Categories: Cyber Security News

Google Urges 2.5 Billion Gmail Users to Reset Passwords After Salesforce Breach

Voice phishing (vishing) campaigns have reached unprecedented levels of sophistication, with threat actors leveraging OAuth-based authentication and API exploitation to execute large-scale data exfiltration operations.

The emergence of UNC6040 represents a paradigm shift in social engineering tactics, where cybercriminals systematically target enterprise Customer Relationship Management (CRM) platforms to establish persistent access channels for subsequent extortion activities.

Social Engineering Through Technical Manipulation

UNC6040 employs sophisticated social engineering protocols that exploit the trust inherent in IT support interactions.

The threat actors utilize Session Initiation Protocol (SIP) spoofing techniques to mask their caller identification, often routing calls through Voice over Internet Protocol (VoIP) services connected to Tor exit nodes or Mullvad VPN infrastructure.

This approach enables them to maintain operational security while conducting real-time manipulation of victims.

The technical execution involves guiding targets to Salesforce’s Connected Apps authorization endpoint (/oauth2/authorize), where victims unknowingly grant API access tokens to malicious applications.

These applications, masquerading as legitimate Data Loader instances, request elevated permissions, including the api, refresh_token, and full scopes of the OAuth 2.0 framework.

Once authorized, the threat actors gain programmatic access to SOQL (Salesforce Object Query Language) capabilities, enabling comprehensive data extraction through REST API calls.

The attackers frequently modify legitimate Data Loader applications by injecting custom Python scripts that automate the exfiltration process.

These scripts utilize bulk API endpoints (/services/data/v58.0/jobs/query) to extract large datasets while implementing rate-limiting mechanisms to avoid detection by security monitoring systems.

Infrastructure and Attribution Complexities

UNC6040’s operational infrastructure demonstrates sophisticated network segmentation strategies.

The group maintains separate command and control (C2) infrastructure for different phases of their operations, utilizing Tor hidden services for initial reconnaissance and commercial VPN services like Mullvad for data exfiltration activities.

This dual-infrastructure approach complicates attribution efforts and provides resilience against takedown operations.

The connection between UNC6040 and UNC6240 suggests a threat-as-a-service model, where initial access operations are monetized through partnerships with extortion specialists.


UNC6240 operates dedicated Bitcoin wallet addresses for ransom payments and maintains ProtonMail and Tutanota accounts for victim communication, utilizing domains registered through privacy-protected WHOIS services to maintain anonymity.

Recent indicators suggest these threat actors are preparing to deploy a Data Leak Site (DLS) infrastructure, potentially hosted on bulletproof hosting services or distributed file systems like IPFS (InterPlanetary File System).

This evolution represents a significant escalation in their extortion methodology, transitioning from private negotiations to public pressure campaigns.

Technical Countermeasures and API Security Hardening

Defending against UNC6040’s sophisticated tactics requires implementing Zero Trust Architecture principles specifically targeting API security.

Organizations should deploy Web Application Firewalls (WAF) configured with rate-limiting rules that monitor for anomalous API call patterns, particularly bulk data operations exceeding baseline thresholds.

Security Information and Event Management (SIEM) systems should be configured to correlate OAuth authorization events with subsequent API usage patterns.

Implementing User and Entity Behavior Analytics (UEBA) can identify deviations from normal access patterns, such as data queries originating from geographically anomalous IP addresses or exhibiting temporal access patterns inconsistent with business operations.

Organizations should implement Conditional Access Policies that restrict OAuth app authorizations based on IP geolocation, device compliance status, and risk scoring algorithms.
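The two detection controls described above, flagging Connected App grants that request the full or refresh_token scopes (or go to an app the organization has not vetted) and correlating each grant with the bulk query jobs that follow it, can be prototyped against an audit export. The following is an added example, not code from the article or from Salesforce; the event records are constructed to resemble an audit export, and the app allowlist, the endpoint path from the article, the job threshold and the correlation window are assumptions a deployment would tune.

```python
"""Correlate OAuth Connected App grants with subsequent bulk API usage (added example)."""
from datetime import datetime, timedelta

# Scopes the article reports the malicious Data Loader clones requesting.
HIGH_RISK_SCOPES = {"full", "refresh_token"}
# Assumption: Connected App names the organization has vetted.
APPROVED_APPS = {"Corporate Data Loader"}
# Bulk query endpoint named in the article.
BULK_QUERY_ENDPOINT = "/services/data/v58.0/jobs/query"
# Assumption: more than this many bulk jobs within WINDOW of a new grant is anomalous.
BULK_JOB_THRESHOLD = 3
WINDOW = timedelta(hours=2)

# Constructed sample events (not real Salesforce logs). Each carries a timestamp,
# the granting or calling user, an event type, the app name, and either the
# granted scopes or the endpoint called.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "alice@example.com", "type": "oauth_grant",
     "app": "Corporate Data Loader", "scopes": "api"},
    {"ts": "2025-06-01T09:05:00", "user": "alice@example.com", "type": "api_call",
     "app": "Corporate Data Loader", "endpoint": BULK_QUERY_ENDPOINT},
    {"ts": "2025-06-01T13:10:00", "user": "bob@example.com", "type": "oauth_grant",
     "app": "Data Loader", "scopes": "api refresh_token full"},
    {"ts": "2025-06-01T13:12:00", "user": "bob@example.com", "type": "api_call",
     "app": "Data Loader", "endpoint": BULK_QUERY_ENDPOINT},
    {"ts": "2025-06-01T13:25:00", "user": "bob@example.com", "type": "api_call",
     "app": "Data Loader", "endpoint": BULK_QUERY_ENDPOINT},
    {"ts": "2025-06-01T13:41:00", "user": "bob@example.com", "type": "api_call",
     "app": "Data Loader", "endpoint": BULK_QUERY_ENDPOINT},
    {"ts": "2025-06-01T14:02:00", "user": "bob@example.com", "type": "api_call",
     "app": "Data Loader", "endpoint": BULK_QUERY_ENDPOINT},
    {"ts": "2025-06-01T14:05:00", "user": "bob@example.com", "type": "api_call",
     "app": "Data Loader", "endpoint": "/services/data/v58.0/sobjects/Account"},
    {"ts": "2025-06-01T15:00:00", "user": "carol@example.com", "type": "oauth_grant",
     "app": "Salesforce Helper", "scopes": "api"},
]


def _ts(value):
    """Parse the ISO 8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def risky_grants(events):
    """Return OAuth grants that request a high-risk scope or go to an unvetted app."""
    findings = []
    for e in events:
        if e["type"] != "oauth_grant":
            continue
        reasons = []
        risky = set(e["scopes"].split()) & HIGH_RISK_SCOPES
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        if e["app"] not in APPROVED_APPS:
            reasons.append("app not on allowlist")
        if reasons:
            findings.append({"user": e["user"], "app": e["app"],
                             "ts": e["ts"], "reasons": reasons})
    return findings


def bulk_jobs_after_grant(events, threshold=BULK_JOB_THRESHOLD, window=WINDOW):
    """Flag grants followed by more bulk query jobs than the baseline allows."""
    alerts = []
    for g in (e for e in events if e["type"] == "oauth_grant"):
        start = _ts(g["ts"])
        count = sum(
            1 for e in events
            if e["type"] == "api_call"
            and e["user"] == g["user"]
            and e["app"] == g["app"]
            and e["endpoint"] == BULK_QUERY_ENDPOINT
            and start <= _ts(e["ts"]) <= start + window
        )
        if count > threshold:
            alerts.append({"user": g["user"], "app": g["app"],
                           "grant_ts": g["ts"], "bulk_jobs": count})
    return alerts


if __name__ == "__main__":
    for f in risky_grants(SAMPLE_EVENTS):
        print("risky grant:", f)
    for a in bulk_jobs_after_grant(SAMPLE_EVENTS):
        print("bulk burst after grant:", a)
```

In the constructed data, alice's vetted app and single bulk job produce nothing, carol's grant is flagged only for the unvetted app name, and bob's grant is flagged on both counts and then correlated with four bulk query jobs inside the window. In a real SIEM the same two rules would run over the platform's login and API audit streams, with the allowlist and threshold maintained per organization.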

Additionally, deploying Certificate Authority Authorization (CAA) records and DNS-based Authentication of Named Entities (DANE) can help prevent domain spoofing attempts commonly used in vishing operations.

The implementation of Hardware Security Modules (HSM) for API key management and Perfect Forward Secrecy (PFS) for all authentication tokens can limit the impact of credential compromise incidents, ensuring that historical communications remain secure even if current keys are compromised.


The post Google Urges 2.5 Billion Gmail Users to Reset Passwords After Salesforce Breach appeared first on Cyber Security News.

rssfeeds-admin
