Hackers are tricking employees at companies in Europe and the Americas into installing a modified version of a Salesforce-related app, allowing the hackers to steal reams of data, gain access to other corporate cloud services and extort those companies, Google said on Wednesday.
The hackers—tracked by the Google Threat Intelligence Group as—have “proven particularly effective at tricking employees” into installing a modified version of Salesforce’s Data Loader, a proprietary tool used to bulk import data into Salesforce environments, the researchers said.
The hackers use voice calls to trick employees into visiting a purported Salesforce connected app setup page to approve the unauthorized, modified version of the app, created by the hackers to emulate Data Loader.
If the employee installs the app, the hackers gain “significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments,” the researchers said.
The access also frequently gives the hackers the ability to move throughout a customer’s network, enabling attacks on other cloud services and internal corporate networks.
Technical infrastructure tied to the campaign shares characteristics with suspected ties to the broader and loosely organized ecosystem known as “The Com,” known for small, disparate groups engaging in cybercriminal and sometimes violent activity, the researchers said.
A Google spokesperson told Reuters that roughly 20 organizations have been affected by the UNC6040 campaign, which has been observed over the past several months. A subset of those organizations had data successfully exfiltrated, the spokesperson said.
A Salesforce spokesperson told Reuters in an email that “there’s no indication the issue described stems from any vulnerability inherent in our platform.” The spokesperson said the voice calls used to trick employees “are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”
The spokesperson declined to share the specific number of affected customers, b



































