Google Report Warns of Growing Threat from Vishing Gang Targeting Corporate Data
A cybercrime operation known as UNC6040 has been identified by Google's Threat Intelligence Group (GTIG) as a significant threat to multinational corporations. This financially motivated group specializes in voice phishing (vishing) campaigns, impersonating Salesforce IT support staff to trick employees into granting access to their company's sensitive Salesforce data.
The attacks, which are particularly effective against English-speaking employees, rely on a fraudulent application, often a modified version of Salesforce's Data Loader tool. Once the victim installs or authorizes it, this malicious software gives the attackers the ability to access, query, and exfiltrate large volumes of data.
To defend against these attacks, organizations should:
- Train employees to recognize social engineering and vishing attempts, especially those impersonating IT or Salesforce support. Awareness is critical because attackers rely on convincing communication to bypass technical controls.
- Enforce robust Multi-Factor Authentication (MFA) policies to prevent credential misuse even if usernames and passwords are compromised, since attackers specifically seek MFA codes during calls.
- Restrict and monitor privileged access to Salesforce environments, limiting who can install or use connected apps and third-party tools, and scrutinize their legitimacy.
- Deploy Salesforce-native security tools, such as WithSecure Cloud Protection for Salesforce, which can block malicious files and phishing links and detect compromised credentials in real time across Salesforce workflows.
- Maintain strict controls on downloading and running external tools within Salesforce environments, including blocking unauthorized versions of tools like Salesforce Data Loader associated with these attacks.
- Implement real-time monitoring and incident response plans to detect and mitigate suspicious access quickly, as the attackers exploit brief access windows before being cut off.
- Prepare for potential extortion efforts by threat actors, which currently involve demands for bitcoin payments under tight deadlines; consider collaboration with law enforcement and cybersecurity experts to handle such incidents.
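The monitoring and tool-control points above come down to knowing which clients are allowed to talk to your Salesforce org and who is allowed to run bulk tooling. The following is an added example, not code from the report or from Salesforce or WithSecure: it audits constructed login-event records (the column names and application strings are assumptions for the example; check your own org's event log schema) against an allowlist of approved API clients and a short list of users authorised to use Data Loader-style tools.

```python
import csv
import io

# Connected apps / API clients the organisation has approved (assumed allowlist).
APPROVED_APPS = {"Salesforce Mobile", "Approved Integration"}
# Users authorised to run Data Loader-style bulk tooling (assumed).
BULK_TOOL_USERS = {"dataops@example.com"}

# Constructed sample rows in the shape of Salesforce login event log records.
# Field names and values are assumptions for this example, not real org data.
SAMPLE_LOGIN_EVENTS = """\
USER_NAME,SOURCE_IP,LOGIN_STATUS,APPLICATION,API_TYPE
dataops@example.com,203.0.113.5,LOGIN_NO_ERROR,Data Loader Partner,P
alice@example.com,198.51.100.7,LOGIN_NO_ERROR,Salesforce Mobile,
bob@example.com,192.0.2.44,LOGIN_NO_ERROR,My Ticket Portal,P
bob@example.com,192.0.2.44,LOGIN_NO_ERROR,Data Loader Partner,P
"""


def audit_login_events(raw_csv, approved_apps=APPROVED_APPS, bulk_users=BULK_TOOL_USERS):
    """Return (user, application, reason) findings for successful logins that
    either use a Data Loader-style tool from a non-authorised user or come from
    an API client that is not on the approved list."""
    findings = []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        if row["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
            continue  # failed logins are out of scope for this check
        user, app = row["USER_NAME"], row["APPLICATION"]
        # Assumed convention: API_TYPE is blank for interactive UI logins.
        is_api_login = row["API_TYPE"] != ""
        if "Data Loader" in app:
            if user not in bulk_users:
                findings.append((user, app, "bulk tool used by non-authorised user"))
        elif is_api_login and app not in approved_apps:
            findings.append((user, app, "unapproved API client"))
    return findings


if __name__ == "__main__":
    for user, app, reason in audit_login_events(SAMPLE_LOGIN_EVENTS):
        print(f"ALERT {reason}: user={user} application={app}")
```

Feed the function your exported login events instead of the constructed sample; every finding is a login that warrants a call back to the user through a known-good channel rather than the number that phoned them.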
Because UNC6040 relies on social engineering rather than technical exploits, human-focused defenses combined with Salesforce security capabilities are essential to protecting against this ongoing vishing campaign, which targets highly sensitive business and customer data stored in Salesforce.
The threats posed by vishing campaigns highlight the need for user training and robust security measures to protect against these sophisticated social engineering attacks. Organizations must remain vigilant and proactive in implementing these protective measures to safeguard their valuable data.
- The cybersecurity threats posed by UNC6040 emphasize the importance of training employees to identify social engineering techniques, such as vishing, which are often used to impersonate IT or Salesforce support staff.
- To safeguard sensitive business data, organizations must enforce multi-factor authentication (MFA) policies and restrict privileged access to Salesforce environments, limiting who can install or use connected apps and third-party tools.
- In addition to human-focused defenses, advanced Salesforce security tools, like WithSecure Cloud Protection for Salesforce, should be deployed to block malicious files and phishing links and to detect compromised credentials in real time across Salesforce workflows.
- To defend against ongoing vishing campaigns like UNC6040, it's crucial to maintain strict controls on downloading and running external tools within Salesforce environments, and to implement real-time monitoring and incident response plans to detect and mitigate suspicious activity quickly.