Market Impact: 0.35

Hackers abuse modified Salesforce app to steal data, extort companies, Google says

GOOGL, CRM
Technology & Innovation | Cybersecurity & Data Privacy | Company Fundamentals | Legal & Litigation | Management & Governance

Google's Threat Intelligence Group reports that hackers, identified as UNC6040, are using social engineering via voice calls to trick employees at European and American companies into installing a modified version of Salesforce's Data Loader app. The modified app lets the hackers exfiltrate sensitive data from Salesforce environments and potentially gain access to other cloud services and internal networks. Roughly 20 organizations have been affected. Salesforce acknowledges the issue as a social engineering scam exploiting gaps in users' cybersecurity awareness, stating that it is not a widespread vulnerability in its platform and that it had warned customers of such attacks in March 2023.

Analysis

Google's Threat Intelligence Group has identified a hacking campaign by a group tracked as UNC6040, with suspected links to "The Com" ecosystem, targeting companies in Europe and the Americas. The hackers use voice calls to socially engineer employees into installing a modified, unauthorized version of Salesforce's Data Loader application. This gives the attackers significant capabilities to access, query, and exfiltrate sensitive information from compromised Salesforce customer environments, and can lead to broader network infiltration and extortion. Approximately 20 organizations have been affected over several months, with a subset experiencing confirmed data exfiltration. Salesforce stated that the attacks do not stem from an inherent platform vulnerability but are social engineering scams exploiting gaps in users' cybersecurity awareness. The company noted it had warned customers about such "vishing" attacks and malicious Data Loader versions in a March 2023 blog post, characterizing the impact as affecting "only a small subset of affected customers" and not a "widespread issue," while declining to specify the number of affected customers. The situation reflects a moderately negative sentiment for Salesforce (CRM), while Google (GOOGL), as the reporting entity, maintains a neutral sentiment.
