A cyber gang that previously announced it was disbanding has reemerged with a massive extortion threat targeting Salesforce.
The group, now calling itself Scattered LAPSUS$ Hunters, claims to have access to data from approximately 40 companies that utilize the CRM platform. According to The Register, they are demanding $989 million to prevent around a billion customer records from appearing online. The group gave Salesforce until October 10 to negotiate payment.
Salesforce says it has no evidence that its own platform has been hacked. According to the company, the threats are based on previous or unconfirmed incidents. It is working with external specialists and authorities and is supporting potentially affected customers.
Telephone social engineering attacks
The renewed threat appears to be linked to the UNC6040 group, which specializes in telephone social engineering, or vishing. In these attacks, the criminals pose as IT support staff and talk a user into authorizing a connected app that the attacker controls in the organization's Salesforce instance (in the cases GTIG has documented, a modified version of Salesforce's own Data Loader tool). Once the user grants that OAuth authorization, the attackers can read and export customer data through the API with the victim's own permissions, without exploiting any technical vulnerability in Salesforce.
According to Google Threat Intelligence Group (GTIG), Google's own corporate Salesforce environment was hit by a similar attack in June. That breach only involved basic, largely public contact information about small and medium-sized businesses and was contained quickly. GTIG states that UNC6040 now uses custom Python tooling to export data via the Salesforce API as soon as a victim grants the authorization. The group routes its activity through commercial VPN services and the Tor network to hide its origin.
GTIG also describes a second group, UNC6240, which contacts victims with ransom demands months after the original breach. This group claims to be part of ShinyHunters, presumably to exert additional pressure. Google warned in August that ShinyHunters was working on a data leak site; that site now appears to have materialized under the Scattered LAPSUS$ Hunters name.
The tactics of these groups exhibit similarities to those of collectives such as Lapsus$ and Scattered Spider, which are linked to the broader network “The Com.” Researchers believe that this overlap indicates shared knowledge rather than direct collaboration.
Both Google and Salesforce emphasize the need for organizations to tighten their security. Recommended measures include restricting who may use Data Loader and the API to the least privilege needed, strict control over which connected apps users can authorize, IP-based login and API access restrictions, and mandatory multi-factor authentication. The return of Scattered LAPSUS$ Hunters shows that financially motivated cyber groups, despite arrests and previous promises to stop, are far from gone.
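The controls above are preventive; a defender also wants to spot the sequence this campaign relies on (a user authorizes an unfamiliar connected app, then a large export follows, often from an IP outside the corporate range) in the logs. The script below is an added example written for this article, not tooling from Google, Salesforce or any of the groups discussed. It runs over a handful of constructed, simplified log records; the field names (`event`, `user`, `ip`, `app`, `rows`), the allowlisted network 203.0.113.0/24, the app allowlist and the thresholds are all assumptions for illustration, not Salesforce's actual Event Monitoring schema.

```python
"""Flag the vishing-to-export pattern described above over constructed,
simplified log records.  Field names, IP ranges, app names and thresholds
are assumptions for this example, not Salesforce's Event Monitoring schema."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records (not real logs).  Times are UTC ISO-8601.
SAMPLE_LOG = [
    {"time": "2025-06-03T09:12:00", "event": "login",
     "user": "jdoe", "ip": "203.0.113.10", "app": "", "rows": 0},
    # jdoe, talked through it on the phone, authorizes an unknown app
    {"time": "2025-06-03T09:40:00", "event": "connected_app_authorized",
     "user": "jdoe", "ip": "203.0.113.10", "app": "My Ticket Portal", "rows": 0},
    # minutes later a bulk export runs from an address outside the office range
    {"time": "2025-06-03T09:47:00", "event": "bulk_export",
     "user": "jdoe", "ip": "198.51.100.77", "app": "My Ticket Portal", "rows": 480000},
    # benign: an allowlisted app doing a small export from the office
    {"time": "2025-06-03T10:05:00", "event": "connected_app_authorized",
     "user": "asmith", "ip": "203.0.113.22", "app": "Data Loader", "rows": 0},
    {"time": "2025-06-03T10:30:00", "event": "bulk_export",
     "user": "asmith", "ip": "203.0.113.22", "app": "Data Loader", "rows": 1200},
]

ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress range
ALLOWED_APPS = {"Data Loader"}                           # assumed connected-app allowlist
WINDOW = timedelta(hours=24)      # how long an app authorization stays "fresh"
ROW_THRESHOLD = 10_000            # exports at or above this count are notable


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def ip_allowed(ip, nets=ALLOWED_NETS):
    """True if the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def detect(records, allowed_nets=ALLOWED_NETS, allowed_apps=ALLOWED_APPS,
           window=WINDOW, row_threshold=ROW_THRESHOLD):
    """Return (severity, user, reason) alerts in chronological order.

    A non-allowlisted app authorization is a medium alert on its own; an
    export is scored by how many risk signals coincide: unfamiliar IP,
    high row count, and a fresh non-allowlisted authorization by that user.
    """
    alerts = []
    recent_auth = {}  # user -> (time, app) of last non-allowlisted authorization
    for rec in sorted(records, key=_ts):
        t, user, ip = _ts(rec), rec["user"], rec["ip"]
        if rec["event"] == "connected_app_authorized":
            if rec["app"] not in allowed_apps:
                recent_auth[user] = (t, rec["app"])
                alerts.append(("medium", user,
                               f"authorized non-allowlisted app {rec['app']!r}"))
        elif rec["event"] == "bulk_export":
            reasons = []
            if not ip_allowed(ip, allowed_nets):
                reasons.append(f"export from non-allowlisted IP {ip}")
            if rec["rows"] >= row_threshold:
                reasons.append(f"{rec['rows']} rows exported")
            auth = recent_auth.get(user)
            if auth and t - auth[0] <= window:
                reasons.append(f"within {window} of authorizing {auth[1]!r}")
            if reasons:
                severity = "high" if len(reasons) >= 2 else "low"
                alerts.append((severity, user, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for severity, user, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] {user}: {reason}")
```

On the sample data this produces a medium alert when jdoe authorizes "My Ticket Portal" and a high alert for the 480,000-row export seven minutes later from 198.51.100.77, while asmith's small Data Loader export from the office range raises nothing. In practice the same logic would be fed from Salesforce's login history and event log exports, and the IP allowlist should match the login IP ranges enforced in the org so that the detection and the preventive control agree.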