UNC6040 ran a sophisticated **vishing (voice phishing) campaign** against enterprise **Customer Relationship Management (CRM) platforms**, particularly **Salesforce**, to perform **large-scale data exfiltration**. The campaign abused the **OAuth 2.0 authorization flow** rather than any flaw in it: callers posing as IT support walked victims through approving a malicious connected app with **elevated API permissions** (including the `api`, `refresh_token`, and `full` scopes), which yielded a long-lived token the actors could use without the victim's credentials. Using **SIP spoofing** and **VoIP routing via Tor and Mullvad VPN** to disguise call origins, plus modified **Data Loader applications with custom Python scripts**, the threat actors automated **bulk data extraction** via **SOQL queries and REST API calls**, throttling their own request rate to stay below detection thresholds. The compromised data likely included **customer records, financial details, and sensitive corporate information**, and the stolen tokens gave **persistent access for extortion**. The group's infrastructure, segmented across **Tor hidden services, commercial VPNs, and bulletproof hosting**, hinted at preparations for a **Data Leak Site (DLS)**, escalating from private ransom demands to **public pressure tactics**. Partnerships with **UNC6240 (ransomware/extortion specialists)** suggest potential **follow-on ransomware or data auction threats**.
Source: https://cyberpress.org/google-urges-2-5-billion-gmail-users/
TPRM report: https://www.rankiteo.com/company/salesforce
"id": "sal815090225",
"linkid": "salesforce",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': ['Multiple (Targeting CRM Users)'],
'type': ['Enterprise Organizations']}],
'attack_vector': ['Voice Phishing (Vishing)',
'SIP Spoofing',
'OAuth 2.0 Consent Abuse (Malicious Connected App Authorization)',
'API Abuse (Salesforce SOQL)',
'Malicious Connected Apps',
'VoIP/Tor Routing'],
'customer_advisories': ['Warn Users About Unsolicited IT Support Calls '
'Requesting OAuth Approvals'],
'data_breach': {'data_exfiltration': ['Automated via Bulk API Endpoints',
'Python Scripts That Self-Throttle Requests '
'to Stay Under Detection Thresholds'],
'personally_identifiable_information': ['Likely (Dependent on '
'CRM Data Structure)'],
'sensitivity_of_data': ['High (Includes Salesforce Object '
'Data via SOQL)'],
'type_of_data_compromised': ['CRM Data',
'Customer Records',
'Business Intelligence',
'Potentially PII']},
'description': 'Voice phishing (vishing) campaigns by UNC6040 have reached '
'unprecedented sophistication, abusing OAuth consent for '
'malicious Connected Apps and legitimate CRM APIs to execute large-scale '
'data exfiltration. The group targets enterprise CRM platforms '
'(e.g., Salesforce) via SIP spoofing, VoIP/Tor routing, and '
'malicious Connected Apps to gain persistent access for '
'extortion. Their infrastructure uses segmented C2 channels '
'(Tor for recon, VPNs like Mullvad for exfiltration) and '
'collaborates with UNC6240 for ransom operations. '
'Countermeasures include Zero Trust API security, volume-based '
'API monitoring, UEBA, and HSM-based key management.',
'impact': {'brand_reputation_impact': ['Risk of Public Data Leak via DLS '
'(Data Leak Site)',
'Loss of Customer Trust'],
'data_compromised': ['CRM Data (Salesforce)',
'Customer Records',
'Sensitive Business Information'],
'identity_theft_risk': ['High (PII likely exposed via CRM data)'],
'operational_impact': ['Persistent Unauthorized Access',
'Automated Data Exfiltration via API',
'Potential Extortion Leverage'],
'systems_affected': ['Salesforce CRM Platforms',
'Connected Apps Infrastructure',
'VoIP/Tor Communication Channels']},
'initial_access_broker': {'backdoors_established': ['Persistent API Access '
'via Malicious Connected '
'Apps'],
'data_sold_on_dark_web': ['Potential (via UNC6240 '
'Extortion Partnerships)'],
'entry_point': ['Vishing Calls Spoofing IT Support',
'SIP Spoofing via VoIP/Tor'],
'high_value_targets': ['Salesforce CRM Data',
'Customer Relationship '
'Records'],
'reconnaissance_period': ['Likely Extended '
'(Targeted CRM Platform '
'Mapping)']},
'investigation_status': 'Ongoing (Threat Actor Infrastructure Still Active)',
'lessons_learned': ['OAuth 2.0 Connected Apps Require Stricter Permission '
'Scoping and Monitoring',
'API Security Must Extend Beyond Authentication to '
'Include Behavioral Analysis',
'VoIP/Tor-Based Vishing Attacks Bypass Traditional '
'Phishing Defenses',
'Segmented C2 Infrastructure (Tor + VPN) Complicates '
'Attribution and Takedown'],
'motivation': ['Financial Gain',
'Data Extortion',
'Initial Access Brokerage (Threat-as-a-Service)'],
'post_incident_analysis': {'corrective_actions': ['Redesign OAuth App '
'Permission Model (Least '
'Privilege by Default)',
'Deploy Dedicated API '
'Security Gateways with '
'Behavioral Analysis',
'Mandate MFA for All OAuth '
'App Authorizations',
'Integrate Threat '
'Intelligence Feeds for '
'Tor/VPN-Based Call Origins',
'Establish Cross-Functional '
'Incident Response for CRM '
'Compromises'],
'root_causes': ['Over-Permissive OAuth Scopes for '
'Connected Apps',
'Lack of API-Specific Anomaly '
'Detection (e.g., Bulk SOQL '
'Queries)',
'Insufficient User Training on '
'Vishing + OAuth Risks',
'Gaps in Conditional Access '
'Policies for High-Risk Auth '
'Flows']},
'ransomware': {'data_exfiltration': ['Primary Focus (Extortion via Data Leak '
'Threats)']},
'recommendations': ['Implement Zero Trust Principles for API Access (Least '
'Privilege, Continuous Authentication)',
'Detect Bulk API Queries (e.g., Bulk API Query Jobs and '
'High-Volume SOQL via REST) from Platform API Event Logs; a '
'Customer-Managed WAF Cannot Sit in Front of a SaaS Tenant',
'Enforce Multi-Factor Authentication (MFA) for OAuth App '
'Authorizations',
'Monitor for Anomalous OAuth Token Usage (e.g., '
'Geographically Inconsistent Access)',
'Restrict Connected Apps to Pre-Approved IP Ranges/Device '
'Postures',
'Conduct Regular Red Team Exercises Simulating Vishing + '
'OAuth Abuse',
'Adopt Hardware-Backed Key Storage (HSM) for Critical API '
'Credentials',
'Prepare Incident Response Playbooks for CRM-Specific '
'Extortion Scenarios'],
'references': [{'source': 'Article on UNC6040 Vishing Campaigns'}],
'response': {'adaptive_behavioral_waf': ['Cumulative Volume Thresholds Over '
'24h Windows, Not Only Per-Minute '
'Rate-Limiting, for Bulk API Operations (e.g., '
'/services/data/v58.0/jobs/query), Since the '
'Actor Throttled Requests to Stay Under Rate '
'Limits'],
'containment_measures': ['Web Application Firewall (WAF) with '
'Rate-Limiting for API Calls',
'SIEM Correlation of OAuth Events with '
'API Usage',
'User and Entity Behavior Analytics '
'(UEBA) Deployment',
'Conditional Access Policies for OAuth '
'Apps (IP/Device/Risk-Based)'],
'enhanced_monitoring': ['Real-Time API Call Anomaly Detection',
'Geofencing for OAuth Authorizations'],
'network_segmentation': ['Isolate CRM API Endpoints from '
'Untrusted Networks'],
'remediation_measures': ['Revoke Compromised OAuth Tokens',
'Audit and Restrict Connected Apps '
'Permissions',
'Implement Hardware Security Modules '
'(HSM) for API Keys',
'Use Short-Lived Access Tokens and Expiring, '
'Rotating Refresh Tokens Instead of Tokens Valid '
'Until Revoked',
'Verify Help-Desk Callers Out-of-Band (Call Back a '
'Known Number) Rather Than Trusting Caller ID, '
'Which SIP Spoofing Defeats']},
'threat_actor': ['UNC6040', 'UNC6240 (associated extortion specialists)'],
'title': 'Sophisticated Vishing Campaigns by UNC6040 Exploiting OAuth and '
'Salesforce APIs for Large-Scale Data Exfiltration',
'type': ['Social Engineering',
'Vishing',
'Data Exfiltration',
'API Abuse',
'Extortion'],
'vulnerability_exploited': ['Trust in IT Support Interactions',
'Salesforce Connected Apps OAuth Endpoint '
'(/oauth2/authorize)',
'Elevated OAuth Scopes (api, refresh_token, full)',
'Lack of Volume-Based API Anomaly Detection (Per-Request '
'Rate-Limiting Alone Is Evaded by Self-Throttling)',
'Insufficient User Behavior Analytics (UBA/UEBA)',
'Weak Conditional Access Policies for OAuth Apps']}
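The summary above and the SIEM-correlation and volume-monitoring items under 'response' and 'recommendations' describe the same detection idea: tie a connected-app authorization to the API traffic that follows it. The script below is an added example, not code from the original page, the threat actor, Salesforce, or Rankiteo. It runs over constructed, Salesforce-EventLogFile-style CSV lines; the column names, the "Data Loader Helper" app name, the users, the IP addresses, the allowlist, and the thresholds are all assumptions.

```python
"""Correlate OAuth connected-app grants with the API usage that follows them.

Added example, not code from the original page or from the actor or any
vendor. All log lines below are constructed to resemble Salesforce
EventLogFile-style CSV exports; column names, app names, user names and
IPs are assumptions, not real data from the incident.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumption: the org's allowlist of reviewed connected apps.
APPROVED_APPS = {"Finance Sync"}
# Scopes that hand an app long-lived, org-wide API access.
BROAD_SCOPES = {"full", "refresh_token"}
# Aggregate over a long window: the actor kept per-request volume low,
# so per-minute rate limits never tripped; cumulative volume still does.
WINDOW = timedelta(hours=24)
ROW_THRESHOLD = 10_000      # rows exported per (user, app) inside WINDOW
OBJECT_THRESHOLD = 3        # distinct objects bulk-queried inside WINDOW

# Constructed grant events (what a Setup Audit Trail / OAuthToken export shows).
OAUTH_GRANTS = """\
TIMESTAMP,USER,APP,SCOPES,SOURCE_IP
2025-09-02T13:05:00Z,alice@corp.example,Finance Sync,api refresh_token,203.0.113.10
2025-09-02T14:12:00Z,bob@corp.example,Data Loader Helper,full refresh_token api,198.51.100.77
"""

# Constructed API usage events, one line per bulk query batch. The second
# app pulls only 2,000 rows every five minutes (low and slow) but walks
# four objects from an IP that is not the one the grant came from.
API_EVENTS = """\
TIMESTAMP,USER,APP,OPERATION,OBJECT,ROWS,CLIENT_IP
2025-09-02T13:10:00Z,alice@corp.example,Finance Sync,BulkQuery,Invoice__c,1500,203.0.113.10
2025-09-02T14:20:00Z,bob@corp.example,Data Loader Helper,BulkQuery,Account,2000,192.0.2.44
2025-09-02T14:25:00Z,bob@corp.example,Data Loader Helper,BulkQuery,Contact,2000,192.0.2.44
2025-09-02T14:30:00Z,bob@corp.example,Data Loader Helper,BulkQuery,Opportunity,2000,192.0.2.44
2025-09-02T14:35:00Z,bob@corp.example,Data Loader Helper,BulkQuery,Case,2000,192.0.2.44
2025-09-02T14:40:00Z,bob@corp.example,Data Loader Helper,BulkQuery,Account,2000,192.0.2.44
2025-09-02T14:45:00Z,bob@corp.example,Data Loader Helper,BulkQuery,Contact,2000,192.0.2.44
2025-09-02T14:50:00Z,bob@corp.example,Data Loader Helper,BulkQuery,Opportunity,2000,192.0.2.44
2025-09-02T14:55:00Z,bob@corp.example,Data Loader Helper,BulkQuery,Case,2000,192.0.2.44
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(grants_csv, api_csv):
    """Return one finding per suspicious (user, app) grant.

    A grant is suspicious if the app is unapproved and got broad scopes, or
    if the API usage that follows it inside WINDOW is large in aggregate,
    spans many objects, or comes from IPs other than the authorizing one.
    """
    events = parse_csv(api_csv)
    findings = []
    for grant in parse_csv(grants_csv):
        user, app = grant["USER"], grant["APP"]
        granted_at = parse_ts(grant["TIMESTAMP"])
        scopes = set(grant["SCOPES"].split())
        reasons = []

        broad = scopes & BROAD_SCOPES
        if app not in APPROVED_APPS and broad:
            reasons.append(f"unapproved app granted broad scopes {sorted(broad)}")

        # Only usage by the same user and app after the grant, inside WINDOW.
        usage = [
            e for e in events
            if (e["USER"], e["APP"]) == (user, app)
            and granted_at <= parse_ts(e["TIMESTAMP"]) <= granted_at + WINDOW
        ]
        rows = sum(int(e["ROWS"]) for e in usage)
        objects = {e["OBJECT"] for e in usage if e["OPERATION"] == "BulkQuery"}
        foreign_ips = {e["CLIENT_IP"] for e in usage} - {grant["SOURCE_IP"]}

        if rows >= ROW_THRESHOLD:
            reasons.append(f"{rows} rows exported within {WINDOW} of the grant")
        if len(objects) >= OBJECT_THRESHOLD:
            reasons.append(f"bulk queries across {len(objects)} objects: {sorted(objects)}")
        if foreign_ips:
            reasons.append(f"API calls from IPs other than the authorizing IP: {sorted(foreign_ips)}")

        if reasons:
            findings.append({"user": user, "app": app, "rows": rows, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(OAUTH_GRANTS, API_EVENTS):
        print(f"{f['user']} / {f['app']} ({f['rows']} rows)")
        for reason in f["reasons"]:
            print("  -", reason)
```

Run as-is it reports one finding, for the constructed "Data Loader Helper" grant, and nothing for the allow-listed app. The point a per-minute rate limit misses: each batch here is only 2,000 rows, five minutes apart, so request-rate limiting never fires; the cumulative 24-hour row count, the spread across objects, and the mismatch between the IP that approved the app and the IPs using its token are what separate it from ordinary integration traffic.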