Ad
Image credit: DC_Studio/Envato
Instances of Salesforce inside organizations have become targets of voice phishing (vishing) campaigns that aim to compromise large amounts of data and apply extortion tactics. The threat known as UNC6040 “has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements” over the past several months, according to Google Threat Intelligence Group (GTIG), which is tracking the vishing campaign.
UNC6040 “has proven particularly effective” in tricking employees into sharing sensitive credentials, ultimately resulting in the theft of an organization’s Salesforce data. The targets are often English-speaking branches of multinational corporations.
“In the past year, we’ve observed an uptick in the use of vishing for initial access,” Genevieve Stark, head of cybercrime and hacktivism analysis at GTIG, told TechRepublic. “Many of these incidents have targeted IT support staff, who typically have elevated privileges for managing accounts and installing software.”
To date, about 20 organizations have been affected, GTIG said.
Victims unknowingly authorize an illegitimate data loader app
The actor deceives victims into authorizing a malicious connected app, often an unauthorized and modified version of Salesforce’s Data Loader, to access their organization’s Salesforce portal.
Salesforce designed Data Loader to efficiently import, export, and update large volumes of data within its platform.
During a vishing call, the actor directs the victim to Salesforce’s connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.
In some cases, extortion attempts aren’t observed until months after UNC6040 is given access to Salesforce, which GTIG says “could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data.”
Vishing threat seeks user credentials and MFA authentication codes
UNC6040 has demonstrated lateral movement by leveraging applications on the Salesforce platform to access an Okta phishing panel. Victims are tricked into visiting this panel from their mobile phones or work computers during the social engineering calls.
To authenticate and add the Salesforce Data Loader application, UNC6040 has also directly requested user credentials and multifactor authentication (MFA) codes to facilitate data exfiltration and further lateral movement.
Must-read security coverage
How to reduce vishing attacks
Given that threat actors conducting vishing attacks often leverage social engineering tactics to reset account passwords, Stark recommends that organizations, follow these tips to mitigate their risk.
- Rigorously verify identity: Train service desk personnel to confirm employee identity before any account modifications or sharing of security-sensitive information, especially for privileged accounts.
- Enforce least privilege: Grant users only essential permissions, particularly for data access tools.
- Implement out-of-band verification: For high-risk changes such as MFA resets and privileged password changes, use secondary verification methods such as call-backs or corporate email confirmations.
- Apply IP-based access restrictions: Limit unauthorized access attempts, including those from commercial VPNs.
Ad
