
Latest news with #DataLoader

Never Answer These Calls On Your Smartphone, Google Warns

Forbes

2 days ago

  • Business
  • Forbes

Beware the UNC6040 smartphone threat. Google's Threat Intelligence Group has issued a new warning about a dangerous cyberattack group known only as UNC6040, which is succeeding in stealing data, including credentials, by getting victims to answer a call on their smartphone. There are no vulnerabilities to exploit, unless you include yourself: these attackers 'abuse end-user trust,' a Google spokesperson said, adding that the UNC6040 campaign 'began months ago and remains active.' Here's what you need to know and do. TL;DR: Don't answer that call, and if you do, don't act upon it.

If you still need me to warn you about the growing threat from AI-powered cyberattacks, particularly those involving calls to your smartphone, regardless of whether it's an Android or an iPhone, then you really haven't been paying attention. It's this lack of attention, on the broadest global cross-industry scale, that has left attackers emboldened and allowed the 'vishing' threat to evolve and become ever more dangerous. If you won't listen to me, perhaps you'll take notice of the cybersecurity and hacking experts who form the Google Threat Intelligence Group.

A June 4 posting by GTIG, whose motto is providing visibility and context on the threats that matter most, has detailed how it has been tracking a threat group known only as UNC6040. This group is financially motivated and very dangerous indeed. 'UNC6040's operators impersonate IT support via phone,' the GTIG report stated, 'tricking employees into installing modified (not authorized by Salesforce) Salesforce connected apps, often Data Loader variants.' The payoff for the UNC6040 hackers? Access to sensitive data and onward lateral movement to other cloud services beyond the original intrusion. Google's threat intelligence analysts have designated UNC6040 as opportunistic attackers, and the broad spectrum of that opportunity has been seen across hospitality, retail and education in the U.S. and Europe.

One theory is that the original attackers work in conjunction with a second group that monetizes the infiltrated networks and stolen data, as the extortion often doesn't start until some months after the initial intrusion. To mitigate the UNC6040 attack risk, GTIG listed a number of steps organisations should consider. And, of course, as Google has advised in previous scam warnings, don't answer phone calls from unknown sources. If you do, and it's someone claiming to be an IT support person, hang up and use the established methods within your organization to contact them for verification.

Hackers abuse modified Salesforce app to steal data, extort companies, Google says

Time of India

2 days ago

  • Business
  • Time of India

By AJ Vicens

Hackers are tricking employees at companies in Europe and the Americas into installing a modified version of a Salesforce-related app, allowing them to steal reams of data, gain access to other corporate cloud services and extort those companies, Google said on Wednesday.

The hackers, tracked by the Google Threat Intelligence Group as UNC6040, have "proven particularly effective at tricking employees" into installing a modified version of Salesforce's Data Loader, a proprietary tool used to bulk import data into Salesforce environments, the researchers said. The hackers use voice calls to trick employees into visiting a purported Salesforce connected app setup page and approving the unauthorized, modified version of the app, which the hackers created to emulate Data Loader. If the employee installs the app, the hackers gain "significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments," the researchers said. The access also frequently gives the hackers the ability to move throughout a customer's network, enabling attacks on other cloud services and internal corporate networks.

Technical infrastructure tied to the campaign has characteristics consistent with the broader and loosely organized ecosystem known as "The Com," known for small, disparate groups engaging in cybercriminal and sometimes violent activity, the researchers said. A Google spokesperson did not share additional details about how many companies have been targeted in the campaign, which has been observed over the past several months.

A Salesforce spokesperson told Reuters in an email that "there's no indication the issue described stems from any vulnerability inherent in our platform." The spokesperson said the voice calls used to trick employees "are targeted social engineering scams designed to exploit gaps in individual users' cybersecurity awareness and best practices." The spokesperson declined to share the specific number of affected customers, but said that Salesforce was "aware of only a small subset of affected customers" and that it was "not a widespread issue." Salesforce warned customers of voice phishing, or "vishing," attacks and of hackers abusing malicious, modified versions of Data Loader in a March 2025 blog post.

Hackers abuse modified Salesforce app to steal data, extort companies, Google says

The Hindu

2 days ago

  • Business
  • The Hindu

Hackers are tricking employees at companies in Europe and the Americas into installing a modified version of a Salesforce-related app, allowing them to steal reams of data, gain access to other corporate cloud services and extort those companies, Google said on Wednesday.

The hackers, tracked by the Google Threat Intelligence Group as UNC6040, have 'proven particularly effective at tricking employees' into installing a modified version of Salesforce's Data Loader, a proprietary tool used to bulk import data into Salesforce environments, the researchers said. The hackers use voice calls to trick employees into visiting a purported Salesforce connected app setup page and approving the unauthorised, modified version of the app, which the hackers created to emulate Data Loader. If the employee installs the app, the hackers gain 'significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments,' the researchers said. The access also frequently gives the hackers the ability to move throughout a customer's network, enabling attacks on other cloud services and internal corporate networks.

Technical infrastructure tied to the campaign has characteristics consistent with the broader and loosely organized ecosystem known as 'The Com,' known for small, disparate groups engaging in cybercriminal and sometimes violent activity, the researchers said. A Google spokesperson told Reuters that roughly 20 organizations have been affected by the UNC6040 campaign, which has been observed over the past several months. A subset of those organisations had data successfully exfiltrated, the spokesperson said.

A Salesforce spokesperson told Reuters in an email that 'there's no indication the issue described stems from any vulnerability inherent in our platform.' The spokesperson said the voice calls used to trick employees 'are targeted social engineering scams designed to exploit gaps in individual users' cybersecurity awareness and best practices.' The spokesperson declined to share the specific number of affected customers, but said that Salesforce was 'aware of only a small subset of affected customers' and that it was 'not a widespread issue.' Salesforce warned customers of voice phishing, or 'vishing,' attacks and of hackers abusing malicious, modified versions of Data Loader in a March 2025 blog post.

UNC6040 Hacks Salesforce Via Vishing And Malicious Data Loader Apps, Google Warns

Scoop

2 days ago

  • Scoop

Press Release – Google Threat Intelligence Group – GTIG

A new Google Cloud Threat Intelligence report has revealed a sophisticated vishing campaign targeting Salesforce environments, enabling large-scale data theft and extortion. The operation, attributed to threat cluster UNC6040, leverages modified versions of Salesforce's Data Loader and malicious connected apps to compromise organisations without exploiting any Salesforce vulnerability.

According to Google, attackers impersonate IT support on live calls, directing users to approve unauthorised Data Loader apps via Salesforce's connected app interface. These apps, often disguised with innocuous names like 'My Ticket Portal,' grant direct access to sensitive CRM data. Because approving a connected app is an OAuth consent, the attacker's app receives API access under the victim's own Salesforce permissions. No Salesforce systems are compromised in the attacks; the actors exploit end-user trust to gain that access and then use it to infiltrate other systems. Once initial access is secured, attackers use harvested credentials to move laterally into platforms such as Okta and Microsoft 365. In some cases, exfiltration went undetected for months before extortion attempts occurred, sometimes under the banner of groups like ShinyHunters. UNC6040's infrastructure included Okta phishing panels and commercial VPN services such as Mullvad. The group's techniques overlap with those seen in campaigns linked to 'The Com', a loosely affiliated cybercriminal collective.

GTIG advises defenders to implement strict access controls, limit API privileges, and use Salesforce Shield for anomaly detection. IP-based restrictions and rigorous app allowlisting are also critical, given the threat actors' reliance on human manipulation rather than technical exploits.

'This campaign demonstrates how modern attackers exploit trust and routine admin functions to bypass even hardened cloud environments,' GTIG noted.
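The three controls GTIG names in the passage above (app allowlisting, IP-based restrictions, anomaly detection on Shield event data) can be expressed as log rules that flag exactly the pattern the report describes: a connected app nobody approved, reached from a commercial VPN exit, pulling CRM data in bulk. The following is an added example, not code from GTIG, Google or Salesforce. The records it runs over are constructed; their field names (user, application, source_ip, operation, rows_processed) are assumptions loosely modelled on Salesforce Event Monitoring's login and API events, and the allowlist, trusted network range and row threshold are likewise assumed values for illustration.

```python
import ipaddress
from collections import defaultdict

# Connected apps the org has pre-approved (assumed allowlist).
APPROVED_APPS = {"Data Loader", "Salesforce for Outlook"}

# Corporate egress ranges (assumed; 203.0.113.0/24 is an RFC 5737 documentation prefix).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Rows one (user, app) pair may pull in the window before it counts as a bulk pull (assumed).
BULK_ROWS_THRESHOLD = 50_000

# Constructed sample records, not a real export. Field names are assumptions
# loosely modelled on Salesforce Event Monitoring login/API events.
# "My Ticket Portal" is the lookalike app name quoted in the GTIG report;
# 198.51.100.0/24 (another documentation prefix) stands in for a VPN exit.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "application": "Data Loader",
     "source_ip": "203.0.113.10", "operation": "Query", "rows_processed": 1_200},
    {"user": "bob@example.com", "application": "My Ticket Portal",
     "source_ip": "198.51.100.77", "operation": "Query", "rows_processed": 40_000},
    {"user": "bob@example.com", "application": "My Ticket Portal",
     "source_ip": "198.51.100.77", "operation": "Query", "rows_processed": 35_000},
    {"user": "carol@example.com", "application": "Salesforce for Outlook",
     "source_ip": "203.0.113.22", "operation": "Query", "rows_processed": 15},
]


def is_trusted_ip(ip):
    """True if the address falls inside a corporate egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect(events, approved=APPROVED_APPS, threshold=BULK_ROWS_THRESHOLD):
    """Aggregate API events per (user, app) and return one alert per pair that
    trips any of: app not on the allowlist, access from outside trusted ranges,
    bulk row pull. A pair tripping all three is tagged as the lookalike pattern."""
    per_pair = defaultdict(lambda: {"rows": 0, "ips": set()})
    for e in events:
        agg = per_pair[(e["user"], e["application"])]
        agg["rows"] += e["rows_processed"]
        agg["ips"].add(e["source_ip"])

    alerts = []
    for (user, app), agg in per_pair.items():
        reasons = []
        if app not in approved:
            reasons.append("connected app not on allowlist")
        untrusted = sorted(ip for ip in agg["ips"] if not is_trusted_ip(ip))
        if untrusted:
            reasons.append("API access from outside trusted ranges: " + ", ".join(untrusted))
        if agg["rows"] >= threshold:
            reasons.append(f"bulk data pull: {agg['rows']} rows")
        if reasons:
            alerts.append({
                "user": user,
                "application": app,
                "rows": agg["rows"],
                "reasons": reasons,
                "lookalike_pattern": len(reasons) == 3,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample only bob's "My Ticket Portal" pair alerts, with all three reasons. A name allowlist on its own is a weak control: an attacker who names the lookalike app "Data Loader" passes that check, so the durable measure is to restrict which connected apps users may authorise at all, with admin pre-approval, rather than to inspect names after the fact. The source-address and row-volume rules exist for the case the report describes, where a modified app has already been approved, and the accumulated row count is the signal that maps most directly to the bulk exfiltration GTIG observed.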
