Salesforce Data Exfiltration
TheSalesforce Data Exfiltration campaign began in October 2024 with financially-motivated threat actor UNC6040 usingSpearphishing Voice (vishing) to compromise corporate Salesforce instances for large-scale data theft and extortion. Following the initial data theft, victim organizations received extortion demands from a separate threat actor, UNC6240, who claimed to be the "ShinyHunters" group. The observed infrastructure and TTPs used during theSalesforce Data Exfiltration campaign overlap with those used by threat groups with suspected ties to the broader collective known as "The Com." These overlaps could plausibly be the result of associated actors operating within the same communities and are not necessarily an indication of a direct operational relationship.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1020 | Automated Exfiltration | DuringSalesforce Data Exfiltration, threat actors used API queries to automatically exfiltrate large volumes of data.[1] | |
| Enterprise | T1671 | Cloud Application Integration | DuringSalesforce Data Exfiltration, threat actors deceived victims into authorizing malicious connected apps to their organization's Salesforce portal.[1][2] | |
| Enterprise | T1059 | .006 | Command and Scripting Interpreter:Python | DuringSalesforce Data Exfiltration, threat actors used custom applications developed in python.[2] |
| Enterprise | T1586 | .002 | Compromise Accounts:Email Accounts | DuringSalesforce Data Exfiltration, threat actors used compromised emails to create Salesforce trial accounts.[2] |
| Enterprise | T1213 | .004 | Data from Information Repositories:Customer Relationship Management Software | DuringSalesforce Data Exfiltration, threat actors accessed and exfiltrated sensitive information from compromised Salesforce instances.[2] |
| Enterprise | T1587 | .001 | Develop Capabilities:Malware | DuringSalesforce Data Exfiltration, threat actors created malicious applications within Salesforce trial accounts, typically Python scripts with similar function to the Salesforce Data Loader.[1][2] |
| Enterprise | T1585 | Establish Accounts | DuringSalesforce Data Exfiltration, threat actors created Salesforce trial accounts to register their malicious applications.[2] | |
| .002 | Email Accounts | DuringSalesforce Data Exfiltration, threat actors registered emails shinycorp@tuta[.]com and shinygroup@tuta[.]com to send victims extortion demands.[2] | ||
| Enterprise | T1567 | Exfiltration Over Web Service | DuringSalesforce Data Exfiltration, threat actors exfiltrated data via legitimate Salesforce API communication channels including the Salesforce Data Loader application.[2][1] | |
| Enterprise | T1083 | File and Directory Discovery | DuringSalesforce Data Exfiltration, threat actors queried customers' Salesforce environments to identify sensitive information for exfiltration.[1] | |
| Enterprise | T1656 | Impersonation | DuringSalesforce Data Exfiltration, threat actors impersonated IT support personnel in voice calls with victims at times claiming to be addressing enterprise-wide connectivity issues.[2][1] | |
| Enterprise | T1036 | Masquerading | DuringSalesforce Data Exfiltration, threat actors used voice calls to socially engineer victims into authorizing a modified version of the Salesforce Data Loader app.[2] | |
| Enterprise | T1588 | .002 | Obtain Capabilities:Tool | DuringSalesforce Data Exfiltration, threat actors initially relied on the legitimate Salesforce Data Loader app for data exfiltration.[2][1] |
| Enterprise | T1598 | .004 | Phishing for Information:Spearphishing Voice | DuringSalesforce Data Exfiltration, threat actors initiated voice calls with victims to socially engineer them into authorizing malicious applications or divulging sensitive credentials.[1][2] |
| Enterprise | T1090 | Proxy | DuringSalesforce Data Exfiltration, threat actors used Mullvad VPN IPs to proxy voice phishing calls.[2] | |
| .003 | Multi-hop Proxy | DuringSalesforce Data Exfiltration, threat actors usedTor IPs for voice calls and for the collection of stolen data.[2] | ||
| Enterprise | T1608 | .005 | Stage Capabilities:Link Target | DuringSalesforce Data Exfiltration, threat actors established an Okta phishing panel which victims were tricked into accessing from mobile phones or work computers during social engineering calls.[1][2] |
| Enterprise | T1078 | .002 | Valid Accounts:Domain Accounts | DuringSalesforce Data Exfiltration, threat actors used compromised credentials for lateral movement.[1][2] |
Software
| ID | Name | Description |
|---|---|---|
| S0183 | Tor | DuringSalesforce Data Exfiltration, threat actors usedTor IPs for voice calls and data collection.[2] |