The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks.
“Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms,” the FBI said.
UNC6395 is a threat group that has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025.
As a result of the breach, Salesloft has isolated the Drift infrastructure and taken the artificial intelligence (AI) chatbot application offline. The company also said it’s in the process of implementing new multi-factor authentication processes and GitHub hardening measures.
“We are focused on the ongoing hardening of the Drift Application environment,” the company said. “This process includes rotating credentials, temporarily disabling certain parts of the Drift application and strengthening security configurations.” “At this time, we are advising all Drift customers to treat any and all Drift integrations and related data as potentially compromised.”
The second group the FBI has called attention to is UNC6040. Assessed to be active since October 2024, UNC6040 is the name assigned by Google to a financially motivated threat cluster that has engaged in vishing campaigns to obtain initial access and hijack Salesforce instances for large-scale data theft and extortion.
These attacks have involved the use of a modified version of Salesforce’s Data Loader application and custom Python scripts to breach victims’ Salesforce portals and exfiltrate valuable data. At least some of the incidents have involved extortion activities following UNC6040 intrusions, with them taking place months after the initial data theft.
“UNC6040 threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls,” the FBI said. “After obtaining access, UNC6040 threat actors have then used API queries to exfiltrate large volumes of data in bulk.”
The extortion phase has been attributed by Google to another uncategorized cluster tracked as UNC6240, which has consistently claimed to be the ShinyHunters group in emails and calls to employees of victim organizations.
“In addition, we believe threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” Google noted last month. “These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”
Since then, there have been a flurry of developments, the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
