Hackers exploiting Salesforce app to breach corporate networks, Google warns

A cybercriminal organization referred to as “The Com” is taking advantage of Salesforce’s Data Loader tool to breach corporate systems and steal confidential information, as reported by analysts from Google’s Threat Intelligence Group.

This group is abusing Data Loader, a legitimate Salesforce application designed for importing, exporting, and updating large quantities of data. The application also supports integrations with other software, which the attackers use to move further into the targeted companies' environments.

Austin Larsen, the chief threat analyst at Google TAG, indicated that this campaign has already affected approximately 20 organizations and is still active.

Larsen mentioned that under the Google identifier UNC6040, the group has been seen targeting industries such as hospitality, retail, education, and others across both North America and Europe.

“A subset of organizations targeted by UNC6040 had data successfully exfiltrated. In some cases, extortion demands weren’t issued until several months after initial intrusion activities by UNC6040,” Larsen explained. “This may imply that UNC6040 has collaborated with another threat actor that profits from access to the stolen information.”

The hackers run a multi-stage campaign: they impersonate IT support personnel over the phone to talk employees into installing malicious applications connected to Salesforce. These applications are frequently disguised as legitimate tools such as Data Loader.

Once such an application is authorized, the attackers gain broad access to extract sensitive information from the Salesforce environment and can pivot into other cloud services and internal corporate networks.

Google researchers emphasized that the campaign relies on social engineering rather than on a vulnerability in Salesforce itself.

Salesforce has also alerted customers regarding increasing social engineering threats that are aimed at its platform.

In a blog post released on Wednesday, Google stated that the campaign has been running for several months, noting that the attackers’ infrastructure shares similarities with operations associated with UNC6040 and other threat actors believed to be linked to the loosely structured cybercriminal group identified as “The Com.”

Google noted that the attackers use overlapping tactics, including the well-known social engineering approach of impersonating IT support and targeting credentials for Okta, the login security company.

Additionally, they observed that the hackers mainly focus on English-speaking employees at multinational firms.

Despite these similarities, Google suggested that it is likely “that these commonalities arise from linked actors functioning within the same circles, rather than indicating a direct operational connection between the threat actors.”

In recent months, the FBI and cybersecurity companies have issued alerts about a campaign targeting retail companies and luxury brands in both the U.K. and U.S., with recent attacks on Victoria’s Secret, Dior and Adidas, among others.