Full Report
Researchers at Google said the current campaign involving versions of the Salesforce Data Loader tool has targeted about 20 organizations and is ongoing.
Analysis Summary
# Incident Report: UNC6040 Exploits Salesforce Data Loader via Vishing for Data Exfiltration
## Executive Summary
The cybercriminal operation designated UNC6040 (linked to "The Com") perpetrated a widespread campaign targeting approximately 20 organizations across the Americas and Europe, primarily in hospitality, retail, and education. Attackers used sophisticated voice phishing (vishing) to trick employees into installing malicious, modified versions of the legitimate Salesforce Data Loader application, granting them extensive access for data exfiltration across Salesforce, Okta, and Microsoft 365 environments. In some cases, extortion demands were delayed by several months, suggesting potential partnerships with secondary threat actors.
## Incident Details
- Discovery Date: Wednesday (when Google published the blog)
- Incident Date: Campaign began "a few months ago" and is ongoing.
- Affected Organization: Approximately 20 organizations targeted.
- Sector: Hospitality, Retail, Education, and others.
- Geography: The Americas and Europe.
## Timeline of Events
### Initial Access
- Date/Time: Several months prior to discovery.
- Vector: Voice Phishing (Vishing) / Social Engineering.
- Details: Attackers impersonated IT support personnel over the phone, convincing victims to install a malicious connected app, often disguised as a modified version of Salesforce Data Loader.
### Lateral Movement
- After installing the malicious app, attackers gained extensive access to exfiltrate data from Salesforce environments and subsequently moved to target credentials and data within other cloud services like Okta, Workplace, and Microsoft 365.
### Data Exfiltration/Impact
- Sensitive data was successfully exfiltrated from victim Salesforce environments, with some successful exfiltration occurring before detection. Extortion demands were sometimes made months after the initial intrusion.
### Detection & Response
- Detection: Identified by researchers at Google's Threat Intelligence Group.
- Response actions taken: Google published findings, leading to awareness across the cybersecurity community. In at least one observed case, detection led to the revocation of access.
## Attack Methodology
- Initial Access: Social Engineering (Vishing) resulting in user authorization of a malicious connected app disguised as Data Loader.
- Persistence: Not explicitly detailed, but access was maintained via the authorized malicious connected app/API access to Salesforce.
- Privilege Escalation: Not explicitly detailed, but unauthorized access to sensitive environments (Salesforce, Okta, M365) was achieved.
- Defense Evasion: Exploiting user trust via high-quality, English-language vishing calls impersonating IT support; utilizing a legitimate tool's functionality (Data Loader) in a malicious context.
- Credential Access: Targeting credentials for services like Okta was explicitly mentioned as a goal.
- Discovery: Executing numerous test queries with small chunk sizes within the Salesforce environment to map valuable data before rapid bulk exfiltration.
- Lateral Movement: Moving beyond the initial Salesforce compromise to other cloud services (Okta, M365).
- Collection: Querying and extracting entire data tables from Salesforce environments.
- Exfiltration: Data extraction via large volume transfers after initial testing, using the authorized (but malicious) Data Loader application capabilities.
- Impact: Data theft and subsequent extortion attempts; claimed affiliation to groups like ShinyHunters to increase pressure.
## Impact Assessment
- Financial: Extortion demands were made, though amounts were not disclosed. Potential costs associated with remediation and recovery.
- Data Breach: Sensitive data exfiltrated from Salesforce environments; potential access to Okta and Microsoft 365 data.
- Operational: Potential disruption due to data access/exfiltration, though ransomware deployment was not observed in this specific campaign.
- Reputational: High risk due to the nature of social engineering impacting internal trust and external perception following data loss.
## Indicators of Compromise
- Network indicators: *[Not explicitly detailed in the summary of threat actor activity, though external connections would be required for exfiltration]*
- File indicators: Modified/malicious connected applications disguised as Salesforce Data Loader.
- Behavioral indicators: Unusual queries or large chunk size data transfers originating from the application authorization session; vishing calls impersonating IT support targeting specific employee roles.
## Response Actions
- Containment measures: In at least one observed instance, access was revoked upon detection, stopping immediate exfiltration.
- Eradication steps: Not explicitly detailed, but would logically include revoking the malicious app authorization and ensuring all compromised credentials (e.g., Okta) are reset.
- Recovery actions: Not explicitly detailed, but would involve data restoration and hardening security policies surrounding application authorization.
## Lessons Learned
- Key takeaways: Employee trust, especially when dealing with IT support communications (even via phone/vishing), remains a critical exploit vector, successfully bypassing technical controls. The dependency on legitimate tools’ functionality (like Data Loader) for malicious purposes is effective.
- What could have been done better: Better technical controls around what "connected apps" are authorized and the scope of data they can access, even after user authorization. Stronger MFA enforcement across all cloud services mentioned (Okta).
## Recommendations
- Prevention measures for similar incidents: Implement strict policies requiring multi-factor authentication (MFA) for all administrative or data access changes, even when initiated via seemingly legitimate application authorizations. Conduct specific vendor risk training focused on social engineering techniques like vishing targeting cloud application integrations (Salesforce connected apps). Salesforce administrators should strictly limit the permissions granted to user-installed connected apps.