Cyber Web Spider Blog – News

FBI Shares IoCs for Recent Salesforce Intrusion Campaigns

Posted on September 15, 2025 By CWS

The FBI has shared indicators of compromise (IoCs) associated with two malicious campaigns targeting Salesforce customers for data theft and extortion.

The first campaign, attributed to a threat actor tracked as UNC6040 and ongoing for several months, relies on voice phishing (vishing) to convince employees at the victim organizations to grant the attackers access to the Salesforce instance or to share credentials for the portal.

In some cases, the attackers guide the employee to approve a modified Salesforce Data Loader application variant that grants them access to the data stored in the Salesforce instance.

“UNC6040 threat actors have utilized phishing panels, directing victims to visit from their cellphones or work computers during the social engineering calls. After obtaining access, UNC6040 threat actors have then used API queries to exfiltrate large volumes of data in bulk,” the FBI notes in its alert (PDF).

After stealing the data, the cybercriminals send extortion demands to the victim organizations, threatening to release the information publicly unless a ransom is paid in cryptocurrency.

Salesforce warned of such attacks in March, roughly three months before Google said that, in some instances, UNC6040 was seen moving laterally to other platforms, such as Microsoft 365, Okta, and Office.

UNC6040 has claimed affiliation with the notorious ShinyHunters extortion group, which appears linked to the Scattered Spider hackers.

The second malicious operation the FBI warns about is the recent widespread Salesforce-Salesloft data theft campaign that hit over 700 organizations via the integration with the Drift AI chatbot, and which has been attributed to a threat actor tracked as UNC6395.

As part of the attack, hackers used compromised OAuth tokens for Drift to access the Salesforce instances and steal large amounts of data. The hackers exfiltrated the tokens from Drift’s AWS instance, after gaining access to Salesloft’s GitHub account between March and June 2025.

Over a dozen cybersecurity companies have disclosed data breaches linked to the attack, with HackerOne and Qualys being the latest to confirm the impact.

In addition to publishing IoCs associated with these campaigns, the FBI is recommending that organizations implement phishing-resistant multi-factor authentication (MFA), train their call center on phishing, implement authentication, authorization, and accounting (AAA) systems, implement IP-based access restrictions, monitor logs, and review third-party integrations.

“The FBI recommends organizations examine and vet indicators prior to taking action, such as blocking,” the agency notes.
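
The recommendations to monitor logs, restrict access by IP, and review third-party integrations can be combined into a single log-review pass that surfaces candidates for an analyst to vet. The following is an added example, not code from the FBI alert or from Salesforce; the CSV schema, app names, allowlist, and row threshold are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of API access events (hypothetical schema, not a real export format).
SAMPLE_LOG = """timestamp,user,connected_app,source_ip,rows_returned
2025-08-10T09:00:00Z,alice,Reporting Tool,203.0.113.10,1200
2025-08-10T09:05:00Z,alice,Reporting Tool,203.0.113.10,900
2025-08-10T10:00:00Z,svc-chat,Chat Integration,198.51.100.77,250000
2025-08-10T10:02:00Z,svc-chat,Chat Integration,198.51.100.77,310000
2025-08-10T11:00:00Z,bob,Bulk Import Utility,192.0.2.55,40
2025-08-10T11:30:00Z,svc-chat,Chat Integration,203.0.113.20,500
"""

# Assumed policy: corporate egress ranges and the connected apps the organization has vetted.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_APPS = {"Reporting Tool", "Chat Integration"}
BULK_ROW_THRESHOLD = 100_000  # assumed per-(app, IP) row volume that warrants review


def ip_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def review_api_events(log_text):
    """Return findings (app, source_ip, total_rows, reasons) for analyst review."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        totals[(row["connected_app"], row["source_ip"])] += int(row["rows_returned"])

    findings = []
    for (app, ip), rows in sorted(totals.items()):
        reasons = []
        if app not in APPROVED_APPS:
            reasons.append("unapproved connected app")
        if not ip_allowed(ip):
            reasons.append("source IP outside allowlist")
        if rows >= BULK_ROW_THRESHOLD:
            reasons.append("bulk data volume")
        if reasons:
            findings.append((app, ip, rows, reasons))
    return findings


if __name__ == "__main__":
    for app, ip, rows, reasons in review_api_events(SAMPLE_LOG):
        print(f"{app} from {ip}: {rows} rows -> {', '.join(reasons)}")
```

An approved integration pulling bulk data from an unexpected address is flagged alongside an unapproved app, which is the pattern a stolen OAuth token for a vetted integration would produce.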
