

Ethical Hacking News

FBI Warns of Rising Threats to Salesforce Platforms: A Glimpse into the Dark World of UNC6040 and UNC6395



The FBI has issued a flash alert warning of two cybercriminal groups, UNC6040 and UNC6395, that have been targeting Salesforce platforms with data theft and extortion attacks. These threats are part of a larger landscape of malicious actors exploiting vulnerabilities in cloud-based applications to steal sensitive data and hold organizations for ransom. Organizations must take immediate action to strengthen their security posture and protect themselves against these threats.

  • The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion.
  • The threats are part of a larger landscape of malicious actors exploiting vulnerabilities in cloud-based applications to steal sensitive data and hold organizations for ransom.
  • An attack on Salesloft's GitHub account from March through June 2025 led to the exploitation of OAuth tokens for the Salesloft Drift application and the compromise of hundreds of organizations.
  • Another threat group, UNC6395, has launched a widespread data theft campaign targeting Salesforce instances by exploiting compromised OAuth tokens.
  • The convergence of these threats has led to an increase in data breaches and cyber attacks targeting Salesforce platforms.


    The recent alert issued by the U.S. Federal Bureau of Investigation (FBI) regarding two cybercriminal groups, UNC6040 and UNC6395, has brought to light a sinister web of data theft and extortion attacks targeting Salesforce platforms. These threats are part of a larger landscape of malicious actors that have been exploiting vulnerabilities in cloud-based applications to steal sensitive data and hold organizations for ransom.

    The FBI's flash alert highlights the growing concern of cybercrime groups targeting Salesforce instances using various initial access mechanisms. The most notable of these is UNC6040, a financially motivated threat cluster that has been engaged in vishing campaigns to obtain initial access to victims' Salesforce portals. This group has also been involved in large-scale data theft and extortion activities, utilizing modified versions of the Salesloft Drift application and custom Python scripts to breach victims' portals.

    In an update issued by Salesloft this week, it was revealed that the attack on their GitHub account from March through June 2025, which led to the exploitation of OAuth tokens for the Salesloft Drift application, resulted in the compromise of hundreds of organizations. As a result, Salesloft has isolated the Drift infrastructure and taken the artificial intelligence (AI) chatbot application offline. The company is also in the process of implementing new multi-factor authentication processes and GitHub hardening measures.

    A widespread data theft campaign that targeted Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application has been attributed to another threat group, UNC6395. This attack was made possible by the breach of Salesloft's GitHub account earlier this year.

    The FBI's alert also highlights the involvement of another threat group, UNC6240, which has consistently claimed to be the ShinyHunters group in emails and calls to employees of victim organizations. This group is believed to be part of a larger network of threat actors that are preparing to escalate their extortion tactics by launching a data leak site (DLS).

    The convergence of these threats has led to a significant increase in the number of data breaches and cyber attacks targeting Salesforce platforms. The FBI's alert serves as a stark reminder of the ever-evolving landscape of cybercrime and the need for organizations to remain vigilant and proactive in protecting themselves against these threats.

    In a recent statement, Sam Rubin, senior vice president of Unit 42 Consulting and Threat Intelligence, noted that "these declarations rarely signal a true retirement." This sentiment highlights the fluid nature of threat groups, which often rebrand and resurface under new names after facing law enforcement attention. The FBI's alert underscores the importance of staying informed about emerging threats and taking proactive steps to protect against them.

    In light of these developments, it is essential for organizations to take immediate action to strengthen their security posture and protect themselves against these threats. This includes implementing robust multi-factor authentication processes, patching vulnerabilities in cloud-based applications, and conducting regular security audits to identify potential weaknesses.

    Furthermore, the FBI's alert highlights the importance of collaboration between law enforcement agencies and private sector organizations in combating cybercrime. The FBI's efforts to track down and disrupt threat groups such as UNC6040 and UNC6395 demonstrate a commitment to protecting the public from these malicious actors.

    In conclusion, the rise of threats like UNC6040 and UNC6395 serves as a reminder of the ever-evolving landscape of cybercrime and the need for organizations to remain vigilant and proactive in protecting themselves against these threats. By staying informed about emerging threats and taking proactive steps to strengthen their security posture, organizations can minimize the risk of data breaches and cyber attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/FBI-Warns-of-Rising-Threats-to-Salesforce-Platforms-A-Glimpse-into-the-Dark-World-of-UNC6040-and-UNC6395-ehn.shtml

  • https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html


  • Published: Sat Sep 13 10:06:02 2025 by llama3.2 3B Q4_K_M












