Google tracking hackers using voice phishing and malicious app to steal data
Threat actors are impersonating IT personnel to lure employees into giving access to their organisation's Salesforce data through a malicious application, the Google Threat Intelligence Group (GTIG) has warned.
Researchers at GTIG said it is tracking UNC6040, a financially motivated group that specialises in voice phishing (vishing) campaigns to compromise an organisation's Salesforce instances for data theft and subsequent extortion.
Operators at UNC6040 impersonate IT support personnel in a vishing call to deceive employees into authorising a malicious version of Salesforce's Data Loader, according to GTIG.
This gives the hackers "significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments."
"This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organisations' Salesforce data," the GTIG said in a blog post.
It clarified that the malicious version of the Data Loader is not authorised by Salesforce.
"In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce," it said.
A spokesperson from Salesforce also told Reuters that the vishing campaigns are "targeted social engineering scams designed to exploit gaps in individual users' cybersecurity awareness and best practices."
Salesforce previously flagged these incidents involving the malicious version of the Data Loader app in March.
GTIG said extortion attempts are not observed until several months after the initial intrusion, which could mean that UNC6040 has partnered with a second threat actor that monetises access to the stolen data.
"During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims," it said.
Roughly 20 organisations have been affected by UNC6040, with a subset of them having their data successfully exfiltrated, a Google spokesperson told Reuters.
Salesforce warned of the threat of a "malicious connected app" in March.
"In some cases, we have observed that the malicious connected app is a modified version of the Data Loader app published under a different name and/or branding. Once the threat actor gains access to a customer’s Salesforce account or adds a connected app, they use the connected app to exfiltrate data," the company wrote in a blog post.
To help its customers, Salesforce highlighted key platform features and outlined best practices, such as enabling multi-factor authentication, adding a security contact, and restricting login IP ranges to corporate and VPN networks.
"While not exhaustive, this list includes links to additional resources so customers can make informed security decisions that best protect their Salesforce instances," it said.
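The two Salesforce recommendations that map most directly to this campaign, restricting login IP ranges and knowing which connected apps are authorised, can be turned into a routine review of login records. The script below is an added illustration, not code from Google, Salesforce or the article; the record fields, the approved-app list and the trusted network ranges are constructed assumptions, not the real Salesforce login-history schema.

```python
import ipaddress

# Constructed login records. Field names are assumptions for this example,
# not Salesforce's real login-history schema; IPs are documentation ranges.
SAMPLE_LOGINS = [
    {"user": "a.lee@example.com", "app": "Data Loader", "source_ip": "203.0.113.10"},
    {"user": "b.ng@example.com", "app": "Data Loader Pro", "source_ip": "198.51.100.7"},
    {"user": "c.ruiz@example.com", "app": "Data Loader", "source_ip": "192.0.2.55"},
    {"user": "d.kim@example.com", "app": "Sales Reporting", "source_ip": "203.0.113.44"},
]

# Assumed corporate office and VPN ranges (the "login IP ranges" a tenant would restrict to).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.8.0.0/16")]

# Assumed allowlist of connected apps the organisation has actually authorised.
APPROVED_APPS = {"Data Loader"}


def review_logins(records, trusted_networks, approved_apps):
    """Return one finding per login that an analyst should look at.

    Flags (a) connected apps not on the allowlist, calling out names that
    imitate Data Loader since the campaign used a rebranded copy of it, and
    (b) logins from outside the corporate/VPN ranges.
    """
    findings = []
    for rec in records:
        reasons = []
        app = rec["app"]
        if app not in approved_apps:
            if "loader" in app.lower():
                reasons.append("lookalike Data Loader name")
            else:
                reasons.append("unapproved connected app")
        ip = ipaddress.ip_address(rec["source_ip"])
        if not any(ip in net for net in trusted_networks):
            reasons.append("source IP outside corporate/VPN ranges")
        if reasons:
            findings.append({"user": rec["user"], "app": app, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOGINS, TRUSTED_NETWORKS, APPROVED_APPS):
        print(f"{f['user']}: {f['app']} -> {', '.join(f['reasons'])}")
```

An unapproved app name alone is not proof of compromise; the point is that a rebranded Data Loader authorised during a vishing call shows up as an app the organisation never approved, logging in from wherever the caller sits.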
Phishing is the most common form of cybercrime, with an estimated 3.4 billion spam emails sent every day, according to AAG IT Services.
A separate report from KnowBe4 earlier this year revealed that HR- and IT-related emails are the top-clicked phishing emails in its phishing simulations.