Salesforce data theft: Cyber gangs blackmail well-known companies on leak site
Cyber criminals are blackmailing 39 well-known companies on a darknet leak site. They copied their data from Salesforce.
A coalition of cybercriminal gangs has set up a leak site on the darknet. There it is blackmailing 39 well-known companies and threatening to publish data copied from their Salesforce environments unless the companies negotiate a ransom. The group also threatens to work with law firms to pursue civil and commercial claims against the victims.
The list of companies includes Adidas, ASICS, Cartier, Chanel, Cisco, Disney/Hulu, FedEx, Fujifilm, Google AdSense, HBO Max, Home Depot, IKEA, KFC, Marriott, McDonald's, Puma, Toyota, Stellantis, and UPS, as well as several airlines. The criminal groups are apparently working together under the leadership of ShinyHunters; the leak site also uses the name "Scattered Lapsu$ Hunters," which refers to the gangs Scattered Spider and Lapsus$ in addition to ShinyHunters. Google tracks the group as UNC6040.
Each victim entry lists which sensitive data was stolen and includes a sample data set. The criminals have set Friday, October 10, as the deadline for negotiations to begin. A higher-level entry, the fortieth, addresses Salesforce itself: the criminals say they would not publish the roughly one billion records in total if Salesforce contacted them and entered into negotiations, in which case the individually blackmailed companies would no longer have to pay. Bloomberg reported that Salesforce has informed its customers that it will not pay a ransom.
Voice phishing as a gateway
Back in June, Google reported on the criminal group UNC6040, which was monitored by the Google Threat Intelligence Group (GTIG). The criminal organization attacks companies with voice phishing calls and attempts to gain access to their Salesforce environments. It then steals data from there and uses it to blackmail the companies.
During the fraudulent phone calls, the attackers pose as IT support and use social engineering to convince employees to grant them access or hand over sensitive credentials. In the cases observed, the attackers always manipulated end users; no security vulnerability in Salesforce itself was exploited. The targets are usually employees of English-speaking branches of multinational companies.
Google's IT security subsidiary Mandiant has now also published guidance on how companies can better defend themselves against UNC6040 attacks. A central point is verifying the identity of callers: employees should make no assumptions and should carry out an identity check for every security-relevant request. Verification should not rely on a single factor or on weak attributes; Google names the date of birth, the last four digits of the social security number, previous names, and the names of superiors as examples of attributes that an attacker may already know. Video calls in which the caller is asked to show a company ID are preferable, and calling back on a known number is another option. IT managers should take the time to study these and the other recommendations.
Update: Added that Salesforce does not plan to pay a ransom.
(dmk)