UNC6040 Hacks Salesforce Via Vishing And Malicious Data Loader Apps, Google Warns


Scoop, 05-06-2025

Press Release – Google Threat Intelligence Group – GTIG
A new Google Cloud Threat Intelligence report has revealed a sophisticated vishing campaign targeting Salesforce environments, enabling large-scale data theft and extortion. The operation, attributed to threat cluster UNC6040, leverages modified versions of Salesforce's Data Loader and malicious connected apps to compromise organisations—without exploiting any Salesforce vulnerabilities.
According to Google, attackers impersonate IT support on live calls, directing users to approve unauthorised Data Loader apps via Salesforce's connected app interface. These apps, often disguised with innocuous names like 'My Ticket Portal,' grant direct access to sensitive CRM data.
No Salesforce vulnerability is exploited and no Salesforce system itself is compromised; the attackers abuse end-user trust to obtain legitimately authorised access, then use that access to pivot into other systems.
Once initial access is secured, attackers use harvested credentials to move laterally into platforms such as Okta and Microsoft 365. In some cases, exfiltration went undetected for months before extortion attempts occurred—sometimes under the banner of groups like ShinyHunters.
UNC6040's infrastructure included Okta phishing panels and commercial VPN services such as Mullvad. The group's techniques overlap with those seen in campaigns linked to 'The Com', a loosely affiliated cybercriminal collective.
GTIG advises defenders to implement strict access controls, limit API privileges, and use Salesforce Shield for anomaly detection. IP-based restrictions and rigorous app allowlisting are also critical, given the threat actors' reliance on human manipulation rather than technical exploits.
'This campaign demonstrates how modern attackers exploit trust and routine admin functions to bypass even hardened cloud environments,' GTIG noted.
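The controls GTIG recommends (app allowlisting, IP restrictions, anomaly detection on export activity) can be expressed as simple detection rules over connected-app and API activity. The following is an added example written for this page, not code from Google, GTIG or Salesforce. It assumes a simplified, constructed event schema (fields ts, user, ip, app, op, rows) rather than Salesforce's real Event Monitoring field names, a hypothetical allowlist of connected apps, and a corporate IP range taken from the documentation address space; the sample records are constructed to reproduce the pattern described above, where a freshly authorised app with an innocuous name pulls a large volume of rows from a non-corporate IP.

```python
"""Detection sketch for the pattern GTIG describes: a connected app that is
not on the organisation's allowlist gets authorised from an IP outside the
corporate ranges, then pulls a large volume of CRM rows within a short
window. The records below are CONSTRUCTED for this example and use a
simplified schema; they are not Salesforce's real EventLogFile fields."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist and network ranges an admin would maintain.
ALLOWED_APPS = {"Salesforce Data Loader (Corporate)", "Marketing Sync"}
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range, constructed
BULK_ROW_THRESHOLD = 50_000   # rows per (user, app) per WINDOW before alerting
WINDOW = timedelta(hours=1)

# Constructed sample events (simplified schema: ts, user, ip, app, op, rows).
SAMPLE_EVENTS = [
    {"ts": "2025-05-20T09:00:00", "user": "jdoe", "ip": "203.0.113.10",
     "app": "Salesforce Data Loader (Corporate)", "op": "bulk_query", "rows": 1_200},
    {"ts": "2025-05-20T10:15:00", "user": "asmith", "ip": "198.51.100.7",
     "app": "My Ticket Portal", "op": "app_authorized", "rows": 0},
    {"ts": "2025-05-20T10:17:00", "user": "asmith", "ip": "198.51.100.7",
     "app": "My Ticket Portal", "op": "bulk_query", "rows": 30_000},
    {"ts": "2025-05-20T10:40:00", "user": "asmith", "ip": "198.51.100.7",
     "app": "My Ticket Portal", "op": "bulk_query", "rows": 45_000},
]


def ip_allowed(ip: str) -> bool:
    """True if the client IP falls inside an allowed corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def analyse(events):
    """Return deduplicated findings as (rule, user, app, detail) tuples."""
    findings, seen = [], set()
    history = defaultdict(list)  # (user, app) -> [(timestamp, rows)] inside WINDOW

    def emit(rule, user, app, detail):
        key = (rule, user, app, detail)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user, app, ip = e["user"], e["app"], e["ip"]

        # Rule 1: a connected app outside the allowlist was authorised.
        if e["op"] == "app_authorized" and app not in ALLOWED_APPS:
            emit("unlisted_app_authorized", user, app, ip)

        # Rule 2: any activity from outside the corporate ranges (e.g. VPN exit nodes).
        if not ip_allowed(ip):
            emit("off_network_access", user, app, ip)

        # Rule 3: cumulative bulk export volume within the sliding window.
        if e["op"] == "bulk_query":
            key = (user, app)
            history[key].append((ts, e["rows"]))
            history[key] = [(t, r) for t, r in history[key] if ts - t <= WINDOW]
            total = sum(r for _, r in history[key])
            if total >= BULK_ROW_THRESHOLD:
                emit("bulk_export_volume", user, app, total)
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input the corporate Data Loader run by jdoe produces no findings, while asmith's "My Ticket Portal" trips all three rules: it is not allowlisted, every request comes from outside the corporate range, and the two exports inside one hour add up to 75,000 rows. In a real deployment the allowlist and IP rules are better enforced preventively (connected-app policies and login IP ranges) with this kind of volume check layered on top as detection, since a vished user can still authorise an app the attacker controls.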


Related Articles

Man pleads guilty after $410m Bitcoin theft led to parents' kidnapping

1News – a day ago

A Connecticut man whose parents were kidnapped after he took part in a US$245 million (NZ$410 million) Bitcoin theft has pleaded guilty to fraud and money laundering conspiracy charges and has agreed to testify against his co-defendants, according to court documents that were unsealed this week.

Veer Chetal, 19, from Danbury, Connecticut, was one of three men charged with stealing 4100 Bitcoins from a victim in Washington, DC, in an elaborate online scam last August. The trio lived large after the heist, spending millions of dollars on cars, jewellery, rental mansions and nightclub parties, prosecutors say.

A week after the theft, Chetal's parents were assaulted and kidnapped briefly in Danbury in a failed ransom plot aimed at Chetal, who the attackers believed had a large amount of cryptocurrency, authorities said.

Chetal's criminal case was unsealed on Monday in federal court in Washington, revealing his guilty pleas in November and his agreement to cooperate with federal authorities investigating the Bitcoin theft. It also revealed new allegations that he was involved in about 50 similar thefts that raked in another US$3 million (NZ$5.03 million) between November 2023 and September 2024.

Another man charged in the Bitcoin theft, Malone Lam, was also among 13 people indicted by a federal grand jury in May in an alleged online racketeering conspiracy involving cryptocurrency thefts across the US and overseas that netted more than US$260 million (NZ$436 million), including the US$245 million (NZ$410 million) Bitcoin theft.

Chetal is facing 19 to 24 years in prison, a fine between US$50,000 and US$500,000 (NZ$83,845.60 and NZ$838,456.10) and restitution to the victim that has yet to be determined, according to federal sentencing guidelines and his plea agreement. His lawyer, David Weinstein, declined to comment, saying Chetal's case is still pending.

In September, federal agents with a search warrant raided Chetal's apartment in Brunswick, New Jersey, and his parents' home in Danbury in connection with the US$245 million (NZ$410 million) Bitcoin heist. Authorities said they found more than US$500,000 (NZ$838,452.70) in cash, expensive jewellery and watches and high-end clothing. Federal agents also said Chetal had US$39 million (NZ$65.4 million) worth of cryptocurrency that he turned over to investigators.

Authorities alleged Chetal, Lam and Jeandiel Serrano were involved in online 'social engineering' attacks against cryptocurrency holders. Lam would send victims alerts about unauthorised attempts to access their crypto accounts, while the others would call the victims posing as representatives from well-known companies like Google and Yahoo and gain access to their accounts, authorities said. Messages seeking comment were left with lawyers for Lam and Serrano today.

A week after the theft, six Florida men were accused of kidnapping Chetal's parents in broad daylight in Danbury. One of them crashed a car into the parents' Lamborghini, while others pulled up in a van, police said. The attackers forced the couple out of their vehicle, beat them, put them in the van and tied them up, police said.

The plot was foiled, and the attackers were arrested quickly because there were eyewitnesses who immediately called police, and an off-duty FBI agent happened to be driving by at the time of the kidnapping, authorities said. Federal agents said a seventh man who was later arrested in connection with the kidnapping had previously gotten into a dispute with Chetal that turned physical at a Miami nightclub. The attack on the couple is part of an increasing trend worldwide in robbers using violence to steal cryptocurrency.

Chetal, who was attending Rutgers University in New Jersey at the time of the US$245 million (NZ$410.8 million) theft and later withdrew, was born in India and came to the US with his family when he was 4 years old in 2010, according to court documents. His father was granted a foreign worker's visa, and his wife and children obtained related dependent visas. Federal authorities said Chetal could face deportation as a result of the criminal case. Authorities say Chetal's father lost his job at Morgan Stanley because of the kidnapping and his son's connection to it.

Chetal was initially released from federal custody on his own recognisance. But a judge ordered him detained until trial earlier this year after federal prosecutors said they discovered Chetal was involved in another crypto theft worth US$2 million (NZ$3.35 million) in October that he didn't tell them about, after he had begun cooperating with federal authorities.

World's largest data breach exposes 16 billion credentials

Techday NZ – 3 days ago

The scale of the latest data breach, involving a staggering 16 billion new credentials and passwords, is forcing both experts and organisations to reckon with the ongoing weaknesses in global digital security. Described as the world's largest data breach, the incident has reportedly swept up data from a vast array of online platforms, including not only commercial giants like Apple and Google but also government services and numerous SaaS (Software as a Service) applications.

Brian Soby, co-founder and CTO at AppOmni, whose company specialises in securing digital records, believes the breach was inevitable given the industry's reliance on outmoded security frameworks. Soby warns that the gravity of the situation goes beyond the raw numbers: "This isn't just a collection of old, previously leaked passwords; it appears to be a new, massive, and highly organised library of credentials." According to Soby, cybercriminals now hold a "roadmap for widespread account takeovers" that threatens the backbone of modern digital life, cloud services and SaaS applications, potentially outpacing many current security defences.

Soby highlights a critical vulnerability at the heart of today's enterprises. While many organisations invest in identity management and access security projects, basic misconfigurations and failure to disable outdated forms of credential use leave them exposed. "Large credential dumps such as these are likely to highlight just how many organisations indeed remain vulnerable to credential attacks due to these insufficient protections," he adds.

Spencer Young, Senior Vice President EMEA at cybersecurity firm Delinea, echoes the concern, underlining that static credentials, especially passwords which are seldom changed, represent an Achilles' heel. "Passwords alone – especially unrotated ones – leave consumers and organisations vulnerable to phishing, credential stuffing, and Pass-the-Hash attacks," he notes.

Young stresses that the traditional advice of strong password hygiene is no longer sufficient. Instead, initiatives like automated password rotation and credential vaulting, which reduce the window of opportunity for attackers, should be the new standard. In terms of longer-term solutions, Young observes that passwordless authentication approaches are gaining traction. "Technologies such as biometrics, where biometric data remains encrypted and safely stored in the device and does not travel across the network, improves the authentication process," he explains. However, he warns that passwords themselves are far from obsolete; they are increasingly being relegated to the background as part of a layered, multifactor authorisation system that may include one-time passwords or magic links to enhance security.

With cybercriminals orchestrating campaigns using vast troves of login data, the scale of weaponisation is unprecedented. Tim Eades, CEO and co-founder at Anetac, illustrates the dilemma facing organisations across the world, as these troves become "a commodity that are bought, sold, and weaponised in countless attacks." Eades notes that the unrelenting circulation of stolen records magnifies the risk over time, especially as new AI agents, sometimes deployed without adequate safeguards, can introduce further vulnerabilities and thousands of new access points for attackers. "The part that keeps CISOs up at night? These records circulate for years, the risk doesn't go away, it only grows over time."

Raising further alarm, Eades points out that until affected organisations are identified, compromised individuals may have no warning or recourse. This opacity not only endangers users but also perpetuates a cycle in which threat actors vie to surpass one another, pushing the boundaries of data breaches ever further. He urges organisations to reinforce security measures: "Leaders should protect all credentials like they are the keys to the castle."

Encouraging the use of unique passwords, two-factor authentication, and embedding a culture of security awareness are presented as essential starting points. Another concern arising from the breach is the "snowball effect" it might have on cyber-attacks, especially through the proliferation of sleeper accounts. Xavier Sheikrojan, Senior Risk Intelligence Manager at Signifyd, warns that fraudsters may use stolen credentials not just for immediate exploitation but to create dormant accounts for later and larger-scale attacks. He advocates for proactive action, urging businesses to monitor user behaviour, force password resets, and continually refine machine learning systems aimed at picking up fraudulent activity.

As experts across the sector agree, the exposure of billions of records simultaneously marks a pivotal moment in the digital security landscape. While technology continues to advance, so too does the capacity and sophistication of cybercrime, prompting renewed calls for organisations and individuals alike to treat identity and access security with unwavering seriousness and vigilance.

Jamf report finds phishing & infostealers surge on Apple devices

Techday NZ – 6 days ago

Jamf has released its Security 360 Report, highlighting significant security trends and risks for mobile and Mac devices within organisational environments worldwide. The report, which examines both mobile and macOS platforms, identifies phishing, infostealers, and operating system vulnerabilities as major concerns and areas where enterprises need to focus their cybersecurity efforts.

According to Josh Stein, Vice President of Product Strategy at Jamf, the aim of the research is to help security professionals understand and manage the challenges posed by both longstanding and emerging threats. "Our goal with this research is to inform security leaders about the risks impacting their organizations – whether those risks impact Mac or mobile – and provide tangible recommendations for safeguarding their organizations against increasingly sophisticated attacks," said Stein. "Age-old threats like phishing remain extremely prevalent and cannot be overlooked…nor can threats skyrocketing in popularity like infostealers. Jamf remains deeply committed to continuous threat research to not only protect our customers but also contribute valuable insights to the broader security community."

Mobile threats

The report notes that mobile devices are frequently the sole tools used by employees to access work resources, emphasising the need for robust defences across a variety of threat vectors. Jamf segmented its analysis of mobile device threats into four key areas: phishing, vulnerability management, application risk and malware, and spyware.

Phishing attacks remain especially prevalent, with Jamf identifying approximately 10 million such attacks in the past year. The company reported that 25% of organisations experienced a social engineering incident and that one in ten users clicked on a malicious phishing link. The report suggests security training programmes and the adoption of layered, zero-trust security models can help mitigate these risks.

In terms of vulnerability management, Jamf found that 32% of organisations had at least one device with critical vulnerabilities, and that 55.1% of mobile devices in use within workplaces were running on a vulnerable operating system. The company highlighted the importance of timely updates to patch known vulnerabilities, as provided by both Apple and Google.

The research further discussed application risk, referencing Jamf's previous identification of a Transparency, Consent and Control (TCC) bypass flaw on iOS. The company demonstrated how side-loaded apps can compromise user privacy and emphasised the need for security controls that extend beyond just keeping operating systems up to date.

Spyware and advanced malware were identified as threats that, though less frequent than on some platforms, are extremely sophisticated when they do emerge. High-profile individuals, including journalists, politicians, and diplomats, are at particular risk, with Apple sending compromise notifications to users in around 100 countries last year. The report recommends treating mobile devices with the same level of security as other endpoints in the enterprise environment.

Threats to macOS

Mac devices, which were once principally used by executives and creatives, have become common fixtures in enterprises across a range of sectors. According to the report, this proliferation has broadened the attack surface and increased the diversity of threats targeting the platform. Jamf outlined three principal areas of concern for macOS: application risk and malware, vulnerability management, and social engineering.

Infostealers have become the dominant form of malware on Macs, accounting for 28.36% of all Mac malware analysed by Jamf, compared to just 0.25% in the previous year's findings. The report singles out employees in industries such as cryptocurrency as needing to be particularly alert, advocating for both ongoing training and adequate technological defences.

The report also addresses myths about macOS security, noting that vulnerabilities persist despite perceptions of invulnerability. Jamf highlighted a recently discovered flaw in Gatekeeper, a mechanism intended to stop unverified apps from being run. The report notes the requirement for both effective technical controls and regular employee training to counter risks posed by software vulnerabilities.

Social engineering threats, including phishing, exploit the widespread adoption of Macs in the workplace. Jamf cited campaigns that use professional social media platforms such as LinkedIn as initial attack vectors, rather than the email channels typically associated with phishing. The company recommends comprehensive employee training on all forms of phishing relevant to Mac users.

Methodology

The findings in the Security 360 Report are based on the analysis of 1.4 million devices protected by Jamf, conducted in the first quarter of 2025. The scope of analysis covered the previous year, included users in 90 countries, and spanned multiple mobile and desktop platforms, including iOS, iPadOS, Android, and macOS devices. The report draws on Jamf's proprietary Threat Intelligence, incorporating data from original research, device usage metrics, and analysis of news and external data feeds.
