is believed to have taken place between August 8 and August 18, with the threat actors using the tokens to target support case information stored in the companies' Salesforce instances.
The exfiltrated data was then analyzed to extract secrets, credentials, and authentication tokens shared in support cases, including AWS keys, passwords, and Snowflake tokens. These credentials could be used to pivot into other cloud environments for further data theft.
Salesloft worked with Salesforce to revoke all Drift tokens, and customers had to reauthenticate on the platform.
It was later disclosed that the threat actors also stole Drift Email tokens, which were used to access email for a small number of Google Workspace accounts.
A Mandiant investigation traced the attack back to March, when Salesloft's GitHub repository was compromised, allowing the attackers to eventually steal the Drift tokens.
Like the previous attacks, these new Salesloft Drift data theft attacks affected many companies, including Cloudflare, Zscaler, Workiva, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and more.
While the FBI did not name the groups behind these campaigns, BleepingComputer was told by the ShinyHunters extortion group that they and other threat actors, collectively calling themselves "Scattered LAPSUS$ Hunters", are behind both clusters of activity.
This group of hackers claims overlapping membership with the LAPSUS$, Scattered Spider, and ShinyHunters extortion groups.
On Thursday, the threat actors announced through a domain associated with BreachForums that they planned to "go dark" and stop discussing the operation on Telegram.
However, in a farewell post, the hackers claimed to have breached the FBI's eCheck background check system and Google's Law Enforcement Request System, publishing screenshots as alleged proof.
If valid, this access would allow them to impersonate law enforcement and pull sensitive records on individuals.
When contacted by BleepingComputer, the FBI declined to comment, and Google did not respond to our email.