A new report from Google's Threat Intelligence Group (GTIG) has revealed an evolving and sophisticated cybercrime operation known as UNC6040. This financially motivated threat cluster specializes in voice phishing (vishing) campaigns, in which attackers impersonate IT support staff to trick employees into granting access to their company's Salesforce data. This method has proven particularly effective against English-speaking employees in multinational corporations.
How the Attacks Work

The vishing attacks involve a malicious actor calling an employee and socially engineering them into authorizing a fraudulent application within their company's Salesforce portal. This application, often a modified version of Salesforce's legitimate Data Loader tool, gives the attackers the ability to access, query, and steal large volumes of sensitive data. In a recent update, Google disclosed that a similar attack in June impacted one of its own corporate Salesforce instances, leading to the theft of basic business information for small and medium-sized businesses before the breach was contained.
Evolving Tactics and Extortion

Google's report also highlights that the group's tactics are changing. The attackers, now using custom Python scripts instead of the Data Loader app, have moved to using anonymizing services like Mullvad VPN and Tor to initiate vishing calls and exfiltrate data, making them more difficult to track.
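The two patterns described above (a freshly authorized Data Loader-style connected app followed by high-volume queries, and activity arriving from anonymizing egress) are what a defender would hunt for in Salesforce event logs. The following detection sketch is an added example, not code from Google or Salesforce; it runs over constructed sample records in a simplified pipe-delimited layout (not the real Salesforce EventLogFile schema), and the 24-hour window, 10,000-row threshold and anonymizing-egress list are placeholder assumptions to tune locally.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified layout, NOT the real Salesforce event schema):
# timestamp|user|event|detail|source_ip   (IPs from RFC 5737 documentation ranges)
SAMPLE_LOG = """\
2025-06-10T09:02:11|alice|connected_app_authorized|app=DataLoaderClone|203.0.113.7
2025-06-10T09:10:45|alice|bulk_query|object=Account;rows=48000|203.0.113.7
2025-06-10T09:12:03|alice|bulk_query|object=Contact;rows=120000|203.0.113.7
2025-06-11T14:00:00|bob|connected_app_authorized|app=DataLoader|198.51.100.5
2025-06-12T08:30:00|bob|bulk_query|object=Lead;rows=900|198.51.100.5
"""

WINDOW = timedelta(hours=24)   # how long after an app authorization we watch for exports (assumption)
ROW_THRESHOLD = 10_000         # combined exported rows treated as "large volume" (tuning assumption)
# Placeholder set of anonymizing-service egress IPs; feed this from your own threat intel.
ANON_EGRESS = {"203.0.113.7"}


def parse_log(text):
    """Parse the constructed pipe-delimited records into dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, user, kind, detail, ip = line.split("|")
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "kind": kind, "ip": ip, **fields})
    return events


def detect(events):
    """Alert when a connected-app authorization is followed within WINDOW by bulk
    queries totalling >= ROW_THRESHOLD rows, or when that activity comes from ANON_EGRESS."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, auth in enumerate(evs):
            if auth["kind"] != "connected_app_authorized":
                continue
            window_evs = [e for e in evs[i + 1:] if e["ts"] - auth["ts"] <= WINDOW]
            rows = sum(int(e["rows"]) for e in window_evs if e["kind"] == "bulk_query")
            anon = any(e["ip"] in ANON_EGRESS for e in [auth] + window_evs)
            if rows >= ROW_THRESHOLD or anon:
                alerts.append({"user": user, "app": auth["app"],
                               "rows_in_window": rows, "anon_egress": anon})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only alice's session trips the rule: 168,000 rows exported within minutes of a new app authorization, from an egress address on the watchlist; bob's 900-row export from a routine Data Loader authorization stays below both bars.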
Following the data theft, a related threat group, UNC6240, is extorting victims by demanding a bitcoin payment within 72 hours. During these communications, the group often claims to be the well-known hacking group ShinyHunters to increase pressure on the victims. Google Threat Intelligence believes that these new tactics, including the potential launch of a data leak site, are likely being prepared to intensify the pressure on victims.