FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks

🔥 Key Highlights

  • FBI issued flash alert about UNC6040 & UNC6395 cybercriminal groups.
  • Both groups target Salesforce platforms for data theft & extortion.
  • UNC6395 used stolen OAuth tokens from Salesloft Drift app.
  • UNC6040 used vishing + phishing panels to gain access to Salesforce.
  • ShinyHunters, LAPSUS$, and Scattered Spider formed an alliance, later claimed shutdown.
  • Experts warn: shutdown may be temporary, threats still active.

FBI Alert: Salesforce Cyber Attacks

The U.S. Federal Bureau of Investigation (FBI) has released a flash alert about two cybercriminal groups – UNC6040 & UNC6395 – responsible for data theft and extortion attacks targeting Salesforce platforms.

Group 1: UNC6395 Attack on Salesloft Drift

  • In August 2025, UNC6395 launched a large data theft campaign.
  • They exploited compromised OAuth tokens linked to the Salesloft Drift app.
  • Root cause: a GitHub account breach (March–June 2025).

Salesloft’s response:

  • Isolated Drift infrastructure.
  • Took AI chatbot app offline.
  • Implemented multi-factor authentication & GitHub security hardening.

⚠️ Advisory: All Drift customers should treat integrations & data as compromised.

Group 2: UNC6040 Vishing & Phishing Attacks

  • Active since October 2024.
  • Used vishing calls + phishing panels to gain access.
  • Hijacked Salesforce portals using a modified Data Loader app and custom Python scripts.
  • Stole bulk data with API queries.
  • Later used extortion tactics (sometimes months after theft).
  • Extortion linked to another group: UNC6240 (ShinyHunters brand).
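
A defender-side triage check for the two patterns described above (API access through a connected app that is not approved, and bulk data pulled with API queries), as an added example that is not from the FBI alert or this article. The event records, field names, app names, allow-list and threshold are all constructed assumptions, not a Salesforce log schema.

```python
from collections import defaultdict

# Constructed sample events. Field names are hypothetical, not a Salesforce schema.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app": "Data Loader", "rows": 1200},
    {"user": "bob@example.com", "app": "Unlisted Loader", "rows": 48000},
    {"user": "bob@example.com", "app": "Unlisted Loader", "rows": 52000},
    {"user": "carol@example.com", "app": "Data Loader", "rows": 95000},
    {"user": "svc-int@example.com", "app": "Drift", "rows": 300},
]

# Assumption: the org keeps an allow-list of connected apps. Drift is left off
# here because the advisory says to treat Drift integrations as compromised.
APPROVED_APPS = frozenset({"Data Loader"})
# Assumption: rows per (user, app) in the review window; tune to normal volume.
BULK_ROW_THRESHOLD = 50000


def find_suspicious(events, approved=APPROVED_APPS, threshold=BULK_ROW_THRESHOLD):
    """Return one finding per (user, app) pair that trips either rule."""
    totals = defaultdict(int)
    for event in events:
        totals[(event["user"], event["app"])] += event["rows"]

    findings = []
    for (user, app), rows in sorted(totals.items()):
        reasons = []
        if app not in approved:
            # Covers a renamed or modified client and a revoked integration.
            reasons.append("unapproved_app")
        if rows >= threshold:
            # An approved app can still be used for bulk export after vishing.
            reasons.append("bulk_export")
        if reasons:
            findings.append(
                {"user": user, "app": app, "rows": rows, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

Summing rows per user and app before comparing to the threshold catches exports that are split across several smaller queries.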

ShinyHunters, LAPSUS$, and Scattered Spider Alliance

The cybercriminal groups ShinyHunters, LAPSUS$, and Scattered Spider teamed up to strengthen their cyberattacks. But on September 12, 2025, they claimed on Telegram, under the name “scattered LAPSUS$ hunters 4.0,” that they were shutting down, and announced they were going “dark.”

Experts Warn: Threat Still Alive ⚠️

Cybersecurity experts warn this shutdown is likely temporary. Such groups often splinter, rebrand, and resurface under new names.

Risks remain:

  • Stolen data may reappear.
  • Undetected backdoors could still exist.
  • Threat actors may re-emerge later.

👉 Organizations must stay vigilant and assume the threat still exists.
