Clever Deception, Securing Security, Weaving Priorities, Another Door Slammed, Slinking in the Shadows, 24-7 Service, and Picking Data Pockets. It's CISO Intelligence for Wednesday, 11th June 2025.

Beware of confident tricksters, taking the "belt and braces" approach, It's all about quality and not size, the law wins again, digital stalkers on the loose, crime never takes a holiday, and the naive are always easy targets.


"Gives me everything I need to be informed about a topic" - UK.Gov

Table of Contents

  1. The Cost of a Call: From Voice Phishing to Data Extortion
  2. Unlocking Business Access... Securely: How to Navigate the Windows Hello for Business Requirements
  3. Redefining Cyber Value: Why Business Impact Should Lead the Security Conversation
  4. Operation Endgame Closes the Cryptopath!
  5. BladedFeline: Whispering in the Dark
  6. Ransomware: It's Not a Vacation, Even in the Travel Industry
  7. The BADBOX 2.0 Malware Menace: The IoT You Never Knew Could Attack

The Cost of a Call: From Voice Phishing to Data Extortion

"It's not what you say, it's who you pretend to be."

What You Need to Know

The Google Threat Intelligence Group (GTIG) has detected a threat cluster, UNC6040, engaging in sophisticated voice phishing (vishing) attacks targeting Salesforce environments for data extortion. These threats are executed through impersonation, leading to significant breaches. The executive management group should prioritize reinforcing employee training on social engineering and consider implementing additional security measures to protect Salesforce infrastructure.

CISO Focus: Social Engineering and Data Protection
Sentiment: Strong Negative
Time to Impact: Immediate to Short-Term


Highlighting the Threat – UNC6040's Modus Operandi

UNC6040 has refined its vishing techniques, often imitating IT support to deceive employees, especially in the English-speaking branches of multinational companies. The cluster does not exploit technical vulnerabilities; it relies on human error, persuading staff to approve unauthorized applications. Through this social engineering, the attackers gain broad access to Salesforce environments, increasing the potential for large-scale data theft and subsequent extortion.

Key Points:

  • Impersonation Strategy: Attackers impersonate IT personnel, gaining trust during phone calls.
  • Malicious Connected Apps: Victims unknowingly authorize a fraudulent Salesforce app, allowing data exfiltration.
  • Delayed Extortion Tactics: Although initial breaches occur quickly, the extortion phase may be delayed, indicating possible collaboration with other malicious actors for monetization.

Anatomy of an Attack

The operation begins with a scripted call in which the scammer, posing as a trusted IT contact, persuades the target to authorize a seemingly harmless version of Salesforce's Data Loader, a tool that is then used to exfiltrate data silently. UNC6040 adapts its approach to monetize the stolen data effectively, sometimes months after the breach, reportedly under the banner of larger hacking collectives such as ShinyHunters.

  • Step-by-step Manipulation: Calls direct employees to the Salesforce app setup, subtly leading them to permit full access to sensitive data.
  • Data Loader Exploitation: The fraudulent tool mimics Salesforce’s legitimate applications but functions as an exfiltration channel.

Mitigation Measures and Employee Awareness

Organizations can curtail such vishing attacks by strengthening awareness programs, emphasizing caution toward unexpected calls and verifying the identity behind internal requests. Multi-factor authentication and regular audits of the applications connected to Salesforce can block this kind of unauthorized access.

Proactive Measures Include:

  • Comprehensive Training: Routine workshops focused on identifying phishing scams.
  • Robust Authentication: Introduce multi-factor authentication on all Salesforce accesses.
  • Regular Compliance Checks: Frequent reviews of all connected apps’ legitimacy and necessity.
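The connected-app review the list above calls for can be partly automated. The following is an added example, not code from the original article or from Salesforce: it runs an inventory check over constructed authorization records (the field names `app`, `key`, `user`, `created`, `last_used` and `uses` are assumptions standing in for whatever an admin's connected-app or OAuth-token export contains) and flags apps outside the approved inventory, look-alike names that mimic an approved app under a different consumer key, and bulk usage immediately after authorization.

```python
"""Audit connected-app authorizations for the vishing pattern described above.

Constructed records standing in for a connected-app / OAuth-token export an
admin would pull from Salesforce (field names are assumptions, not the
Salesforce API). Flags apps outside the approved inventory, look-alike names
that mimic an approved app under a different consumer key, and bulk usage
right after authorization.
"""
from datetime import datetime, timedelta
import re

# Approved inventory: app name -> consumer key (constructed placeholders).
APPROVED = {"Data Loader": "KEY-DATALOADER-OFFICIAL", "Slack": "KEY-SLACK-OFFICIAL"}

# Constructed sample: one connected-app authorization per dict.
SAMPLE_AUTHS = [
    {"app": "Data Loader", "key": "KEY-DATALOADER-OFFICIAL", "user": "ops@example.test",
     "created": "2025-06-01T09:00:00", "last_used": "2025-06-10T09:00:00", "uses": 40},
    {"app": "Data-Loader", "key": "KEY-UNKNOWN-7731", "user": "sales@example.test",
     "created": "2025-06-09T14:02:00", "last_used": "2025-06-09T14:40:00", "uses": 850},
    {"app": "Slack", "key": "KEY-SLACK-OFFICIAL", "user": "hr@example.test",
     "created": "2025-03-02T08:00:00", "last_used": "2025-06-10T12:00:00", "uses": 120},
]

def _norm(name):
    """Collapse case and punctuation so 'Data-Loader' matches 'Data Loader'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def audit(auths, approved=APPROVED, burst_uses=500, burst_hours=24):
    """Return (app, user, reason) findings for authorizations worth reviewing."""
    approved_norm = {_norm(n): k for n, k in approved.items()}
    findings = []
    for a in auths:
        n = _norm(a["app"])
        if n in approved_norm:
            if approved_norm[n] != a["key"]:  # name mimics a trusted app
                findings.append((a["app"], a["user"], "lookalike of approved app, unknown consumer key"))
        else:
            findings.append((a["app"], a["user"], "not in approved inventory"))
        created = datetime.fromisoformat(a["created"])
        last = datetime.fromisoformat(a["last_used"])
        # Hundreds of calls within a day of first authorization looks like an export.
        if a["uses"] >= burst_uses and last - created <= timedelta(hours=burst_hours):
            findings.append((a["app"], a["user"], "bulk API use shortly after authorization"))
    return findings
```

Findings from this check should feed the vendor and compliance reviews rather than trigger automatic revocation, since a legitimate new integration can also show a burst on its first day.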

Economic and Reputational Impact

The implications of UNC6040’s operations are far-reaching, affecting both financial standings and brand trust. With attackers continuously evolving, the capacity to counteract vishing initiatives must leverage technological advancements alongside strengthened human vigilance.

  • Costs of Data Breaches: Financial repercussions from data loss and potential ransom payments.
  • Erosion of Trust: Customer confidence may wane due to mishandling of personal and corporate data.

Understanding the nuances of victim manipulation is paramount, recognizing that the weakest link often lies not in technology itself, but in human interactions.


Vendor Diligence

Questions

  1. What security measures are in place to protect against unauthorized Salesforce application authentications?
  2. Can you provide a walkthrough of your incident response protocols if a Salesforce intrusion is suspected?
  3. How do you keep up with emerging phishing techniques targeting connected apps?

Action Plan

The CISO's team should take immediate steps:

  • Initiate Security Campaigns: Educate the workforce on recognizing vishing attempts.
  • Enhance Access Controls: Implement stringent verification processes for Salesforce connected applications.
  • Collaborate with IT and Compliance: Conduct security audits focusing on identifying and mitigating risks in data access and application permissions.

Source: The Cost of a Call: From Voice Phishing to Data Extortion