I’m thrilled to sit down with Maryanne Baines, a renowned authority in cloud technology with extensive experience evaluating cloud providers, their tech stacks, and applications across various industries. With the recent FBI FLASH alert highlighting the growing threats to Salesforce environments by sophisticated threat groups, Maryanne is the perfect person to help us understand the implications for businesses and how they can protect themselves. In this interview, we’ll explore the nature of these attacks, the tactics used by the identified threat actors, the vulnerabilities in third-party integrations, and practical steps companies can take to safeguard their data.
How significant is the FBI’s FLASH alert for businesses relying on Salesforce, and what prompted its release now?
The FBI’s FLASH alert is a critical wake-up call for businesses using Salesforce. It signals that there’s a coordinated and escalating threat targeting these environments, which are often central to customer relationship management and hold sensitive data. The urgency of the alert likely stems from the recent spike in attacks by two specific threat groups, tracked as UNC6040 and UNC6395, since at least October 2024. The FBI wants to maximize awareness and provide actionable indicators of compromise to help companies respond before more damage is done. It’s a sign that these attacks aren’t isolated but part of a broader campaign affecting major organizations globally.
Can you break down the differences between the two threat groups, UNC6040 and UNC6395, in how they target Salesforce users?
Absolutely. UNC6040 primarily relies on social engineering to gain access. They’re known for tactics like vishing, or voice-based phishing, where they impersonate IT support staff to trick employees into handing over credentials or granting access to Salesforce accounts. On the other hand, UNC6395 takes a more technical approach, exploiting compromised OAuth tokens tied to third-party apps like Salesloft Drift. Their method focuses on leveraging these tokens to infiltrate Salesforce instances and extract data. While UNC6040 manipulates human behavior, UNC6395 exploits systemic vulnerabilities in app integrations.
Focusing on UNC6040, how are they using social engineering tactics like vishing to deceive employees?
UNC6040’s use of vishing is particularly insidious because it preys on trust. They often call company call centers, posing as IT support resolving supposed connectivity issues. Under the pretense of closing a ticket, they convince employees to either share credentials or take actions that grant access to Salesforce accounts. It works because it feels urgent and legitimate—most people don’t suspect a friendly voice on the phone asking for help with a technical issue. This tactic bypasses many technical defenses by targeting the human element, which is often the weakest link in security.
What role do fake login pages or phishing panels play in UNC6040’s strategy to steal data?
These fake login pages, or phishing panels, are a key tool for UNC6040. They direct victims to what looks like a legitimate Salesforce login portal, but it’s actually a trap designed to capture usernames, passwords, and even multifactor authentication codes. Once the employee enters their information, the attackers have everything they need to log in and start siphoning data. It’s a classic phishing tactic, but tailored specifically for Salesforce users, often paired with their vishing efforts to make the fake page seem part of a legitimate support process.
Turning to UNC6395, how are they exploiting compromised OAuth tokens through apps like Salesloft Drift?
UNC6395 has found a clever way to exploit OAuth tokens, which are essentially digital keys that allow third-party apps like Salesloft Drift to interact with Salesforce on a user’s behalf. If these tokens are compromised—through a breach or poor security practices—the attackers can use them to access a company’s Salesforce instance without needing direct credentials. In this case, they’ve used these tokens to connect through Salesloft Drift, infiltrate systems, and pull out valuable data. It’s a silent attack, often unnoticed until the damage is done, because it leverages trusted integrations.
How have major companies been impacted by these breaches, and what does this mean for trust in Salesforce and third-party apps?
The impact on major companies like Google, Zscaler, Palo Alto Networks, and Cloudflare shows just how pervasive and serious these breaches are. When household names in tech fall victim, it shakes confidence not just in Salesforce but in the entire ecosystem of connected third-party apps. These incidents highlight that even well-resourced organizations can be vulnerable if they don’t scrutinize their integrations or secure their OAuth tokens. For other businesses, it’s a stark reminder that using third-party tools with Salesforce can open doors to attackers if not managed carefully. Trust can be rebuilt, but only with transparency and stronger security measures.
What are some practical signs that a business might have been targeted or compromised by these threat groups?
Businesses should be on the lookout for unusual activity in their Salesforce environments. For instance, unexpected login attempts from unfamiliar IP addresses or locations could indicate a breach. Employees might also report suspicious calls or emails asking for credentials, which could point to UNC6040’s vishing tactics. Additionally, check for unauthorized changes in app permissions or integrations, especially with third-party tools like Salesloft Drift, as that’s a hallmark of UNC6395’s approach. Monitoring network logs for odd data transfers or API usage is also crucial—these could be signs of data being siphoned off.
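Added example (editor's code, not part of the interview or the FBI alert): the warning signs listed in the answer above, turned into three small detection checks run over constructed Salesforce-style records. The field names are assumptions modelled loosely on Salesforce LoginHistory, API event and SetupAuditTrail data; every IP, user, count and indicator below is constructed, not a real IoC.

```python
"""Detection checks for the warning signs in the interview, run over constructed
Salesforce-style records. Added example, not code from the interview, Salesforce,
or the FBI alert. Record field names are assumptions modelled loosely on
Salesforce LoginHistory, API event and SetupAuditTrail data."""
from collections import defaultdict

# Constructed indicator list: placeholder addresses, not the FBI's real IoCs.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed per-user baseline: countries seen before and typical rows/hour via API.
BASELINE = {
    "alice@example.com": {"countries": {"US"}, "rows_per_hour": 500},
    "drift-integration@example.com": {"countries": {"US"}, "rows_per_hour": 2000},
}

LOGINS = [  # constructed LoginHistory-like records
    {"user": "alice@example.com", "ip": "192.0.2.10", "country": "US", "app": "Browser"},
    {"user": "alice@example.com", "ip": "203.0.113.45", "country": "RO", "app": "Browser"},
    {"user": "drift-integration@example.com", "ip": "198.51.100.7", "country": "US", "app": "Salesloft Drift"},
]

API_EVENTS = [  # constructed API event records: rows returned per query, bucketed by hour
    {"user": "alice@example.com", "hour": "2025-09-12T02", "rows": 4000},
    {"user": "alice@example.com", "hour": "2025-09-12T02", "rows": 6000},
    {"user": "drift-integration@example.com", "hour": "2025-09-12T02", "rows": 1500},
]

AUDIT_TRAIL = [  # constructed SetupAuditTrail-like entries
    {"actor": "admin@example.com", "action": "Changed password policy"},
    {"actor": "alice@example.com", "action": "Changed OAuth policies for connected app Salesloft Drift"},
    {"actor": "alice@example.com", "action": "Installed connected app DataExportHelper"},
]

# Setup actions that touch integrations or access rights and deserve a second look.
SENSITIVE_ACTION_WORDS = ("connected app", "oauth", "permission set", "ip range")


def flag_logins(logins, ioc_ips=IOC_IPS, baseline=BASELINE):
    """Return (user, ip, reason) for logins from indicator IPs or never-seen countries."""
    findings = []
    for rec in logins:
        known = baseline.get(rec["user"], {}).get("countries", set())
        if rec["ip"] in ioc_ips:
            findings.append((rec["user"], rec["ip"], "ip on indicator list"))
        if rec["country"] not in known:
            findings.append((rec["user"], rec["ip"], f"new country {rec['country']}"))
    return findings


def flag_api_volume(events, baseline=BASELINE, factor=5):
    """Return (user, hour, rows) where rows/hour exceed `factor` x the user's baseline.

    A sudden jump in rows pulled through the API is the bulk-export pattern the
    interview describes as data being siphoned off."""
    per_hour = defaultdict(int)
    for ev in events:
        per_hour[(ev["user"], ev["hour"])] += ev["rows"]
    flagged = []
    for (user, hour), rows in per_hour.items():
        limit = baseline.get(user, {}).get("rows_per_hour", 0) * factor
        if rows > limit:
            flagged.append((user, hour, rows))
    return flagged


def flag_integration_changes(trail, admins=("admin@example.com",)):
    """Return audit entries that alter apps or permissions and were not made by a known admin."""
    return [
        entry for entry in trail
        if entry["actor"] not in admins
        and any(word in entry["action"].lower() for word in SENSITIVE_ACTION_WORDS)
    ]


if __name__ == "__main__":
    for finding in (flag_logins(LOGINS) + flag_api_volume(API_EVENTS)
                    + flag_integration_changes(AUDIT_TRAIL)):
        print(finding)
```

On real data the baselines would be learned from a trailing window per user rather than hard-coded, and the indicator set would be loaded from the FBI's published list; the three checks are deliberately independent so each can feed its own alert rule.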
What steps can companies take right now to protect their Salesforce platforms from these kinds of attacks?
First, training is key—especially for call center staff who are prime targets for social engineering. Teach them to recognize phishing attempts, whether by phone or email, and to verify identities before sharing information. Implementing multifactor authentication across all services adds another layer of defense. Companies should also adopt the Principle of Least Privilege, meaning users only get access to what they absolutely need. Beyond that, monitor API usage, enforce IP-based access restrictions, and regularly review third-party integrations to ensure they’re secure. The FBI’s list of indicators of compromise, like suspicious IPs, is a good starting point for audits as well.
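Added example (editor's code, not part of the interview): a least-privilege audit of connected-app settings along the lines of the review the answer above recommends. Field names (scopes, ip_relaxation, last_used, assigned_users, users_needing_it) are assumptions loosely modelled on Salesforce connected-app policies; the two apps and their numbers are constructed.

```python
"""Least-privilege audit of connected-app / OAuth settings. Added example, not
code from the interview or Salesforce. Field names are assumptions loosely
modelled on Salesforce connected-app policies; the app records are constructed."""
from datetime import date

STALE_DAYS = 90            # tokens unused this long should be revoked, not kept
OVERBROAD_SCOPES = {"full"}  # "full" grants everything the user could do

CONNECTED_APPS = [  # constructed records
    {"name": "Salesloft Drift", "scopes": {"full", "refresh_token"}, "ip_relaxation": True,
     "last_used": date(2025, 3, 1), "assigned_users": 340, "users_needing_it": 25},
    {"name": "Finance Sync", "scopes": {"api"}, "ip_relaxation": False,
     "last_used": date(2025, 9, 10), "assigned_users": 5, "users_needing_it": 5},
]


def audit_connected_apps(apps, today):
    """Return (app name, issue) pairs for settings that widen the blast radius of a stolen token."""
    findings = []
    for app in apps:
        broad = app["scopes"] & OVERBROAD_SCOPES
        if broad:
            findings.append((app["name"], f"overbroad scope {sorted(broad)}"))
        if app["ip_relaxation"]:
            # Relaxed IP restrictions let a stolen token be replayed from anywhere.
            findings.append((app["name"], "ip restrictions relaxed; enforce login IP ranges"))
        idle = (today - app["last_used"]).days
        if idle > STALE_DAYS:
            findings.append((app["name"], f"token unused for {idle} days; revoke"))
        excess = app["assigned_users"] - app["users_needing_it"]
        if excess > 0:
            findings.append((app["name"], f"{excess} users assigned beyond need"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_connected_apps(CONNECTED_APPS, date(2025, 9, 12)):
        print(f"{name}: {issue}")
```

Each finding maps to one of the controls named in the answer: scope and user-count findings are the Principle of Least Privilege applied to integrations, the IP-relaxation finding is the IP-based access restriction, and the stale-token finding is the regular review of third-party integrations.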
Looking ahead, what is your forecast for the evolution of threats targeting cloud platforms like Salesforce?
I expect these threats to become even more sophisticated as attackers adapt to new defenses. We’ll likely see a blend of social engineering and technical exploits, with threat actors targeting not just Salesforce but other interconnected cloud platforms. The use of AI could amplify social engineering, making vishing calls or phishing emails harder to spot. At the same time, attackers will continue exploiting third-party apps and integrations, as these are often the soft underbelly of cloud ecosystems. Businesses will need to stay proactive, investing in both technology and employee awareness to keep pace with these evolving risks.