Google’s Mandiant has published guidance on defending against an ongoing wave of social engineering attacks targeting organizations’ Salesforce instances.
The organized criminal gang tracked by Google as “UNC6040” has been using voice phishing attacks to trick employees into granting access.
“Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements,” the researchers write.
“This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organizations’ Salesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.”
Mandiant recommends that organizations use a defense-in-depth strategy with measures to ensure that callers are who they say they are. In some cases, the attackers impersonate support personnel from third-party vendors in an attempt to gain access. Help desk employees who receive these calls should do the following:
- “End the inbound call without providing any access or information.
- “Independently contact the company’s designated account manager for that vendor using trusted, on-file contact information.
- “Require explicit verification from the account manager before proceeding with any request.”
Additionally, employees should be wary of unsolicited requests to log into services their organization uses; these may be phishing attacks designed to steal their credentials.
“Mandiant has observed the threat actor UNC6040 targeting end-users who have elevated access to SaaS applications,” the researchers write. “Posing as vendors or support personnel, UNC6040 contacts these users and provides a malicious link. Once the user clicks the link and authenticates, the attacker gains access to the application to exfiltrate data. To mitigate this threat, organizations should rigorously communicate to all end-users the importance of verifying any third-party requests.”
Google has the story.