Introduction
Salesforce is central to how many enterprises manage customer relationships, sales pipelines, support cases, and more. It contains a trove of personal, financial, marketing, and operational data. Attacks targeting Salesforce environments are high-stakes: data theft, reputational risk, regulatory fines, and extortion are very real consequences.
Recently, threat actors UNC6040, UNC6395, and ShinyHunters have carried out sophisticated campaigns exploiting OAuth integrations, connected apps, social engineering/vishing, and malicious “Data Loader” tools to exfiltrate data.
This article (10,000+ words under CyberDudeBivash authority) will cover:
- What the attacks are, technical details & timeline
- Initial access vectors, TTPs (Techniques, Tactics, Procedures)
- Impacted data, victims, scale & extortion follow-ups
- Detection & mitigation strategies
- Policy, governance & compliance implications
- Tool recommendations & best practices
- What enterprises should do now
Understanding UNC6040, UNC6395 & ShinyHunters: Threat Profiles
UNC6040
- Active since October 2024. Internet Crime Complaint Center+2The Hacker News+2
- Initial access mostly via voice-phishing (vishing): threat actors pose as IT support during calls to customer service / support / internal helpdesk staff. Google Cloud+2The Hacker News+2
- They trick victims to authorize malicious connected apps via Salesforce’s “Connected App” setup, often modified versions of Salesforce Data Loader or similarly appearing tools (sometimes called disguised names like “My Ticket Portal”). BleepingComputer+2Google Cloud+2
UNC6395
- Linked to the Salesloft Drift integration breach in August 2025. Arctic Wolf+2Google Cloud+2
- Attackers used compromised OAuth tokens (access + refresh tokens) from the Drift connected app; exfiltrated data from multiple customer Salesforce instances. Arctic Wolf+2Google Cloud+2
- Sensitive data stolen included AWS access keys, passwords, Snowflake tokens, etc. Arctic Wolf+2BleepingComputer+2
ShinyHunters & UNC6240
- After data theft via UNC6040, victims have been extorted by entities claiming affiliation with ShinyHunters (sometimes named UNC6240 in the FBI and Google reports). Internet Crime Complaint Center+2The Hacker News+2
- It’s not always clear whether ShinyHunters is the same as UNC6240 or just using the brand for extortion leverage. Google’s GTIG said direct attribution is not yet confirmed in several cases. Arctic Wolf+1
Timeline of Notable Events
| Date | Event |
|---|---|
| Oct 2024 onward | UNC6040 begins vishing & social engineering attacks for initial access. Internet Crime Complaint Center+2The Hacker News+2 |
| June 2025 | Google’s Threat Intelligence discovers Salesforce Data Loader misuse at prominent companies. cloudprotection.withsecure.com+2The Hacker News+2 |
| August 8-18, 2025 | UNC6395 exfiltrates data via Salesloft Drift OAuth tokens. Arctic Wolf+2Google Cloud+2 |
| Aug 20, 2025 | Salesloft + Salesforce revoke all access & refresh tokens for Drift app. Arctic Wolf+2Google Cloud+2 |
| Sept 2025 | FBI issues Flash warning to release IOCs for UNC6040 & UNC6395 targeting Salesforce systems. Internet Crime Complaint Center+1 |
Attack Methods & Key Techniques (TTPs)
- Voice-Phishing / Vishing
- Impersonate internal IT/Helpdesk support.
- Create urgency around system issues or alerts.
- Ask victim to follow setup of connected apps or approve Data Loader-like tool. Google Cloud+2BleepingComputer+2
- Connected Apps / OAuth Exploitation
- Use connected app features to gain permissions. Authorized apps often bypass MFA/logging. Internet Crime Complaint Center+2Google Cloud+2
- Abuse of Data Loader or impersonated tools. The Hacker News+1
- Compromised Tokens
- Access via stolen or leaked OAuth access / refresh tokens (e.g. via vulnerable third-party integration such as Drift). Arctic Wolf+1
- API / SOQL queries for exfiltration
- Bulk queries from tables like Accounts, Users, Cases etc. Google Cloud+1
- Extortion / Data Leak Post-Compromise
- After theft, victims are sometimes extorted; threat actors (or affiliated groups) threaten to publish data if ransom not paid. Internet Crime Complaint Center+2The Hacker News+2
Impact: What’s at Stake
- Sensitive Customer Data Leaks: Customer contact info, case notes, user emails; sometimes credentials or tokens to other cloud environments. Arctic Wolf+1
- Regulatory Exposure: GDPR, CCPA, India’s DPDP, etc. Data breach obligations, notifications, fines.
- Brand Damage & Trust Loss: Companies like Google, Adidas, Cisco, etc., have been impacted (or reported impacted) in some of these campaigns. BleepingComputer+1
- Lateral Access & Cloud Compromise Risk: Once OAuth token or connected app access is granted, attackers may access other linked services (Okta, AWS, Microsoft 365 etc.). Google Cloud+2Arctic Wolf+2
Detection & Mitigation Strategies (CyberDudeBivash View)
Here’s what organizations must do now to reduce risk:
- Audit & Inventory All Connected Apps / OAuth Tokens
- List all third-party apps connected to Salesforce environments.
- Review permissions/scopes. Remove or revoke those which are not clearly required.
- Harden Access Controls
- Restrict who can authorize connected apps (only trusted admin profiles).
- Enable MFA everywhere (though note with OAuth/bypass vectors, MFA can sometimes be circumvented).
- Strengthen Authentication & Social Engineering Defenses
- Train staff, especially IT support, customer support, onboarding teams, to resist vishing and phishing.
- Simulated phishing / vishing exercises.
- Monitor API & OAuth Activities
- Use tools or Salesforce Shield (Event Monitoring, Transaction Security) to track abnormal API / SOQL activity.
- Alert on bulk data queries, large exfiltration over connected apps.
- Rotate Credentials & Tokens After Suspicious Events
- Revoke comp tokens, refresh tokens, connected app credentials whenever compromise suspected.
- Limit Data Exposure via Least Privilege & Data Segmentation
- Only allow roles to see minimal tables/objects needed.
- Avoid storing sensitive secrets (AWS keys, Snowflake tokens) inside CRM objects or notes fields.
- Incident Response Plan for SaaS / Cloud Data Breach
- Define roles & responsibilities.
- Ready to sever connected apps, revoke tokens, engage external threat intel / forensics.
Tools & Technologies to Use
| Use Case | Tool / Platform | Key Features |
|---|---|---|
| OAuth / App Inventory | Salesforce connected apps admin panel; third-party SaaS management tools (e.g. AppOmni) | Visibility into OAuth apps, revocation, app permissions |
| Log & Behavior Monitoring | Salesforce Event Monitoring, Splunk, ELK / SIEM | Detection of abnormal API queries, bulk exports |
| Identity & Access Governance | Identity providers, IAM tools, least privilege enforcement | Limit app-auth granularity |
| Phishing / Vishing Defense | Security awareness training platforms; voice verification tools | Simulated tests, standard protocols |
| Token Management | Credential vaults, secrets managers, rotation automation | Avoid tokens in cleartext, periodic rotation |
Policy, Compliance & Governance Implications
- Organizations must ensure they align with data protection laws (India DPDP, EU GDPR, etc.). Exposure of customer data triggers legal obligations.
- New regulations may arise around OAuth / third-party application permissions in enterprise platforms. Regulators may demand auditing of connected apps.
- Standards bodies (ISO, SOC, PCI DSS) might update requirements to include oversight of apps, token management, SaaS-to-SaaS integrations.
Global Context & Benchmarking
- Similar incidents in other SaaS platforms show that OAuth abuse & third-party app misconfigurations are emerging global threats.
- Comparative cases: Dropbox, Slack, Microsoft 365 breaches from over-permissive apps/integrations.
- Enterprises in US, EU are beginning to require SaaS Security Posture Management (SSPM) tools as part of security baseline.
Monetization & Affiliate Blocks
- [Best OAuth & Connected App Audit Tools – Compare Plans]
- [SaaS Security Posture Management (SSPM) – Free Trial][
- [Security Awareness / Phishing Training Platform]
- [Log Monitoring & SIEM Solutions]
Salesforce Attack Alerts
Header: CyberDudeBivash Threat Intel
Main Title: Ongoing Salesforce Attacks: UNC6040, UNC6395 & ShinyHunters
Highlights
- Voice-Phishing / Vishing Attacks
- OAuth Token / Connected App Abuse
- Large-Scale Data Exfiltration
- Extortion & Regulatory Risk
- cyberdudebivash.com | cyberbivash.blogspot.com | cryptobivash.code.blog | cyberdudebivash-news.blogspot.com
Conclusion
The attacks by UNC6040, UNC6395, and ShinyHunters-claimants represent a new paradigm: attackers no longer need to exploit software flaws—they exploit trust (connected apps, OAuth permissions) and human factors (vishing).
Enterprises using Salesforce (and other SaaS platforms) should treat this moment as a wake-up call. Strengthen OAuth governance, reduce permissions, audit connected apps, train staff, monitor activity. With proper vigilance and layered defenses, you can close these attack pathways before damage is done.
#CyberDudeBivash #SalesforceSecurity #UNC6040 #UNC6395 #ShinyHunters #OAuthAbuse #Vishing #SaaSAttack #ThreatIntel #Cyberdefense
Cyberdudebivash 
Leave a comment