Summary
The cybercriminal group known as UNC6040 is conducting sophisticated attacks by socially engineering employees into installing maliciously modified versions of Salesforce’s Data Loader tool, facilitating extensive data theft, according to new intelligence from Google Cloud. Using phone-based social engineering (“vishing”), these attackers pose as IT support to trick victims into granting unauthorized Salesforce app access, enabling broad lateral movement across organizational cloud services. Notably, the campaign has affected around 20 organizations across hospitality, retail, education, and other sectors, with stolen data potentially being monetized by affiliated threat actors through delayed extortion demands.
Community Impact:
Retail and hospitality businesses may be vulnerable due to their reliance on cloud-based platforms like Salesforce for customer data and business operations. This campaign carries the risks of sensitive customer data exposure, operational disruption, and reputational harm. Additionally, Google researchers state, “GTIG has observed infrastructure across various intrusions that shares characteristics with elements previously linked to UNC6040 and threat groups suspected of ties to the broader, loosely organized collective known as ‘The Com.’”
Given the risks posed by the campaign and recent surges in activity related to The Com, RH-ISAC Members are encouraged to review the intelligence in this report and the original Google Cloud report.
Analysis:
UNC6040’s campaign leverages sophisticated social engineering techniques, particularly vishing (voice phishing), to trick employees into authorizing malicious Salesforce connected apps disguised as legitimate versions of Salesforce’s Data Loader tool. This strategy exploits the inherent trust in internal support staff, circumventing traditional security defenses without requiring technical exploits. Once installed, the malicious application enables extensive data extraction directly from Salesforce environments through customized queries executed via the Data Loader API. Attackers demonstrate technical agility by varying query techniques, including initially using smaller data chunks to evade detection, then rapidly scaling exfiltration volume once reconnaissance is complete. Furthermore, lateral movement into additional cloud services, such as Okta, Microsoft 365, and Workplace, illustrates a targeted, multi-platform approach designed to maximize data collection and persistence within compromised environments.
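The behaviours described above (a newly authorized connected app that is not the sanctioned Data Loader, followed by small probing queries that abruptly scale up) can be turned into a detection rule over Salesforce API activity. The following is an added example written for this report, not code from Google Cloud or RH-ISAC; the sample records are constructed, and the field names (ts, user, event, client, rows) are assumptions standing in for whatever a Salesforce event-monitoring export or SIEM normalisation provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Salesforce logs); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:00:00", "user": "alice", "event": "APP_AUTHORIZED", "client": "Data Loader Helpdesk", "rows": 0},
    {"ts": "2025-06-02T09:05:00", "user": "alice", "event": "API_QUERY", "client": "Data Loader Helpdesk", "rows": 150},
    {"ts": "2025-06-02T09:07:00", "user": "alice", "event": "API_QUERY", "client": "Data Loader Helpdesk", "rows": 180},
    {"ts": "2025-06-02T09:40:00", "user": "alice", "event": "API_QUERY", "client": "Data Loader Helpdesk", "rows": 250000},
    {"ts": "2025-06-02T09:41:00", "user": "alice", "event": "API_QUERY", "client": "Data Loader Helpdesk", "rows": 300000},
    {"ts": "2025-06-02T10:00:00", "user": "bob", "event": "API_QUERY", "client": "Salesforce Data Loader", "rows": 5000},
    {"ts": "2025-06-02T11:00:00", "user": "bob", "event": "API_QUERY", "client": "Salesforce Data Loader", "rows": 5200},
]

# Assumed allowlist of connected-app client names the organisation has approved.
APPROVED_CLIENTS = {"Salesforce Data Loader"}


def detect_suspicious_exports(events, approved_clients, ramp_factor=10, probe_events=2, auth_window_hours=24):
    """Return one finding per (user, client) pair that shows any of the described behaviours."""
    authorized = {}                 # (user, client) -> time the app was authorized
    queries = defaultdict(list)     # (user, client) -> [(time, rows extracted), ...]
    for e in events:
        key = (e["user"], e["client"])
        if e["event"] == "APP_AUTHORIZED":
            authorized[key] = datetime.fromisoformat(e["ts"])
        elif e["event"] == "API_QUERY":
            queries[key].append((datetime.fromisoformat(e["ts"]), e["rows"]))

    findings = []
    for (user, client), q in queries.items():
        q.sort()
        reasons = []
        if client not in approved_clients:          # lookalike or unknown Data Loader app
            reasons.append("unapproved client")
        auth_ts = authorized.get((user, client))
        if auth_ts and q[0][0] - auth_ts <= timedelta(hours=auth_window_hours):
            reasons.append("newly authorized app")  # authorization immediately followed by extraction
        probe = [rows for _, rows in q[:probe_events]]
        later = [rows for _, rows in q[probe_events:]]
        if probe and later and max(later) > ramp_factor * max(probe):
            reasons.append("row-count escalation")  # small reconnaissance chunks, then bulk pull
        if reasons:
            findings.append({"user": user, "client": client, "reasons": reasons,
                             "total_rows": sum(rows for _, rows in q)})
    return findings
```

Running it over the sample records flags alice's activity on all three counts and leaves bob's routine, approved Data Loader use unflagged; the thresholds are starting points to tune against an org's own baseline.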