Google cyber researchers were tracking the ShinyHunters group's Salesforce attacks - then realized they'd also fallen victim
Briefly

The Google Threat Intelligence Group (GTIG) reported that one of Google's own Salesforce instances, used to store contact information for small and medium-sized business customers, was breached by the ShinyHunters cybercriminal group, whose activity Google tracks as UNC6040. The attackers got in through social engineering rather than a software vulnerability. The data they retrieved was mostly basic, largely public business information such as business names and contact details. Google's investigation found that UNC6040 typically tricks victims into authorizing a malicious connected app that mimics Salesforce's Data Loader tool, then uses that app's API access to exfiltrate data from the customer's Salesforce environment.
"Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off," Google said.
"The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details."
"A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal," the firm explained.
"During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version."
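The tactic in the quote above works because the consent prompt for a lookalike connected app looks much like the one for the real Data Loader, and the app is granted API access once a user clicks through. The check below is an added example, not code from IT Pro, Google or Salesforce: it runs over a constructed list of connected-app OAuth grants (the record layout is a stand-in for whatever your own export looks like, not Salesforce's schema) and flags apps whose name imitates Data Loader without matching an assumed, org-specific allowlist, plus any non-allowlisted, user-approved app that holds scopes broad enough to bulk-export data. The allowlisted names and scope list are assumptions to be replaced with values from a known-good inventory.

```python
"""Flag Data Loader lookalike connected apps in an OAuth grant export.

Added example; the record layout, allowlist and scope list are assumptions.
"""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumed allowlist: names the genuine Data Loader presents in this hypothetical
# org. Build yours from a known-good Connected Apps OAuth Usage export.
LEGIT_DATA_LOADER_NAMES = {"Dataloader Bulk", "Dataloader Partner"}

# Assumed policy list: scopes that let a connected app pull whole objects out.
BULK_EXPORT_SCOPES = frozenset({"api", "full", "refresh_token"})


@dataclass
class ConnectedAppGrant:
    """One OAuth grant of a connected app (constructed layout, not Salesforce's)."""
    app_name: str
    user: str
    scopes: frozenset
    approved_via_user_consent: bool  # True when an end user clicked Allow


def normalize(name: str) -> str:
    """Fold accents, case and punctuation so 'Dáta‑Loader' and 'DataLoader' compare alike."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", stripped.casefold())


def is_allowlisted(name: str) -> bool:
    """Exact match against the normalized allowlist."""
    return normalize(name) in {normalize(n) for n in LEGIT_DATA_LOADER_NAMES}


def is_data_loader_lookalike(name: str, threshold: float = 0.8) -> bool:
    """True when the name resembles a legitimate Data Loader name but is not one."""
    if is_allowlisted(name):
        return False
    n = normalize(name)
    if "dataload" in n:  # catches 'Data Loader (Salesforce)', 'SFDC DataLoader v2', ...
        return True
    return any(
        SequenceMatcher(None, n, normalize(legit)).ratio() >= threshold
        for legit in LEGIT_DATA_LOADER_NAMES
    )


def triage(grants):
    """Return [(grant, [reasons])] for every grant an analyst should look at."""
    findings = []
    for g in grants:
        reasons = []
        if is_data_loader_lookalike(g.app_name):
            reasons.append("name imitates Data Loader but is not an allowlisted app")
        if (not is_allowlisted(g.app_name)
                and g.approved_via_user_consent
                and g.scopes & BULK_EXPORT_SCOPES):
            reasons.append("user-approved, non-allowlisted app holds bulk export scopes")
        if reasons:
            findings.append((g, reasons))
    return findings


# Constructed sample grants: one genuine Data Loader grant, two lookalikes
# (one using a Unicode homoglyph), and an unrelated but broadly scoped app.
SAMPLE_GRANTS = [
    ConnectedAppGrant("Dataloader Bulk", "alice", frozenset({"api", "refresh_token"}), True),
    ConnectedAppGrant("Data Loader (Salesforce)", "bob", frozenset({"api", "refresh_token", "full"}), True),
    ConnectedAppGrant("Dáta‑Loader", "carol", frozenset({"api"}), True),
    ConnectedAppGrant("Slack", "dave", frozenset({"api", "refresh_token"}), True),
]

if __name__ == "__main__":
    for grant, reasons in triage(SAMPLE_GRANTS):
        print(f"{grant.user}: {grant.app_name!r}")
        for r in reasons:
            print(f"  - {r}")
```

The name check is deliberately loose: an attacker controls the label on the consent page, so anything containing "dataload" or scoring close to an allowlisted name is worth a look. The scope check is the more durable signal, since an app that cannot call the API cannot export anything; expect it to surface legitimate integrations too, which is why it is tied to the allowlist rather than treated as an alert on its own.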
Read at IT Pro