Google Threat Intelligence Group (GTIG) has uncovered a financially motivated campaign by UNC6040, a threat actor using voice phishing (vishing) to compromise ~20 Salesforce customer instances. The attackers impersonate IT support, tricking employees into authorizing a malicious version of Salesforce’s Data Loader tool, enabling broad data exfiltration.
Key Tactics
- Vishing Calls: Social engineering via phone to gain trust.
- Malicious Data Loader: Fake tool granting attackers direct Salesforce access.
- Extortion: Post-theft ransom demands, sometimes falsely linked to “ShinyHunters.”
You Should Know: How to Detect & Mitigate UNC6040 Attacks
1. Monitor Suspicious Connected Apps
Salesforce admins should audit connected apps for unauthorized access:
```bash
# List all connected apps in the org (Salesforce CLI; -u takes the target org username or alias)
sfdx force:mdapi:listmetadata -m ConnectedApp -u <username>

# List OAuth tokens used in the last 7 days, then revoke any that look suspicious
# under Setup > Connected Apps OAuth Usage
sfdx force:data:soql:query -q "SELECT Id, AppName, UserId, LastUsedDate FROM OauthToken WHERE LastUsedDate = LAST_N_DAYS:7" -u <username>
```
2. Enforce Least Privilege in Salesforce
Restrict user permissions:
```bash
# Retrieve profile metadata to review object, field and system permissions
sfdx force:source:retrieve -m Profile -u <username>

# Example: remove API access from a profile that does not need it
# (Data Loader depends on the "API Enabled" profile permission)
sfdx force:data:record:update -s Profile -w "Name='Standard User'" -v "PermissionsApiEnabled=false" -u <username>
```
3. Detect Anomalous Data Exports
Check for unusual Data Loader activity:
```sql
-- Event Monitoring log files covering Bulk API activity in the last 7 days (Salesforce SOQL);
-- download each LogFile and review which users ran export (query) jobs and how many rows they pulled
SELECT Id, EventType, LogDate, LogFileLength
FROM EventLogFile
WHERE EventType = 'BulkApi' AND LogDate = LAST_N_DAYS:7
ORDER BY LogDate DESC
```
EventLogFile is part of Salesforce Event Monitoring, so the org needs that feature enabled for the BulkApi event type to be available.
4. Block Malicious IPs (Linux Firewall)
If attackers use known IPs, block them via iptables on the hosts you control:
```bash
sudo iptables -A INPUT -s <attacker-ip> -j DROP
sudo iptables-save > /etc/iptables/rules.v4
```
A host firewall does not restrict who can log in to your Salesforce tenant itself; for that, set login IP ranges on profiles (Setup > Profiles > Login IP Ranges) so sessions from outside approved ranges are refused.
5. Enable MFA & Session Timeouts
Force MFA for all users:
```bash
# Run an Apex script against the org (enableMFA.apex is a placeholder for your own script)
sfdx force:apex:execute -f enableMFA.apex -u <username>
```
MFA is enforced through the "Multi-Factor Authentication for User Interface Logins" user permission (assigned via profile or permission set) together with the org's session settings; verify in Setup that every user actually has it assigned.
What Undercode Say
UNC6040’s attack is a reminder that cloud security depends on human vigilance. Key takeaways:
– Train employees to recognize vishing attempts.
– Audit connected apps weekly.
– Restrict API access to only necessary users.
– Monitor logs for unusual data exports.
For defenders, automation is critical. Use SIEM tools (Splunk, ELK) to alert on suspicious Salesforce activity:
Sample alert rule (Elasticsearch Watcher); the index pattern and the event_type field/value depend on how your Salesforce event logs are ingested:
```bash
# Every 5 minutes, search the last 5 minutes of Salesforce logs for Bulk API export
# events and log an alert if any are found
curl -XPUT 'http://localhost:9200/_watcher/watch/salesforce_bulk_export' \
  -H 'Content-Type: application/json' -d '{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": { "search": { "request": {
    "indices": ["salesforce-*"],
    "body": { "query": { "bool": { "filter": [
      { "match": { "event_type": "BulkApiExport" } },
      { "range": { "@timestamp": { "gte": "now-5m" } } }
    ] } } } } } },
  "condition": { "compare": { "ctx.payload.hits.total": { "gt": 0 } } },
  "actions": { "log_alert": { "logging": {
    "text": "{{ctx.payload.hits.total}} Salesforce Bulk API export events in the last 5 minutes"
  } } }
}'
```
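Step 3 and the SIEM paragraph above both hinge on spotting exports that are unusual for a given user, not just any Bulk API activity. The following added example (not from the original post) shows the kind of check a SIEM rule or script would implement: it parses constructed rows shaped like Salesforce's EventLogFile BulkApi event type (the column names TIMESTAMP_DERIVED, USER_ID, OPERATION_TYPE, ENTITY_TYPE, ROWS_PROCESSED and CLIENT_IP are assumed) and flags users whose exported row count or source IP departs from a per-user baseline.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of Salesforce EventLogFile 'BulkApi' rows
# (column names assumed); the second user pulls far more than usual from an
# IP the org has not seen before.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_ID,OPERATION_TYPE,ENTITY_TYPE,ROWS_PROCESSED,CLIENT_IP
2025-06-04T09:02:11Z,005000000000001,query,Account,1200,198.51.100.7
2025-06-04T09:05:40Z,005000000000001,query,Contact,800,198.51.100.7
2025-06-04T13:17:03Z,005000000000002,query,Account,250000,203.0.113.9
2025-06-04T13:21:55Z,005000000000002,query,Contact,180000,203.0.113.9
2025-06-04T14:00:00Z,005000000000002,insert,Lead,40,203.0.113.9
"""

# Constructed per-user baseline: typical daily export volume and the client
# IPs from which the user has exported before.
BASELINE = {
    "005000000000001": {"daily_rows": 5000, "known_ips": {"198.51.100.7"}},
    "005000000000002": {"daily_rows": 3000, "known_ips": {"192.0.2.44"}},
}

def summarize_exports(csv_text):
    """Sum rows exported per user ('query' operations only) and collect source IPs."""
    totals = defaultdict(lambda: {"rows": 0, "ips": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["OPERATION_TYPE"].lower() != "query":  # inserts/updates are not exports
            continue
        totals[row["USER_ID"]]["rows"] += int(row["ROWS_PROCESSED"])
        totals[row["USER_ID"]]["ips"].add(row["CLIENT_IP"])
    return totals

def flag_anomalies(csv_text, baseline, volume_factor=10):
    """Map user_id -> reasons for users whose export volume or source IP deviates from baseline."""
    findings = {}
    for user_id, summary in summarize_exports(csv_text).items():
        base = baseline.get(user_id)
        reasons = []
        if base is None:
            reasons.append("no export baseline for this user")
        else:
            if summary["rows"] > volume_factor * base["daily_rows"]:
                reasons.append(f"exported {summary['rows']} rows (baseline {base['daily_rows']}/day)")
            new_ips = sorted(summary["ips"] - base["known_ips"])
            if new_ips:
                reasons.append(f"export from unseen client IP(s): {new_ips}")
        if reasons:
            findings[user_id] = reasons
    return findings
```

Calling flag_anomalies(SAMPLE_LOG, BASELINE) returns findings only for the second user, with one reason for volume and one for the unseen IP; the first user's activity matches baseline and is not reported.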
Prediction
Expect more cloud-based social engineering attacks in 2025, with AI-generated voice phishing (deepfake vishing) becoming prevalent. Companies must adopt zero-trust models and behavioral analytics to counter these threats.
Expected Output
- UNC6040’s Vishing Campaign Targeting Salesforce
- Mitigation: Least privilege, MFA, SIEM monitoring
- Commands: Salesforce CLI, iptables, SOQL queries
- Report Link: GTIG Investigation
Reported By: Austin Larsen – Hackers Feeds