The Cost of a Call: From Voice Phishing to Data Extortion

18 days ago
  • #Phishing
  • #DataBreach
  • #Cybersecurity

  • Google's corporate Salesforce instance was compromised by UNC6040, leading to data theft.
  • UNC6240 conducts extortion activities, demanding bitcoin payments under the guise of ShinyHunters.
  • Threat actors may escalate tactics by launching a data leak site (DLS).
  • UNC6040 evolved from using Salesforce Data Loader to using custom Python scripts in its attacks.
  • Attackers use voice phishing (vishing) to impersonate IT support and gain access.
  • Malicious connected apps are used to exfiltrate data from Salesforce environments.
  • UNC6040 leverages stolen credentials to move laterally across cloud platforms like Okta and Microsoft 365.
  • Attack infrastructure includes phishing panels and Mullvad VPN IPs for anonymity.
  • Data Loader abuse involves tricking victims into connecting malicious apps via social engineering.
  • Mitigation strategies include least privilege access, IP restrictions, MFA, and advanced monitoring.