
A financially motivated group of hackers is having a roaring success targeting Salesforce instances for “large-scale data theft and subsequent extortion” using social engineering techniques, Google warned this week.
The group has “demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements”, including within what it described as “English-speaking branches of multinational corporations.”
That’s according to Google’s threat intelligence group, which tracks the threat actor as “UNC6040” and which confirmed that in “all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce”. The attackers do, however, typically escalate from “vishing” to persuading victims to approve a hacker-controlled version of Salesforce’s “Data Loader” as a connected app in the victim’s Salesforce environment, Google said.
"The Com" overlap?
A threat report from the company flagged overlapping TTPs with a loosely knit black hat collective known as “The Com”, including the targeting of Okta credentials, although Google cautions “it's plausible that these similarities stem from associated actors operating within the same communities, rather than indicating a direct operational relationship.”
The report comes after Salesforce urged users on March 12 to be aware of this kind of social engineering attack and shared a range of security best practices and hygiene steps to reduce the risk of being picked off. Many of those controls, MFA among them, are bypassed in these attacks through social engineering rather than defeated technically. Google noted that the attacks often involve tricking users into satisfying an MFA prompt (e.g., one that authorises a malicious connected app), including via a fake Okta login panel.
“This panel was used to trick victims into visiting it from their mobile phones or work computers during the social engineering calls. In these interactions, UNC6040 also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration…” it said.
Lock down permissions
It urged IT and security teams to more tightly control how external applications, including Data Loader, interact with their Salesforce environment.
“Diligently manage access to your connected apps, specifying which users, profiles, or permission sets can use them and from where.
“Critically, restrict powerful permissions such as ‘Customize Application’ and ‘Manage Connected Apps’ – which allow users to authorize or install new connected applications – only to essential and trusted administrative personnel,” urged Google on June 4, adding that firms should “consider developing a process to review and approve connected apps, potentially allowlisting known safe applications to prevent the unauthorized introduction of malicious ones, such as modified Data Loader instances.”
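The two checks Google recommends above, allowlisting connected apps and confining “Customize Application” / “Manage Connected Apps” to a small admin group, are easy to turn into a recurring audit. The script below is an added example written for this article, not code from Google or Salesforce. It runs over constructed records: the field names, consumer keys, user names and the 100,000-row threshold are assumptions and do not mirror the Salesforce schema. In a real deployment the grant and permission data would be pulled from the org (connected-app OAuth usage and the permission assignments of each user) and fed into the same two functions. Any app whose name looks like Data Loader but whose consumer key is not the approved one is rated high, which is exactly the “modified Data Loader instance” pattern the report describes.

```python
"""Audit connected-app grants and powerful permissions against an allowlist.

Added example for this article; all data below is constructed. Field names
are assumptions for illustration, not the real Salesforce object schema.
"""
from dataclasses import dataclass

# Hypothetical allowlist: consumer keys of connected apps that passed the
# review-and-approve process Google recommends.
APPROVED_CONSUMER_KEYS = {"CK-APPROVED-001", "CK-APPROVED-002"}

# Hypothetical set of accounts allowed to hold Customize Application or
# Manage Connected Apps.
TRUSTED_ADMINS = {"alice.admin@example.com"}

# Bulk exports above this (assumed) size from an unapproved app are rated HIGH.
BULK_EXPORT_THRESHOLD = 100_000


@dataclass(frozen=True)
class ConnectedAppGrant:
    app_name: str          # display name shown to the approving user
    consumer_key: str      # stable identifier of the connected app
    authorized_by: str     # user who approved the OAuth grant
    bulk_rows_exported: int


@dataclass(frozen=True)
class UserPerms:
    username: str
    customize_application: bool
    manage_connected_apps: bool


@dataclass(frozen=True)
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    subject: str    # consumer key or username
    reason: str


def audit_grants(grants, approved_keys=APPROVED_CONSUMER_KEYS,
                 threshold=BULK_EXPORT_THRESHOLD):
    """Flag every grant whose consumer key is not on the allowlist.

    A lookalike name ("Data Loader" with an unknown key) or a large bulk
    export escalates the finding to HIGH; anything else unapproved is MEDIUM.
    """
    findings = []
    for g in grants:
        if g.consumer_key in approved_keys:
            continue
        lookalike = "data loader" in g.app_name.lower().replace("-", " ")
        big_export = g.bulk_rows_exported >= threshold
        if lookalike or big_export:
            sev = "HIGH"
            why = ("Data Loader lookalike with unapproved consumer key"
                   if lookalike else "large bulk export by unapproved app")
        else:
            sev = "MEDIUM"
            why = "connected app not on allowlist"
        findings.append(Finding(
            sev, g.consumer_key,
            f"{why}: '{g.app_name}' authorized by {g.authorized_by}, "
            f"{g.bulk_rows_exported} rows exported"))
    return findings


def audit_permissions(users, trusted_admins=TRUSTED_ADMINS):
    """Return users holding either powerful permission without being a trusted admin."""
    return [u.username for u in users
            if (u.customize_application or u.manage_connected_apps)
            and u.username not in trusted_admins]


# Constructed sample data (not real telemetry).
SAMPLE_GRANTS = [
    ConnectedAppGrant("Dataloader Bulk", "CK-APPROVED-001", "alice.admin@example.com", 250_000),
    ConnectedAppGrant("Ticket Portal", "CK-APPROVED-002", "bob@example.com", 0),
    ConnectedAppGrant("Data Loader", "CK-UNKNOWN-9f3a", "carol@example.com", 500_000),
    ConnectedAppGrant("Calendar Sync", "CK-UNKNOWN-11b2", "dave@example.com", 40),
]
SAMPLE_USERS = [
    UserPerms("alice.admin@example.com", True, True),
    UserPerms("carol@example.com", False, True),   # should not hold this
    UserPerms("dave@example.com", False, False),
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"[{f.severity}] {f.subject}: {f.reason}")
    for user in audit_permissions(SAMPLE_USERS):
        print(f"[HIGH] {user} holds a connected-app admin permission but is not a trusted admin")
```

Running it against the constructed data reports the unknown "Data Loader" grant as HIGH, the Calendar Sync grant as MEDIUM, and carol@example.com as an account that can authorize connected apps without being on the trusted list. Correlating those two outputs (an untrusted user approving a lookalike app) is the signal to act on first.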
Critically, defenders should be aware that calls (by phone, Teams or similar) masquerading as IT support can be hugely convincing and informed by prior reconnaissance. For example, Sophos has seen such attacks spoofing the real IT support number and having the names and other details of the actual IT support team to hand, gleaned from LinkedIn, previous data breaches, or other avenues.