A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances.
In June, Google's Threat Intelligence Group (GTIG) warned that threat actors tracked as UNC6040 were targeting Salesforce customers in social engineering attacks.
In these attacks, the threat actors impersonated IT support staff in phone calls to targeted employees, attempting to persuade them to visit Salesforce's connected app setup page. On this page, they were told to enter a "connection code", which linked a malicious version of Salesforce's Data Loader OAuth app to the target's Salesforce environment.
In some cases, the Data Loader component was renamed to "My Ticket Portal," to make it more convincing in the attacks.
[Image: Prompt to enter connection code. Source: Google]
GTIG says that these attacks were usually conducted through vishing (voice phishing), but credentials and MFA tokens were also stolen through phishing pages that impersonated Okta login pages.
Around the time of this report, multiple companies reported data breaches involving third-party customer service or cloud-based CRM systems.
LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. each disclosed unauthorized access to a customer information database, with Tiffany Korea notifying customers the attackers breached a "vendor platform used for managing customer data."
Adidas, Qantas, and Allianz Life also reported breaches involving third-party systems, with Allianz confirming it was a third-party customer relationship management platform.