Lateral movement for further extortion: After breaching Salesforce, the group moves laterally across cloud services, targeting tools like Okta, Microsoft 365, and Workplace to widen the scope of the breach.

Researchers point out that, in some cases, extortion attempts have surfaced months after the initial intrusion, with the threat actors even claiming ties to the infamous group ShinyHunters, likely as a pressure tactic.

The delay in extortion demands also hints that UNC6040 might be selling or handing off stolen data to other threat actors, who then use it for extortion, resale, or further attacks.

GTIG's findings suggest that UNC6040 may be part of a larger criminal network in which different groups handle different stages of an attack. This is based on observed similarities in tactics, techniques, and procedures (TTPs) between UNC6040 and other threat actors linked to a loosely connected collective known as "The Com", of which Scattered Spider is a part.
GTIG recommended steps under 'shared responsibility': GTIG noted that while platforms like Salesforce offer strong built-in protections, it is up to customers to properly configure access, manage permissions, and ensure users are trained according to best practices.

A few cloud shared-responsibility best practices to consider include adhering to the principle of least privilege, monitoring access to connected applications, enforcing IP-based access restrictions, and requiring multi-factor authentication (MFA).

UNC6040's tactics aren't isolated. Similar voice-driven social engineering campaigns have surfaced in recent months, including Scattered Spider's hybrid vishing attacks observed in May 2024, and the Letscall malware campaign in South Korea.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4001744/hackers-use-vishing-to-breach-salesforce-customers-and-swipe-data.html