Hasty Briefs

FBI Alert: Two Cybercriminal Groups Are Actively Compromising Salesforce

5 hours ago
  • #FBI
  • #cybersecurity
  • #Salesforce
  • FBI and DHS/CISA release FLASH Alert (FLASH-20250912-001) warning about cybercriminal groups UNC6040 and UNC6395 targeting Salesforce instances.
  • UNC6040 runs vishing campaigns in which callers impersonate IT support staff to trick call center employees into handing over Salesforce credentials.
  • UNC6040 tactics include credential harvesting, abuse of Salesforce APIs, and installation of malicious connected apps to bypass MFA.
  • UNC6395 exploits compromised OAuth tokens linked to Salesloft Drift, an AI chatbot integrated with Salesforce, to exfiltrate data.
  • Salesforce and Salesloft revoked all active Drift tokens on August 20, 2025, to cut off unauthorized access.
  • FBI provides indicators of compromise (IOCs) including IP addresses, URLs, and user-agent strings tied to both groups.
  • Defensive measures recommended: train call center staff, deploy phishing-resistant MFA, apply least-privilege access controls, monitor API usage, rotate API keys, and log network traffic.
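
As an added example in the spirit of the "monitor API usage" and IOC recommendations above (this is not code from the FBI alert, Salesforce, or the original page), the script below checks simplified Salesforce event-log records against an IOC list of IP addresses and user-agent strings and flags bulk exports issued by connected apps outside an allowlist. Every IOC value, app name, field name, and log record is a constructed placeholder (documentation IP ranges, invented app names, a simplified record shape rather than the real Event Monitoring schema), not an indicator from the FLASH; substitute the alert's own lists and your org's approved apps before use.

```python
"""Triage Salesforce-style event records against IOCs and bulk-export rules.

Added example, not code from the FBI alert or Salesforce. All IOC values,
connected-app names and log records below are constructed placeholders.
"""
from ipaddress import ip_address, ip_network

# Constructed placeholder IOCs (RFC 5737 documentation ranges). Replace with
# the IP and user-agent indicators from the FLASH alert.
IOC_IPS = {"203.0.113.0/24", "198.51.100.77"}
IOC_USER_AGENTS = {"python-requests/2.32", "Salesforce-Multi-Org-Fetcher/1.0"}

# Connected apps the org has actually approved (assumption: such an allowlist
# exists). Bulk exports by any other app are treated as suspect.
APPROVED_APPS = {"Data Loader", "Salesforce for Outlook"}
BULK_EXPORT_THRESHOLD = 10_000  # rows in one request (assumed tuning value)

# A bare address becomes a /32 network, so both forms in IOC_IPS work.
IOC_NETS = [ip_network(n) for n in IOC_IPS]


def ip_is_ioc(ip: str) -> bool:
    """True if ip falls inside any IOC address or range; malformed -> False."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETS)


def ua_is_ioc(user_agent: str) -> bool:
    """Case-insensitive substring match against the IOC user-agent list."""
    ua = user_agent.lower()
    return any(sig.lower() in ua for sig in IOC_USER_AGENTS)


def analyze(events):
    """Return [(event_id, user, [reasons])] for every record worth a look.

    Each event is a dict with a simplified shape (constructed for this example):
    id, user, event_type ("Login" or "BulkApi"), source_ip, user_agent,
    client_name (connected app), rows (for BulkApi).
    """
    findings = []
    for ev in events:
        reasons = []
        if ip_is_ioc(ev.get("source_ip", "")):
            reasons.append(f"source_ip {ev['source_ip']} matches IOC")
        if ua_is_ioc(ev.get("user_agent", "")):
            reasons.append("user_agent matches IOC")
        if ev.get("event_type") == "BulkApi":
            app = ev.get("client_name", "")
            if app not in APPROVED_APPS:
                reasons.append(f"bulk export via unapproved connected app {app!r}")
            if ev.get("rows", 0) >= BULK_EXPORT_THRESHOLD:
                reasons.append(f"bulk export of {ev['rows']} rows")
        if reasons:
            findings.append((ev["id"], ev["user"], reasons))
    return findings


# Constructed sample records: one benign login, one login from an IOC address
# with an IOC user agent, one large export through a renamed connected app,
# and one small export through an approved app.
SAMPLE_EVENTS = [
    {"id": "e1", "user": "agent1@example.com", "event_type": "Login",
     "source_ip": "192.0.2.10", "user_agent": "Mozilla/5.0", "client_name": ""},
    {"id": "e2", "user": "agent1@example.com", "event_type": "Login",
     "source_ip": "203.0.113.45", "user_agent": "Python-Requests/2.32.3",
     "client_name": ""},
    {"id": "e3", "user": "agent2@example.com", "event_type": "BulkApi",
     "source_ip": "192.0.2.55", "user_agent": "Mozilla/5.0",
     "client_name": "My Ticket Portal", "rows": 250_000},
    {"id": "e4", "user": "agent3@example.com", "event_type": "BulkApi",
     "source_ip": "192.0.2.10", "user_agent": "Mozilla/5.0",
     "client_name": "Data Loader", "rows": 500},
]

if __name__ == "__main__":
    for event_id, user, reasons in analyze(SAMPLE_EVENTS):
        print(event_id, user)
        for r in reasons:
            print("   -", r)
```

The unapproved-app check matters independently of the IOC match: a connected app authorized through a vishing call arrives from the victim's own network with a legitimate session, so IP and user-agent indicators alone will not catch it, while an export of an unusual size by an app no one approved will.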