Ongoing Salesforce Attacks: UNC6040, UNC6395 & ShinyHunters – What You Need to Know & How to Defend


Introduction

Salesforce is central to how many enterprises manage customer relationships, sales pipelines, support cases, and more. It contains a trove of personal, financial, marketing, and operational data. Attacks targeting Salesforce environments are high-stakes: data theft, reputational risk, regulatory fines, and extortion are very real consequences.

Recently, threat actors UNC6040, UNC6395, and ShinyHunters have carried out sophisticated campaigns exploiting OAuth integrations, connected apps, social engineering/vishing, and malicious “Data Loader” tools to exfiltrate data.

This article (10,000+ words under CyberDudeBivash authority) will cover:

  • What the attacks are, technical details & timeline

  • Initial access vectors and TTPs (Tactics, Techniques, and Procedures)

  • Impacted data, victims, scale & extortion follow-ups

  • Detection & mitigation strategies

  • Policy, governance & compliance implications

  • Tool recommendations & best practices

  • What enterprises should do now


 Understanding UNC6040, UNC6395 & ShinyHunters: Threat Profiles

UNC6040

UNC6395

ShinyHunters & UNC6240

  • After data theft via UNC6040, victims have been extorted by entities claiming affiliation with ShinyHunters (sometimes named UNC6240 in the FBI and Google reports). (Sources: Internet Crime Complaint Center, The Hacker News)

  • It is not always clear whether ShinyHunters is the same group as UNC6240 or whether the brand is simply being used for extortion leverage; Google’s GTIG said direct attribution is not yet confirmed in several cases. (Source: Arctic Wolf)


Timeline of Notable Events

  • Oct 2024 onward: UNC6040 begins vishing and social-engineering attacks for initial access. (Sources: Internet Crime Complaint Center, The Hacker News)

  • June 2025: Google Threat Intelligence discovers Salesforce Data Loader misuse at prominent companies. (Sources: cloudprotection.withsecure.com, The Hacker News)

  • August 8-18, 2025: UNC6395 exfiltrates data via Salesloft Drift OAuth tokens. (Sources: Arctic Wolf, Google Cloud)

  • Aug 20, 2025: Salesloft and Salesforce revoke all access and refresh tokens for the Drift app. (Sources: Arctic Wolf, Google Cloud)

  • Sept 2025: FBI issues a FLASH alert releasing IOCs for UNC6040 and UNC6395 targeting Salesforce systems. (Source: Internet Crime Complaint Center)

 Attack Methods & Key Techniques (TTPs)

  1. Voice-Phishing / Vishing

    • Impersonate internal IT/Helpdesk support.

    • Create urgency around system issues or alerts.

    • Ask the victim to set up a connected app or approve a Data Loader-like tool. (Sources: Google Cloud, BleepingComputer)

  2. Connected Apps / OAuth Exploitation

  3. Compromised Tokens

    • Access via stolen or leaked OAuth access / refresh tokens (e.g. via a vulnerable third-party integration such as Drift). (Source: Arctic Wolf)

  4. API / SOQL queries for exfiltration

    • Bulk SOQL queries against objects such as Account, User, and Case. (Source: Google Cloud)

  5. Extortion / Data Leak Post-Compromise


 Impact: What’s at Stake

  • Sensitive Customer Data Leaks: Customer contact info, case notes, user emails; sometimes credentials or tokens to other cloud environments. (Source: Arctic Wolf)

  • Regulatory Exposure: GDPR, CCPA, India’s DPDP, and similar laws impose data breach obligations, notification duties, and fines.

  • Brand Damage & Trust Loss: Companies like Google, Adidas, Cisco, etc., have been impacted (or reported impacted) in some of these campaigns. (Source: BleepingComputer)

  • Lateral Access & Cloud Compromise Risk: Once an OAuth token or connected app access is granted, attackers may reach other linked services (Okta, AWS, Microsoft 365, etc.). (Sources: Google Cloud, Arctic Wolf)


 Detection & Mitigation Strategies (CyberDudeBivash View)

Here’s what organizations must do now to reduce risk:

  1. Audit & Inventory All Connected Apps / OAuth Tokens

    • List all third-party apps connected to Salesforce environments.

    • Review permissions/scopes. Remove or revoke those which are not clearly required.

  2. Harden Access Controls

    • Restrict who can authorize connected apps (only trusted admin profiles).

    • Enable MFA everywhere (noting that OAuth-based and other bypass vectors can sometimes circumvent MFA).

  3. Strengthen Authentication & Social Engineering Defenses

    • Train staff, especially IT support, customer support, onboarding teams, to resist vishing and phishing.

    • Run simulated phishing / vishing exercises.

  4. Monitor API & OAuth Activities

    • Use Salesforce Shield (Event Monitoring, Transaction Security) or equivalent tooling to track abnormal API / SOQL activity.

    • Alert on bulk data queries and large-volume exfiltration over connected apps.

  5. Rotate Credentials & Tokens After Suspicious Events

    • Revoke compromised access tokens, refresh tokens, and connected app credentials whenever compromise is suspected.

  6. Limit Data Exposure via Least Privilege & Data Segmentation

    • Only allow roles to see minimal tables/objects needed.

    • Avoid storing sensitive secrets (AWS keys, Snowflake tokens) inside CRM objects or notes fields.

  7. Incident Response Plan for SaaS / Cloud Data Breach

    • Define roles & responsibilities.

    • Be ready to sever connected apps, revoke tokens, and engage external threat intelligence / forensics partners.
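The monitoring step above (item 4) can be made concrete. The following is an added example, not code from the original post: it scans rows of a Salesforce Event Monitoring "API" event log, totals the rows pulled from sensitive objects per user and API client, and raises an alert when a client is not on the org's approved list or the volume crosses a threshold. Column names follow the EventLogFile "API" event type; the sample rows, user IDs, client names, object list, allowlist and threshold are all constructed for the illustration.

```python
# Added example (not from the original post): flag bulk SOQL pulls of
# sensitive objects in Salesforce Event Monitoring 'API' event-log rows.
# Column names follow the EventLogFile 'API' event type; everything else
# (rows, IDs, client names, allowlist, threshold) is constructed.
import csv
import io
from collections import defaultdict

# Constructed sample: one vetted integration doing a small query, and an
# unfamiliar client paging through Account/Contact/Case within minutes.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2025-08-09T02:10:05Z,005000000000001,MarketingSync,query,Lead,250
API,2025-08-09T02:11:00Z,005000000000002,ExampleLoader,query,Account,2000
API,2025-08-09T02:11:30Z,005000000000002,ExampleLoader,queryMore,Account,2000
API,2025-08-09T02:12:10Z,005000000000002,ExampleLoader,queryMore,Contact,2000
API,2025-08-09T02:13:45Z,005000000000002,ExampleLoader,query,Case,1500
"""

SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "User", "Lead"}
APPROVED_CLIENTS = {"MarketingSync"}   # API clients the org has vetted
ROW_THRESHOLD = 5000                   # rows per (user, client) in the log


def find_bulk_extraction(log_text, threshold=ROW_THRESHOLD,
                         approved=APPROVED_CLIENTS):
    """Return one alert per (user, client) that pulled >= threshold rows
    from sensitive objects via query/queryMore, or is not an approved client."""
    rows_by_key = defaultdict(int)     # (user, client) -> rows processed
    objects_by_key = defaultdict(set)  # (user, client) -> objects queried
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "API" or not row["METHOD_NAME"].startswith("query"):
            continue
        if row["ENTITY_NAME"] not in SENSITIVE_OBJECTS:
            continue
        key = (row["USER_ID"], row["CLIENT_NAME"])
        rows_by_key[key] += int(row["ROWS_PROCESSED"])
        objects_by_key[key].add(row["ENTITY_NAME"])

    alerts = []
    for (user, client), total in rows_by_key.items():
        reasons = []
        if total >= threshold:
            reasons.append(f"{total} rows from {sorted(objects_by_key[(user, client)])}")
        if client not in approved:
            reasons.append(f"unapproved API client {client!r}")
        if reasons:
            alerts.append({"user": user, "client": client,
                           "rows": total, "reasons": reasons})
    return alerts
```

In production the same aggregation would run per time window over the daily or hourly EventLogFile downloads, with the alert feeding the token-revocation step described in item 5.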


Tools & Technologies to Use

  • OAuth / App Inventory: Salesforce connected apps admin panel; third-party SaaS management tools (e.g. AppOmni). Key features: visibility into OAuth apps, revocation, app permissions.

  • Log & Behavior Monitoring: Salesforce Event Monitoring, Splunk, ELK / SIEM. Key features: detection of abnormal API queries, bulk exports.

  • Identity & Access Governance: Identity providers, IAM tools, least privilege enforcement. Key features: limit app-authorization granularity.

  • Phishing / Vishing Defense: Security awareness training platforms; voice verification tools. Key features: simulated tests, standard verification protocols.

  • Token Management: Credential vaults, secrets managers, rotation automation. Key features: avoid tokens in cleartext, periodic rotation.

 Policy, Compliance & Governance Implications

  • Organizations must ensure they align with data protection laws (India DPDP, EU GDPR, etc.). Exposure of customer data triggers legal obligations.

  • New regulations may arise around OAuth / third-party application permissions in enterprise platforms. Regulators may demand auditing of connected apps.

  • Standards and frameworks (ISO, SOC 2, PCI DSS) may update requirements to include oversight of apps, token management, and SaaS-to-SaaS integrations.


 Global Context & Benchmarking

  • Similar incidents in other SaaS platforms show that OAuth abuse & third-party app misconfigurations are emerging global threats.

  • Comparative cases: Dropbox, Slack, Microsoft 365 breaches from over-permissive apps/integrations.

  • Enterprises in US, EU are beginning to require SaaS Security Posture Management (SSPM) tools as part of security baseline.




 Conclusion

The attacks by UNC6040, UNC6395, and ShinyHunters-claimants represent a new paradigm: attackers no longer need to exploit software flaws—they exploit trust (connected apps, OAuth permissions) and human factors (vishing).

Enterprises using Salesforce (and other SaaS platforms) should treat this moment as a wake-up call. Strengthen OAuth governance, reduce permissions, audit connected apps, train staff, monitor activity. With proper vigilance and layered defenses, you can close these attack pathways before damage is done.



#CyberDudeBivash #SalesforceSecurity #UNC6040 #UNC6395 #ShinyHunters #OAuthAbuse #Vishing #SaaSAttack #ThreatIntel #Cyberdefense
