Google detected activity during a small window of time before the access was cut off.
Google had information from some of its small- and medium-sized business clients exfiltrated after one of its Salesforce instances was compromised by the ShinyHunters-linked UNC6040 threat operation in June.
In an update to its blog from June, it said this week that one of its corporate Salesforce instances was impacted by UNC6040 activity.
“Google responded to the activity, performed an impact analysis and began mitigations,” it said. “Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off. The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”
Extortion Tactics
It also said it believes threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site. “These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches.”
In the June blog, it described UNC6040 as a “financially motivated threat cluster that specialises in voice phishing (vishing) campaigns specifically designed to compromise organisations' Salesforce instances for large-scale data theft and subsequent extortion.”
William Wright, CEO of Closed Door Security, said: “While Google’s update provides an overview of how these attacks unfolded, it does not state whether the impacted organisations have been informed, or, if they have been informed, when they were informed. This could mean these organisations are only finding out about the breach now, meaning the criminals could have held on to the data, unknown to victims, for almost two months.
ShinyHunters has recently executed a huge volume of attacks via Salesforce and it is essential organisations take note of these. The threat actors have also claimed many attacks are still unreported, so we can expect more victims to be announced in coming weeks.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
