
Increase in Menace from Vishing Organisation Exploiting Corporate Data, According to Google

Vishing attacks continue to pose a significant risk, with recent successes underscoring the need for organizations to strengthen user education and enforce robust security protocols against these cunning social engineering tactics.


In a recent development, cybersecurity experts at Google Threat Intelligence have identified a new threat, known as UNC6040, specializing in voice phishing (vishing) campaigns. This operation targets English-speaking employees in multinational corporations, using sophisticated social engineering tactics to gain access to sensitive Salesforce data.

The attacks often involve impersonating IT support staff and tricking employees into granting a fraudulent application access to their company's Salesforce data. That application, often a modified version of Salesforce's Data Loader tool, gives attackers the ability to query and steal large volumes of sensitive data.

Google advises leveraging Security Monitoring tools within Salesforce Shield to monitor for large data downloads and other unusual activity. The company also recommends requiring Multi-Factor Authentication (MFA) and educating employees about vishing tactics designed to bypass it.

The success of these vishing campaigns highlights the need for user training and robust security measures. Key recommended measures include enforcing MFA on all access points, conducting employee awareness and training, implementing robust identity and access management policies, using monitoring and alerting tools, regularly reviewing and tightening endpoint security, and applying established cyber security best practices as recommended by Salesforce.

These measures aim to reduce human exploitation vulnerabilities that UNC6040 targets with vishing, while strengthening technical controls on credentials, authentication, and monitoring to prevent and detect unauthorized Salesforce access and data exfiltration.

Recent updates reveal that a similar attack in June impacted one of Google's corporate Salesforce instances. To prevent such incidents, Google recommends rigorously managing connected apps and restricting the ability to install new ones. The company also suggests enforcing IP-Based Restrictions, blocking logins and app authorizations from unknown IP addresses or commercial VPNs.

Interestingly, the attackers are now using anonymizing services like Mullvad VPN and Tor to initiate vishing calls and exfiltrate data. To counter this, Google recommends enforcing the Principle of Least Privilege to limit user permissions, especially for powerful data access tools like Data Loader.
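The three technical controls the article describes (monitoring for large data downloads, blocking logins from unknown addresses or commercial VPN ranges, and restricting which connected apps may pull data) can be turned into simple detection logic over Salesforce event logs. The script below is an added example written for this page; it is not Google's or Salesforce's code. The CSV column names, the sample log lines, the VPN address range, the client allowlist and the row threshold are all constructed for the example and are not Salesforce's documented Event Monitoring schema or real infrastructure.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample event log, loosely modelled on a Salesforce Event Monitoring
# CSV export. Column names are an assumption for this example, not the real schema.
SAMPLE_EVENTS = """EVENT_TYPE,TIMESTAMP,USER_NAME,SOURCE_IP,CLIENT_NAME,ROWS_PROCESSED
Login,2025-06-10T09:01:02Z,alice@example.com,203.0.113.10,Browser,0
API,2025-06-10T09:05:10Z,alice@example.com,203.0.113.10,Salesforce Data Loader,1500
Login,2025-06-10T10:15:00Z,bob@example.com,198.51.100.7,Browser,0
API,2025-06-10T10:20:00Z,bob@example.com,198.51.100.7,My Ticket Query,60000
API,2025-06-10T10:25:00Z,bob@example.com,198.51.100.7,My Ticket Query,75000
Login,2025-06-10T11:00:00Z,carol@example.com,192.0.2.55,Browser,0
"""

# Constructed placeholder for "commercial VPN / unknown" address ranges that
# should not be allowed to log in or authorize apps (documentation range).
DENIED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed allowlist of connected app names permitted to issue API queries.
# Anything else is treated as an unmanaged connected app worth investigating.
APPROVED_CLIENTS = {"Browser", "Salesforce Data Loader"}

# Constructed per-user daily threshold for rows pulled through the API.
ROW_THRESHOLD = 100_000


def parse_events(text):
    """Parse CSV event log text into dicts, coercing ROWS_PROCESSED to int."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"] or 0)
        events.append(row)
    return events


def ip_in_ranges(ip, ranges):
    """True when the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def analyse(events, denied_ranges=DENIED_RANGES,
            approved_clients=APPROVED_CLIENTS, row_threshold=ROW_THRESHOLD):
    """Return (alert_kind, user, detail) tuples for the three controls above."""
    alerts = []
    rows_by_user = defaultdict(int)
    seen_unapproved = set()  # avoid one alert per query for the same app

    for ev in events:
        user = ev["USER_NAME"]
        if ev["EVENT_TYPE"] == "Login" and ip_in_ranges(ev["SOURCE_IP"], denied_ranges):
            alerts.append(("login_from_denied_range", user, ev["SOURCE_IP"]))
        if ev["EVENT_TYPE"] == "API":
            client = ev["CLIENT_NAME"]
            if client not in approved_clients and (user, client) not in seen_unapproved:
                seen_unapproved.add((user, client))
                alerts.append(("unapproved_client", user, client))
            rows_by_user[user] += ev["ROWS_PROCESSED"]

    # Volume check runs over the whole window so many medium-sized pulls
    # add up to one alert, mirroring the "large data downloads" guidance.
    for user, total in rows_by_user.items():
        if total > row_threshold:
            alerts.append(("bulk_extraction", user, total))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in analyse(parse_events(SAMPLE_EVENTS)):
        print(f"{kind}: {user} ({detail})")
```

In the constructed sample only `bob@example.com` trips the checks: a login from the denied range, queries through an app outside the allowlist, and a combined pull above the row threshold. In a real deployment the allowlist would come from the org's reviewed connected-app inventory and the denied ranges from a maintained VPN and proxy feed, rather than from constants in the script.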

It's also worth noting that the attackers associated with UNC6040 have started using custom Python scripts instead of the Data Loader app. Another related threat group, UNC6240, is extorting victims by demanding a bitcoin payment within 72 hours.

In conclusion, organizations must prioritize protecting against these sophisticated social engineering attacks. By implementing the recommended security measures, businesses can significantly reduce their vulnerability to vishing attacks and protect their Salesforce data from unauthorized access and data exfiltration.

  1. The fraudulent application, often a modified version of Salesforce's Data Loader tool, gives attackers the ability to query and steal large volumes of sensitive data, highlighting the need for rigorously managing connected apps in Salesforce instances.
  2. Google advises educating employees about vishing tactics designed to bypass Multi-Factor Authentication (MFA) and enforcing the Principle of Least Privilege to limit user permissions, especially for powerful data access tools like Data Loader, as a way to reduce human exploitation vulnerabilities.
  3. The attackers associated with UNC6040 have started using anonymizing services like Mullvad VPN and Tor to initiate vishing calls and exfiltrate data, underscoring the importance of enforcing IP-Based Restrictions that block logins and app authorizations from unknown IP addresses or commercial VPNs.
  4. To prevent such incidents and protect their finance and business operations, organizations must prioritize cybersecurity best practices: enforcing MFA, implementing robust identity and access management policies, using monitoring and alerting tools, regularly reviewing and tightening endpoint security, and following the practices recommended by Salesforce.
