FBI Alert: UNC6040 and UNC6395 Target Salesforce Orgs for Data Theft and Extortion
What the FBI alert says
The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims.
The agency’s notification is intended to raise immediate operational awareness among network defenders and incident response teams about active exploitation of cloud-hosted customer relationship management (CRM) systems. The alert emphasizes that attackers are treating SaaS administration planes and integrations as high-value targets because they can yield broad, sensitive datasets and insider-like access.
Why this matters — background and context
Salesforce is one of the most widely used CRM platforms in enterprise environments. It often contains personally identifiable information (PII), financial records, sales pipelines, customer contracts, and integrations to downstream systems. Compromise of a Salesforce org can therefore expose sensitive corporate and customer data and can provide attackers with rich material for extortion, fraud, and targeted follow-on attacks.
Across the cybersecurity landscape, attackers have shifted focus from traditional on-premises servers to cloud-first and SaaS resources. Historical industry reporting and breach analyses have repeatedly shown that stolen credentials, misconfigured integrations and abused API credentials are recurring root causes of data exposure in cloud services. The FBI’s alert places Salesforce explicitly in that risk category and signals that nation-state and criminal clusters continue to prioritize SaaS access for data exfiltration and monetization.
Tactics, techniques and practitioner analysis
The FBI alert identifies the actor clusters and the objective — access and exfiltration of Salesforce data followed by extortion. For practitioners, the operational details to watch for mirror well-understood attack patterns against SaaS platforms:
- Compromise of privileged or integration accounts — attackers often target API users, service accounts and administrators because these accounts have broad read/export rights.
- Abuse of OAuth-connected apps and long-lived tokens — persistent tokens can allow access even after password rotation unless tokens are revoked.
- Creation or misuse of custom code and automations — where permitted, attackers may deploy scripts, scheduled jobs or Apex code (in Salesforce environments that allow it) to automate data collection and export.
- Data exfiltration via bulk queries and exports — large SOQL queries, bulk API exports, or scheduled data exports are common methods to pull significant datasets without system owners noticing immediately.
- Extortion and double-extortion playbooks — after exfiltration, attackers may threaten release of data publicly or attempt to sell it unless a ransom is paid.
For incident responders this combination of techniques means that detection and containment must address both identity compromise and the downstream data movement. Visibility gaps — such as disabled logging, short log retention, or lack of integrated monitoring — materially increase attacker dwell time.
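The tactics above all surface as out-of-pattern data movement in the org's own logs. The following is an added example, not code from the FBI alert or the original article: toy detection logic over constructed Salesforce Event Monitoring-style rows that flags a user whose read volume within a sliding one-hour window exceeds an absolute threshold or a multiple of their own baseline, and a report export from a user who has never exported reports. The sample rows, the baselines and the thresholds are constructed; the column names (EVENT_TYPE, USER_ID, ROWS_PROCESSED, ...) are modelled on EventLogFile fields but are assumptions to be mapped to your org's actual export.

```python
"""Toy detection logic over Salesforce Event Monitoring-style log rows.

Added example, not from the original article. The sample rows and the
baselines are constructed; column names are modelled on Salesforce
EventLogFile fields (EVENT_TYPE, USER_ID, ROWS_PROCESSED, ...) but are
assumptions, so map them to your org's actual export before use.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an integration user (005INT) suddenly pulls hundreds of
# thousands of rows via the Bulk API, and a sales user (005B2) runs a report
# export although that user has never exported reports before.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,SOURCE_IP,ENTITY_NAME,ROWS_PROCESSED
API,2025-09-12T01:00:00Z,005A1,203.0.113.10,Account,200
API,2025-09-12T01:05:00Z,005A1,203.0.113.10,Contact,150
BulkApi,2025-09-12T01:10:00Z,005INT,198.51.100.7,Contact,250000
BulkApi,2025-09-12T01:12:00Z,005INT,198.51.100.7,Opportunity,180000
ReportExport,2025-09-12T01:20:00Z,005B2,203.0.113.22,,30000
API,2025-09-12T03:00:00Z,005B2,203.0.113.22,Lead,40
"""

# Constructed per-user baselines, as you would derive from ~30 days of history:
# typical rows read per hour, and whether the user has ever exported reports.
BASELINE_ROWS_PER_HOUR = {"005A1": 500, "005INT": 20000, "005B2": 100}
BASELINE_HAS_REPORT_EXPORT = {"005A1": False, "005INT": False, "005B2": False}

ABSOLUTE_ROW_THRESHOLD = 100_000   # rows per window that always warrant a look
BASELINE_MULTIPLIER = 5            # alert when a user exceeds 5x their own baseline
WINDOW = timedelta(hours=1)
DATA_EVENTS = ("API", "BulkApi", "ReportExport")


def parse_rows(text):
    """Parse CSV log text into dicts with a typed timestamp and row count."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ts"] = datetime.strptime(rec["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        rec["rows"] = int(rec["ROWS_PROCESSED"] or 0)
        rows.append(rec)
    return sorted(rows, key=lambda r: r["ts"])


def detect(rows, baseline_rows, baseline_report_export):
    """Return findings for out-of-pattern data movement.

    Rule 1: rows read by a user within a sliding WINDOW exceed either the
            absolute threshold or BASELINE_MULTIPLIER x that user's baseline.
    Rule 2: a ReportExport from a user whose baseline has no report exports.
    """
    findings = []
    recent = defaultdict(list)     # user -> [(timestamp, rows)] inside the window
    volume_flagged = set()         # emit one volume finding per user
    for rec in rows:
        user = rec["USER_ID"]
        if rec["EVENT_TYPE"] not in DATA_EVENTS:
            continue
        if rec["EVENT_TYPE"] == "ReportExport" and not baseline_report_export.get(user, False):
            findings.append({"rule": "unexpected_report_export", "user": user,
                             "detail": f"{rec['rows']} rows at {rec['ts'].isoformat()} "
                                       f"from {rec['SOURCE_IP']}"})
        # Drop events that fell out of the window, then add the current one.
        cutoff = rec["ts"] - WINDOW
        recent[user] = [(t, n) for (t, n) in recent[user] if t > cutoff]
        recent[user].append((rec["ts"], rec["rows"]))
        total = sum(n for _, n in recent[user])
        limit = BASELINE_MULTIPLIER * baseline_rows.get(user, 0)
        if user not in volume_flagged and (total > ABSOLUTE_ROW_THRESHOLD or total > limit):
            volume_flagged.add(user)
            findings.append({"rule": "bulk_export_volume", "user": user,
                             "detail": f"{total} rows within {WINDOW} "
                                       f"(baseline limit {limit}, absolute {ABSOLUTE_ROW_THRESHOLD})"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_rows(SAMPLE_LOG), BASELINE_ROWS_PER_HOUR, BASELINE_HAS_REPORT_EXPORT):
        print(f"[{f['rule']}] user={f['user']} {f['detail']}")
```

On the constructed sample this produces three findings: the integration user trips the absolute threshold on its first Bulk API job, and the sales user trips both the report-export rule and the per-user baseline rule with a 30,000-row export. The per-user baseline matters because a legitimate integration account reads far more than a human user, so a single org-wide threshold either drowns in noise or misses a human account being used for export.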
Comparable incidents and wider trends
While the FBI alert is specific to UNC6040 and UNC6395, the activity fits broader, well-documented trends: attackers increasingly exploit credentials and OAuth integrations rather than targeting infrastructure vulnerabilities. Many published industry reports and breach analyses have identified compromised credentials and abused integrations as primary vectors in cloud and SaaS breaches. Separately, extortion-oriented data theft — where stolen data is used to coerce payment — has become commonplace in ransomware and crimeware ecosystems.
Organisations that rely heavily on SaaS applications are a repeating target set because one compromised admin or integration account can yield access across business functions and geographies. The alert underscores that CRM systems, in particular, are valuable for threat actors due to the richness of customer and commercial data they contain.
Practical recommendations and containment steps
The FBI alert is a signal to act quickly. The following prioritized actions can reduce immediate risk and provide defenders with options to detect, contain, and investigate potential compromise of Salesforce environments:
- Immediate incident triage:
  - Inventory privileged and integration accounts and identify recent anomalous activity (unfamiliar logins, new connected apps, or unexplained data exports).
  - If compromise is suspected, revoke active sessions and OAuth tokens for impacted accounts, reset credentials and rotate API keys for service accounts.
  - Preserve logs and configuration snapshots before wide-scale changes to support forensic analysis (Login History, Setup Audit Trail, and event logs where available).
- Hardening and prevention:
  - Enforce multi-factor authentication (MFA) for all interactive and admin accounts and require it for API and integration users where supported.
  - Apply least-privilege principles to profiles and permission sets; remove or restrict broad data export privileges from non-essential accounts.
  - Limit and review connected apps and OAuth scopes; implement approval workflows for new integrations.
- Visibility and monitoring:
  - Enable and centralize Salesforce logging and Event Monitoring data (or equivalent) into your SIEM or cloud-monitoring platform to detect unusual bulk exports, high-volume SOQL queries, or novel automation components.
  - Implement anomaly detection for large or out-of-pattern data exports and alert on newly created automation scripts or scheduled jobs.
- Long-term resilience:
  - Use security features such as Security Health Check, IP restrictions, session timeout policies and transaction security policies to reduce risk exposure.
  - Adopt an integrated identity governance approach for SaaS, including regular access reviews, dedicated admin accounts, and separation of duties for integration development versus production administration.
  - Consider a cloud access security broker (CASB) or similar controls to monitor data flows between Salesforce and other environments.
- Response playbook:
  - Maintain an incident response plan that includes SaaS-specific steps—how to preserve evidence, how to coordinate with the SaaS provider, and when to engage law enforcement.
  - If extortion occurs, document all actor communications, preserve exfiltrated samples and follow organizational and legal guidance on ransom negotiations; involve legal counsel and law enforcement early.
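The triage and hardening steps above start with the same question: which accounts hold broad data rights, which of them lack MFA, and which connected apps were granted long-lived OAuth access without approval. The following is an added example, not code from the FBI alert or the original article: a toy audit over a constructed inventory that flags privileged accounts without MFA and connected apps that are either outside the approved inventory or newly created with broad scopes, then derives the set of users whose sessions and tokens should be revoked and credentials rotated during triage. The user and app records, the approved-app list and the fixed clock are constructed; the attribute names (Permissions..., MfaEnabled, Scopes, CreatedDate) are modelled on Salesforce User, PermissionSet and connected-app attributes but are assumptions to be populated from your own org export.

```python
"""Toy audit of Salesforce identity and integration hygiene.

Added example, not from the original article. The inventory is constructed
and the attribute names (Permissions..., MfaEnabled, Scopes, CreatedDate)
are modelled on Salesforce User, PermissionSet and connected-app attributes
but are assumptions; populate them from your own org export.
"""
from datetime import datetime, timedelta

NOW = datetime(2025, 9, 12, 12, 0, 0)          # fixed clock so the audit is reproducible
NEW_APP_WINDOW = timedelta(days=14)            # what counts as a "recently created" app
BROAD_DATA_PERMS = {"PermissionsModifyAllData", "PermissionsViewAllData",
                    "PermissionsExportReport"}  # broad read/export rights
RISKY_SCOPES = {"full", "refresh_token"}       # unbounded or long-lived OAuth access

# Constructed users: an admin with MFA, an integration user with broad
# read/export rights and no MFA, and an ordinary sales user.
USERS = [
    {"Id": "005A1", "Username": "admin@example.test", "MfaEnabled": True,
     "Permissions": {"PermissionsModifyAllData"}},
    {"Id": "005INT", "Username": "integration@example.test", "MfaEnabled": False,
     "Permissions": {"PermissionsViewAllData", "PermissionsExportReport"}},
    {"Id": "005B2", "Username": "sales@example.test", "MfaEnabled": False,
     "Permissions": set()},
]

# Constructed connected apps: a long-standing approved ETL app, and an app
# created three days ago with full + refresh_token scope that nobody approved.
CONNECTED_APPS = [
    {"Name": "Approved ETL", "CreatedDate": NOW - timedelta(days=400),
     "Scopes": {"api", "refresh_token"}, "Users": {"005INT"}},
    {"Name": "Data Loader Helper", "CreatedDate": NOW - timedelta(days=3),
     "Scopes": {"full", "refresh_token"}, "Users": {"005INT", "005B2"}},
]
APPROVED_APPS = {"Approved ETL"}


def audit_users(users):
    """Flag accounts holding broad data permissions; note which of them lack MFA."""
    findings = []
    for u in users:
        broad = sorted(u["Permissions"] & BROAD_DATA_PERMS)
        if not broad:
            continue
        rule = "privileged_account" if u["MfaEnabled"] else "privileged_without_mfa"
        findings.append({"rule": rule, "user": u["Id"], "perms": broad})
    return findings


def audit_connected_apps(apps, approved, now):
    """Flag apps outside the approved inventory or newly created with risky scopes."""
    findings = []
    for app in apps:
        reasons = []
        if app["Name"] not in approved:
            reasons.append("not_in_approved_inventory")
        if now - app["CreatedDate"] <= NEW_APP_WINDOW and app["Scopes"] & RISKY_SCOPES:
            reasons.append("new_app_with_risky_scopes")
        if reasons:
            findings.append({"app": app["Name"], "reasons": reasons,
                             "users": set(app["Users"])})
    return findings


def containment_targets(user_findings, app_findings):
    """Users whose sessions and OAuth tokens to revoke and credentials to rotate
    during triage: anyone authorised to a flagged app, plus privileged users
    without MFA."""
    targets = {f["user"] for f in user_findings if f["rule"] == "privileged_without_mfa"}
    for f in app_findings:
        targets |= f["users"]
    return targets


if __name__ == "__main__":
    user_findings = audit_users(USERS)
    app_findings = audit_connected_apps(CONNECTED_APPS, APPROVED_APPS, NOW)
    for f in user_findings:
        print(f"[{f['rule']}] user={f['user']} perms={f['perms']}")
    for f in app_findings:
        print(f"[connected_app] {f['app']}: {', '.join(f['reasons'])}")
    print("revoke sessions/tokens and rotate credentials for:",
          sorted(containment_targets(user_findings, app_findings)))
```

The containment set deliberately includes every user authorised to a flagged app, not only the app's creator, because a persistent refresh token issued to any of those users survives a password reset until it is revoked. Treat the output as a worklist for the triage step, and preserve the relevant Login History and Setup Audit Trail entries before revoking anything.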
Conclusion
The FBI FLASH alert about UNC6040 and UNC6395 targeting Salesforce environments is a timely reminder that attackers treat SaaS platforms as high-value targets. Defenders should prioritize identity and integration hygiene, expand logging and monitoring of data access and exports, and ensure incident response plans explicitly cover SaaS compromise scenarios. Rapid detection, token/session revocation, and forensic preservation are the immediate priorities if there is any indication of compromise.
Source: www.bleepingcomputer.com