Cyber Criminal Groups Compromising Salesforce Instances for Data Theft and Extortion
Essential information
- Published
- 15/09/2025 14:01
- Modified
- 15/09/2025 21:15
- Tags
- 2025-09-15 api exfiltration data theft extortion oauth salesforce shinyhunters social engineering vishing
- Related entities
- 59 observables, 1 intrusion set (apt), 7 techniques (mitre)
Description
Two cybercriminal groups, UNC6040 and UNC6395, are targeting organizations' Salesforce platforms for data theft and extortion. UNC6040 relies on social engineering, particularly voice phishing (vishing), to gain access to Salesforce accounts: employees are tricked into granting access or sharing credentials, after which the group uses API queries or malicious connected apps to exfiltrate data. UNC6395 instead abuses compromised OAuth tokens issued to the Salesloft Drift application to access Salesforce instances. Both groups have been observed exfiltrating large volumes of customer data. Victims of UNC6040 have received extortion emails demanding cryptocurrency payments in exchange for not publishing the stolen data. The FBI has provided numerous IP addresses and other indicators of compromise associated with these groups, along with recommended mitigations to harden Salesforce environments and prevent such attacks.
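The two access paths above (a connected app authorised by a tricked user, and API queries pulling bulk data) leave traces in Salesforce API event logs. The following Python snippet is an added defender-side illustration, not code from this report or the FBI advisory; its column names and log rows are a constructed, simplified stand-in for real EventLogFile exports, and the allowlist and row threshold are assumed values a team would tune to its own org.

```python
"""Toy detection over constructed Salesforce-style API event log lines.

Assumed schema (simplified, not the real EventLogFile layout):
EVENT_TYPE, TIMESTAMP, USER, CLIENT_IP, CONNECTED_APP, ROWS_PROCESSED
"""
import csv
import io
from collections import defaultdict

# Constructed sample: rows 1-3 are routine use through an approved app;
# rows 4-6 show an unapproved app pulling large row counts for one user.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER,CLIENT_IP,CONNECTED_APP,ROWS_PROCESSED
API,2025-09-10T08:01:00Z,alice@example.test,198.51.100.7,ApprovedCRMSync,120
API,2025-09-10T08:05:00Z,alice@example.test,198.51.100.7,ApprovedCRMSync,90
BulkApi,2025-09-10T09:00:00Z,bob@example.test,198.51.100.9,ApprovedCRMSync,5000
BulkApi,2025-09-10T13:02:00Z,carol@example.test,203.0.113.44,UnreviewedExportApp,250000
BulkApi,2025-09-10T13:04:00Z,carol@example.test,203.0.113.44,UnreviewedExportApp,310000
API,2025-09-10T13:05:00Z,carol@example.test,203.0.113.44,UnreviewedExportApp,2000
"""

APPROVED_APPS = {"ApprovedCRMSync"}   # assumed allowlist of reviewed connected apps
ROW_THRESHOLD = 100_000               # assumed per-user total that warrants review


def analyse(log_text, approved_apps=APPROVED_APPS, row_threshold=ROW_THRESHOLD):
    """Return {user: [finding, ...]} for users whose API activity came through
    a non-allowlisted connected app or exceeded the row threshold."""
    rows_by_user = defaultdict(int)
    apps_by_user = defaultdict(set)
    ips_by_user = defaultdict(set)
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["EVENT_TYPE"] not in ("API", "BulkApi"):
            continue  # only API-driven data access matters here
        user = rec["USER"]
        rows_by_user[user] += int(rec["ROWS_PROCESSED"])
        apps_by_user[user].add(rec["CONNECTED_APP"])
        ips_by_user[user].add(rec["CLIENT_IP"])

    findings = defaultdict(list)
    for user, apps in apps_by_user.items():
        unapproved = sorted(apps - approved_apps)
        if unapproved:
            findings[user].append(f"unapproved connected app(s): {', '.join(unapproved)}")
        if rows_by_user[user] >= row_threshold:
            findings[user].append(
                f"bulk extraction: {rows_by_user[user]} rows from {sorted(ips_by_user[user])}")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in analyse(SAMPLE_LOG).items():
        print(user, "->", "; ".join(notes))
```

In practice the allowlist would be checked against the org's reviewed connected apps and the source IPs matched against the FBI-published indicators before a finding is escalated.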