Google Cloud Blog
Follow
Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations
UNC6040 is a threat cluster using voice phishing to compromise Salesforce for data theft and extortion. They impersonate IT support to trick employees into granting access or sharing credentials. A common tactic involves convincing users to authorize a malicious, altered version of Salesforce's Data Loader.This unauthorized app allows attackers to access, query, and exfiltrate sensitive Salesforce data. Extortion attempts sometimes occur months later, with attackers claiming association with ShinyHunters. UNC6040 targets users with elevated SaaS access, often using Mullvad VPN for operations.To defend against these attacks, organizations should implement robust, multi-layered identity verification for support requests. This includes live video proofing and out-of-band verification for high-risk changes. For third-party vendor requests, help desks must independently verify the vendor through trusted contact information.End-users should be educated to rigorously verify any third-party requests and report suspicious communications. Organizations must enforce unified identity security controls through central identity providers like Entra ID or Okta. This includes implementing phishing-resistant multi-factor authentication and device trust policies.Single sign-on (SSO) should be mandated for all SaaS application access, with platform-native accounts only for emergency break-glass scenarios. Phishing-resistant MFA, such as FIDO2 keys, is crucial for all users accessing SaaS applications. Device compliance checks ensure that only secure devices can access corporate applications.