Cybercriminals Use Modified Salesforce Data Loader for Data Theft
The Google Threat Intelligence Group (GTIG) has uncovered a cybercriminal group, tracked as UNC6040, that uses sophisticated voice phishing (vishing) to trick employees into installing a modified Salesforce Data Loader. This allows the attackers to steal large amounts of sensitive data from approximately 20 organizations across various sectors in the Americas and Europe. The attackers convincingly impersonate IT support, guiding victims through the connected-app authorization process so that the malicious Data Loader is linked to the victim's Salesforce environment. Following data exfiltration from Salesforce, UNC6040 often moves laterally through the network, accessing and stealing data from other platforms such as Okta, Workplace, and Microsoft 365. In some cases, extortion attempts followed months later, suggesting potential partnerships with other threat actors. Salesforce has issued guidance to help customers protect themselves against similar attacks.