Voice phishing against Salesforce users: data theft and blackmail

Google is monitoring a criminal group that uses voice phishing to trick Salesforce users. Data theft is followed by blackmail.


A criminal group that Google's Threat Intelligence Group (GTIG) tracks as UNC6040 (not to be confused with the SMD package measuring 6 by 4 mm) is attacking Salesforce users to steal data and then extort the affected companies. Google describes the group, whose activities its researchers have been observing, as opportunistic and financially motivated, with a specialization in vishing (voice phishing).

In its analysis, GTIG writes that UNC6040's campaigns are specifically designed to compromise organizations' Salesforce instances, steal data at scale and then extort the organization. The group has succeeded several times in recent months. On the phone, its members posed as IT support staff and used social engineering to persuade employees either to grant them access or to hand over sensitive credentials. In every case observed, the attackers manipulated end users; no security vulnerability in Salesforce was exploited. The targets are usually employees of English-speaking branches of multinational companies.

The attackers trick victims into authorizing a malicious connected app for their company's Salesforce portal. During the vishing call, the perpetrators guide the victim to the Salesforce connected app setup page and have them approve a version of the Data Loader app that carries a different name or branding than the original. This is often a modified version of Salesforce's Data Loader that Salesforce has not authorized. Once approved, the app gives UNC6040 extensive capabilities to access, query and exfiltrate sensitive information directly from the compromised Salesforce environment.


The attackers are often patient: in some cases, months passed between the compromise and the extraction of the data. Google concludes from this that UNC6040 works with other threat actors to monetize the captured data.

The infrastructure the group uses to access Salesforce apps also hosts an Okta phishing panel. During the calls, the perpetrators directed victims to this panel from their smartphone or work PC and asked them directly for their credentials and multi-factor authentication codes, which the attackers then used to log in and add the Salesforce Data Loader app for exfiltration.

The modified Data Loader app has served the criminals with mixed results: in one instance, the attackers exfiltrated data in small blocks, which got them only about ten percent of the data before they were discovered. In another case, they began with numerous test queries using small blocks of data and then exfiltrated entire database tables.

Vishing is neither new nor innovative, Google explains; what stands out here is the focus on Salesforce environments, i.e. classic CRM software. A trend toward attacking IT support personnel to gain initial network access is becoming apparent, with attackers exploiting the trust placed in these roles to steal valuable company data. UNC6040's success shows that this attack vector remains effective.

Google recommends well-known countermeasures: organizations should follow the principle of least privilege, restrict which connected apps may be authorized and by whom, and enforce IP-based access restrictions. Advanced security monitoring and policy enforcement via Salesforce Shield are also advisable, and companies should of course enable MFA. Note that MFA alone is no protection here, since the victims read their codes out to the callers. In combination, however, these measures at least make such attacks considerably harder.
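The attack pattern described above (an unapproved connected app authorized over the phone, access from outside the corporate network, small test queries followed by a full-table pull) and the countermeasures Google recommends can be turned into a simple detector. The following is an added example written for this page; it is not code from heise, Google or Salesforce. It runs over constructed, simplified JSON-lines records of Salesforce API activity. The record schema, the approved-app allow-list keyed by OAuth client id, the client ids, the IP ranges and the thresholds are all assumptions made for the example and are not Salesforce's real EventLogFile layout.

```python
"""Detector for the UNC6040-style pattern over simplified, constructed API records.

Added example; not from the heise article, GTIG or Salesforce. All identifiers,
ranges and the log schema below are assumptions for illustration.
"""
import ipaddress
import json
from collections import defaultdict

# Assumed policy: connected apps the Salesforce admin has approved, keyed by
# OAuth consumer key (client id). Matching on the display name is deliberately
# not done, because the rogue Data Loader uses a different name or branding.
APPROVED_APPS = {"3MVG9_dataloader_official": "Salesforce Data Loader"}

# Assumed corporate egress ranges (the allow-list an IP-based login restriction
# would enforce). 203.0.113.0/24 is a documentation range used as a placeholder.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

PROBE_ROW_LIMIT = 50        # queries returning at most this many rows count as "test" queries
PROBE_COUNT_THRESHOLD = 3   # this many test queries before a bulk pull is suspicious
BULK_ROW_LIMIT = 10_000     # a single query returning more rows than this is a bulk export

# Constructed sample records (one JSON object per line, simplified schema).
SAMPLE_LOG = """\
{"ts":"2025-06-04T09:02:11Z","user":"a.muller@example.com","client_id":"3MVG9_dataloader_official","client_name":"Salesforce Data Loader","source_ip":"203.0.113.17","op":"query","object":"Account","rows":120}
{"ts":"2025-06-04T13:40:02Z","user":"j.smith@example.com","client_id":"3MVG9_unknown_7f3a","client_name":"My Ticket Portal","source_ip":"198.51.100.23","op":"app_authorized","object":"","rows":0}
{"ts":"2025-06-04T13:41:10Z","user":"j.smith@example.com","client_id":"3MVG9_unknown_7f3a","client_name":"My Ticket Portal","source_ip":"198.51.100.23","op":"query","object":"Contact","rows":10}
{"ts":"2025-06-04T13:41:30Z","user":"j.smith@example.com","client_id":"3MVG9_unknown_7f3a","client_name":"My Ticket Portal","source_ip":"198.51.100.23","op":"query","object":"Account","rows":10}
{"ts":"2025-06-04T13:41:55Z","user":"j.smith@example.com","client_id":"3MVG9_unknown_7f3a","client_name":"My Ticket Portal","source_ip":"198.51.100.23","op":"query","object":"Case","rows":10}
{"ts":"2025-06-04T13:45:00Z","user":"j.smith@example.com","client_id":"3MVG9_unknown_7f3a","client_name":"My Ticket Portal","source_ip":"198.51.100.23","op":"bulk_query","object":"Contact","rows":250000}
"""


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ip_allowed(ip):
    """True if the source address lies inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def analyze(records):
    """Return a list of (rule, user, detail) findings for the three rules."""
    findings = []
    seen_ips = set()              # (user, ip) pairs already reported under rule 2
    probes = defaultdict(int)     # (user, client_id) -> consecutive small queries
    for rec in records:
        key = (rec["user"], rec["client_id"])

        # Rule 1: a connected app was authorized whose client id is not on the allow-list.
        if rec["op"] == "app_authorized" and rec["client_id"] not in APPROVED_APPS:
            findings.append(("unapproved_app", rec["user"],
                             f"{rec['client_name']} ({rec['client_id']})"))

        # Rule 2: API activity from outside the approved IP ranges (reported once per user/IP).
        if not ip_allowed(rec["source_ip"]) and (rec["user"], rec["source_ip"]) not in seen_ips:
            seen_ips.add((rec["user"], rec["source_ip"]))
            findings.append(("outside_allowed_ip", rec["user"], rec["source_ip"]))

        # Rule 3: a run of small test queries immediately followed by a bulk export.
        if rec["op"] in ("query", "bulk_query"):
            if rec["rows"] <= PROBE_ROW_LIMIT:
                probes[key] += 1
            elif rec["rows"] > BULK_ROW_LIMIT:
                if probes[key] >= PROBE_COUNT_THRESHOLD:
                    findings.append(("probe_then_bulk", rec["user"],
                                     f"{probes[key]} small queries, then {rec['rows']} rows from {rec['object']}"))
                probes[key] = 0
            else:
                probes[key] = 0   # an ordinary mid-sized query breaks the probe run
    return findings


def run():
    """Analyze the constructed sample and print the findings."""
    findings = analyze(parse_log(SAMPLE_LOG))
    for rule, user, detail in findings:
        print(f"[{rule}] {user}: {detail}")
    return findings


if __name__ == "__main__":
    run()
```

On the sample, the legitimate Data Loader session from inside the allowed range produces nothing, while the rogue app session triggers all three rules. The allow-list is keyed by client id rather than app name on purpose: the rogue Data Loader described above carries different branding, so a name-based check would not catch it, and an app with the official name but an unknown client id would still be flagged.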


(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.