A cyber gang known as **Scattered LAPSUS$ Hunters** (linked to the UNC6040 and UNC6240 activity clusters) has resurfaced, threatening to leak **around a billion customer records** from **40 companies** that use Salesforce's CRM platform unless a **$989 million ransom** is paid by October 10. The attack leverages **telephone social engineering (vishing)**: criminals impersonate IT staff and talk users through authorizing a malicious connected application in their Salesforce org. Once approved, the app operates with that user's own data access, so the attackers reach sensitive customer data without exploiting any technical vulnerability. Salesforce denies a direct platform breach; the group claims to have exfiltrated the data through the Salesforce API with custom Python tooling, hiding its infrastructure behind VPNs and Tor.

Google's Threat Intelligence Group confirmed a similar **June 2024 breach** of its own Salesforce environment, limited to **basic contact data for small and medium-sized businesses**, which was swiftly contained. The attackers now run a **double-extortion model**, with UNC6240 demanding ransoms months after the initial intrusion under the **ShinyHunters** brand, a known data-leak collective. The tactics mirror those of **Lapsus$** and **Scattered Spider**, suggesting shared methodologies within the broader cybercriminal network **'The Com.'** Authorities and external specialists are assisting Salesforce, but the incident underscores the persistent threat from financially motivated groups despite prior disruptions.

Recommended mitigations include **restricting Data Loader permissions, enforcing MFA, IP-based access controls, and stricter connected-app authorization policies** to prevent unauthorized data exfiltration. Because the exports ride on an authorized user's API access, they look like legitimate activity unless connected apps are allow-listed and API export volume is monitored.
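To make the monitoring recommendation concrete, the following is an added example (not code from the original report, from Salesforce, or from the threat actor) that triages API-usage records for exactly the pattern described: a connected app nobody approved, driven by a user who should not be running bulk exports, pulling large row counts from an off-network address. It assumes an export shaped like a Salesforce EventLogFile CSV with `API` and `BulkApi` event types; the column names are my recollection of that format, and the client names, user IDs, thresholds and IP ranges are constructed, so map them to your own data before use.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows in the shape of a Salesforce EventLogFile export
# (API and BulkApi event types). Column names are assumed from memory of that
# format; client names, user IDs and addresses are invented for the example.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,SOURCE_IP
API,20250901101500.000,005xx000001AAA,Salesforce for Outlook,Contact,25,203.0.113.10
BulkApi,20250901101900.000,005xx000001BBB,Data Loader Bulk,Account,14000,203.0.113.11
BulkApi,20250901102200.000,005xx000001CCC,My Ticket Portal,Contact,250000,198.51.100.7
BulkApi,20250901102300.000,005xx000001CCC,My Ticket Portal,Account,180000,198.51.100.7
API,20250901103000.000,005xx000001DDD,Data Loader Bulk,Case,300,203.0.113.12
"""

# Policy expressed as data (assumed values): admin-approved connected apps,
# the users permitted to run Data Loader / Bulk API jobs, corporate egress
# ranges, and a per-user row budget for the reporting window.
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader Bulk"}
DATA_LOADER_CLIENTS = {"Data Loader Bulk"}
DATA_LOADER_USERS = {"005xx000001BBB"}
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
ROW_BUDGET = 100_000


def parse_rows(text):
    """Parse a CSV export into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def in_corporate_range(ip):
    """True when the source address falls inside an allow-listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def triage(rows):
    """Return sorted, de-duplicated (rule, user, detail) findings.

    The rules mirror the report's mitigations: an unapproved connected app,
    Data Loader / Bulk API use by a user without that right, an off-network
    source address, and aggregate export volume beyond the budget.
    """
    findings = set()
    rows_per_user = defaultdict(int)
    for r in rows:
        user, app, ip = r["USER_ID"], r["CLIENT_NAME"], r["SOURCE_IP"]
        rows_per_user[user] += int(r["ROWS_PROCESSED"])
        if app not in APPROVED_APPS:
            findings.add(("unapproved_app", user, app))
        bulk_style = app in DATA_LOADER_CLIENTS or r["EVENT_TYPE"] == "BulkApi"
        if bulk_style and user not in DATA_LOADER_USERS:
            findings.add(("data_loader_unpermitted", user, app))
        if not in_corporate_range(ip):
            findings.add(("offnet_source", user, ip))
    # Volume is judged per user across the whole window, so many medium
    # pulls by one account trip the rule even if no single row looks large.
    for user, total in rows_per_user.items():
        if total > ROW_BUDGET:
            findings.add(("bulk_volume", user, str(total)))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in triage(parse_rows(SAMPLE_LOG)):
        print(f"{rule:24} user={user} {detail}")
```

Run against the constructed sample, the one user whose sessions match the vishing-then-export pattern trips four of the rules at once, while the approved Data Loader operator on the corporate network produces nothing; tune `ROW_BUDGET` to your org's observed baseline rather than the placeholder here.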
TPRM report: https://www.rankiteo.com/company/salesforce
"id": "sal4932949100625",
"linkid": "salesforce",
"type": "Cyber Attack",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '~40 companies using Salesforce '
'CRM (indirectly affecting ~1 '
'billion customer records)',
'industry': 'Cloud Computing / CRM',
'location': 'San Francisco, California, USA',
'name': 'Salesforce',
'size': 'Large (Enterprise)',
'type': 'Corporation'},
{'customers_affected': 'Basic information of small and '
'medium-sized businesses '
'(resolved in June)',
'industry': 'Technology',
'location': 'Mountain View, California, USA',
'name': 'Google',
'size': 'Large (Enterprise)',
'type': 'Corporation'},
{'customers_affected': '~1 billion customer records '
'collectively',
'name': '40 unnamed companies',
'type': ['Corporations', 'Businesses']}],
'attack_vector': ['Telephone Social Engineering (Vishing)',
'Malicious Application Authorization via Salesforce API'],
'customer_advisories': ['Salesforce is supporting potentially affected '
'customers',
'Organizations urged to tighten Salesforce security '
'settings'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '~1 billion (claimed)',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (customer data, potentially PII)',
'type_of_data_compromised': ['Customer records',
'Sensitive customer information',
'Basic business information (for '
'Google breach)']},
'description': 'A cyber gang previously known as LAPSUS$, now rebranded as '
'Scattered LAPSUS$ Hunters, has resurfaced with a massive '
'extortion threat. The group claims to have accessed data from '
'~40 companies using Salesforce CRM and demands $989 million '
'to prevent the leak of ~1 billion customer records. The '
'threat involves telephone social engineering (vishing) '
'attacks, where criminals pose as IT staff to trick users into '
'authorizing malicious applications within Salesforce, '
'granting access to sensitive data without exploiting '
'technical vulnerabilities. Salesforce denies its platform was '
'hacked and is assisting affected customers. The group is '
'linked to UNC6040 and UNC6240, with tactics overlapping those '
'of Lapsus$ and Scattered Spider.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'Salesforce and affected companies',
'data_compromised': ['Customer records (~1 billion)',
'Sensitive customer information'],
'identity_theft_risk': 'High (due to compromised customer data)',
'systems_affected': ['Salesforce CRM environments of ~40 '
'companies']},
'initial_access_broker': {'entry_point': 'Telephone social engineering '
'(vishing) to trick users into '
'authorizing malicious Salesforce '
'apps',
'high_value_targets': ['Salesforce CRM data',
'Customer records']},
'investigation_status': 'Ongoing (Salesforce working with external '
'specialists and authorities)',
'lessons_learned': 'Financially motivated cyber groups can reemerge despite '
'arrests or disbandment claims. Social engineering (e.g., '
'vishing) remains a critical attack vector, bypassing '
'technical safeguards by exploiting human trust. '
'Organizations must enforce stricter access controls, '
'including MFA, IP restrictions, and app permissions.',
'motivation': 'Financial gain (extortion)',
'post_incident_analysis': {'corrective_actions': ['Enhanced MFA and access '
'controls for Salesforce',
'Stricter monitoring of API '
'data exports',
'Employee training on '
'vishing and social '
'engineering'],
'root_causes': ['Successful vishing attacks '
'exploiting human trust',
'Lack of strict controls on '
'Salesforce app authorizations',
'Insufficient employee awareness '
'of social engineering tactics']},
'ransomware': {'data_exfiltration': True, 'ransom_demanded': '$989 million'},
'recommendations': ['Limit rights for Data Loader use',
'Enforce strict control of connected apps in Salesforce',
'Implement IP-based access restrictions',
'Mandate multi-factor authentication (MFA)',
'Educate employees on social engineering tactics (e.g., '
'vishing)',
'Monitor for unauthorized API access or data exports',
'Restrict permissions for third-party applications'],
'references': [{'source': 'The Register'},
{'source': 'Google Threat Intelligence Group (GTIG)'}],
'response': {'communication_strategy': ['Public denial of platform hack',
'Advisories to customers'],
'containment_measures': ['Supporting potentially affected '
'customers',
'Investigating claims'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'third_party_assistance': ['External specialists',
'Authorities']},
'stakeholder_advisories': ['Salesforce denies platform hack; claims are based '
'on previous/unconfirmed incidents',
'Google confirmed a resolved breach in June '
'affecting basic SMB data'],
'threat_actor': ['Scattered LAPSUS$ Hunters', 'UNC6040', 'UNC6240'],
'title': 'Scattered LAPSUS$ Hunters Extortion Threat Targeting Salesforce CRM '
'Users',
'type': ['Extortion', 'Data Breach', 'Social Engineering (Vishing)'],
'vulnerability_exploited': 'Human vulnerability (tricking users into '
'authorizing malicious apps)'}