Overview
- UNC6040 operators place voice calls that talk employees into approving a modified, attacker-controlled version of Salesforce's Data Loader as a connected app
- Once approved, the rogue app holds an OAuth grant with broad rights to access, query and exfiltrate sensitive data, which the attackers then use to move laterally into other systems in the victim's environment
- Roughly 20 organizations in Europe and the Americas have been targeted; in some cases data was stolen and extortion demands followed, sometimes only after a delay
- The attackers route their activity through Mullvad VPN exit addresses and have ties to the loosely organized cybercrime ecosystem known as The Com
- Salesforce stresses that no platform vulnerability was exploited and advises customers to restrict API access to the users who need it, limit logins from untrusted VPN ranges and strengthen employee security awareness training
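The attack chain above leaves a footprint in Salesforce login records: an API login through a connected app the org never sanctioned, often from a VPN exit address, by a user whose job does not require API access. The script below is an added example, not Salesforce's code or anything from the UNC6040 investigation. It runs three of the checks Salesforce's guidance implies over constructed login records whose field names mirror Salesforce's LoginHistory object (UserId, SourceIp, Application, ApiType, Status); every value in the records, the allowlists and the CIDR ranges is made up, and the CIDRs are documentation ranges standing in for whatever VPN exits an operator chooses to treat as untrusted.

```python
"""Flag login records consistent with a rogue Data Loader-style connected app.

Added example; not Salesforce's code and not attacker tooling. Field names
mirror Salesforce's LoginHistory object, but all records and lists below are
constructed for illustration.
"""
import ipaddress

# Constructed: ranges the org treats as untrusted (documentation CIDRs, not real VPN exits).
UNTRUSTED_VPN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed: connected apps the org has reviewed and sanctioned for API access.
SANCTIONED_API_APPS = {"Data Loader Partner", "Nightly Backup Integration"}

# Constructed: users whose profile legitimately carries the "API Enabled" permission.
API_ENABLED_USERS = {"005AAA000001", "005AAA000002"}

# Constructed LoginHistory-style records. ApiType "N/A" marks an interactive UI login.
LOGIN_HISTORY = [
    {"UserId": "005AAA000001", "LoginTime": "2025-05-02T09:14:00Z", "SourceIp": "192.0.2.10",
     "Application": "Browser", "ApiType": "N/A", "Status": "Success"},
    {"UserId": "005AAA000001", "LoginTime": "2025-05-02T09:20:00Z", "SourceIp": "192.0.2.10",
     "Application": "Data Loader Partner", "ApiType": "Partner", "Status": "Success"},
    # Unsanctioned app, untrusted source range, user without API permission: the
    # shape a freshly approved rogue connected app would take.
    {"UserId": "005AAA000003", "LoginTime": "2025-05-02T11:05:00Z", "SourceIp": "203.0.113.44",
     "Application": "Ticket Sync Helper", "ApiType": "Partner", "Status": "Success"},
    # Sanctioned app and permitted user, but from an untrusted range; a login IP
    # range restriction would have rejected this, which is the Status shown.
    {"UserId": "005AAA000002", "LoginTime": "2025-05-02T12:00:00Z", "SourceIp": "198.51.100.7",
     "Application": "Data Loader Partner", "ApiType": "Partner", "Status": "Failed"},
]


def is_untrusted_ip(ip: str, ranges=UNTRUSTED_VPN_RANGES) -> bool:
    """True when the source address falls inside any untrusted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def analyze_logins(records, ranges=UNTRUSTED_VPN_RANGES,
                   sanctioned=SANCTIONED_API_APPS, api_users=API_ENABLED_USERS):
    """Return one finding per (record, rule) that fires.

    Rules:
      untrusted_source_ip              login from a range the org does not trust
      unsanctioned_api_app             API login through an app outside the allowlist
      api_login_without_api_permission API login by a user who should not hold API access
    """
    findings = []
    for rec in records:
        base = {"UserId": rec["UserId"], "LoginTime": rec["LoginTime"],
                "Application": rec["Application"], "Status": rec["Status"]}
        is_api_login = rec["ApiType"] != "N/A"
        if is_untrusted_ip(rec["SourceIp"], ranges):
            findings.append({**base, "rule": "untrusted_source_ip",
                             "detail": f"source {rec['SourceIp']} in untrusted range"})
        if is_api_login and rec["Application"] not in sanctioned:
            findings.append({**base, "rule": "unsanctioned_api_app",
                             "detail": f"API login via unreviewed app {rec['Application']!r}"})
        if is_api_login and rec["UserId"] not in api_users:
            findings.append({**base, "rule": "api_login_without_api_permission",
                             "detail": "user is not on the API Enabled allowlist"})
    return findings


def findings_by_user(findings):
    """Group rule names per user so a responder sees which accounts stack several signals."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["UserId"], set()).add(f["rule"])
    return grouped


if __name__ == "__main__":
    for f in analyze_logins(LOGIN_HISTORY):
        print(f"{f['LoginTime']} {f['UserId']} {f['rule']}: {f['detail']} ({f['Status']})")
```

A user that trips all three rules at once is the case to treat as a likely rogue approval: pull the connected app's OAuth grant in Setup, revoke the user's active sessions and review the Data Loader-sized query volume that followed. The rules are deliberately independent so that a sanctioned app from a new VPN range, or an unknown app from a trusted office address, still surfaces on its own.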