Google has now confirmed that it too was impacted by the Salesforce data theft attacks originally uncovered by its own threat intelligence group (GTIG) in June.
In an August 5 update to its June disclosure about an ongoing voice phishing (vishing) campaign targeting Salesforce customers, Google revealed that information related to some of its own customers was compromised.
“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post,” Google said in the update to the June disclosure that revealed details of the “Voice Phishing to Data Extortion” attacks. “The instance was used to store contact information and related notes for small and medium businesses,” the post noted.
The campaign is attributed to a threat group Google tracks as UNC6040, which, after gaining access to a victim's Salesforce environment, moves laterally into other cloud services such as Okta, Microsoft 365, and Workplace to widen the scope of the breach.
According to David Stuart, cybersecurity evangelist at Sentra, the theft of Google-hosted data fits a broader pattern. “This breach is the latest in a string of attacks targeting Salesforce environments, from Qantas to Pandora and now Google,” he said. “It’s a clear signal that attackers are focusing on where data is most concentrated, and often least visible — within cloud SaaS applications.”
Stolen data is publicly available: Google
According to the update, the breach is likely to have a minimal impact due to the nature of the stolen data. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details,” the update said.
Google’s security team was able to contain the theft while it was still in progress. “Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said. In the June disclosure, Google had described something similar without naming itself as the victim. “In one instance, a threat actor used small chunk sizes for data exfiltration from Salesforce but was only able to retrieve approximately 10% of the data before detection and access revocation,” it had noted.
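The “small chunk sizes” detail above is the kind of behaviour a defender can hunt for: a single user or connected app paging through a large object in many small reads inside a short window, which looks different from a scheduled integration that pulls one big batch. The following is an added example, not code from Google, GTIG or Salesforce. It runs a sliding-window detector over constructed log lines that loosely mimic a simplified subset of Salesforce EventLogFile API event columns (the column names, user IDs, app names, IP addresses and the object row counts used to estimate what fraction was retrieved are all assumptions made for this example), and it generalizes the single incident in the text into a reusable check with tunable thresholds.

```python
"""Hunt for 'low and slow' chunked reads in Salesforce-style API event logs.

Added example, not Google/GTIG/Salesforce code. The CSV schema is a
simplified, constructed approximation of EventLogFile API event rows.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Actor 005A1 is a normal integration pulling two
# large batches from a known IP; actor 005B7 is a freshly authorised
# connected app paging through Contact in 200-row chunks from another IP.
_BASE = datetime(2025, 6, 10, 14, 2, 0)
SAMPLE_LOG = (
    "TIMESTAMP_DERIVED,USER_ID,CONNECTED_APP,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP\n"
    "2025-06-10T09:00:00Z,005A1,MarketingSync,Contact,50000,203.0.113.10\n"
    "2025-06-10T09:30:00Z,005A1,MarketingSync,Account,12000,203.0.113.10\n"
    + "".join(
        f"{(_BASE + timedelta(seconds=30 * i)).strftime('%Y-%m-%dT%H:%M:%SZ')},"
        "005B7,My Ticket Portal,Contact,200,198.51.100.7\n"
        for i in range(12)
    )
)

# Constructed row counts per object, e.g. from a periodic SOQL COUNT() job.
OBJECT_SIZES = {"Contact": 24000, "Account": 12000}


def parse_log(text):
    """Parse the CSV text into dicts with typed timestamp and row count."""
    events = []
    for r in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["USER_ID"],
            "app": r["CONNECTED_APP"],
            "entity": r["ENTITY_NAME"],
            "rows": int(r["ROWS_PROCESSED"]),
            "ip": r["CLIENT_IP"],
        })
    return events


def find_chunked_reads(events, max_rows=500, min_requests=10,
                       window=timedelta(minutes=10)):
    """Return one alert per (user, app, object) that issued at least
    `min_requests` reads of at most `max_rows` rows inside any sliding
    window of length `window`. Large single-batch pulls are ignored."""
    by_actor = defaultdict(list)
    for e in events:
        if e["rows"] <= max_rows:
            by_actor[(e["user"], e["app"], e["entity"])].append(e)

    alerts = []
    for (user, app, entity), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_requests:
                alerts.append({
                    "user": user, "app": app, "entity": entity,
                    "requests": len(evs),
                    "rows": sum(e["rows"] for e in evs),
                    "ips": sorted({e["ip"] for e in evs}),
                    "first": evs[0]["ts"], "last": evs[-1]["ts"],
                })
                break  # one alert per actor/object is enough
    return alerts


def fraction_retrieved(alert, object_sizes):
    """Estimate how much of the object the actor pulled before access was
    revoked; None when the object's size is unknown."""
    total = object_sizes.get(alert["entity"])
    return None if not total else alert["rows"] / total


def run():
    """Convenience entry point returning (user, app, object, requests, rows, fraction)."""
    alerts = find_chunked_reads(parse_log(SAMPLE_LOG))
    return [(a["user"], a["app"], a["entity"], a["requests"], a["rows"],
             fraction_retrieved(a, OBJECT_SIZES)) for a in alerts]


if __name__ == "__main__":
    for row in run():
        print(row)
```

On the constructed sample the detector flags only the ticket-portal app, which pulled 2,400 of an assumed 24,000 Contact rows, the same order of magnitude as the “approximately 10%” figure in the text. Thresholds need tuning per org: legitimate integrations also page through objects, so pair this with an allow-list of known connected apps and client IPs, and treat a hit on a connected app that was authorised in the last few days as the higher-priority signal.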
Google did not comment on whether it was aware of the theft of its own data while disclosing the campaign.
The breach’s long-term consequences may be more serious, warned Ben McCarthy, lead cyber security engineer at Immersive. “A key issue is the personal information being accessed in these attacks, such as names and dates of birth, is information that can’t be changed,” he said. “These details, as well as email addresses, are weaponised by cybercriminals for phishing attacks.”
This concern is further amplified by the threat actors themselves, who have reportedly partially confirmed the breach and claimed they are considering simply leaking the data rather than extorting Google.
Attackers may have claimed a Google breach, too
GTIG had also disclosed extortion activity tied to the UNC6040 intrusions, sometimes carried out several months after the initial data theft by a separate cluster, UNC6240, which identified itself as the notorious BreachForums admin ‘ShinyHunters’.
At the time, the GTIG team had presumed the claim to be a tactic to pressure victims into paying quickly; the demands called for payment in bitcoin within 72 hours.
While the attribution hasn’t been confirmed yet, BleepingComputer reports that it spoke with ShinyHunters on Monday, August 5, who claimed to have breached many Salesforce instances in an ongoing campaign, including one belonging to a trillion-dollar company, without confirming that the company was Google. ShinyHunters also reportedly told BleepingComputer that they plan to simply leak the data stolen from this company.
This revelation is particularly interesting given reports that French police arrested ShinyHunters, along with four other BreachForums admins including IntelBroker, in mid-June.
Concerns are likely to escalate if ShinyHunters are indeed behind these attacks. The former admin of the infamous BreachForums hacking forum has long been a fixture in the cyberthreat landscape. Among the group’s most high-profile claims are breaches involving PowerSchool, Oracle Cloud, the Snowflake data-theft attacks, AT&T, and Microsoft’s private GitHub repositories.