FBI Alert: UNC6040 and UNC6395 Threat Actors Now Targeting Salesforce Platforms

In light of the rapidly changing digital threat landscape, the FBI has issued a critical warning about two highly skilled threat actors, UNC6040 and UNC6395, that are actively targeting corporate networks, financial institutions, and telecommunications providers, with a particular emphasis on compromising Salesforce platforms. These groups use extremely sophisticated technical and social engineering techniques to breach systems, steal confidential information, and cause serious operational and financial harm.
Drawing on their social engineering expertise, UNC6040 and UNC6395 are targeting Salesforce, one of the most popular customer relationship management (CRM) systems worldwide. They use techniques including SIM-swapping attacks, multi-factor authentication (MFA) bombing, and vishing (voice phishing) to bypass security measures and gain unauthorized access to targeted Salesforce environments. Once inside, they alter data, steal private client information, and establish persistent access for future attacks.
How These Threat Actors are Attacking Salesforce Platforms
- MFA Bombing: Attackers repeatedly send MFA prompts to Salesforce users in the hope that the victim will unintentionally accept one, allowing them to access the CRM system.
- Vishing (Posing as IT or Salesforce Support): They deceive staff members into disclosing login information or setting up remote access tools by assuming the identity of reputable IT or Salesforce support representatives.
- SIM Swapping: By persuading telecom providers to move a victim's phone number to an attacker-controlled SIM, they can intercept the authentication codes needed to bypass MFA and log in to Salesforce.
- Data Exfiltration: After breaking into Salesforce, hackers extract confidential client information, financial records, and intellectual property, which they frequently resell on the dark web or use as leverage in subsequent extortion attempts.
These approaches illustrate a potentially dangerous move toward targeting trusted SaaS platforms like Salesforce, which are crucial to business operations but often inadequately guarded against social engineering.
Why Target Salesforce?
Salesforce's abundance of sensitive data, including transaction history, customer information, and company plans, makes it a desirable target. Although many businesses believe their cloud platforms are safe by default, configuration errors and human error can lead to vulnerabilities. UNC6040 and UNC6395 are taking advantage of this complacency.
Safeguarding Your Salesforce Environment
A proactive, multi-layered security approach is necessary for enterprises to reduce the risks posed by groups such as UNC6040 and UNC6395:
- Phishing-Resistant MFA: Implement FIDO2 security keys or comparable technologies for Salesforce access in place of SMS-based codes.
- Employee Education: Consistently instruct employees, particularly Salesforce users, on how to spot social engineering techniques and steer clear of providing login credentials.
- Monitor for Suspicious Activity: Track login attempts, data exports, and configuration modifications using third-party solutions and Salesforce's integrated security features.
- Limit Privileged Access: To lessen the effect of a breach, use the least privilege approach to Salesforce roles and permissions.
- Create and evaluate an incident response strategy tailored to attacks centered
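As an illustration of the monitoring recommendation above, the following added example (not code from the FBI alert or from Bayon Technologies Group) flags the MFA bombing pattern: a burst of rejected push prompts, and an approval that follows such a burst. The event tuples, outcome names and thresholds are constructed assumptions, not Salesforce's log schema; map them onto whatever your identity provider or log pipeline exports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical schema (not Salesforce's format):
# (ISO timestamp, user, outcome of the MFA push prompt)
SAMPLE_EVENTS = [
    ("2025-01-10T08:15:00", "bob", "denied"),      # single mistake, then success
    ("2025-01-10T08:15:20", "bob", "approved"),
    ("2025-01-10T09:00:05", "alice", "denied"),    # burst of prompts in 4 minutes
    ("2025-01-10T09:00:40", "alice", "denied"),
    ("2025-01-10T09:01:15", "alice", "timeout"),
    ("2025-01-10T09:02:00", "alice", "denied"),
    ("2025-01-10T09:02:30", "alice", "denied"),
    ("2025-01-10T09:03:10", "alice", "denied"),
    ("2025-01-10T09:03:45", "alice", "approved"),  # victim finally taps "approve"
    ("2025-01-10T10:00:00", "carol", "denied"),    # rejections spread over 80 min
    ("2025-01-10T10:20:00", "carol", "denied"),
    ("2025-01-10T10:40:00", "carol", "denied"),
    ("2025-01-10T11:00:00", "carol", "denied"),
    ("2025-01-10T11:20:00", "carol", "denied"),
    ("2025-01-10T11:21:00", "carol", "approved"),
]

def detect_mfa_fatigue(events, threshold=5, window_minutes=10):
    """Return (user, alert_type, timestamp) tuples for prompt floods and for
    approvals that arrive right after a flood (the highest-priority signal)."""
    window = timedelta(minutes=window_minutes)
    rejected = defaultdict(deque)  # user -> timestamps of recent rejected prompts
    alerts = []
    for ts_raw, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = rejected[user]
        while q and ts - q[0] > window:   # drop rejections outside the window
            q.popleft()
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:       # alert once when the burst is reached
                alerts.append((user, "prompt_flood", ts_raw))
        elif outcome == "approved":
            if len(q) >= threshold:       # approval immediately after a burst
                alerts.append((user, "approved_after_flood", ts_raw))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_flood` alert is the one to route to incident response first, since it indicates the session that followed may belong to the attacker.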
How Bayon Technologies Group Can Help
At Bayon Technologies Group, we specialize in defending against advanced threats targeting critical platforms like Salesforce. Our tailored cybersecurity services include:
- Salesforce Security Assessments: Identifying misconfigurations, overly permissive settings, and user vulnerabilities.
- 24/7 Threat Monitoring: Detecting and responding to suspicious activity in real time.
- Security Awareness Programs: Training your team to recognize and report Salesforce-specific social engineering attacks.
- Incident Response: Rapid containment and recovery strategies to minimize damage.
Don’t wait until your Salesforce platform becomes a target. Partner with Bayon Technologies Group to fortify your defenses and stay ahead of cyber adversaries.
Learn more about our Salesforce protection services and safeguard your business today!


