
Hacking group steals Salesforce data by impersonating IT support

A new report from Google Threat Intelligence Group (GTIG) reveals a threat to Salesforce instances. The danger, however, has nothing to do with any shortcomings in the CRM platform itself; it rests entirely on human deception.

The hacker campaign, carried out by the group Google tracks as UNC6040, is taking place in both Europe and America. By impersonating IT support in phone calls, the attackers are able to obtain credentials from large multinationals, among others. They also persuade victims to download fake Salesforce Data Loader apps, which are then used to steal sensitive data. According to the Google researchers, UNC6040 specializes in this method of attack.

Voice phishing as an attack method

The campaign revolves around the well-known technique of voice phishing (also known as ‘vishing’), in which cybercriminals contact employees by telephone. This method is becoming increasingly common in the cybersecurity world, as was evident again earlier this year in attacks via Apple iMessage. The phone call is only the first step in a more complex social engineering attack.

The hackers pretend to be Salesforce employees and claim that there are urgent technical problems. They direct employees to a fake website where they can download a modified version of Data Loader. This program is normally used for large-scale data import into Salesforce environments, so many employees have no reason to suspect malicious intent on the part of the person they are talking to on the phone.

According to Google researchers, installing the fake app gives attackers “significant capabilities to access, investigate, and exfiltrate sensitive information.” This is done directly through the Salesforce environment, with the victim’s own credentials, and therefore without hacking the platform itself. Access to Salesforce in turn allows the attackers to break into other cloud services and internal networks.

In other words, this is another example of the security trend of simply logging in rather than hacking your way in. This was also discussed in our recent conversation with Trend Micro.

“The Com”

UNC6040 is believed to be related to the larger hacker group “The Com.” There is significant overlap in their known TTPs (tactics, techniques, procedures): imitating IT support, stealing Okta credentials, and focusing on English-speaking victims. Google cannot say with certainty that these hacker groups are actually related; the only established link is that they frequent the same dark web communities.

A Google spokesperson confirmed to Reuters that approximately 20 organizations have been affected by the UNC6040 campaign, which has been ongoing for several months. Some of these organizations have actually had data stolen.

Salesforce responded by pointing out that the problem does not lie with vulnerabilities in their platform. A spokesperson called it “targeted social engineering scams designed to exploit gaps in individual users’ security awareness and best practices.”

Advance warnings

Salesforce had already published a warning in March about voice phishing attacks and the misuse of modified Data Loader versions. The timing of this warning indicates that the company was already aware of this campaign at that time.