Ethical Hacking News

FBI Warns of Sophisticated Salesforce Attacks by UNC6040 and UNC6395 Groups


The FBI has issued a flash alert warning of malicious activities carried out by two cybercriminal groups targeting Salesforce platforms for data theft and extortion.

  • The FBI has issued a flash alert about two cybercriminal groups targeting Salesforce platforms for data theft and extortion.
  • The groups, UNC6040 and UNC6395, have been using various tactics such as phone scams, vishing, and social engineering to gain access to company accounts.
  • The attackers can steal customer databases and demand cryptocurrency in exchange for not releasing the data.
  • Organizations are advised to strengthen their defenses, including training staff to recognize phishing attempts, enforcing MFA, and applying the Principle of Least Privilege.
  • Routine measures include restricting IP-based access, monitoring API usage, tracking network logs, and reviewing third-party integrations.



    The Federal Bureau of Investigation (FBI) has issued a flash alert to warn of malicious activities carried out by two cybercriminal groups tracked as UNC6040 and UNC6395. These groups have been increasingly targeting Salesforce platforms for data theft and extortion, posing a significant threat to organizations that rely on the platform for their operations.

    The FBI's flash alert was released with Indicators of Compromise (IOCs) for the two groups, which are responsible for a rising number of data theft and extortion intrusions. The alert highlights the fact that both groups have been observed targeting organizations' Salesforce platforms via different initial access mechanisms.

    One group, UNC6040/UNC6240, has been targeting Salesforce users with phone scams, tricking employees into connecting malicious apps to their company accounts. This access allows the attackers to steal customer databases, which are later used for extortion. The attacks have already hit major firms such as Google, Cisco, Adidas, Qantas, and Allianz.

    The UNC6040 group has been targeting Salesforce accounts using vishing and social engineering tactics since October 2024. Actors pose as IT support, tricking call center employees into sharing credentials or approving malicious connected apps, often a modified Salesforce Data Loader. They use OAuth tokens to bypass MFA and other defenses, allowing bulk data exfiltration via API queries. Threat actors also register malicious apps through Salesforce trial accounts to avoid detection.

    Some victims later receive extortion emails, allegedly from ShinyHunters, demanding cryptocurrency to prevent data leaks. The FBI's flash alert warns organizations to strengthen their defenses against cybercriminals targeting Salesforce and other systems.

    The other group, UNC6395, has been exploiting compromised OAuth tokens for the Salesloft Drift app, allowing data exfiltration. On August 20, 2025, Salesloft revoked all tokens, cutting off attacker access. The FBI advises organizations to take measures such as training call center staff to recognize phishing attempts, enforcing MFA, and applying the Principle of Least Privilege with AAA systems.

    Recommended measures also include restricting IP-based access, monitoring API usage for unusual activity, tracking network logs and browser sessions for signs of data exfiltration, and reviewing all third-party integrations. Additionally, organizations should rotate API keys, credentials, and authentication tokens regularly. The FBI recommends investigating and vetting indicators prior to taking action, such as blocking.
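
    The sketch below shows how three of these measures (connected-app review, IP-based restriction, and API usage monitoring) can be combined into one triage pass over an exported API usage log. It is an added example, not code from the FBI alert or from Salesforce; the column names, app allowlist, network range, threshold and sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions (hypothetical, not Salesforce's schema): column names, the app
# allowlist, the corporate egress range and the per-hour row threshold.
APPROVED_APPS = {"Data Loader (corp)", "Marketing Sync"}
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MAX_ROWS_PER_HOUR = 50_000

# Constructed sample of an exported API usage log.
SAMPLE_LOG = """timestamp,user,connected_app,client_ip,rows_returned
2025-09-01T09:05:00Z,alice,Marketing Sync,203.0.113.10,1200
2025-09-01T09:10:00Z,bob,Unreviewed Loader,198.51.100.7,40000
2025-09-01T09:20:00Z,bob,Unreviewed Loader,198.51.100.7,45000
2025-09-01T10:02:00Z,carol,Data Loader (corp),203.0.113.22,30000
2025-09-01T10:40:00Z,carol,Data Loader (corp),203.0.113.22,30000
2025-09-01T11:15:00Z,dave,Marketing Sync,192.0.2.44,300
"""

def ip_allowed(ip):
    """True when the client address falls inside an allowed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def review_api_usage(log_text):
    """Return sorted (reason, user, app, detail) findings for analyst triage."""
    findings = set()
    rows_per_hour = defaultdict(int)
    for rec in csv.DictReader(io.StringIO(log_text)):
        user, app, ip = rec["user"], rec["connected_app"], rec["client_ip"]
        if app not in APPROVED_APPS:        # third-party integration review
            findings.add(("unapproved_app", user, app, ip))
        if not ip_allowed(ip):              # IP-based access restriction
            findings.add(("ip_outside_allowlist", user, app, ip))
        hour = rec["timestamp"][:13]        # bucket key, e.g. 2025-09-01T09
        rows_per_hour[(user, app, hour)] += int(rec["rows_returned"])
    for (user, app, hour), rows in rows_per_hour.items():
        if rows > MAX_ROWS_PER_HOUR:        # unusual bulk read volume
            findings.add(("bulk_read", user, app, f"{hour} rows={rows}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_api_usage(SAMPLE_LOG):
        print(finding)
```

    Note that the volume check also flags an approved app on an allowed network (carol in the sample), which matters because a stolen OAuth token is used through an integration the organization already trusts.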

    The recent rise in attacks on Salesforce platforms highlights the importance of cybersecurity awareness and robust defense strategies. As the threat landscape continues to evolve, it is crucial for organizations to stay vigilant and proactive in protecting themselves against sophisticated cyber threats.





  • Published: Sat Sep 13 15:29:51 2025 by llama3.2 3B Q4_K_M












