

Ethical Hacking News

The Uncanny Scale and Discipline of the UNC6395 Attacks: Unveiling a Sophisticated Supply Chain Threat



The UNC6395 group has launched a sophisticated attack campaign that targets Salesforce tenants by abusing stolen OAuth tokens. The attackers' operational discipline and strategic approach underscore the need for organizations to prioritize supply chain security and to implement robust threat intelligence strategies.

  • The UNC6395 group has demonstrated impressive scale and operational discipline in its recent string of attacks.
  • The attackers targeted hundreds of Salesforce tenants, exploiting stolen OAuth tokens to query and export data across multiple environments.
  • Many of the targeted organizations were security and technology companies, suggesting a broader supply chain attack strategy.
  • The UNC6395 group created an entry point for potential future attacks by infiltrating vendors and service providers.
  • The attackers used OAuth credentials to exfiltrate sensitive data from customers' Salesforce instances, highlighting the severity of the breach.
  • Salesloft has taken steps to mitigate the damage and is recommending that administrators re-authenticate their Salesforce connection.



The recent string of attacks attributed to the UNC6395 group has shed light on the cunning and calculated nature of modern cybersecurity threats. As reported by AppOmni's Chief Security Officer, Cory Michal, these attacks not only operated at an impressive scale but also exhibited a high level of operational discipline, making them particularly noteworthy.

According to Michal, the UNC6395 attacks involved the targeted exploitation of hundreds of Salesforce tenants belonging to specific organizations of interest. This was achieved with stolen OAuth tokens, which allowed the attackers to methodically query and export data across multiple environments. The attackers' deliberate effort to cover their tracks by deleting the jobs they ran further underscores their operational awareness.

The sophistication of these attacks becomes even more evident when considering that many of the targeted and compromised organizations were themselves security and technology companies. This raises the possibility that the UNC6395 campaign is part of a broader supply chain attack strategy, in which the attackers infiltrate vendors and service providers before turning to downstream customers and partners.

By exploiting trust relationships within the technology supply chain, the UNC6395 group has effectively created an entry point for potential future attacks. This strategic approach not only highlights the attackers' cunning but also underscores the need for organizations to reassess their security posture in light of these findings.

The specifics of the attack, as revealed by Salesloft, a sales automation platform, indicate that the attackers used OAuth credentials to exfiltrate data from customers' Salesforce instances. The UNC6395 group executed queries to retrieve records from various Salesforce objects, including Cases, Accounts, Users, and Opportunities. This level of access to sensitive data underscores the severity of the breach.

Salesloft has since taken steps to mitigate the damage by proactively revoking connections between Drift and Salesforce. The company is also recommending that administrators re-authenticate their Salesforce connection to re-enable the integration. While the exact scale of the activity remains unknown, Salesloft has notified all affected parties, demonstrating a commitment to transparency and customer support.

The development comes as Salesforce instances have become an increasingly popular target for financially motivated threat groups such as UNC6040 and UNC6240 (aka ShinyHunters). The latter group, in collaboration with Scattered Spider (aka UNC3944), has been linked to several high-profile attacks in the past. This latest incident serves as a stark reminder of the evolving nature of cybersecurity threats.

In conclusion, the UNC6395 attacks serve as a testament to the cunning and calculated nature of modern threat actors. By targeting organizations within the technology supply chain, these attackers have effectively created an entry point for potential future attacks, highlighting the need for organizations to reassess their security posture in light of these findings.
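The pattern described above (an OAuth-connected app reading large volumes of Cases, Accounts, Users and Opportunities, then deleting the jobs it ran) is something a tenant owner can look for in their own Salesforce activity logs. The following is an added detection example written for this article; it is not code from Salesloft, Salesforce or AppOmni. It runs over a constructed, simplified event list (the field names `ts`, `tenant`, `app`, `user`, `kind`, `object`, `rows` are hypothetical and do not match any real Salesforce Event Monitoring schema), groups activity per tenant, connected app and user, and flags any six-hour window in which reads of sensitive objects exceed a row threshold, raising the severity when a job deletion follows. It also derives the list of (tenant, app) connections to revoke and re-authenticate, which is the remediation step Salesloft recommended.

```python
"""Flag bulk reads of sensitive Salesforce objects through an OAuth-connected app,
and raise severity when a job deletion follows (covering tracks). Added example
with a constructed, hypothetical event schema; not real Event Monitoring data."""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}
ROW_THRESHOLD = 10_000          # rows read from sensitive objects per window
WINDOW = timedelta(hours=6)     # sliding window anchored on each sensitive read

# Constructed sample events (hypothetical schema). "app" is the OAuth connected
# app whose token issued the call, "tenant" the Salesforce org it ran against.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:01:00Z", "tenant": "org-A", "app": "Drift",
     "user": "integration@org-a.example", "kind": "query", "object": "Account", "rows": 48_000},
    {"ts": "2025-08-10T02:05:00Z", "tenant": "org-A", "app": "Drift",
     "user": "integration@org-a.example", "kind": "query", "object": "Case", "rows": 120_000},
    {"ts": "2025-08-10T02:09:00Z", "tenant": "org-A", "app": "Drift",
     "user": "integration@org-a.example", "kind": "query", "object": "User", "rows": 900},
    {"ts": "2025-08-10T02:40:00Z", "tenant": "org-A", "app": "Drift",
     "user": "integration@org-a.example", "kind": "job_delete", "object": None, "rows": 0},
    # Benign baseline: the same integration's normal small lead sync elsewhere.
    {"ts": "2025-08-10T09:00:00Z", "tenant": "org-B", "app": "Drift",
     "user": "integration@org-b.example", "kind": "query", "object": "Lead", "rows": 35},
    # Large export with no clean-up: still flagged, at lower severity.
    {"ts": "2025-08-11T03:00:00Z", "tenant": "org-C", "app": "Drift",
     "user": "integration@org-c.example", "kind": "query", "object": "Opportunity", "rows": 25_000},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_exports(events):
    """Return one finding per (tenant, app, user) whose sensitive-object reads
    within any WINDOW reach ROW_THRESHOLD. Severity is 'high' when a job_delete
    event occurs inside the same window, otherwise 'medium'."""
    groups = defaultdict(list)
    for event in events:
        groups[(event["tenant"], event["app"], event["user"])].append(event)

    findings = []
    for (tenant, app, user), group in groups.items():
        group.sort(key=lambda e: parse_ts(e["ts"]))
        for i, start in enumerate(group):
            # Only a read of a sensitive object can open a window.
            if start["kind"] != "query" or start["object"] not in SENSITIVE_OBJECTS:
                continue
            t0 = parse_ts(start["ts"])
            rows, objects, deleted = 0, set(), False
            for event in group[i:]:
                if parse_ts(event["ts"]) - t0 > WINDOW:
                    break
                if event["kind"] == "query" and event["object"] in SENSITIVE_OBJECTS:
                    rows += event["rows"]
                    objects.add(event["object"])
                elif event["kind"] == "job_delete":
                    deleted = True
            if rows >= ROW_THRESHOLD:
                findings.append({
                    "tenant": tenant, "app": app, "user": user,
                    "window_start": start["ts"], "rows": rows,
                    "objects": sorted(objects),
                    "severity": "high" if deleted else "medium",
                })
                break  # one finding per principal is enough to trigger triage
    return findings


def connections_to_revoke(findings):
    """Derive the (tenant, connected app) pairs whose OAuth grant should be
    revoked and re-authenticated, mirroring the remediation Salesloft advised."""
    return sorted({(f["tenant"], f["app"]) for f in findings})


if __name__ == "__main__":
    for finding in find_suspicious_exports(SAMPLE_EVENTS):
        print(finding)
    print("revoke:", connections_to_revoke(find_suspicious_exports(SAMPLE_EVENTS)))
```

The row threshold and window are deliberately crude; in practice they would be tuned against each integration's normal baseline, since a legitimate sync also reads Accounts and Cases, just not hundreds of thousands of rows in minutes followed by deleting its own jobs.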



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Uncanny-Scale-and-Discipline-of-the-UNC6395-Attacks-Unveiling-a-Sophisticated-Supply-Chain-Threat-ehn.shtml

  • https://thehackernews.com/2025/08/salesloft-oauth-breach-via-drift-ai.html

  • https://www.csoonline.com/article/4046407/attackers-steal-data-from-salesforce-instances-via-compromised-ai-live-chat-tool.html

  • https://trust.salesloft.com/?uid=Drift/Salesforce+Security+Notification


  • Published: Wed Aug 27 05:59:54 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.