
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

3 unique sources, 3 articles

Summary


The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Timeline

  1. 13.09.2025 12:04 · 3 articles

    UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

    The FBI issued an alert about UNC6040 and UNC6395 targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools. The ShinyHunters group, along with Scattered Spider and LAPSUS$, announced they are going dark, but experts warn that the threat persists. The campaigns do not involve any vulnerability in the Salesforce platform.

    UNC6040 has been active since October 2024, using vishing campaigns to gain initial access to Salesforce instances and exfiltrate data. The group impersonated corporate IT support personnel and used social engineering to trick employees into granting access or sharing credentials, and tricked organizations into authorizing malicious apps to connect to their Salesforce portals; these malicious apps were created via Salesforce trial accounts to bypass authentication requirements. The exfiltration tool was a modified, renamed version of the Salesforce Data Loader application called "My Ticket Portal." UNC6040 targeted the "Accounts" and "Contacts" database tables, which store data about a company's customers. Its data theft attacks impacted large and well-known companies, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, and Tiffany & Co. UNC6240, linked to the ShinyHunters group, has been involved in extortion activities following UNC6040 intrusions.

    UNC6395's attack was made possible by a breach of Salesloft's GitHub account from March through June 2025. UNC6395 targeted Salesforce customers using stolen Salesloft Drift OAuth and refresh tokens between August 8th and 18th. The exfiltrated data included AWS keys, passwords, and Snowflake tokens, which could be used to pivot to other cloud environments. UNC6395 also stole Drift Email tokens, which were used to access emails for a small number of Google Workspace accounts. Its data theft attacks impacted numerous companies, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks. Salesloft revoked all Drift tokens, required customers to reauthenticate to the platform, took the Drift AI chatbot application offline, and is implementing new security measures. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled. The campaigns were not limited to Salesloft's Drift integration and impacted other integrations.

    The ShinyHunters extortion group claimed to have gained access to the FBI's E-Check background check system and Google's Law Enforcement Request system.
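The UNC6040 pattern above (a user authorizes an unapproved connected app, which then bulk-reads Accounts and Contacts) can be checked for in an org's own telemetry. The following is an added example, not code from the page, the FBI, or Salesforce: it assumes records shaped like Salesforce's OauthToken object and constructed API-activity rows (the allowlist, user IDs, app names and row counts are all made up), and reports unapproved connected apps, rating bulk customer-object reads as high severity.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed records shaped like Salesforce's OauthToken object (AppName, UserId,
# UseCount, LastUsedDate). Values are made up and not taken from the incidents above.
OAUTH_GRANTS: List[Dict] = [
    {"AppName": "Salesforce Data Loader", "UserId": "005USERA", "UseCount": 12, "LastUsedDate": "2025-05-02"},
    {"AppName": "My Ticket Portal", "UserId": "005USERB", "UseCount": 2, "LastUsedDate": "2025-06-11"},
    {"AppName": "Salesforce for Outlook", "UserId": "005USERC", "UseCount": 90, "LastUsedDate": "2025-06-12"},
]
# Constructed API-activity rows (assumed to be derived from Event Monitoring or Bulk API
# job logs): which user, through which connected app, read how many rows of which object.
API_EVENTS: List[Dict] = [
    {"UserId": "005USERB", "AppName": "My Ticket Portal", "Entity": "Account", "Rows": 180_000},
    {"UserId": "005USERB", "AppName": "My Ticket Portal", "Entity": "Contact", "Rows": 420_000},
    {"UserId": "005USERA", "AppName": "Salesforce Data Loader", "Entity": "Account", "Rows": 2_500},
    {"UserId": "005USERC", "AppName": "Salesforce for Outlook", "Entity": "Contact", "Rows": 40},
    {"UserId": "005USERD", "AppName": "Survey Sync", "Entity": "Account", "Rows": 300},
]
APPROVED_APPS = {"Salesforce Data Loader", "Salesforce for Outlook"}  # org-specific allowlist (assumed)
CUSTOMER_OBJECTS = {"Account", "Contact"}  # the tables the campaign targeted

def find_suspicious_exports(grants: List[Dict], events: List[Dict],
                            approved=APPROVED_APPS, row_threshold: int = 50_000) -> List[Dict]:
    """Report connected apps that are not on the allowlist, rating them 'high' when they
    bulk-read Account/Contact data, and tie each back to the OAuth grant that let the app
    in (a missing grant record is reported as well, since that is itself a gap to chase)."""
    rows_by_user_app = defaultdict(int)
    for ev in events:
        if ev["Entity"] in CUSTOMER_OBJECTS:
            rows_by_user_app[(ev["UserId"], ev["AppName"])] += ev["Rows"]
    grant_index = {(g["UserId"], g["AppName"]): g for g in grants}
    findings = []
    for (user, app), rows in sorted(rows_by_user_app.items()):
        if app in approved:
            continue
        grant = grant_index.get((user, app))
        findings.append({
            "UserId": user, "AppName": app, "CustomerRowsRead": rows,
            "Severity": "high" if rows >= row_threshold else "review",
            "LastUsed": grant["LastUsedDate"] if grant else "no OauthToken record found",
        })
    # Unapproved grants with no recorded activity still deserve a look: the token is live.
    for (user, app), g in grant_index.items():
        if app not in approved and (user, app) not in rows_by_user_app:
            findings.append({"UserId": user, "AppName": app, "CustomerRowsRead": 0,
                             "Severity": "review", "LastUsed": g["LastUsedDate"]})
    return findings
```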



Similar Happenings

Threat Actors Exploit VPS Infrastructure for SaaS Account Compromises

Threat actors, including the China-linked APT41 group and the newly identified TA415, are exploiting commercial virtual private server (VPS) infrastructure to quickly and stealthily set up attack infrastructure. This tactic has been observed in coordinated SaaS account compromises across multiple customer environments and in targeted cyber espionage campaigns against U.S. trade officials. The abuse of VPS services allows attackers to bypass geolocation-based defenses, evade IP reputation checks, and blend into legitimate behavior, and the speed with which such infrastructure can be deployed makes it difficult for defenders to track and respond to threats. The attacks involved brute-force attempts, anomalous logins, phishing campaign-related inbox rule creation, and impersonation tactics. In notable incidents, attackers successfully compromised accounts using VPS services from providers such as Hyonix, Host Universal, Mevspace, and Hivelocity, then deleted phishing emails and created obfuscated email rules to conceal their activities.

The impersonation of U.S. Rep. John Moolenaar was part of a larger espionage campaign targeting U.S. trade officials, in which spear-phishing emails impersonating a U.S. Congressman were used to gain unauthorized access to systems and sensitive information. The attacks abused developer tools to create hidden pathways and siphon data to attacker-controlled servers: in July and August 2025, they attempted to establish a Visual Studio Code (VS Code) remote tunnel for persistent remote access to the compromised environments instead of relying on conventional malware. The threat actor first sent email messages spoofing the US-China Business Council, allegedly inviting the recipients to a closed-door briefing regarding the United States' affairs with China and Taiwan. Subsequent emails impersonated John Moolenaar, the Chair of the Select Committee on Strategic Competition between the US and the Chinese Communist Party, requesting feedback on draft legislation regarding sanctions against China.

The phishing messages contained links to password-protected archives hosted on known cloud services, each containing a shortcut (LNK) file and a hidden subfolder. Launching the LNK file executed a batch script stored in the hidden folder and opened a decoy PDF file hosted on OneDrive. The script's execution triggers a multi-stage infection process in which the VS Code Command Line Interface (CLI) is downloaded from Microsoft's servers, a scheduled task is created for persistence, and a VS Code remote tunnel authenticated via GitHub is established. The script also collects system information and the contents of various user directories and sends it to the attackers. In recent attacks, the script also sends the VS Code remote tunnel verification code to the attackers, who then use it to access the victim's computer remotely and execute arbitrary commands through VS Code's built-in terminal.
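The infection chain just described leaves two process-level traces a defender can hunt for: a scheduled task whose action starts the VS Code CLI in tunnel mode, and the CLI itself running in tunnel mode from a user-writable path after being launched by a script host. The following is an added example, not code from the page or from any of the reporting vendors: it runs that logic over constructed Sysmon-style process-creation events (field names follow Sysmon Event ID 1; paths, task names and the assumed CLI binary names are made up or taken from public VS Code CLI documentation).

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed Sysmon-style process-creation events (Event ID 1 field names, made-up
# values). The tunnel command lines follow the publicly documented VS Code CLI syntax
# and are assumptions, not telemetry from the campaign described above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Updater" '
                    r'/tr "C:\Users\alice\AppData\Local\Temp\code.exe tunnel --accept-server-license-terms"'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\code.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"code.exe tunnel --accept-server-license-terms"},
    {"Image": r"C:\Program Files\Microsoft VS Code\Code.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\Users\alice\proj'},  # benign
]
VSCODE_CLI_NAMES = {"code.exe", "code", "code-tunnel.exe", "code-tunnel"}  # assumed CLI binary names
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # split a Windows command line, keeping quoted args whole

def tokens(cmdline: str) -> List[str]:
    return [t.strip('"').lower() for t in TOKEN_RE.findall(cmdline)]

def mentions_vscode_tunnel(text: str) -> bool:
    """True if the text runs a VS Code CLI binary with the 'tunnel' subcommand."""
    toks = tokens(text)
    return "tunnel" in toks and any(PureWindowsPath(t).name in VSCODE_CLI_NAMES for t in toks)

def detect_vscode_tunnel_persistence(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag (1) scheduled tasks whose action starts a VS Code tunnel and (2) VS Code CLI
    processes started in tunnel mode, noting whether a script host launched them and
    whether the binary lives outside Program Files (a downloaded CLI, not an install)."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["Image"]).name.lower()
        toks = tokens(ev["CommandLine"])
        if image == "schtasks.exe" and "/create" in toks and "/tr" in toks:
            idx = toks.index("/tr") + 1
            action = toks[idx] if idx < len(toks) else ""
            if mentions_vscode_tunnel(action):
                findings.append({"rule": "scheduled_task_vscode_tunnel", "action": action})
        elif image in VSCODE_CLI_NAMES and "tunnel" in toks:
            findings.append({
                "rule": "vscode_tunnel_process", "image": ev["Image"],
                "script_launched": str(PureWindowsPath(ev["ParentImage"]).name.lower() in SCRIPT_HOSTS),
                "outside_program_files": str(not ev["Image"].lower().startswith(r"c:\program files")),
            })
    return findings
```

A normal VS Code launch (the third event) produces no finding; only the tunnel subcommand, and the task that re-arms it, are reported.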