FBI Shares IoCs for Recent Salesforce Intrusion Campaigns


The cybercrime groups tracked as UNC6040 and UNC6395 have been extorting organizations after stealing data from their Salesforce instances.

The FBI has shared indicators of compromise (IoCs) associated with two malicious campaigns targeting Salesforce customers for data theft and extortion.

The first campaign, attributed to a threat actor tracked as UNC6040 and ongoing for several months, relies on voice phishing (vishing) to convince employees at victim organizations to grant the attackers access to the Salesforce instance or to share credentials for the portal.

In some cases, the attackers guide the employee to approve a modified variant of the Salesforce Data Loader application, which grants the attackers access to the data stored in the Salesforce instance.

“UNC6040 threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls. After obtaining access, UNC6040 threat actors have then used API queries to exfiltrate large volumes ...


Copyright of this story solely belongs to securityweek.