FBI Alerts on UNC6040 and UNC6395 Targeting Salesforce for Data Theft

September 13, 2025
Cyber Attack / Data Breach

The FBI has released a flash alert highlighting indicators of compromise linked to two cybercriminal groups, UNC6040 and UNC6395, known for their recent data theft and extortion campaigns. Both groups have been reported to target organizations’ Salesforce platforms using various initial access methods.

UNC6395 has been notably associated with a significant data theft operation in August 2025, where compromised OAuth tokens from the Salesloft Drift application were exploited. This vulnerability stemmed from a breach of Salesloft’s GitHub account between March and June 2025. In response, Salesloft has isolated the Drift infrastructure and temporarily disabled the AI chatbot application while implementing enhanced multi-factor authentication measures.

FBI Issues Alert on Cybercriminal Groups Targeting Salesforce Platforms

September 13, 2025

In a concerning development, the Federal Bureau of Investigation (FBI) has issued a flash alert regarding two cybercriminal factions, referred to as UNC6040 and UNC6395, who are orchestrating a series of data theft and extortion attacks. This alert highlights significant vulnerabilities in Salesforce platforms, which these groups have been actively exploiting using various initial access methods.

Recently, UNC6395 has been linked to a widespread campaign targeting Salesforce instances, with notable activity reported in August 2025. The group leveraged compromised OAuth tokens associated with the Salesloft Drift application to gain unauthorized access to sensitive data. A subsequent investigation revealed that this breach originated from a compromise of Salesloft’s GitHub account that occurred between March and June 2025. In response, Salesloft has taken decisive actions by isolating the affected Drift infrastructure and temporarily deactivating their AI chatbot application.

Salesloft’s actions follow a broader trend observed by the FBI, as cybercriminals increasingly focus on exploiting popular business platforms. The use of compromised tokens to penetrate Salesforce environments indicates a sophisticated understanding of the platform’s security architecture. This incident underscores the importance of robust security measures, particularly in light of attack vectors that utilize previous breaches of third-party systems.

The tactics employed by UNC6395 align with several methods identified within the MITRE ATT&CK framework, suggesting a calculated approach to their operations. The initial access tactic, primarily through social engineering and exploitation of vulnerable third-party services, is evident in this scenario. Moreover, the persistent nature of the breach could indicate ongoing attempts to maintain access to compromised environments, thereby posing a continuous threat to affected organizations.

As businesses increasingly rely on cloud-based applications such as Salesforce, the potential for these types of attacks only grows. Organizations are urged to enhance their security postures by implementing multi-factor authentication and regularly reviewing access controls to sensitive applications. Ongoing security training for employees can also serve as a crucial line of defense against social engineering attacks that often precede such breaches.

The FBI’s alert serves as a crucial reminder of the evolving landscape of cyber threats. As cybercriminals refine their tactics, business owners must remain vigilant in safeguarding their data and systems. The importance of understanding the attack vectors highlighted by this incident cannot be overstated, as it provides critical insight into the necessary steps for preventing similar occurrences in the future.

Source link

Related Posts

⚡ Weekly Roundup: Evolving Threats—Bootkit Malware, AI-Enhanced Attacks, Supply Chain Vulnerabilities, Zero-Day Exploits & More

Sep 15, 2025
Cybersecurity / Hacking News

In today’s landscape of relentless threats, the role of the modern CISO extends beyond mere technology security—it’s about safeguarding institutional trust and ensuring business continuity. This week revealed a disturbing trend: adversaries are increasingly targeting the intricate networks that connect businesses, from supply chains to strategic partnerships. As new regulations emerge and AI-driven attacks escalate, the choices you make now will define your organization’s resilience for years to come. This report isn’t just a list of threats; it’s a strategic framework for effective leadership. Here’s your comprehensive weekly recap, filled with insights to keep you ahead in the game.

⚡ Threat of the Week

New HybridPetya Ransomware Bypasses UEFI Secure Boot — A new variant of the notorious Petya/NotPetya malware, named HybridPetya, has been identified. While there is currently no data indicating its deployment in the wild, it stands out for its ability to compromise the secure boot feature.

New Phoenix RowHammer Attack Overcomes DDR5 Memory Protections in Just 109 Seconds

A research team from ETH Zürich and Google has unveiled a new variant of the RowHammer attack, named Phoenix, specifically targeting DDR5 memory chips produced by SK Hynix. This attack (CVE-2025-6202, CVSS score: 7.1) effectively circumvents advanced security measures designed to protect against such vulnerabilities. “Our findings confirm that it is possible to consistently trigger RowHammer bit flips on a wider scale with SK Hynix’s DDR5 devices,” stated ETH Zürich’s Computer Security Group (COMSEC). “We also demonstrated that on-die ECC fails to prevent RowHammer attacks, making end-to-end RowHammer exploits feasible on DDR5.” RowHammer is a critical hardware vulnerability where repetitive access to a memory row can induce bit flips in neighboring rows, leading to data corruption that malicious actors can exploit to access sensitive information or elevate privileges.