#dataextortion — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #dataextortion, aggregated by home.social.
-
FBI Warns Law Firms of Silent Ransom Group's In-Person Data Heists
The FBI is sounding the alarm for US-based law firms after the Silent Ransom Group, a notorious data-extortion gang, claimed over 100 attacks - with a recent surge in activity that's left experts on high alert. This group's twist? They're using in-person tactics, combined with social engineering, to get their hands on sensitive data.
#SilentRansomGroup #Ransomware #DataExtortion #LawFirms #Russia
-
FBI Warns Law Firms of In-Person Extortion Tactics by Silent Ransom Group
The FBI is sounding the alarm for US law firms, warning them of a growing threat from the Silent Ransom Group, which targets the legal industry for its highly sensitive data and uses in-person extortion tactics. This group has been linked to a string of incidents, and the FBI is urging law firms to be vigilant.
#SilentRansomGroup #LawFirms #DataExtortion #InpersonExtortion #EmergingThreats
-
ShinyHunters Targets Canvas in High-Stakes Data Extortion Bid
ShinyHunters has made a brazen move, claiming to have stolen a massive 3.65 terabytes of data from Canvas, putting 275 million records across 8,809 school systems at risk. The cybercriminal group is now demanding an undisclosed ransom from Instructure, escalating threats by hijacking login pages at hundreds of institutions.
#DataExtortion #Shinyhunters #EducationSector #Ransomware #EmergingThreats
-
Germany Faces Resurgence in Cyber Extortion Attacks
Germany has taken a concerning leap to the forefront of Europe's cyber extortion crisis, with a 92% surge in data leak victims listed in 2025 - nearly triple the European average. This alarming trend highlights the country's growing vulnerability to targeted cyber attacks.
#CyberExtortion #Germany #Europe #DataExtortion #EmergingThreats
-
Analysis: Two World Leaks claims surfaced alongside transit information outages in Blacksburg and Los Angeles #WorldLeaks #DataExtortion #LAMetro #Virginia #BlacksburgTransit #HuntersInternational https://dysruptionhub.com/world-leaks-blacksburg-los-angeles-transit-analysis/
-
Colombia’s CNSC Targeted in 2.9 TB Data Extortion Attack https://dailydarkweb.net/colombias-cnsc-targeted-in-2-9-tb-data-extortion-attack/ #NationalCivilServiceCommissionofColombia #dataextortion #DataBreaches #PublicSector #databreach #government #ransomware #Colombia #CNSC
-
Defensoría del Pueblo de Colombia Hit by Data Breach https://dailydarkweb.net/defensoria-del-pueblo-de-colombia-hit-by-data-breach/ #DefensoríadelPueblodeColombia #dataextortion #DataBreaches #cyberattack #HumanRights #databreach #government #ransomware #Colombia
-
Doctor Alliance Hit by Ransomware Attack and Data Breach https://dailydarkweb.net/doctor-alliance-hit-by-ransomware-attack-and-data-breach/ #HealthcareTechnology #DoctorAlliance #dataextortion #DataBreaches #UnitedStates #databreach #Healthcare #ransomware #Dallas
-
Gerson & Schwartz Law Firm Hit by Pear Ransomware Attack https://dailydarkweb.net/gerson-schwartz-law-firm-hit-by-pear-ransomware-attack/ #Gerson&Schwartz #RansomwareNews #PEARRansomware #dataextortion #legalservices #databreach #ransomware #lawfirm #PHI #PII #USA
-
Victorian Chemical Hit by RansomHouse Ransomware Attack https://dailydarkweb.net/victorian-chemical-hit-by-ransomhouse-ransomware-attack/ #ChemicalManufacturing #IndustrialChemicals #VictorianChemical #RansomwareNews #dataextortion #RansomHouse #databreach #ransomware #australia #Vicchem
-
Israeli IT Firm Sensory Hit by Major Data Extortion Attack https://dailydarkweb.net/israeli-it-firm-sensory-hit-by-major-data-extortion-attack/ #municipalities #CyberSecurity #dataextortion #DataBreaches #cyberattack #databreach #ITservices #PIILeak #Sensory #Israel #govil
-
Crimson Collective Breaches Loteria de Medellin, Leaks Winner Data https://dailydarkweb.net/crimson-collective-breaches-loteria-de-medellin-leaks-winner-data/ #CrimsonCollective #LoteriadeMedellin #CyberSecurity #dataextortion #DataBreaches #databreach #Colombia #Lottired #Nintendo #RedHat #PII
-
I find the ShinyHunters (UNC6040/UNC6240) Salesforce Campaign really interesting, because it highlights the impact of two key threat vectors/types that - in my conversations, at least - aren't being accounted for by traditional TI teams.
1. Data Theft & Extortion Actors
2. Actors capitalising on 3rd Party Platform Applications
Curious to know - do your orgs track and threat model opportunistic Data Theft and Extortion Actors, or just focus on the APTs and ransomware groups of the world?
The largest ransom payment in history was $75 million to the Dark Angels Ransomware group in 2024, purportedly by pharma giant Cencora. With 27TB of corporate data stolen from the org and no mention of ransomware being deployed, the eye-watering payment was to prevent leaking/sale of the stolen data which included customer "names, addresses, dates of birth, diagnoses, prescriptions and medications."
The group weren't well known prior to the attack, and the absence of ransomware being deployed highlights the need to prioritise the identification and protection of sensitive data and customer PII - agnostic of whatever group might seek to target it.
Also, we're all aware of malicious OAuth applications in O365, but are your orgs aware of, monitoring, and locking down 3rd party platform integrations?
For those unaware of the campaign, here's the AI-generated TLDR of a Google report on the activity: https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Threat Summary: UNC6040/ShinyHunters Voice Phishing and Data Extortion Campaign
Key Points & Technical Summary:
A financially motivated threat cluster, tracked by Google as UNC6040, has been conducting a widespread campaign targeting organizations' Salesforce CRM instances. The campaign's primary objective is large-scale data theft for the purpose of extortion, which is carried out by a related cluster, UNC6240. This group often uses the moniker ShinyHunters in their communications with victims.
The core of the attack vector is a sophisticated voice phishing (vishing) campaign. The threat actors impersonate corporate IT support personnel in phone calls to employees of the targeted organization.
The primary technical steps of the attack are as follows:
* Social Engineering: The actor guides the targeted employee to Salesforce's connected app setup page.
* Malicious App Authorization: The employee is convinced to authorize a malicious version of the "Data Loader" application. This is done by having the employee enter a connection code provided by the attacker, which links the attacker-controlled application to the victim's Salesforce environment.
* Data Exfiltration: Once the malicious app is authorized, UNC6040 gains significant API access, allowing them to query and exfiltrate sensitive data from the Salesforce instance. While initially leveraging modified versions of the Salesforce Data Loader, the group has evolved its tooling to include custom Python-based scripts for data extraction.
* Anonymization: The attackers utilize services like Mullvad VPN and TOR exit nodes to initiate the vishing calls and for data exfiltration, complicating attribution and tracking efforts.
* Extortion: Following the data theft, UNC6240 initiates contact with the victim organization, demanding a ransom payment in Bitcoin, typically within a 72-hour timeframe, to prevent the public release of the stolen data. The group is also reportedly preparing to launch a dedicated data leak site to increase pressure on victims.
Additional Context & Related Activity
Activity Cluster:
The activity is attributed to the cluster pair UNC6040 (initial access and data theft) and UNC6240 (extortion). This group leverages the reputation of the well-known ShinyHunters extortion group to intimidate victims. The cluster is financially motivated and has demonstrated a growing sophistication in its social engineering tactics and technical tooling.
Other Compromises & Targets:
This campaign has impacted numerous high-profile organizations across various sectors. Besides Google, other publicly confirmed victims of this campaign include:
* Cisco
* Chanel
* Adidas
The targeting appears to be opportunistic, focusing on multinational corporations that are heavy users of Salesforce CRM. There has been an initial focus on English-speaking employees.
Techniques & TTPs:
Beyond the core vishing-to-malicious-app-authorization chain, other observed Tactics, Techniques, and Procedures (TTPs) include:
* Credential Targeting: In some cases, the actors have targeted Okta credentials, likely obtained through prior infostealer malware infections or separate phishing campaigns.
* Lateral Movement: Using compromised credentials, the actors have been observed moving laterally within victim networks to access and exfiltrate data from other systems, including Microsoft 365.
* Reconnaissance: The group conducts thorough reconnaissance to craft convincing narratives, identifying internal application names and IT support procedures to make their vishing calls more credible.
Timeline:
* June 4, 2025: Google's Threat Intelligence Group (GTIG) first publishes a warning about the rise in vishing and extortion activity targeting Salesforce customers, designating the threat actor as UNC6040.
* June 2025: Google becomes a victim of the same campaign, with one of its own corporate Salesforce instances being breached. The compromised data was related to small and medium-sized business contacts.
* July 24, 2025: Cisco identifies a similar breach of its CRM system resulting from a vishing attack.
* Early August 2025: Google, Cisco, and other victims publicly disclose the breaches. Google updates its original blog post to include the fact that it was also a victim. Extortion demands from UNC6240/ShinyHunters follow these disclosures.
#CyberSecurity #ThreatIntelligence #ShinyHunters #DataExtortion #SalesforceSecurity #Vishing #ThirdPartyRisk #ThreatModeling #IncidentResponse #UNC6040 #UNC6240 #Ransomware #Salesforce #InformationSecurity #Infosec #Cybersec #ThreatIntel #Cisco #Google #CyberAttack
-
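The chain summarised in the post above (employee talked into authorizing an attacker-controlled "Data Loader" connected app, followed by bulk API reads) is the kind of sequence a SOC can alert on from Salesforce event monitoring. The following is an added example written for this page; it is not code from the original post or from Google's report. The event field names (`event`, `app_key`, `rows`, ...), the allowlist, the one-hour window and the 50,000-row threshold are all assumptions, and the events are constructed sample data, not real telemetry. The allowlist is keyed on the app's client/consumer key rather than its display name precisely because the attacker's app is a look-alike "Data Loader"; the block also shows what a name-based allowlist would miss.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical allowlist keyed on the connected app's client/consumer key,
# not its display name. The post describes a *malicious version* of "Data
# Loader", so a name-based allowlist would match the attacker's app too.
APPROVED_APP_KEYS = {
    "ck-corp-dataloader": "Data Loader",
    "ck-corp-bisync": "Internal BI Sync",
}
APPROVED_APP_NAMES = set(APPROVED_APP_KEYS.values())  # the weak, name-based variant

# Tuning assumptions: bulk reads within WINDOW of an unapproved authorization
# that exceed ROW_THRESHOLD rows escalate the finding to high.
WINDOW = timedelta(hours=1)
ROW_THRESHOLD = 50_000

# Constructed sample events (not real telemetry). Field names are loosely
# modelled on Salesforce event monitoring exports and are assumptions.
SAMPLE_EVENTS = [
    # jdoe is talked through approving an attacker-controlled "Data Loader",
    # then the app bulk-reads the org within minutes.
    {"ts": "2025-06-10T14:02:11Z", "event": "ConnectedAppAuthorized", "user": "jdoe",
     "app": "Data Loader", "app_key": "ck-unknown-9f3a", "ip": "198.51.100.7", "rows": 0},
    {"ts": "2025-06-10T14:05:40Z", "event": "BulkApiQuery", "user": "jdoe",
     "app": "Data Loader", "app_key": "ck-unknown-9f3a", "ip": "198.51.100.7", "rows": 120_000},
    {"ts": "2025-06-10T14:09:02Z", "event": "BulkApiQuery", "user": "jdoe",
     "app": "Data Loader", "app_key": "ck-unknown-9f3a", "ip": "198.51.100.7", "rows": 250_000},
    # Legitimate integration doing a large but approved export.
    {"ts": "2025-06-10T09:00:00Z", "event": "ConnectedAppAuthorized", "user": "ops-svc",
     "app": "Internal BI Sync", "app_key": "ck-corp-bisync", "ip": "203.0.113.10", "rows": 0},
    {"ts": "2025-06-10T09:10:00Z", "event": "BulkApiQuery", "user": "ops-svc",
     "app": "Internal BI Sync", "app_key": "ck-corp-bisync", "ip": "203.0.113.10", "rows": 400_000},
    # Unapproved app authorized, but the read comes hours later (outside WINDOW).
    {"ts": "2025-06-11T08:00:00Z", "event": "ConnectedAppAuthorized", "user": "asmith",
     "app": "Data Loader", "app_key": "ck-unknown-77c1", "ip": "203.0.113.11", "rows": 0},
    {"ts": "2025-06-11T12:30:00Z", "event": "BulkApiQuery", "user": "asmith",
     "app": "Data Loader", "app_key": "ck-unknown-77c1", "ip": "203.0.113.11", "rows": 90_000},
]


@dataclass(frozen=True)
class Finding:
    severity: str       # "high" or "medium"
    user: str
    app: str
    app_key: str
    rows_exported: int  # bulk rows read by this user+app inside the window
    reason: str


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_unapproved_app_exports(events, approved=None, key_field="app_key",
                                window=WINDOW, row_threshold=ROW_THRESHOLD):
    """Flag every connected-app authorization whose `key_field` value is not
    on the allowlist; escalate to high when bulk API reads by the same user
    through the same app follow within `window`. Approved apps are ignored
    here regardless of volume: that belongs to a separate baseline rule."""
    if approved is None:
        approved = APPROVED_APP_KEYS
    events = sorted(events, key=lambda e: _parse_ts(e["ts"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "ConnectedAppAuthorized" or ev[key_field] in approved:
            continue
        t0 = _parse_ts(ev["ts"])
        rows = sum(
            later["rows"] for later in events[i + 1:]
            if later["event"] == "BulkApiQuery"
            and later["user"] == ev["user"]
            and later["app_key"] == ev["app_key"]
            and _parse_ts(later["ts"]) - t0 <= window
        )
        if rows >= row_threshold:
            findings.append(Finding("high", ev["user"], ev["app"], ev["app_key"], rows,
                                    f"bulk API export within {window} of unapproved app authorization"))
        else:
            findings.append(Finding("medium", ev["user"], ev["app"], ev["app_key"], rows,
                                    "connected app authorized outside the allowlist"))
    return findings


if __name__ == "__main__":
    for f in find_unapproved_app_exports(SAMPLE_EVENTS):
        print(f"[{f.severity}] user={f.user} app={f.app!r} key={f.app_key} "
              f"rows={f.rows_exported}: {f.reason}")
    # Same events, allowlist on display name: the spoofed "Data Loader" passes.
    print("name-based findings:", len(find_unapproved_app_exports(
        SAMPLE_EVENTS, approved=APPROVED_APP_NAMES, key_field="app")))
```

On the sample data the key-based rule produces one high finding (jdoe: 370,000 rows read through an unknown app within minutes of authorizing it) and one medium finding (asmith: unknown app authorized, no bulk read inside the window), while the name-based variant produces nothing because both unknown apps call themselves "Data Loader". The window and row threshold are tuning knobs, not findings from the report; the anonymizing exit IPs the post mentions (Mullvad, Tor) would be a natural extra enrichment on the `ip` field but are deliberately not modelled here.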
I find the ShinyHunters (UNC6040/UNC6240) Salesforce Campaign really interesting, because it highlights the impact of two key threat vectors/types that - in my conversations , at least - aren't being accounted for by traditional TI teams.
1. Data Theft & Extorsion Actors
2. Actors capitalising on 3rd Party Platform ApplicationsCurious to know - do your orgs track and threat model opportunistic Data Theft and Extorsion Actors, or just focus on the APTs and ransomware groups of the world?
The largest ransom payment in history was $75 million to the Dark Angels Ransomware group in 2024, purportedly by pharma giant Cencora. With 27TB of corporate data stolen from the org and no mention of ransomware being deployed, the eye-watering payment was to prevent leaking/sale of the stolen data which included customer "names, addresses, dates of birth, diagnoses, prescriptions and medications."
The group weren't well known prior to the attack, and the absence of ransomware being deployed highlights the need to prioritise the identification and protection of sensitive data and customer PII - agnostic of whatever group might seek to target it.
Also, we're all aware of Malicious OAuth applications in o365, but are your orgs aware of; monitoring, and locking down 3rd party platform integrations?
For those unaware of the campaign, here's the AI-generated TLDR of a Google report in the activity: Https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Threat Summary: UNC6040/ShinyHunters Voice Phishing and Data Extortion Campaign
Key Points & Technical Summary:
A financially motivated threat cluster, tracked by Google as UNC6040, has been conducting a widespread campaign targeting organizations' Salesforce CRM instances. The campaign's primary objective is large-scale data theft for the purpose of extortion, which is carried out by a related cluster, UNC6240. This group often uses the moniker ShinyHunters in their communications with victims.
The core of the attack vector is a sophisticated voice phishing (vishing) campaign. The threat actors impersonate corporate IT support personnel in phone calls to employees of the targeted organization.
The primary technical steps of the attack are as follows:
* Social Engineering: The actor guides the targeted employee to Salesforce's connected app setup page.
* Malicious App Authorization: The employee is convinced to authorize a malicious version of the "Data Loader" application. This is done by having the employee enter a connection code provided by the attacker, which links the attacker-controlled application to the victim's Salesforce environment.
* Data Exfiltration: Once the malicious app is authorized, UNC6040 gains significant API access, allowing them to query and exfiltrate sensitive data from the Salesforce instance. While initially leveraging modified versions of the Salesforce Data Loader, the group has evolved its tooling to include custom Python-based scripts for data extraction.
* Anonymization: The attackers utilize services like Mullvad VPN and TOR exit nodes to initiate the vishing calls and for data exfiltration, complicating attribution and tracking efforts.
* Extortion: Following the data theft, UNC6240 initiates contact with the victim organization, demanding a ransom payment in Bitcoin, typically within a 72-hour timeframe, to prevent the public release of the stolen data. The group is also reportedly preparing to launch a dedicated data leak site to increase pressure on victims.Additional Context & Related Activity
Activity Cluster:
The activity is attributed to the cluster pair UNC6040 (initial access and data theft) and UNC6240 (extortion). This group leverages the reputation of the well-known ShinyHunters extortion group to intimidate victims. The cluster is financially motivated and has demonstrated a growing sophistication in its social engineering tactics and technical tooling.
Other Compromises & Targets:
This campaign has impacted numerous high-profile organizations across various sectors. Besides Google, other publicly confirmed victims of this campaign include:
* Cisco
* Chanel
* AdidasThe targeting appears to be opportunistic, focusing on multinational corporations that are heavy users of Salesforce CRM. There has been an initial focus on English-speaking employees.
Techniques & TTPs:
Beyond the core vishing-to-malicious-app-authorization chain, other observed Tactics, Techniques, and Procedures (TTPs) include:
* Credential Targeting: In some cases, the actors have targeted Okta credentials, likely obtained through prior infostealer malware infections or separate phishing campaigns.
* Lateral Movement: Using compromised credentials, the actors have been observed moving laterally within victim networks to access and exfiltrate data from other systems, including Microsoft 365.
* Reconnaissance: The group conducts thorough reconnaissance to craft convincing narratives, identifying internal application names and IT support procedures to make their vishing calls more credible.Timeline:
* June 4, 2025: Google's Threat Intelligence Group (GTIG) first publishes a warning about the rise in vishing and extortion activity targeting Salesforce customers, designating the threat actor as UNC6040.
* June 2025: Google becomes a victim of the same campaign, with one of its own corporate Salesforce instances being breached. The compromised data was related to small and medium-sized business contacts.
* July 24, 2025: Cisco identifies a similar breach of its CRM system resulting from a vishing attack.
* Early August 2025: Google, Cisco, and other victims publicly disclose the breaches. Google updates its original blog post to include the fact that it was also a victim. Extortion demands from UNC6240/ShinyHunters follow these disclosures.#CyberSecurity #ThreatIntelligence #ShinyHunters #DataExtortion #SalesforceSecurity #Vishing #ThirdPartyRisk #ThreatModeling #IncidentResponse #UNC6040 #UNC6240 #Ransomware #Salesforce #InformationSecurity #Infosec #Cybersec #ThreatIntel
#Cisco #Google #CyberAttack -
I find the ShinyHunters (UNC6040/UNC6240) Salesforce Campaign really interesting, because it highlights the impact of two key threat vectors/types that - in my conversations , at least - aren't being accounted for by traditional TI teams.
1. Data Theft & Extorsion Actors
2. Actors capitalising on 3rd Party Platform ApplicationsCurious to know - do your orgs track and threat model opportunistic Data Theft and Extorsion Actors, or just focus on the APTs and ransomware groups of the world?
The largest ransom payment in history was $75 million to the Dark Angels Ransomware group in 2024, purportedly by pharma giant Cencora. With 27TB of corporate data stolen from the org and no mention of ransomware being deployed, the eye-watering payment was to prevent leaking/sale of the stolen data which included customer "names, addresses, dates of birth, diagnoses, prescriptions and medications."
The group weren't well known prior to the attack, and the absence of ransomware being deployed highlights the need to prioritise the identification and protection of sensitive data and customer PII - agnostic of whatever group might seek to target it.
Also, we're all aware of Malicious OAuth applications in o365, but are your orgs aware of; monitoring, and locking down 3rd party platform integrations?
For those unaware of the campaign, here's the AI-generated TLDR of a Google report in the activity: Https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Threat Summary: UNC6040/ShinyHunters Voice Phishing and Data Extortion Campaign
Key Points & Technical Summary:
A financially motivated threat cluster, tracked by Google as UNC6040, has been conducting a widespread campaign targeting organizations' Salesforce CRM instances. The campaign's primary objective is large-scale data theft for the purpose of extortion, which is carried out by a related cluster, UNC6240. This group often uses the moniker ShinyHunters in their communications with victims.
The core of the attack vector is a sophisticated voice phishing (vishing) campaign. The threat actors impersonate corporate IT support personnel in phone calls to employees of the targeted organization.
The primary technical steps of the attack are as follows:
* Social Engineering: The actor guides the targeted employee to Salesforce's connected app setup page.
* Malicious App Authorization: The employee is convinced to authorize a malicious version of the "Data Loader" application. This is done by having the employee enter a connection code provided by the attacker, which links the attacker-controlled application to the victim's Salesforce environment.
* Data Exfiltration: Once the malicious app is authorized, UNC6040 gains significant API access, allowing them to query and exfiltrate sensitive data from the Salesforce instance. While initially leveraging modified versions of the Salesforce Data Loader, the group has evolved its tooling to include custom Python-based scripts for data extraction.
* Anonymization: The attackers utilize services like Mullvad VPN and TOR exit nodes to initiate the vishing calls and for data exfiltration, complicating attribution and tracking efforts.
* Extortion: Following the data theft, UNC6240 initiates contact with the victim organization, demanding a ransom payment in Bitcoin, typically within a 72-hour timeframe, to prevent the public release of the stolen data. The group is also reportedly preparing to launch a dedicated data leak site to increase pressure on victims.Additional Context & Related Activity
Activity Cluster:
The activity is attributed to the cluster pair UNC6040 (initial access and data theft) and UNC6240 (extortion). This group leverages the reputation of the well-known ShinyHunters extortion group to intimidate victims. The cluster is financially motivated and has demonstrated a growing sophistication in its social engineering tactics and technical tooling.
Other Compromises & Targets:
This campaign has impacted numerous high-profile organizations across various sectors. Besides Google, other publicly confirmed victims of this campaign include:
* Cisco
* Chanel
* AdidasThe targeting appears to be opportunistic, focusing on multinational corporations that are heavy users of Salesforce CRM. There has been an initial focus on English-speaking employees.
Techniques & TTPs:
Beyond the core vishing-to-malicious-app-authorization chain, other observed Tactics, Techniques, and Procedures (TTPs) include:
* Credential Targeting: In some cases, the actors have targeted Okta credentials, likely obtained through prior infostealer malware infections or separate phishing campaigns.
* Lateral Movement: Using compromised credentials, the actors have been observed moving laterally within victim networks to access and exfiltrate data from other systems, including Microsoft 365.
* Reconnaissance: The group conducts thorough reconnaissance to craft convincing narratives, identifying internal application names and IT support procedures to make their vishing calls more credible.Timeline:
* June 4, 2025: Google's Threat Intelligence Group (GTIG) first publishes a warning about the rise in vishing and extortion activity targeting Salesforce customers, designating the threat actor as UNC6040.
* June 2025: Google becomes a victim of the same campaign, with one of its own corporate Salesforce instances being breached. The compromised data was related to small and medium-sized business contacts.
* July 24, 2025: Cisco identifies a similar breach of its CRM system resulting from a vishing attack.
* Early August 2025: Google, Cisco, and other victims publicly disclose the breaches. Google updates its original blog post to include the fact that it was also a victim. Extortion demands from UNC6240/ShinyHunters follow these disclosures.#CyberSecurity #ThreatIntelligence #ShinyHunters #DataExtortion #SalesforceSecurity #Vishing #ThirdPartyRisk #ThreatModeling #IncidentResponse #UNC6040 #UNC6240 #Ransomware #Salesforce #InformationSecurity #Infosec #Cybersec #ThreatIntel
#Cisco #Google #CyberAttack -
I find the ShinyHunters (UNC6040/UNC6240) Salesforce Campaign really interesting, because it highlights the impact of two key threat vectors/types that - in my conversations , at least - aren't being accounted for by traditional TI teams.
1. Data Theft & Extorsion Actors
2. Actors capitalising on 3rd Party Platform ApplicationsCurious to know - do your orgs track and threat model opportunistic Data Theft and Extorsion Actors, or just focus on the APTs and ransomware groups of the world?
The largest ransom payment in history was $75 million to the Dark Angels Ransomware group in 2024, purportedly by pharma giant Cencora. With 27TB of corporate data stolen from the org and no mention of ransomware being deployed, the eye-watering payment was to prevent leaking/sale of the stolen data which included customer "names, addresses, dates of birth, diagnoses, prescriptions and medications."
The group weren't well known prior to the attack, and the absence of ransomware being deployed highlights the need to prioritise the identification and protection of sensitive data and customer PII - agnostic of whatever group might seek to target it.
Also, we're all aware of Malicious OAuth applications in o365, but are your orgs aware of; monitoring, and locking down 3rd party platform integrations?
For those unaware of the campaign, here's the AI-generated TLDR of a Google report in the activity: Https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
Threat Summary: UNC6040/ShinyHunters Voice Phishing and Data Extortion Campaign
Key Points & Technical Summary:
A financially motivated threat cluster, tracked by Google as UNC6040, has been conducting a widespread campaign targeting organizations' Salesforce CRM instances. The campaign's primary objective is large-scale data theft for the purpose of extortion, which is carried out by a related cluster, UNC6240. This group often uses the moniker ShinyHunters in their communications with victims.
The core of the attack vector is a sophisticated voice phishing (vishing) campaign. The threat actors impersonate corporate IT support personnel in phone calls to employees of the targeted organization.
The primary technical steps of the attack are as follows:
* Social Engineering: The actor guides the targeted employee to Salesforce's connected app setup page.
* Malicious App Authorization: The employee is convinced to authorize a malicious version of the "Data Loader" application. This is done by having the employee enter a connection code provided by the attacker, which links the attacker-controlled application to the victim's Salesforce environment.
* Data Exfiltration: Once the malicious app is authorized, UNC6040 gains significant API access, allowing them to query and exfiltrate sensitive data from the Salesforce instance. While initially leveraging modified versions of the Salesforce Data Loader, the group has evolved its tooling to include custom Python-based scripts for data extraction.
* Anonymization: The attackers utilize services like Mullvad VPN and TOR exit nodes to initiate the vishing calls and for data exfiltration, complicating attribution and tracking efforts.
* Extortion: Following the data theft, UNC6240 initiates contact with the victim organization, demanding a ransom payment in Bitcoin, typically within a 72-hour timeframe, to prevent the public release of the stolen data. The group is also reportedly preparing to launch a dedicated data leak site to increase pressure on victims.
Additional Context & Related Activity
Activity Cluster:
The activity is attributed to the cluster pair UNC6040 (initial access and data theft) and UNC6240 (extortion). This group leverages the reputation of the well-known ShinyHunters extortion group to intimidate victims. The cluster is financially motivated and has demonstrated a growing sophistication in its social engineering tactics and technical tooling.
Other Compromises & Targets:
This campaign has impacted numerous high-profile organizations across various sectors. Besides Google, other publicly confirmed victims of this campaign include:
* Cisco
* Chanel
* Adidas
The targeting appears to be opportunistic, focusing on multinational corporations that are heavy users of Salesforce CRM. There has been an initial focus on English-speaking employees.
Techniques & TTPs:
Beyond the core vishing-to-malicious-app-authorization chain, other observed Tactics, Techniques, and Procedures (TTPs) include:
* Credential Targeting: In some cases, the actors have targeted Okta credentials, likely obtained through prior infostealer malware infections or separate phishing campaigns.
* Lateral Movement: Using compromised credentials, the actors have been observed moving laterally within victim networks to access and exfiltrate data from other systems, including Microsoft 365.
* Reconnaissance: The group conducts thorough reconnaissance to craft convincing narratives, identifying internal application names and IT support procedures to make their vishing calls more credible.
Timeline:
* June 4, 2025: Google's Threat Intelligence Group (GTIG) first publishes a warning about the rise in vishing and extortion activity targeting Salesforce customers, designating the threat actor as UNC6040.
* June 2025: Google becomes a victim of the same campaign, with one of its own corporate Salesforce instances being breached. The compromised data was related to small and medium-sized business contacts.
* July 24, 2025: Cisco identifies a similar breach of its CRM system resulting from a vishing attack.
* Early August 2025: Google, Cisco, and other victims publicly disclose the breaches. Google updates its original blog post to include the fact that it was also a victim. Extortion demands from UNC6240/ShinyHunters follow these disclosures.
#CyberSecurity #ThreatIntelligence #ShinyHunters #DataExtortion #SalesforceSecurity #Vishing #ThirdPartyRisk #ThreatModeling #IncidentResponse #UNC6040 #UNC6240 #Ransomware #Salesforce #InformationSecurity #Infosec #Cybersec #ThreatIntel
#Cisco #Google #CyberAttack -
‼️ Google’s Threat Intelligence Group identified a campaign by threat actors tracked as UNC6040 and tied to ShinyHunters that uses voice phishing to get employees to install a spoofed Salesforce Data Loader app. 😳 This grants the attackers direct access to Salesforce environments, enabling large-scale data theft and later extortion. Victim organizations span Europe and the Americas, and even Google’s own Salesforce instance was compromised.
TL;DR
⚠️ Modified Data Loader via connected app grants CRM access
🔐 Vishing calls impersonate IT support to trick users
🧠 Affects about 20 organizations, including major brands
🔍 Salesforce confirms no platform flaw, blames social engineering
https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/
#Cybersecurity #SocialEngineering #DataExtortion #SalesforceSecurity #security #privacy #cloud #infosec -
Tech Giant Dell Allegedly Hit by WorldLeaks Ransomware – 1.3 TB of Data at Risk https://dailydarkweb.net/tech-giant-dell-allegedly-hit-by-worldleaks-ransomware-1-3-tb-of-data-at-risk/ #HuntersInternational #RansomwareNews #AllegedAttack #CyberSecurity #dataextortion #databreach #ransomware #technology #WorldLeaks #Dell
-
Ransomware without the ransomware?
In this new episode of Cyberside Chats, @sherridavidoff and @MDurrin unpack the evolving trend of data-only extortion, where threat actors skip the encryption and go straight to blackmail.
From the rebrand of Hunters International to World Leaks, and the rise of extortion-as-a-service, this episode reveals how modern cybercriminals are getting more efficient—and more ruthless.
Watch or listen for strategies to reduce your risk!
📽️ Watch the video: https://youtu.be/eCQXhhdyC-s
🎧 Listen to the podcast: https://www.chatcyberside.com/e/the-rise-of-ransomware-less-extortion-a-new-cyber-threat/
#Cybersecurity #DataExtortion #Ransomware #IncidentResponse #RiskManagement #CISO #LMGSecurity #CybersideChats #CyberInsurance #ThreatIntelligence #InfoSec