
An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks.
The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as “Scattered Lapsus$ Hunters”.
Today, they launched a new data leak site listing 39 companies impacted by the attacks. Each entry contains samples of data allegedly stolen from the victims' Salesforce instances and warns the victims to “stop” public disclosure of their data before the October 10 deadline is reached.
Companies being extorted on the data leak site include well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France and KLM.
“All of them were contacted long ago, they saw the email because I saw them downloading samples several times. Most of them did not disclose and ignored it,” ShinyHunters told BleepingComputer.
“We recommend you move forward with the correct decision, your organization can prevent the release of this data, can gain control over the situation and all operations can remain stable as usual. We recommend a decision-maker join, because we are presenting a clear and mutually beneficial opportunity to resolve the matter,” the threat actors warned on the leak site.
The threat actors also added a separate entry requesting that Salesforce pay a ransom to prevent the data of all affected customers (approximately 1 billion records) from being leaked.
“Should you comply, we will withdraw from any active or pending negotiation individually with your customers. Your customers will not be attacked again nor will they face us again, should you pay,” the entry says.
The extortion group also threatened the company, saying that it would help law firms pursue civil and commercial cases against Salesforce after the data breaches, and warned that the company had also failed to protect customers' data as required by the European General Data Protection Regulation (GDPR).

Scattered Lapsus$ Hunters has been targeting Salesforce customers with voice phishing attacks since the beginning of the year, affecting companies including Google, Tiffany & Co,
In these attacks, the threat actors tricked employees into connecting a malicious OAuth app to their company’s Salesforce instance. ShinyHunters told BleepingComputer that while a particular Salesforce instance could be targeted, it also included data for many subsidiaries, making the attacks more effective.
Once connected, the attackers stole the company’s databases and used the data to extort the victims via email. These extortion emails were signed by ShinyHunters, a notorious extortion group associated in recent years with a long string of high-profile breaches, including the Snowflake attacks and those on AT&T and PowerSchool.
ShinyHunters has also claimed to have used stolen tokens for Salesloft's Drift integration with Salesforce to steal sensitive information, including passwords, AWS access keys, and Snowflake tokens, from customers' Salesforce instances.
These attacks were tracked by Mandiant under a separate threat cluster called “UNC6395”, as it has been unable to formally attribute the breaches to this group.
On a Telegram channel associated with the extortion group, the threat actors claim that they will begin extorting companies affected by the Salesloft Drift attacks on a separate data leak site to be launched on October 10.
ShinyHunters previously told BleepingComputer that the Salesloft data theft attacks affected around 760 companies and resulted in the theft of 1.5 billion Salesforce records.
The Salesloft attacks are known to have impacted Google, Palo Alto Networks, CyberArk, Cloudflare, Rubrik, Elastic, BeyondTrust, Proofpoint, JFrog, Zscaler, Tenable, Nutanix, Qualys, and Cato Networks, among many others.

ShinyHunters claims that if a ransom is paid at this initial stage of extortion, companies will not be re-extorted under the Salesloft campaign.
“We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” Salesforce said in a statement published after ShinyHunters launched its data leak site.
“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
Update 03 October, 11:02 EDT: Salesforce statement added.


