Google Reports Rising Threat from Vishing Group Targeting Corporate Data
A new report from Google’s Threat Intelligence Group (GTIG) has revealed an evolving and sophisticated cybercrime operation known as “UNC6040.” This financially motivated threat cluster specializes in voice phishing (vishing) campaigns, where attackers impersonate IT support staff to trick employees into granting access to their company’s Salesforce data. This method has proven particularly effective against English-speaking employees in multinational corporations.
How the Attacks Work
The vishing attacks involve a malicious actor calling an employee and socially engineering them to authorize a fraudulent application within their company’s Salesforce portal. This application, often a modified version of Salesforce’s legitimate Data Loader tool, gives the attackers the ability to access, query, and steal large volumes of sensitive data. In a recent update, Google disclosed that a similar attack in June impacted one of its own corporate Salesforce instances, leading to the theft of basic business information for small and medium-sized businesses before the breach was contained.
Evolving Tactics and Extortion
Google’s report also highlights that the group’s tactics are changing. The attackers now use custom Python scripts instead of the Data Loader app, and have moved to anonymizing services such as Mullvad VPN and Tor both to place the vishing calls and to exfiltrate data, making them harder to track.
Following the data theft, a related threat group, UNC6240, is extorting victims by demanding a bitcoin payment within 72 hours. During these communications, the group often claims to be the well-known hacking group ShinyHunters to increase pressure on the victims. Google Threat Intelligence believes that these new tactics, including the potential launch of a data leak site, are likely being prepared to intensify the pressure on victims.
Strengthening Your Defenses
To counter these threats, Google recommends that organizations implement a multi-layered security approach:
- Enforce the Principle of Least Privilege: Limit user permissions, especially for powerful data access tools like Data Loader.
- Rigorously Manage Connected Apps: Control which applications can interact with your Salesforce environment and restrict the ability to install new ones.
- Enforce IP-Based Restrictions: Block logins and app authorizations from unknown IP addresses or commercial VPNs.
- Leverage Security Monitoring: Use tools within Salesforce Shield to monitor for large data downloads and other unusual activity.
- Require Multi-Factor Authentication (MFA): Ensure MFA is universally enforced and educate employees about vishing tactics designed to bypass it.
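One way to turn the monitoring and IP-restriction recommendations above into a concrete check, as an added example that is not part of Google's report or of any Salesforce tooling: a small Python script that scans constructed, simplified event-log records (the column names are assumed for illustration, not Salesforce's exact Event Monitoring schema) for bulk extraction above a row threshold, connected apps outside an approved list, and API activity from outside the corporate IP ranges.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample records in a simplified event-log style (assumed field names).
SAMPLE_LOG = """\
TIMESTAMP,EVENT_TYPE,USER_NAME,CLIENT_IP,CONNECTED_APP,ROWS_PROCESSED
2025-06-10T09:01:00Z,BulkApi,alice@corp.example,203.0.113.10,Data Loader,2000
2025-06-10T09:02:00Z,BulkApi,alice@corp.example,203.0.113.10,Data Loader,2500
2025-06-10T09:05:00Z,ApiEvent,bob@corp.example,198.51.100.7,My Ticket Loader,60000
2025-06-10T09:06:00Z,ApiEvent,bob@corp.example,198.51.100.7,My Ticket Loader,55000
2025-06-10T09:30:00Z,BulkApi,carol@corp.example,203.0.113.44,Data Loader,120000
"""

# Hypothetical policy values: corporate egress ranges, the approved app list,
# and the per-user row count above which a download is treated as bulk extraction.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_APPS = {"Data Loader"}
ROW_THRESHOLD = 100_000


def analyze(log_text, corporate_nets=CORPORATE_NETS,
            approved_apps=APPROVED_APPS, threshold=ROW_THRESHOLD):
    """Return sorted (user, reason, detail) findings for the given log text."""
    rows_by_user = defaultdict(int)
    findings = set()
    for rec in csv.DictReader(io.StringIO(log_text)):
        user = rec["USER_NAME"]
        ip = ipaddress.ip_address(rec["CLIENT_IP"])
        rows_by_user[user] += int(rec["ROWS_PROCESSED"])
        # API call from outside known corporate ranges (e.g. a commercial VPN or Tor exit).
        if not any(ip in net for net in corporate_nets):
            findings.add((user, "api call from outside corporate ranges", rec["CLIENT_IP"]))
        # Connected app that was never approved, e.g. one authorized during a vishing call.
        if rec["CONNECTED_APP"] not in approved_apps:
            findings.add((user, "unapproved connected app", rec["CONNECTED_APP"]))
    # Aggregate per user so a download split across several calls is still caught.
    for user, total in rows_by_user.items():
        if total >= threshold:
            findings.add((user, "bulk extraction above threshold", str(total)))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason, detail in analyze(SAMPLE_LOG):
        print(f"{user}: {reason} ({detail})")
```

Carol's single large Data Loader job from an approved app and a corporate address still fires only on the row threshold, which is the case the Salesforce Shield monitoring recommendation is aimed at.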
The success of these campaigns shows that vishing remains a major threat vector, and organizations must prioritize user training and robust security measures to protect against these sophisticated social engineering attacks.