The attackers, dubbed UNC6040, have repeatedly succeeded in breaching networks through social engineering schemes in recent months, GTIG said in a Wednesday blog post.
UNC6040’s operators contact companies by telephone, impersonate IT support personnel, and trick employees into granting the attackers access or sharing credentials that can be used to steal the organization’s Salesforce data, according to the post.
“In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce,” the post said.
Once they have compromised the Salesforce instance, the attackers steal data on a large scale and then try to extort the targeted company, per the post.
“In some instances, extortion activities haven’t been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data,” the post said.
A Salesforce spokesperson told Bloomberg on Wednesday, in response to the Google post, “There’s no indication the issue described stems from any vulnerability inherent to our services. Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”
Salesforce provided tips on how to guard against social engineering threats in a March 12 blog post.
GTIG suggested in its blog post that companies defend against social engineering threats by adhering to the principle of least privilege, managing access to connected applications rigorously, enforcing IP-based access restrictions, leveraging advanced security monitoring and policy enforcement with Salesforce Shield, and enforcing multifactor authentication universally.
“While platforms like Salesforce provide robust, enterprise-grade security controls, it’s essential for customers to configure and manage access, permissions and user training according to best practices,” the post said.
Social engineering fraud has increased by 56% in the past year, according to the PYMNTS Intelligence report, “The State of Fraud and Financial Crime in the U.S. 2024: What FIs Need to Know.”
The report found that fraudsters now rely on “customer-centric” tactics that leverage trust to bypass the robust security systems financial institutions have built around digital payments.