
Threat actors claiming to be ShinyHunters have begun extorting victims whose Salesforce environments were compromised in earlier intrusions, Google has confirmed.
The extortion phase, tracked by Google's Threat Intelligence Group (GTIG) as UNC6240, has intensified in recent weeks, with some victims receiving threatening emails or calls demanding Bitcoin payments within 72 hours.
In an update to its original post, Google revealed that one of its own internal Salesforce instances was impacted by UNC6040 activity in June. The affected instance contained contact information and notes related to small and medium-sized businesses. Although the exposure was limited to largely public business data and the intrusion window was brief, the confirmation highlights the reach and precision of the campaign.
GTIG has been tracking UNC6040 as a financially motivated threat cluster that relies on voice phishing (vishing) to manipulate employees into granting OAuth access to malicious “connected apps” inside Salesforce environments. These apps, often disguised or modified versions of Salesforce's Data Loader tool, allow attackers to exfiltrate large volumes of data without exploiting any inherent vulnerabilities in Salesforce itself.
UNC6240, a related cluster responsible for the extortion phase, has contacted breached organizations months after the initial intrusion, demanding payment under the alias ShinyHunters. The extortion messages are sent from addresses like shinycorp@tuta[.]com and shinygroup@tuta[.]com, and often include threats to leak stolen data unless victims comply. While the affiliation between UNC6240 and the original ShinyHunters group remains unverified, the branding appears to be used as a psychological pressure tactic, leveraging ShinyHunters' notoriety in past high-profile breaches.
GTIG warns that a data leak site (DLS) may be in development by UNC6240, signaling a potential escalation in tactics. If launched, this would place additional pressure on victims and mark a new phase of public exposure risk for affected organizations.
Salesforce, the cloud-based customer relationship management (CRM) platform at the center of the campaign, offers tools like Data Loader for bulk data operations. Attackers have exploited these features by convincing users, through carefully scripted vishing calls, to authorize connected applications posing as support utilities, such as one labeled “My Ticket Portal.” Once access is granted, the exfiltration is conducted via Python-based scripts, with attacker infrastructure leveraging anonymization services like Mullvad VPN and Tor to avoid attribution.
Google observed that UNC6040 has improved its methods, shifting from registering apps with webmail accounts to using compromised enterprise accounts to deploy custom applications. Attackers also employ Okta phishing panels, often delivered mid-call, to steal credentials and bypass multi-factor authentication (MFA).
The campaign bears similarities to tactics used by threat groups loosely connected to the cybercrime community known as “The Com,” including the impersonation of IT support personnel and targeting of cloud authentication platforms like Okta and Microsoft 365.
To mitigate these attacks, GTIG recommends enforcing least-privilege access to Data Loader and APIs, tightly controlling connected apps, restricting access by IP range, enabling Salesforce Shield for anomaly detection, and ensuring strong, organization-wide MFA with user education on social engineering tactics.
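As an added illustration of the "tightly controlling connected apps" and Data Loader monitoring advice above (example code written for this page, not from Google, GTIG or Salesforce), the script below audits a constructed, simplified export of OAuth-grant and bulk-query events: it flags connected apps that are not on an approved list, names that mimic Data Loader without being the approved app, and per-app export volumes above a threshold. The record layout, app names, user addresses and threshold are all assumptions, not Salesforce's real event-log schema.

```python
import csv
import io
from collections import defaultdict

# Assumed policy values; tune to your organization.
APPROVED_APPS = {"Salesforce Data Loader", "Corporate BI Connector"}
BULK_ROW_THRESHOLD = 50_000

# Constructed sample in a simplified shape; not Salesforce's real EventLogFile schema.
SAMPLE_EVENTS = """\
timestamp,user,event,app_name,rows
2025-06-02T09:14:00Z,alice@example.com,OAUTH_GRANT,My Ticket Portal,0
2025-06-02T09:20:00Z,alice@example.com,BULK_QUERY,My Ticket Portal,120000
2025-06-02T10:05:00Z,bob@example.com,OAUTH_GRANT,Corporate BI Connector,0
2025-06-02T10:10:00Z,bob@example.com,BULK_QUERY,Corporate BI Connector,800
2025-06-02T11:30:00Z,carol@example.com,OAUTH_GRANT,Salesforce DataLoader Support,0
"""

def _norm(name):
    # Collapse case and whitespace so "Data Loader" and "DataLoader" compare equal.
    return "".join(name.lower().split())

def audit(csv_text, approved=APPROVED_APPS, threshold=BULK_ROW_THRESHOLD):
    """Return (finding_type, user, app_name) tuples for analyst review."""
    findings = []
    rows_by_grant = defaultdict(int)
    for rec in csv.DictReader(io.StringIO(csv_text)):
        user, app = rec["user"], rec["app_name"]
        if rec["event"] == "OAUTH_GRANT" and app not in approved:
            # A name that evokes Data Loader but is not the approved app matches the
            # "disguised or modified Data Loader" pattern described in the article.
            kind = "lookalike_app" if "dataloader" in _norm(app) else "unapproved_app"
            findings.append((kind, user, app))
        elif rec["event"] == "BULK_QUERY":
            # Sum exported rows per (user, app) so many small pulls are not missed.
            rows_by_grant[(user, app)] += int(rec["rows"])
    for (user, app), total in rows_by_grant.items():
        if total > threshold:
            findings.append(("bulk_export", user, app))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(*finding)
```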