Google is warning of a potential rise in extortion campaigns tied to the cybercriminal group ShinyHunters, following recent intrusions into Salesforce customer environments by the group, also tracked as UNC6040.
The alert follows a series of attacks in June that targeted Salesforce CRM platforms. According to Google’s Threat Intelligence Group (GTIG), the financially motivated threat actors, who specialize in voice phishing, may be preparing to launch a data leak site (DLS) to intensify pressure on victims.
“In addition, we believe threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS). These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches. We continue to monitor this actor and will provide updates as appropriate,” GTIG stated in a blog post.
GTIG said its analysis revealed that while the data accessed by the attackers was limited, it still included basic contact information and notes related to small and medium-sized businesses. The group was able to retrieve the data during a narrow window of access before mitigation efforts cut off their entry.
The attackers, according to GTIG, are conducting extortion attempts “sometimes several months after the initial data theft,” targeting employees of compromised organisations with threats and bitcoin payment demands.
“The extortion involves calls or emails to employees of the victim organisation demanding payment in bitcoin within 72 hours. During these communications, UNC6240 has consistently claimed to be the threat group ShinyHunters,” GTIG said.
Google also warned that the group has evolved its tactics, techniques, and procedures (TTPs), shifting from Salesforce’s Dataloader application to custom Python-based tools. These tools allow attackers to automate data exfiltration while remaining harder to detect.
“While the group initially relied on the Salesforce Dataloader application, they have since shifted to using custom applications. These custom applications are typically Python scripts that perform a similar function to the Dataloader app,” GTIG noted.
“The updated attack chain involves a voice call to enrol a victim, which the threat actor initiates while using Mullvad VPN IPs or TOR. Following this initial engagement, the data collection is automated and through TOR IPs, a change that further complicates attribution and tracking efforts,” it added.
GTIG also observed a shift in how the attackers gain access to Salesforce systems. Rather than registering with new trial accounts using webmail addresses, they are now leveraging compromised accounts from unrelated organisations to establish malicious apps.
“A prevalent tactic in UNC6040’s operations involves deceiving victims into authorizing a malicious connected app to their organization’s Salesforce portal. This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce,” the blog post continued.
“During a vishing call, the actor guides the victim to visit Salesforce’s connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version. This step inadvertently grants UNC6040 significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.”
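The chain described above, a victim-approved connected app with non-standard branding followed by automated bulk pulls from a different network origin, is something a defender can correlate in Salesforce audit data. The following detection sketch is an added example, not code from Google or Salesforce; the event schema, app allowlist and thresholds are assumptions, not real Salesforce EventLogFile fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified schema (an assumption for this
# example, not Salesforce's real EventLogFile layout):
# (timestamp, user, event, app_name, source_ip, rows_returned)
SAMPLE_EVENTS = [
    ("2025-06-10T09:02:00", "alice", "app_approved", "Data Loader (Bulk)", "198.51.100.9", 0),
    ("2025-06-10T09:40:00", "alice", "api_query", "Data Loader (Bulk)", "192.0.2.44", 48000),
    ("2025-06-10T10:05:00", "alice", "api_query", "Data Loader (Bulk)", "192.0.2.91", 52000),
    ("2025-06-11T14:00:00", "bob", "app_approved", "Data Loader", "203.0.113.5", 0),
    ("2025-06-11T14:30:00", "bob", "api_query", "Data Loader", "203.0.113.5", 1200),
]

SANCTIONED_APPS = {"Data Loader"}   # exact app names the org has vetted (assumption)
WINDOW = timedelta(hours=24)        # approval-to-collection window worth correlating
BULK_ROWS = 10_000                  # rows per query that counts as a bulk pull

def _ts(s):
    return datetime.fromisoformat(s)

def find_suspicious_grants(events, sanctioned=SANCTIONED_APPS,
                           window=WINDOW, bulk_rows=BULK_ROWS):
    """Return one finding per approval of a non-sanctioned connected app that
    was followed, within `window`, by bulk queries from a different IP."""
    approvals = defaultdict(list)
    queries = defaultdict(list)
    for ts, user, event, app, ip, rows in events:
        if event == "app_approved":
            approvals[user].append((_ts(ts), app, ip))
        elif event == "api_query":
            queries[user].append((_ts(ts), app, ip, rows))
    findings = []
    for user, grants in approvals.items():
        for when, app, approval_ip in grants:
            if app in sanctioned:
                continue  # known-good name; a branding mismatch is the tell
            # Bulk pulls through the same app, soon after approval, from an IP
            # other than the one the victim approved from (e.g. TOR exits)
            bulk = [q for q in queries[user]
                    if q[1] == app and when <= q[0] <= when + window
                    and q[3] >= bulk_rows and q[2] != approval_ip]
            if bulk:
                findings.append({
                    "user": user, "app": app, "approved_from": approval_ip,
                    "query_ips": sorted({q[2] for q in bulk}),
                    "rows": sum(q[3] for q in bulk),
                })
    return findings
```

On the sample data only alice's grant is flagged; bob approved the sanctioned app name and queried a small volume from the same address.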
This tactic is consistent with Salesforce’s own recent guidance to protect systems from the misuse of its Data Loader functionality.
GTIG noted that in some cases extortion attempts occurred long after the initial intrusions, suggesting possible collaboration between UNC6040 and other threat actors that monetize access to stolen data.
“In some instances, extortion activities haven’t been observed until several months after the initial UNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat actor that monetizes access to the stolen data,” GTIG said. “During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims.”