Strategies for Identifying Salesforce Breaches and Preventing Hacker Invasions
The Federal Bureau of Investigation (FBI) has issued a FLASH alert regarding escalating threats to enterprises using Salesforce. According to the alert, two criminal hacker groups, UNC6040 and UNC6395, have significantly increased their focus on Salesforce customers.
UNC6040 has primarily used social engineering techniques, such as vishing, to target enterprises since October 2024. The group poses as IT support staff addressing enterprise-wide connectivity issues in order to trick customer support employees into granting access or sharing credentials. Once inside, UNC6040 threat actors request user credentials and multifactor authentication codes so they can authenticate and add the Salesforce Data Loader application.
UNC6395, on the other hand, has been observed using compromised OAuth tokens for the Salesloft Drift application to access and extract data from Salesforce systems. The Salesloft Drift breaches have impacted numerous organizations globally, including Google, Zscaler, Palo Alto Networks, and Cloudflare.
To mitigate the threat posed by these groups, the FBI recommends several measures. First, enterprises should investigate and vet indicators before acting on them, for example by blocking. They should also train call center employees to recognize and report phishing attempts. The FBI further suggests enabling multi-factor authentication (MFA) for as many services as possible and implementing authentication, authorization, and accounting (AAA) systems. Enterprises should also apply the principle of least privilege to user accounts and groups, limiting the actions users can perform. Other recommendations include enforcing IP-based access restrictions and monitoring API usage, monitoring network logs and browser sessions for anomalous activity and indicators of data exfiltration, and reviewing the third-party integrations connected to their software instances.
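As an added illustration of the alert's IP-restriction and log-monitoring recommendations (example code written for this page, not part of the FBI alert or any Salesforce tooling), the script below triages a constructed, Salesforce-style event log for the two patterns described above: an unvetted connected app such as Data Loader used from outside the allowlisted network, and bulk API pulls large enough to count as an exfiltration indicator. The column names, sample records, network ranges, and threshold are all assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample log, loosely modelled on a Salesforce event-log CSV export.
# The column names are an assumption for this example, not the real schema.
SAMPLE_LOG = """\
TIMESTAMP,EVENT_TYPE,USER_NAME,CLIENT_IP,CONNECTED_APP,ROWS_PROCESSED
2025-09-10T09:00:00Z,Login,alice@corp.example,10.0.1.7,Browser,0
2025-09-10T09:05:00Z,BulkApi,alice@corp.example,10.0.1.7,Dataloader Bulk,500
2025-09-10T14:21:00Z,Login,support1@corp.example,203.0.113.45,Dataloader Bulk,0
2025-09-10T14:25:00Z,BulkApi,support1@corp.example,203.0.113.45,Dataloader Bulk,250000
2025-09-10T15:00:00Z,BulkApi,integration@corp.example,198.51.100.9,Drift Connector,120000
2025-09-11T15:00:00Z,BulkApi,integration@corp.example,198.51.100.9,Drift Connector,900
"""

# Policy inputs (assumptions): the corporate network the org allowlists, the
# connected apps it has vetted, and the bulk row count that warrants review.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_APPS = {"Browser", "Drift Connector"}   # Data Loader deliberately absent
EXPORT_THRESHOLD = 100_000


def triage(log_text, allowed_nets=ALLOWED_NETS, approved=APPROVED_APPS,
           threshold=EXPORT_THRESHOLD):
    """Return (finding_type, user, app, detail) tuples for records worth a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        app = row["CONNECTED_APP"]
        rows = int(row["ROWS_PROCESSED"])
        off_network = not any(ip in net for net in allowed_nets)
        # UNC6040 pattern: an unvetted app such as Data Loader appearing from an
        # address outside the allowlisted ranges (the IP-restriction recommendation).
        if app not in approved and off_network:
            findings.append(("unapproved_app_off_network", row["USER_NAME"], app, row["CLIENT_IP"]))
        # Exfiltration indicator for either group: a single bulk pull far above
        # normal volume, whether by a vished user or by an approved integration
        # whose OAuth token may have been compromised.
        if row["EVENT_TYPE"] == "BulkApi" and rows >= threshold:
            findings.append(("bulk_export", row["USER_NAME"], app, rows))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

On the sample data this reports the support user's Data Loader activity from an external address twice (login and bulk pull), the 250,000-row pull itself, and the integration account's unusually large pull, while the on-network 500-row Data Loader job and the integration's normal 900-row run pass unflagged.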
In a separate development, the FBI has warned of the Salt Typhoon hacking campaign, which has affected organizations in over 80 countries. The FBI has also published a list of IP addresses associated with these groups, with UNC6040 accounting for the lion's share. The FBI advises enterprises to remain vigilant and proactive in protecting their Salesforce environments from these threats; by following these recommendations, enterprises can significantly reduce their risk of falling victim to these attacks.