FBI issued fresh alert major Hackers group mainly associated with cybercriminal groups tracked as UNC6040 and UNC6395 for orchestrating a string of data theft and extortion attacks on Salesforce stealing data. FBI released indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395.

“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions,” as per FBI’s advisory.

Federal Bureau of Investigation has issued a urgent alert detailing the activities of two sophisticated cybercriminal groups, UNC6040 and UNC6395, which have been aggressively targeting Salesforce platforms.

These actors, linked to data theft and extortion schemes, exploit vulnerabilities in OAuth tokens and employ social engineering tactics like vishing to breach high-value targets.

Data Exfiltration or Data extraction/Theft

Data exfiltration occurs in two ways, through outsider attacks and via insider threats. Both are major risks, and organizations must ensure their data is protected by detecting and preventing data exfiltration at all times.

An attack from outside the organization occurs when an individual infiltrates a network to steal corporate data and potentially user credentials. This typically is a result of a cyber criminal injecting malware onto a device, such as a computer or smartphone, that is connected to a corporate network. 

Some strands of malware are designed to spread across an organization’s network and infiltrate other devices, searching for sensitive corporate data in an attempt to exfiltrate information. Many malware will lay dormant on a network to avoid detection by organizations’ security systems until data is exfiltrated subversively or information is gradually collected over a period of time.

Attacks can result from malicious insiders stealing their own organization’s data and sending documents to their personal email address or cloud storage services, potentially to sell to cyber criminals. They can also be caused by careless employee behavior that sees corporate data fall into the hands of bad actors.

Threat monitoring through Intrusion Detection System

Intrusion Detection system often network and searches for known threats and suspicious or malicious traffic. When it detects a possible threat, the IDS sends an alert to the organization’s IT and security teams. IDS applications can be either software, which runs on hardware or network security solutions, or cloud-based, which protects data and resources in cloud environments.

Vishing Attack Lashed by Cyber Criminal

Vishing attacks, where perpetrators impersonate trusted IT support personnel to trick employees into granting access or revealing credentials. Once inside, they manipulate connected third-party applications, such as Salesloft’s Drift AI chatbot, to siphon sensitive data.

This method has proven alarmingly effective, as evidenced by the compromise of Google’s corporate Salesforce instance earlier this year, which exposed contact data for small and medium-sized businesses

UNC6040 & UNC6395 attack methodology

UNC6040, often associated with the notorious ShinyHunters collective, has refined a supply-chain attack vector that leverages OAuth token abuse. By compromising tokens from integrated apps, attackers gain persistent access without triggering immediate alarms.

As per FBI UNC6040, threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls.

On the other hand UNC6395, has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. They target third party application.

In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025.

Salesloft has taken has separated the Drift infrastructure and kept in isolation, also taken the artificial intelligence (AI) chatbot application offline. 

Salesloft and Salesforce collaborated to revoke all active access and refresh tokens for the Drift application on August 20, 2025. This action successfully terminated the threat actors’ access to the compromised Salesforce platforms through this specific vector.250912.pdf

Cyber Experts reflect UNC6040’s operations extend beyond Salesforce, potentially linking to broader campaigns involving SaaS-to-SaaS connections.

Cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable have confirmed that information in their Salesforce instances was compromised as part of the recent Salesforce–Salesloft Drift attack

Read more on cyber attacks: https://intruceptlabs.com/2025/09/tenable-more-cyber-vendors-impacted-by-third-party-salesforce-breach/

Posts on X from cybersecurity accounts, including shares from The Cyber Security Hub, underscore the real-time buzz around these threats, with users warning of the rapid spread of similar tactics across cloud ecosystems as of September 13, 2025.

IOC released from FBI include extensive list of IOCs, including IP addresses, malicious URLs, and user-agent strings associated with both UNC6040 and UNC6395.

This will assist network defenders detect and block related activity. The agency strongly recommends that organizations take several steps to mitigate the risk of compromise. Initially believed to only impact organizations that used the Drift integration, the campaign was later found to have affected other Salesforce customers as well.

(Sources: https://cybersecuritynews.com/fbi-iocs-salesforce-instances/)