TL;DR
Google Threat Intelligence Group profiles UNC6040 as a financially motivated cluster using voice phishing to trick employees into granting access to Salesforce environments, typically via malicious connected apps mimicking Data Loader. Mandiant’s guidance emphasizes stronger identity verification, help-desk controls, SaaS hardening, logging, and detection, and was updated to include protections for programmatic credentials.
What happened
GTIG and Mandiant analyzed a campaign by UNC6040, a financially motivated group that primarily uses telephone-based social engineering to compromise Salesforce instances and exfiltrate data. Operators impersonate IT or vendor support, coaxing employees to approve a malicious connected app — frequently a tampered version of Salesforce’s Data Loader — which then enables large-scale data access and extraction. These intrusions rely on manipulating users rather than exploiting a Salesforce product flaw. In many incidents, attackers later used harvested credentials to move laterally and access other cloud services such as Okta and Microsoft 365. UNC6040 commonly accessed victim environments through Mullvad VPN addresses. Mandiant’s advisory lays out prioritized controls across identity verification, help-desk processes, identity-provider protections, programmatic credential hardening, SaaS configuration, and logging/detection to reduce the likelihood and impact of these social-engineering-driven intrusions. An update expanded guidance for API keys, OAuth tokens, service accounts, and access keys following a Salesforce advisory related to Gainsight.
Why it matters
- These intrusions are driven by social engineering, meaning technical patches alone are insufficient to prevent them.
- Approval of a malicious connected app can grant broad, programmatic access to sensitive customer data in SaaS platforms.
- Compromised credentials can enable lateral movement to other cloud services, expanding breach impact beyond a single application.
- Delays between initial access and extortion suggest stolen access may be monetized later or shared with other threat actors.
- Programmatic credentials (API keys, OAuth tokens, service accounts) require distinct hardening and logging to detect misuse.
Key facts
- Threat actor: UNC6040, financially motivated and tracked by GTIG and Mandiant.
- Primary tactic: voice phishing (vishing) to manipulate employees into granting access.
- Common technique: persuading users to approve a malicious connected app, often a modified Data Loader.
- Attackers relied on social engineering rather than exploiting inherent Salesforce vulnerabilities.
- Post-compromise activity included credential harvesting and lateral movement to Okta and Microsoft 365.
- Access infrastructure: observed use of Mullvad VPN IP addresses for data exfiltration.
- Mandiant’s recommendations are grouped into Identity, Help Desk and End User Verification, Identity Protections, Programmatic Credentials, SaaS Hardening, and Logging/Detections.
- Specific controls recommended: live video identity proofing, out-of-band verification for high-risk requests, rejecting easily discoverable identifiers, and requiring vendor account manager verification.
- Advisory updated (Nov. 21) to add comprehensive guidance for programmatic credentials following a Salesforce/Gainsight advisory.
What to watch next
- Monitor for unexpected approvals of connected apps and anomalous use of Data Loader or similar tools in your Salesforce logs.
- Watch for authentication and API activity originating from privacy VPN providers such as Mullvad IP ranges.
- Track use and access patterns of programmatic credentials (API keys, OAuth tokens, service accounts) and alert on unusual queries or bulk exports.
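The three watch items above can be turned into a simple correlation pass over activity records. The following is an added example, not code from the Mandiant/GTIG advisory; the record fields, the sample events and the VPN range (an RFC 5737 documentation net) are all constructed, and the advisory itself publishes no Mullvad IP ranges.

```python
"""Added example: flag the advisory's watch items (connected app approval,
Data Loader use, privacy-VPN logins, bulk exports) in constructed
Salesforce-style activity records. Field names are constructed for this
example, not Salesforce's real LoginHistory/EventLogFile schema."""
import ipaddress

# PLACEHOLDER: populate from your own intel feed. The advisory names Mullvad
# but gives no ranges; 203.0.113.0/24 is an RFC 5737 documentation network.
PRIVACY_VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BULK_EXPORT_ROW_THRESHOLD = 100_000

# Constructed sample records: one user shows the full approval -> loader
# login -> bulk export chain, the other shows benign activity.
SAMPLE_EVENTS = [
    {"kind": "setup_audit", "user": "jdoe", "action": "Installed connected app 'Data Loader'"},
    {"kind": "login", "user": "jdoe", "source_ip": "203.0.113.45", "application": "Data Loader Bulk"},
    {"kind": "bulk_api", "user": "jdoe", "operation": "query", "object": "Account", "rows": 850_000},
    {"kind": "login", "user": "asmith", "source_ip": "198.51.100.7", "application": "Browser"},
    {"kind": "bulk_api", "user": "asmith", "operation": "query", "object": "Contact", "rows": 250},
]

def from_privacy_vpn(ip):
    """True if the source address falls in a configured privacy-VPN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVACY_VPN_RANGES)

def detect(events, known_loader_users=frozenset()):
    """Return (user, reason) alerts; known_loader_users is a baseline of
    accounts that legitimately run Data Loader and should not be flagged."""
    alerts = []
    for e in events:
        if e["kind"] == "setup_audit" and "connected app" in e["action"].lower():
            alerts.append((e["user"], "connected app approval: " + e["action"]))
        elif e["kind"] == "login":
            if from_privacy_vpn(e["source_ip"]):
                alerts.append((e["user"], f"login from privacy VPN range {e['source_ip']}"))
            if "data loader" in e["application"].lower() and e["user"] not in known_loader_users:
                alerts.append((e["user"], f"first-seen Data Loader use ({e['application']})"))
        elif e["kind"] == "bulk_api" and e["rows"] >= BULK_EXPORT_ROW_THRESHOLD:
            alerts.append((e["user"], f"bulk export of {e['rows']} {e['object']} rows"))
    return alerts

def users_by_alert_count(alerts):
    """Count alerts per user: several distinct hits on one account within a
    short window is the chain the advisory describes and merits triage."""
    counts = {}
    for user, _ in alerts:
        counts[user] = counts.get(user, 0) + 1
    return counts
```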
Quick glossary
- Vishing: Voice-based social engineering where attackers use phone calls to manipulate victims into revealing credentials or taking actions that grant access.
- Connected app: An integration registered within a SaaS platform that can request permissions and access data on behalf of users or services.
- Data Loader: A tool used to import, export, and manipulate data in Salesforce; adversaries can abuse similar tools when given elevated approvals.
- Programmatic credentials: Non-human credentials such as API keys, OAuth tokens, service account keys, and access keys used for automated access to services.
- Identity Provider (IdP): A centralized service that manages user authentication and single sign-on for applications and services.
Reader FAQ
How did UNC6040 gain access to Salesforce environments?
By using vishing to convince employees to approve a malicious connected app (often a modified Data Loader); the intrusions relied on social engineering rather than exploiting a Salesforce product flaw.
Did attackers exploit a Salesforce vulnerability?
No — Mandiant reports the group manipulated users to grant access; no inherent Salesforce vulnerability was the vector.
Does this threat affect only Salesforce customers?
UNC6040 primarily targeted Salesforce but was observed moving laterally to other cloud services such as Okta and Microsoft 365 after harvesting credentials.
Should organizations rotate API keys and service account credentials?
Mandiant updated guidance to cover programmatic credential hardening and logging; specific rotation practices are not detailed in the source.

Written by: Omar ElAhdan, Matthew McWhirt, Michael Rudden, Aswad Robinson, Bhavesh Dhake, Laith Al, Ravi Kumar Raja
Update (Nov. 21): In response to the Salesforce advisory related to Gainsight applications,…
Sources
- Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations
- UNC6040 Breaches SaaS Apps at Google and Other Major …
- Detecting UNC6040 Vishing Attacks in SaaS
- Google Publishes Security Hardening Guide to Counter …