FBI Alert: UNC6040 and UNC6395 Cyber Groups Target Salesforce Platforms for Data Theft

TL;DR


The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert warning organizations about cybercriminal groups UNC6040 and UNC6395, which are actively targeting Salesforce platforms for data theft and extortion. These groups employ different initial access mechanisms to compromise systems, posing significant risks to businesses. Organizations are urged to review their security measures and monitor for indicators of compromise (IoCs).

---

FBI Issues Warning About Cybercriminal Groups Targeting Salesforce Platforms



The U.S. Federal Bureau of Investigation (FBI) has released a flash alert detailing the activities of two cybercriminal groups, UNC6040 and UNC6395, which have been linked to a series of data theft and extortion attacks targeting organizations' Salesforce platforms[^1].

Who Are UNC6040 and UNC6395?


UNC6040 and UNC6395 are cybercriminal groups known for their sophisticated tactics in exploiting vulnerabilities within cloud-based platforms. According to the FBI, these groups have recently been observed targeting Salesforce environments, leveraging unique initial access methods to infiltrate systems and steal sensitive data.

How Are They Exploiting Salesforce Platforms?


The FBI's alert highlights that both groups employ distinct techniques to gain unauthorized access to Salesforce platforms:

- UNC6040 is believed to use phishing campaigns and credential harvesting to compromise user accounts.
- UNC6395, on the other hand, may exploit misconfigured security settings or unpatched vulnerabilities within the Salesforce ecosystem.

Once inside, these groups exfiltrate data and, in some cases, demand ransom payments from victims to prevent the release of stolen information.

Why Is This a Concern for Organizations?


Salesforce is a widely used customer relationship management (CRM) platform, hosting vast amounts of sensitive customer and business data. A breach in such systems can lead to:
- Financial losses due to extortion demands.
- Reputational damage from exposed customer data.
- Regulatory penalties for failing to protect user information.

Indicators of Compromise (IoCs)


The FBI's alert includes specific IoCs to help organizations detect potential breaches. These may include:
- Suspicious IP addresses linked to the groups.
- Unusual login patterns from compromised accounts.
- Unauthorized data access or export activities.

Organizations are advised to monitor their systems for these indicators and implement robust security measures to mitigate risks.
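The three indicator types listed above can be correlated in a single pass over audit logs, as in this added example (it is not taken from the FBI alert or from Salesforce). The event records, field names, watchlist address and thresholds are constructed assumptions to be replaced with your own log schema and the addresses published in the alert.

```python
from datetime import datetime, timedelta

# Constructed sample audit events. Field names are hypothetical, not a Salesforce schema.
EVENTS = [
    {"ts": "2025-09-01T09:00:00", "user": "alice", "type": "login", "ip": "198.51.100.10"},
    {"ts": "2025-09-01T09:30:00", "user": "alice", "type": "export", "rows": 200},
    {"ts": "2025-09-02T08:00:00", "user": "bob", "type": "login", "ip": "192.0.2.5"},
    {"ts": "2025-09-02T08:10:00", "user": "bob", "type": "export", "rows": 50000},
    {"ts": "2025-09-03T02:14:00", "user": "alice", "type": "login", "ip": "203.0.113.77"},
    {"ts": "2025-09-03T02:31:00", "user": "alice", "type": "export", "rows": 48000},
    {"ts": "2025-09-03T10:00:00", "user": "bob", "type": "login", "ip": "192.0.2.99"},
    {"ts": "2025-09-03T10:05:00", "user": "bob", "type": "export", "rows": 100},
]
WATCHLIST = {"203.0.113.77"}    # placeholder; load the addresses from the alert here
EXPORT_ROW_LIMIT = 10_000       # assumed threshold for a "bulk" export
WINDOW = timedelta(hours=1)     # assumed correlation window after an unusual login


def find_suspicious(events, watchlist=WATCHLIST):
    """Return (user, timestamp, reason) findings in chronological order."""
    known_ips = {}       # user -> IPs already seen for that user
    unusual_login = {}   # user -> time of the most recent flagged login
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "login":
            seen = known_ips.setdefault(user, set())
            if ev["ip"] in watchlist:
                reason = "watchlisted IP"
            elif seen and ev["ip"] not in seen:
                reason = "first-seen IP"      # the first login only sets the baseline
            else:
                reason = None
            if reason:
                findings.append((user, ev["ts"], f"login from {reason} {ev['ip']}"))
                unusual_login[user] = ts
            seen.add(ev["ip"])
        elif ev["type"] == "export":
            flagged = unusual_login.get(user)
            if ev["rows"] >= EXPORT_ROW_LIMIT and flagged and ts - flagged <= WINDOW:
                findings.append((user, ev["ts"],
                                 f"bulk export of {ev['rows']} rows after unusual login"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(EVENTS):
        print(*finding, sep=" | ")
```

The large export by `bob` on 2025-09-02 is deliberately not reported, because it follows a login from his baseline address; only exports that follow a flagged login within the window are raised.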

---

How Can Organizations Protect Themselves?


To defend against attacks by UNC6040, UNC6395, and similar threat actors, organizations should:

1. Enforce Multi-Factor Authentication (MFA):
   - Require MFA for all Salesforce accounts to prevent unauthorized access.

2. Regularly Audit Security Settings:
   - Review and update access controls and permissions to minimize exposure.

3. Educate Employees on Phishing Risks:
   - Conduct cybersecurity training to help staff recognize and avoid phishing attempts.

4. Monitor for Unusual Activity:
   - Use advanced threat detection tools to identify and respond to suspicious behavior.

5. Patch Known Vulnerabilities:
   - Ensure all software and systems are up-to-date with the latest security patches.

---

Conclusion


The FBI's warning about UNC6040 and UNC6395 underscores the growing threat posed by cybercriminal groups targeting cloud-based platforms like Salesforce. Organizations must proactively strengthen their defenses to prevent data breaches and extortion attempts. By implementing robust security measures and staying vigilant, businesses can reduce their risk and protect their sensitive information.

For more details, refer to the FBI's flash alert[^1].

---

Additional Resources


For further insights on cybersecurity best practices and threat intelligence, explore:
- [Salesforce Security Best Practices](https://www.salesforce.com/products/platform/best-practices/security/)
- [CISA's Guide to Protecting Against Ransomware](https://www.cisa.gov/topics/cyber-threats-and-advisories/ransomware)

---

[^1]: The Hacker News (2025). ["FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks"](https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html). Retrieved 2025-09-13.