Ethical Hacking News

FBI Issues FLASH Alert: Cybercriminal Groups UNC6040 and UNC6395 Steal Salesforce Data, Impersonate Law Enforcement



The FBI has issued a FLASH alert warning of two threat clusters, UNC6040 and UNC6395, which have been compromising organizations' Salesforce environments to steal data and extort victims. The threat actors behind these campaigns claim to be part of the ShinyHunters extortion group, also known as "Scattered Lapsus$ Hunters." These attacks have impacted numerous large companies, including Google, Adidas, Qantas, and many more. The FBI warned that both groups have been targeting organizations' Salesforce platforms via different initial access mechanisms.

  • FBI issues FLASH alert on two threat clusters, UNC6040 and UNC6395, targeting Salesforce environments to steal data and extort victims.
  • Threat actors claim to be part of the ShinyHunters extortion group, also known as "Scattered Lapsus$ Hunters."
  • Threat actors use social engineering and vishing attacks to trick employees into connecting malicious Salesforce Data Loader OAuth apps.
  • Data theft targets large companies, including Google, Adidas, Qantas, and others, with stolen information on customers.
  • Later attack uses stolen Salesloft Drift OAuth tokens to breach Salesforce instances and steal support case information.



The Federal Bureau of Investigation (FBI) has issued a FLASH alert warning of two threat clusters, tracked as UNC6040 and UNC6395, which have been compromising organizations' Salesforce environments to steal data and extort victims. The threat actors behind these campaigns claim to be part of the ShinyHunters extortion group, also known as "Scattered Lapsus$ Hunters." They also overlap with the Lapsus$, Scattered Spider, and other groups.

According to Google Threat Intelligence (Mandiant), UNC6040 was first disclosed in June 2024. Since then, threat actors have been using social engineering and vishing attacks to trick employees into connecting malicious Salesforce Data Loader OAuth apps to their company's Salesforce accounts. In some cases, the threat actors impersonated corporate IT support personnel and used a renamed version of the application called "My Ticket Portal." Once connected, the threat actors used the OAuth application to mass-exfiltrate corporate Salesforce data.

The initial data theft attacks targeted large and well-known companies, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co. The stolen data included sensitive information about customers, such as account details and contact information.

Later, in August 2025, the threat actors targeted Salesforce customers again, but this time used stolen Salesloft Drift OAuth and refresh tokens to breach customers' Salesforce instances. They stole support case information that was stored in Salesforce, including AWS keys, passwords, Snowflake tokens, and authentication credentials shared in support cases.

Salesloft worked with Salesforce to revoke all Drift tokens and required customers to reauthenticate to the platform. The investigation determined that the attack originated in March 2025, when Salesloft's GitHub repositories were compromised, allowing attackers to steal the Drift OAuth tokens.

The attack impacted numerous companies, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more. The FBI warned that both groups have been targeting organizations' Salesforce platforms via different initial access mechanisms.

The threat actors claimed to have gained access to the FBI's E-Check background check system and Google's Law Enforcement Request system, publishing screenshots as proof. However, when contacted by BleepingComputer, the FBI declined to comment, and Google did not respond to the email.

The FBI issued the FLASH advisory to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activity by the cybercriminal groups UNC6040 and UNC6395. The IOCs may be used by recipients for research and network defense. BleepingComputer was told that the ShinyHunters extortion group was behind both clusters of activity.

In a parting post, the hackers claimed to have gone dark but left behind evidence of their operations. This case highlights the importance of monitoring your organization's credentials and connected applications and staying informed about emerging threats.
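As an added defender-side example (not from the FBI alert or the reporting above), the following Python triage flags the two access patterns the article describes: a freshly authorized connected app with a support-desk or Data Loader-style name that immediately performs a bulk read, and a long-standing integration token (such as Drift's) whose read volume suddenly jumps. The record layout, field names, thresholds and approved-app list are constructed assumptions for illustration, not Salesforce's actual object schema or event log format.

```python
import re
from datetime import datetime, timedelta

# Assumption: connected apps the org has deliberately approved (maintained by the admin).
APPROVED_APPS = {"Salesforce Data Loader", "Drift"}

# Name themes used by the renamed Data Loader app described in the reporting ("My Ticket Portal").
LOOKALIKE = re.compile(r"ticket|portal|help\s*desk|it[\s-]?support|data\s*loader", re.I)

# Constructed sample records: one row per observed API session of a connected app.
# "authorized" is when the OAuth grant was created, "seen" when the reads happened.
EVENTS = [
    {"app": "Salesforce Data Loader", "user": "alice", "authorized": "2025-08-01T09:00",
     "seen": "2025-08-01T09:30", "rows": 5_000},
    {"app": "My Ticket Portal", "user": "bob", "authorized": "2025-08-07T14:02",
     "seen": "2025-08-07T14:40", "rows": 1_200_000},       # vishing victim connects renamed app
    {"app": "Drift", "user": "svc-drift", "authorized": "2025-03-10T08:00",
     "seen": "2025-07-15T08:00", "rows": 3_000},           # normal integration volume
    {"app": "Drift", "user": "svc-drift", "authorized": "2025-03-10T08:00",
     "seen": "2025-08-12T02:13", "rows": 900_000},         # same old token, sudden bulk read
]

def _ts(s):
    return datetime.fromisoformat(s)

def triage(events, bulk_rows=100_000, new_token_days=7, spike_factor=10):
    """Return (app, user, reason) findings, processing events in chronological order."""
    findings = []
    history = {}  # (app, user) -> largest read volume seen in earlier events
    for ev in sorted(events, key=lambda e: e["seen"]):
        key = (ev["app"], ev["user"])
        prior_max = history.get(key, 0)
        # 1. Unapproved app whose name mimics IT support tooling or Data Loader.
        if ev["app"] not in APPROVED_APPS and LOOKALIKE.search(ev["app"]):
            findings.append((*key, "unapproved app with support/Data Loader-style name"))
        if ev["rows"] >= bulk_rows:
            # 2. Bulk read within days of the grant being created (new malicious app).
            if _ts(ev["seen"]) - _ts(ev["authorized"]) <= timedelta(days=new_token_days):
                findings.append((*key, "bulk read shortly after new OAuth authorization"))
            # 3. Established token reading far above its own baseline (stolen integration token).
            elif prior_max and ev["rows"] >= spike_factor * prior_max:
                findings.append((*key, "bulk read far above this integration token's prior volume"))
        history[key] = max(prior_max, ev["rows"])
    return findings

if __name__ == "__main__":
    for app, user, reason in triage(EVENTS):
        print(f"{app} ({user}): {reason}")
```

Case 3 only fires once a token has a baseline, so the first session of a brand-new integration is judged by case 2 instead.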



    Related Information:
  • https://www.ethicalhackingnews.com/articles/FBI-Issues-FLASH-Alert-Cybercriminal-Groups-UNC6040-and-UNC6395-Steal-Salesforce-Data-Impersonate-Law-Enforcement-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/fbi-warns-of-unc6040-unc6395-hackers-stealing-salesforce-data/

  • https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html

  • https://en.wikipedia.org/wiki/Lapsus$

  • https://attack.mitre.org/groups/G1004/

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

  • https://en.wikipedia.org/wiki/Scattered_Spider


  • Published: Sun Sep 14 17:42:24 2025 by llama3.2 3B Q4_K_M