The FBI has issued a FLASH alert warning about two cybercriminal groups, UNC6040 and UNC6395, that are actively compromising Salesforce instances for large-scale data theft and extortion.
UNC6040 has been targeting organizations since October 2024 through sophisticated vishing campaigns, tricking call center employees into granting access or approving malicious Salesforce connected apps. Once inside, they use API queries and modified Data Loader applications to exfiltrate bulk customer data, followed by extortion attempts, sometimes under the ShinyHunters name.
Meanwhile, UNC6395 launched a major campaign in August 2025 by exploiting compromised OAuth tokens tied to the Salesloft Drift application, allowing access to Salesforce environments until Salesforce and Salesloft revoked all tokens. Both groups have been linked to extensive infrastructure, including malicious IP addresses, domains, and custom user-agent strings.
The FBI has shared indicators of compromise and urges organizations to review third-party integrations, monitor API activity, and strengthen defenses.
RECOMMENDATIONS:
1. Train call center and support staff to identify vishing tactics, especially those involving urgent IT-related requests.
2. Regularly review and rotate OAuth tokens, API keys, and third-party app integrations, removing unused or suspicious connections.
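The two recommendations above come down to reviewing integrations and watching API activity. As an added illustration (not code from the FBI alert or from Cyderes), the Python below runs a simple detection pass over constructed Salesforce-style API activity records and a constructed list of connected-app tokens. The record layout, the approved-app and user-agent allowlists, the row thresholds and the rotation ages are all assumptions for the example, not Salesforce's Event Monitoring schema or any vendor's defaults.

```python
"""Added example: review connected-app API activity and token hygiene.

Everything here is constructed for illustration: the event fields, the
allowlists and the thresholds would come from the organization's own
integration inventory and logging pipeline.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Connected apps the organization has deliberately approved (assumed allowlist).
APPROVED_APPS = {"Internal Reporting", "Marketing Sync"}

# Client user-agents the organization expects from its own tooling (assumed).
APPROVED_USER_AGENTS = {"internal-reporting/2.1", "marketing-sync/1.4"}

# Thresholds (assumed): one bulk job above BULK_JOB_ROWS, or one user above
# PER_USER_WINDOW_ROWS inside the reviewed window, deserves an analyst's look.
BULK_JOB_ROWS = 100_000
PER_USER_WINDOW_ROWS = 250_000

# Token hygiene thresholds (assumed): rotate after MAX_TOKEN_AGE_DAYS, treat
# a connection idle longer than MAX_IDLE_DAYS as a removal candidate.
MAX_TOKEN_AGE_DAYS = 90
MAX_IDLE_DAYS = 30


@dataclass
class ApiEvent:
    """One API call as a logging pipeline might normalize it (constructed layout)."""
    timestamp: str
    user: str
    app: str          # connected app / client name presented to the tenant
    user_agent: str
    operation: str    # e.g. "query" or "bulk_export"
    rows: int         # rows returned or exported by the call


@dataclass
class Integration:
    """One third-party connection and its OAuth token dates (constructed layout)."""
    name: str
    token_issued: date
    last_used: date


def review_events(events):
    """Return (severity, message) findings for unapproved apps, odd user-agents
    and bulk data pulls, per event and aggregated per user."""
    findings = []
    rows_by_user = defaultdict(int)
    for e in events:
        rows_by_user[e.user] += e.rows
        if e.app not in APPROVED_APPS:
            findings.append(("high", f"{e.timestamp} {e.user}: unapproved connected app '{e.app}'"))
        if e.user_agent not in APPROVED_USER_AGENTS:
            findings.append(("medium", f"{e.timestamp} {e.user}: unexpected user-agent '{e.user_agent}'"))
        if e.operation == "bulk_export" and e.rows >= BULK_JOB_ROWS:
            findings.append(("high", f"{e.timestamp} {e.user}: bulk export of {e.rows} rows via '{e.app}'"))
    for user, total in rows_by_user.items():
        if total >= PER_USER_WINDOW_ROWS:
            findings.append(("high", f"{user}: {total} rows retrieved in window"))
    return findings


def review_integrations(integrations, today):
    """Flag tokens past rotation age and connections that look unused."""
    findings = []
    for i in integrations:
        if (today - i.token_issued).days > MAX_TOKEN_AGE_DAYS:
            findings.append(("medium", f"{i.name}: token issued {i.token_issued} is past rotation age"))
        if (today - i.last_used).days > MAX_IDLE_DAYS:
            findings.append(("low", f"{i.name}: no activity since {i.last_used}; candidate for removal"))
    return findings


# Constructed sample: two routine calls, then a pattern resembling the alert's
# description (unrecognized client, odd user-agent, repeated bulk exports).
SAMPLE_EVENTS = [
    ApiEvent("2025-09-01T09:00:00Z", "svc.reporting", "Internal Reporting", "internal-reporting/2.1", "query", 1_200),
    ApiEvent("2025-09-01T09:05:00Z", "svc.marketing", "Marketing Sync", "marketing-sync/1.4", "query", 800),
    ApiEvent("2025-09-01T13:42:10Z", "jdoe", "My Data Loader", "custom-loader/1.0", "bulk_export", 180_000),
    ApiEvent("2025-09-01T13:55:30Z", "jdoe", "My Data Loader", "custom-loader/1.0", "bulk_export", 150_000),
]

# Constructed sample: one healthy integration and one stale, unrotated one.
SAMPLE_INTEGRATIONS = [
    Integration("Internal Reporting", date(2025, 8, 15), date(2025, 9, 1)),
    Integration("Legacy Export Tool", date(2025, 3, 1), date(2025, 5, 20)),
]

if __name__ == "__main__":
    for sev, msg in review_events(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
    for sev, msg in review_integrations(SAMPLE_INTEGRATIONS, date(2025, 9, 12)):
        print(f"[{sev}] {msg}")
```

The per-user aggregate matters as much as the per-call check: a bulk job that stays under the single-job threshold can still add up to a large pull over a short window, which is how the alert describes the data theft happening.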
Also in today's cybersecurity news…
A recent post by vx-underground on the X platform revealed an exchange between major ransomware groups—LockBit, DragonForce, and Qilin—discussing potential strategic cooperation.
DragonForce proposed a truce to reduce infighting and public conflicts among ransomware operators, advocating for fair competition, clear agreements, and market coordination to maximize profits. The message explicitly called for no undercutting on pricing, no public insults, and mutual respect, comparing the collaboration to a cartel.
LockBit responded positively, expressing interest and willingness to cooperate, and even exchanged secure contact details (a Tox ID) to facilitate further communication. The proposed alliance appears aimed at increasing operational efficiency, reducing exposure, and presenting a united front against external threats, especially law enforcement.
…
Visit our blog for more daily Intel ➜ https://cyderes.com/blog
See our newsletter for deeper monthly insights ➜ https://cyderes.com/newsletter
Catch our podcast for brief cyber updates ➜ / @beeverydayready
Follow our story ➜ / cyderes
…
#beeverydayready #cybersecurity #cyderes