Full Report
The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. [...]
Analysis Summary
# Threat Actor: UNC6040 and UNC6395 (Associated with ShinyHunters, Scattered Lapsus$ Hunters)
## Attribution & Identity
Threat clusters tracked as **UNC6040** and **UNC6395** are identified as cyber criminal groups responsible for data theft and extortion intrusions targeting Salesforce environments. The extortion group **ShinyHunters** claims responsibility for using the stolen data. The actors also self-identify as **"Scattered Lapsus$ Hunters,"** claiming overlap and origins from the **Lapsus$** and **Scattered Spider** groups.
## Activity Summary
The FBI issued a FLASH alert regarding the activities of UNC6040 and UNC6395, who are compromising organizations' Salesforce environments for data theft and subsequent extortion.
**UNC6040 Activity (Reported since late 2024):**
* Utilized social engineering and vishing attacks to trick employees into authorizing malicious Salesforce Data Loader OAuth applications.
* Impersonated corporate IT support staff, often using applications renamed "My Ticket Portal."
* Mass-exfiltrated corporate Salesforce data, specifically targeting the "Accounts" and "Contacts" database tables.
* The exfiltrated data was leveraged for extortion attempts by ShinyHunters.
**UNC6395 Activity (Observed August 8th - 18th):**
* Targeted Salesforce customers by exploiting stolen **Salesloft Drift OAuth and refresh tokens**.
* Used the compromised tokens to target and exfiltrate **support case information** stored in Salesforce.
* Exfiltrated data was analyzed to extract secrets, credentials, and authentication tokens (including **AWS keys, passwords, and Snowflake tokens**), potentially allowing pivots to other cloud environments.
* Later, actors also stole **Drift Email tokens**, leading to access of emails in a small number of **Google Workspace** accounts. This activity stemmed from a supply chain compromise of Salesloft's GitHub repositories in March.
The actors also claimed to have gained access to the **FBI's E-Check background check system** and **Google's Law Enforcement Request system**, publishing screenshots as proof.
## Tactics, Techniques & Procedures
- **Initial Access (UNC6040):** Social engineering, Vishing, Impersonation (IT support staff).
- **Initial Access (UNC6395):** Supply chain compromise (Salesloft GitHub repositories leading to token theft).
- **Authentication Abuse:** Gaining unauthorized access via malicious Salesforce Data Loader OAuth apps.
- **Token Theft/Abuse (UNC6395):** Usage of stolen Salesloft Drift OAuth/refresh tokens and Drift Email tokens.
- **Lateral Movement/Exfiltration:** Using stolen credentials (AWS keys, Snowflake tokens) from Salesforce support cases to pivot to other cloud environments.
- **Data Exfiltration:** Mass-exfiltration of Salesforce data (Accounts, Contacts) and support case information.
- **Extortion:** Using stolen data for extortion attempts (by ShinyHunters).
## Targeting
- **Sectors:** Broad impact across sectors, since the targets are large corporations (Tech, Insurance, Retail, Automotive, etc.).
- **Geography:** Global prevalence implied by the list of targeted large multinational companies.
- **Victims (UNC6040):** Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, Tiffany & Co.
- **Victims (UNC6395/Salesloft chain):** Cloudflare, Zscaler, Tenable, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many others.
## Tools & Infrastructure
- **Malware families used:** None explicitly named; the activity abuses legitimate application mechanisms (OAuth) rather than custom malware.
- **Tokens/Apps Targeted:** Salesforce Data Loader OAuth apps, Salesloft Drift OAuth tokens, Salesloft Drift refresh tokens, Drift Email tokens.
- **Infrastructure:** Actors use a domain associated with **BreachForums** for communication and public announcements.
## Implications
The combination of both clusters highlights a significant and evolving threat against SaaS platforms, specifically Salesforce. UNC6040 focuses on deceiving users into granting direct access, while UNC6395 demonstrates a sophisticated supply chain attack leading to the compromise of session tokens, which allows access not only to Salesforce but also pivoting to other cloud environments (AWS, Snowflake) via credentials embedded in support cases. The actors' claims of breaching law enforcement systems suggest a high level of operational capability and potential for compromise of sensitive government/investigative data.
## Mitigations
- **General Awareness:** Implement defense measures based on the FBI FLASH advisory IOCs (though IOCs are not detailed in this text snippet).
- **Salesforce Security:** Scrutinize and audit all connected OAuth applications, particularly Data Loader tools, and monitor for newly installed or unusual apps.
- **Social Engineering Defense:** Enhance employee training against vishing and social engineering campaigns impersonating IT support.
- **Token Management (UNC6395 specific):** Immediately revoke all Salesloft Drift and associated tokens/sessions following the breach notification, then re-authenticate the integrations so that only freshly issued tokens remain valid.
- **Support Case Security:** Review policies regarding the sharing of sensitive credentials (AWS keys, tokens) within support tickets, as this serves as a high-value data extraction point.
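The last two mitigations can be turned into a routine check: scan support case text for credential material before it accumulates in Salesforce. The Python below is an added example, not code from the FBI alert or from Salesforce; the case records are constructed (the AWS pair is AWS's published example key, the other values are made up), and the regexes are heuristics chosen for this illustration, not indicators from the advisory.

```python
import re
from typing import Dict, List

# Heuristic patterns for credential material that ends up pasted into support
# tickets. The AWS access-key-ID shape is AWS's documented format; the other
# patterns are generic key/value forms chosen for this example (assumptions).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})\b"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)"),
    "api_token": re.compile(
        r"(?i)\b(?:bearer|token)[=:\s]+([A-Za-z0-9._-]{24,})"),
}

def redact(secret: str) -> str:
    """Keep a short prefix so a reviewer can correlate the finding with the
    ticket without re-exposing the value in the scan output."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)

def find_secrets(text: str) -> List[Dict[str, str]]:
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            hits.append({"type": name, "redacted": redact(value)})
    return hits

def scan_cases(cases: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Map CaseNumber -> findings for every case whose text carries a secret."""
    findings = {}
    for case in cases:
        hits = find_secrets(case.get("Subject", "") + "\n" + case.get("Description", ""))
        if hits:
            findings[case["CaseNumber"]] = hits
    return findings

# Constructed sample cases (hypothetical case numbers and contents).
SAMPLE_CASES = [
    {"CaseNumber": "00001001", "Subject": "S3 upload denied",
     "Description": "Our sync job uses aws_access_key_id = AKIAIOSFODNN7EXAMPLE "
                    "and aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY, "
                    "please check why PutObject is denied."},
    {"CaseNumber": "00001002", "Subject": "Snowflake connector 401",
     "Description": "Warehouse queries fail. Session token: ver1-hint1234-ETMsDgAAAYq1constructedvalue "
                    "and password=Summer2025! for svc_snowflake."},
    {"CaseNumber": "00001003", "Subject": "Report export slow",
     "Description": "Dashboard export takes ten minutes since the last release."},
]

if __name__ == "__main__":
    for case_number, hits in scan_cases(SAMPLE_CASES).items():
        print(case_number, hits)
```

Findings are reported redacted so the scan output itself does not become another copy of the secret; any hit should trigger rotation of the credential as well as removal from the ticket.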