IT Support Impersonated in Voice Phishing Campaign

A financially motivated threat group called UNC6040 is being tracked by Google Threat Intelligence Group (GTIG). The group specializes in voice phishing (vishing) and focuses on compromising organizations’ Salesforce instances to enable data theft and extortion.
Over the past few months, the group has demonstrated consistent success in breaching networks by impersonating IT support personnel in telephone calls. By deceiving employees, malicious actors are able to gain access to sensitive credentials. In all observed instances, malicious actors utilize social engineering techniques against end users rather than exploiting vulnerabilities.
Adam Marrè, CISO at Arctic Wolf, comments, “Last year, we talked about AI’s role in mis- and disinformation and the likelihood that it would spread beyond just AI-approved phishing messages. We’ve talked about deepfakes of CEOs and key leadership to exploit an organization financially. A recent cyber trends report even showed that AI is a top cybersecurity concern according to a third of respondents.
“We’re seeing firsthand how threat actors are leveraging AI to increase the speed, scale, and sophistication of their attacks. The news of threat actor group UNC6040 using vishing, or voice phishing, to impersonate IT workers and ultimately access Salesforce data shows the potential power LLMs could have in elevating phishing attacks, making them harder to detect and easier to fall for.
“It’s also important to note that UNC6040 is believed to be part of a cluster within a group called The Com, a collective of threat actors which includes Scattered Spider. One of the challenges in tracking threat activity from entities affiliated with The Com is that they behave less like a monolithic entity and more like a loosely knit community of financially motivated threat actors. Members of this community are well known for their proficiency in conducting sophisticated social engineering campaigns.
“Your CISOs and other cyber professionals may sound like a broken record, but this attack should serve as yet another reminder of the need to emphasize a culture of cybersecurity to have safeguards in place, particularly including implementing multi-factor authentication (MFA). The same report found that a staggering 56% of organizations that experienced a significant cyber attack had not implemented MFA — leaving a door wide open for threat actors to exploit their team. Ensuring MFA is in place can be the difference in defending against phishing and related identity-based attacks, and falling onto the victim list.”