Google warns of cybercriminals targeting Salesforce app to steal data, extort companies
The cybercriminal operation known as “The Com” is tricking companies into giving them widespread access to a popular Salesforce tool, allowing them to steal sensitive data and move through other parts of the organizations, according to researchers from Google.
The hackers are exploiting Data Loader, a legitimate Salesforce tool designed to help companies import, export and update large tranches of data within the Salesforce platform. The tool also allows for integrations with other apps.
Austin Larsen, principal threat analyst at Google’s Threat Intelligence Group, told Recorded Future News the current campaign involving versions of the Salesforce tool has targeted about 20 organizations and is ongoing.
Using the group’s Google designation of UNC6040, Larsen said they have seen it target hospitality, retail, education and other sectors across the Americas and Europe.
“A subset of organizations targeted by UNC6040 had data successfully exfiltrated. In some instances, extortion demands weren’t made until several months after the initial intrusion activity by UNC6040,” Larsen said. “This could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data.”
The campaign involves hackers impersonating IT support personnel over the phone, at times tricking employees into installing modified Salesforce connected apps, often disguised as versions of Data Loader.
The tactic gives the hackers extensive access to exfiltrate sensitive data directly from victim Salesforce environments and allows them to move laterally through an organization’s other cloud services and internal corporate networks.
Google researchers stressed that this is not a Salesforce vulnerability but instead user manipulation. Salesforce itself has warned customers about social engineering attacks targeting their Salesforce environments.
Google published a blog about the campaign on Wednesday, saying it began a few months ago. The company said infrastructure used in the attacks “shares characteristics with elements previously linked to UNC6040 and threat groups suspected of ties to the broader, loosely organized collective known as ‘The Com.’”
The Com, also known as “the Community,” is a loosely affiliated cybercriminal group best known for its English-speaking members and for frequently targeting companies by posing as IT support. One of its best-known offshoots, Scattered Spider, deployed this tactic in several high-profile attacks on casino giants MGM Resorts and Caesars Entertainment.
Google said it has seen overlapping tactics and techniques, including the tried-and-true method of social engineering via IT support and the targeting of credentials for login security company Okta. The researchers added that the hackers have focused their efforts on scamming English speakers at multinational companies.
Despite the overlaps, Google noted that it is plausible “that these similarities stem from associated actors operating within the same communities, rather than indicating a direct operational relationship between the threat actors.”
Over the last two months, the FBI and cybersecurity firms have warned of a campaign of attacks targeting retail companies and luxury brands in the U.K. and U.S., including recent attacks on Victoria’s Secret, Dior, Adidas and more.
English ‘vishing’
The group’s English proficiency has increased its chances for success in phone-based social engineering, allowing them to bypass technical defenses in attacks known as “vishing” or voice phishing.
“A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal. This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce,” the researchers explained.
“During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.”
Once the hackers gain access, they immediately exfiltrate data from the victim’s Salesforce environment using the Data Loader application. The hackers then move to steal data from other platforms like Okta, Workplace and Microsoft 365.
The researchers noted that the hackers’ proficiency with versions of Data Loader, and the sophistication of the queries they executed, seems to differ from one intrusion to another.
“In one instance, a threat actor used small chunk sizes for data exfiltration from Salesforce but was only able to retrieve approximately 10% of the data before detection and access revocation. In another case, numerous test queries were made with small chunk sizes initially,” Google explained. “Once sufficient information was gathered, the actor rapidly increased the exfiltration volume to extract entire tables.”
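The two behaviours Google describes, an unsanctioned connected app and a run of small probe queries followed by whole-table pulls, are both visible to a defender who reviews API activity per user and per connected app. The following Python script is an added example written for this article, not code from Google, Salesforce or the researchers: it runs two such heuristics over a handful of constructed log records. The record layout (`ts`, `user`, `app`, `op`, `object`, `rows`) is a simplified, assumed shape, not Salesforce's real Event Monitoring schema, and the allowlist and thresholds are placeholders an organization would tune to its own baseline.

```python
"""Flag unsanctioned connected apps and probe-then-bulk query patterns.

Added example (not from the article, Google or Salesforce). The record
fields below are an assumed, simplified shape rather than Salesforce's
actual event log schema; the allowlist and thresholds are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timezone

APPROVED_APPS = {"Data Loader"}   # assumed org allowlist of sanctioned connected apps
PROBE_ROWS = 50                   # a query returning <= this many rows counts as a probe
BULK_ROWS = 10_000                # a query returning >= this many rows counts as a bulk pull
MIN_PROBES = 3                    # probes required before a bulk pull raises a finding

# Constructed sample records: a sanctioned integration doing steady batch
# work, and a user who approved a look-alike app that probes, then pulls
# entire tables (the escalation pattern described in the article).
SAMPLE_LOGS = [
    {"ts": "2025-06-02T09:00:00Z", "user": "svc.integration", "app": "Data Loader",
     "op": "query", "object": "Account", "rows": 5000},
    {"ts": "2025-06-02T09:30:00Z", "user": "svc.integration", "app": "Data Loader",
     "op": "query", "object": "Opportunity", "rows": 4800},
    {"ts": "2025-06-02T10:12:00Z", "user": "j.doe", "app": "Data Loader Pro",
     "op": "query", "object": "Contact", "rows": 10},
    {"ts": "2025-06-02T10:13:00Z", "user": "j.doe", "app": "Data Loader Pro",
     "op": "query", "object": "Lead", "rows": 25},
    {"ts": "2025-06-02T10:14:00Z", "user": "j.doe", "app": "Data Loader Pro",
     "op": "query", "object": "Case", "rows": 40},
    {"ts": "2025-06-02T10:20:00Z", "user": "j.doe", "app": "Data Loader Pro",
     "op": "query", "object": "Contact", "rows": 250000},
    {"ts": "2025-06-02T10:26:00Z", "user": "j.doe", "app": "Data Loader Pro",
     "op": "query", "object": "Lead", "rows": 180000},
]


def _parse_ts(ts):
    """Parse the constructed ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(records, approved_apps=APPROVED_APPS):
    """Return a list of findings, one dict per suspicious (user, app) signal.

    Heuristic 1: any activity from a connected app outside the allowlist.
    Heuristic 2: at least MIN_PROBES small queries followed by a bulk pull
    from the same user and app, reported once at the first bulk query.
    """
    findings = []
    by_actor = defaultdict(list)
    for rec in records:
        by_actor[(rec["user"], rec["app"])].append(rec)

    for (user, app), recs in by_actor.items():
        recs.sort(key=lambda r: _parse_ts(r["ts"]))
        if app not in approved_apps:
            findings.append({"kind": "unapproved_app", "user": user, "app": app,
                             "first_seen": recs[0]["ts"]})
        probes = 0
        for rec in recs:
            if rec["op"] != "query":
                continue
            if rec["rows"] <= PROBE_ROWS:
                probes += 1
            elif rec["rows"] >= BULK_ROWS and probes >= MIN_PROBES:
                findings.append({"kind": "probe_then_bulk", "user": user, "app": app,
                                 "probes": probes, "bulk_rows": rec["rows"],
                                 "object": rec["object"], "ts": rec["ts"]})
                break  # one finding per actor is enough to trigger review
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f)
```

Either finding on its own is a reason to review the connected app's OAuth grant; in the constructed sample, revoking access at the first bulk query would have been earlier than the roughly 10% exfiltration Google reports for one victim. Row thresholds are a starting point only, and a sanctioned integration's normal volume should set the bulk threshold rather than a fixed number.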
During extortion attempts, the hackers have claimed to be affiliated with known cybercriminal groups like ShinyHunters in an attempt to burnish their credentials and pressure victims.
Larsen added that they have not seen UNC6040 deploy ransomware during the current campaign and declined to say how much the group was demanding during extortion events.
Google warned that given the extended timeframe between initial compromise and extortion, it is “possible that multiple victim organizations and potentially downstream victims could face extortion demands in the coming weeks or months.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.