FBI: UNC6040 and UNC6395 Target Salesforce Instances to Steal Data and Extort Victims
Summary of the FBI FLASH alert
The FBI has issued a FLASH warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims. The advisory raises immediate concern for enterprises that rely on Salesforce for customer records, sales pipelines, and integrations with downstream systems.
Why this matters: context and background
Salesforce is one of the most widely deployed cloud-based customer relationship management (CRM) platforms. It houses high-value business information — customer PII, financial records, proprietary reports, contract data and third-party integrations — that attackers can monetize directly or use for follow-on intrusions. Compromise of a central SaaS platform like Salesforce can have outsized operational, regulatory and reputational impact because it often connects to other business systems and data flows.
In recent years, adversaries have increasingly shifted effort toward cloud and SaaS targets. Threat actors can exploit weak identity controls, misconfigured integrations, stale tokens, or over-permissive roles to access and exfiltrate data without the traditional footprints associated with on-premises breaches. The FBI alert underscores that cloud application compromise is not merely a theoretical risk but an active vector used by criminal groups to harvest sensitive business data and pursue extortion.
Practitioner analysis: likely attack patterns and attacker goals
The FBI advisory identifies two clusters conducting these intrusions. While the alert does not disclose full tactical details in public reporting, a practical, defensive analysis for practitioners should consider the following attacker objectives and common methods in similar incidents:
- Objectives: Obtain bulk access to business and customer data for resale, fraud, or public exposure; identify accounts and access tokens that enable persistent access; and use stolen data to extort victims or pressure payment.
- Common access vectors seen across cloud-targeting campaigns:
  - Credential theft or reuse (password spraying, credential stuffing) against accounts with high privileges.
  - Compromise of identity providers or SSO configurations that federate into Salesforce.
  - Exploitation of misconfigured third-party connected apps or integrations that hold long-lived tokens or excessive privileges.
  - Abuse of admin or API privileges to export reports, data extracts, or to create backdoor integrations.
- Indicators: unusual API call volumes, large data exports, creation of unfamiliar connected apps or users, anomalous OAuth token activity, and logins from unexpected geographies or IP ranges.
Comparable trends and industry context
Cloud-native incidents and SaaS compromises are a growing portion of enterprise security incidents observed by incident responders and industry reports. Enterprise defensive guidance increasingly emphasizes identity and access controls, monitoring of API and integration activity, and rigorous configuration hygiene for cloud platforms. While the FBI alert specifically names UNC6040 and UNC6395 targeting Salesforce, the pattern aligns with broader shifts in attacker tradecraft toward high-value cloud targets and extortion-driven monetization.
For organizations that have undergone cloud security assessments or incident response engagements in recent years, two broad lessons have repeatedly emerged: first, identity and token hygiene is the critical control plane; second, telemetry and rapid detection of anomalous API and admin behavior materially reduce dwell time and limit exfiltration.
Actionable recommendations for defenders
Below are concrete, prioritized actions practitioners should consider implementing immediately to mitigate risk to Salesforce environments. These recommendations map to defensive controls, detection strategies, and incident response preparedness.
- Review and harden identity controls
  - Require multifactor authentication (MFA) for all administrative and privileged accounts and, where possible, for standard users, especially those who can access sensitive data or integrations.
  - Validate SSO and identity provider (IdP) configurations; ensure certificate and metadata endpoints are secured and monitored for changes.
  - Limit the number of users with full administrative privileges; apply the principle of least privilege using permission sets and profiles.
- Audit integrations and connected apps
  - Inventory all connected apps, API integrations and third-party platforms with Salesforce access. Revoke stale or unused tokens and remove unused integrations.
  - Rotate client secrets and OAuth tokens on a planned schedule and immediately after any suspected compromise.
  - Restrict OAuth scopes to the minimum required and enforce IP allowlists for critical integrations where feasible.
- Increase telemetry and detection
  - Enable detailed logging and retain Event Monitoring or audit logs (API calls, data exports, login history) long enough to support incident investigations.
  - Create alerts for anomalous behaviors: large data exports, sudden spikes in API usage, creation of new admin users, unexpected changes to connected apps or permission sets, and logins from new geographies or devices.
  - Integrate Salesforce logs with a central SIEM or security analytics tooling to correlate cloud activity with broader network and identity telemetry.
- Operational and incident response controls
  - Develop and rehearse SaaS-specific incident response plans that include rapid token revocation, disabling compromised accounts, and forensic preservation of audit logs.
  - Maintain a process for rapid credential and secret rotation, and for coordinating with legal and communications teams in extortion scenarios.
  - Establish escalation paths to law enforcement; the FBI advisory indicates these campaigns are being tracked and reported to national authorities.
- Preventive hygiene and governance
  - Perform periodic access reviews for all Salesforce roles and connected applications; remove orphaned permissions and inactive accounts.
  - Apply data minimization: limit the volume of sensitive data stored in any single SaaS tenant, and classify and protect the most sensitive records (PII, financial data, trade secrets).
  - Use granular DLP and data classification controls within Salesforce and in any integrated platforms to reduce the impact of a breach.
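The indicators listed in the analysis section and the alerting rules above can be turned into simple detection logic. The following is an added example written for this summary, not code from the FBI alert or from Salesforce: it runs four checks (new-geography logins, oversized exports, per-user API spikes, unapproved connected apps) over a constructed one-hour window of event rows whose field names are assumptions loosely modelled on Event Monitoring data, with a constructed tenant baseline.

```python
# Added example: detection logic for the Salesforce indicators discussed above.
# Event field names and all values are constructed assumptions, not a real schema.
from collections import Counter

# Constructed tenant baseline (assumed values).
KNOWN_GEO = {"alice": {"US"}, "svc-etl": {"US"}}          # countries seen per user
API_BASELINE_PER_HOUR = {"alice": 20, "svc-etl": 500}      # typical hourly API calls
APPROVED_APPS = {"Salesforce UI", "ETL Connector"}         # connected-app allowlist
EXPORT_ROW_THRESHOLD = 100_000                             # rows per extract

# Constructed one-hour window of events (not real telemetry).
EVENTS = [
    {"type": "Login", "user": "alice", "country": "US", "app": "Salesforce UI"},
    {"type": "Login", "user": "alice", "country": "XX", "app": "Salesforce UI"},
    {"type": "ConnectedAppCreate", "user": "alice", "app": "Data Loader Helper"},
    {"type": "Login", "user": "alice", "country": "XX", "app": "Data Loader Helper"},
    {"type": "ReportExport", "user": "alice", "rows": 250_000},
    *[{"type": "API", "user": "alice"} for _ in range(300)],
    *[{"type": "API", "user": "svc-etl"} for _ in range(480)],
    {"type": "BulkApi", "user": "svc-etl", "rows": 5_000},
]

def new_geo_logins(events, known_geo=KNOWN_GEO):
    """Logins from a country never previously seen for that user."""
    return sorted({(e["user"], e["country"]) for e in events
                   if e["type"] == "Login"
                   and e["country"] not in known_geo.get(e["user"], set())})

def large_exports(events, threshold=EXPORT_ROW_THRESHOLD):
    """Report or Bulk API extracts at or above the row threshold."""
    return [(e["user"], e["type"], e["rows"]) for e in events
            if e["type"] in ("ReportExport", "BulkApi") and e["rows"] >= threshold]

def api_spikes(events, baseline=API_BASELINE_PER_HOUR, factor=5):
    """Users whose API call count exceeds `factor` times their hourly baseline."""
    counts = Counter(e["user"] for e in events if e["type"] == "API")
    return sorted((u, n) for u, n in counts.items() if n > factor * baseline.get(u, 0))

def unapproved_apps(events, approved=APPROVED_APPS):
    """Connected apps created or used that are not on the allowlist."""
    return sorted({e["app"] for e in events if "app" in e and e["app"] not in approved})

def triage(events):
    """Run all four checks; an empty list means no finding for that check."""
    return {"new_geo": new_geo_logins(events), "exports": large_exports(events),
            "api_spikes": api_spikes(events), "apps": unapproved_apps(events)}

if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

In the constructed window every check fires for the user "alice" while the service account's steady bulk traffic stays below its own baseline, which is the point of keeping thresholds per identity rather than tenant-wide.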
Operational considerations and legal/regulatory implications
Compromise of CRM data can trigger regulatory obligations depending on the type of data exposed and applicable privacy laws (for example, breach notification requirements under state or national data protection statutes). Organizations should coordinate legal, privacy, and communications functions early in an investigation. Preserve evidence, maintain chain of custody for forensic artifacts, and consult with counsel when considering ransom or extortion demands.
From an insurance and remediation standpoint, ensure cyber policies cover SaaS compromises and understand the requirements for notification, forensic vendor engagement, and preservation of evidence required by insurers and regulators.
Conclusion
Key takeaways for security leaders and practitioners:
- The FBI has publicly warned that two threat clusters, UNC6040 and UNC6395, are targeting Salesforce instances to steal data and extort victims. Treat the advisory as a call to assess exposure immediately.
- Prioritize identity hygiene, connected-app governance, and improved telemetry to detect the anomalous API and admin activity that indicates compromise or exfiltration.
- Prepare SaaS-specific incident response playbooks that enable rapid token revocation, account disabling and coordinated reporting to law enforcement and regulators.
- Adopt least-privilege access models, enforce MFA, and continuously monitor third-party integrations to reduce the attack surface across your Salesforce estate.
Source: www.bleepingcomputer.com