A cybercrime group, describing itself as ‘Scattered LAPSUS$ Hunters’, claims to have taken over nearly one billion data records belonging to Salesforce customers. However, the attack did not directly breach the cloud giant’s infrastructure. Instead, the hackers relied on social engineering, targeting the weakest link – employees of companies using the platform.
The attackers admitted that they did not breach the security of Salesforce itself. Their method was based on voice phishing (vishing), involving telephone impersonation of IT support staff. In this way, they convinced employees to install a modified version of the legitimate Salesforce Data Loader tool, which is used to import data in bulk. After installing the malware, they gained access to company resources.
Salesforce has strongly denied that its platform was compromised. The company stressed that the incident is not linked to any known vulnerability in its technology and instead stems from actions aimed directly at its customers.
The ‘Scattered LAPSUS$ Hunters’ group also took responsibility for ransomware attacks earlier this year on well-known UK brands such as Marks & Spencer, the Co-op and Jaguar Land Rover. It published a list of around 40 other allegedly attacked companies on its darknet page.
The group’s activity is part of a wider trend observed by security analysts. Back in June, the Google Threat Intelligence Group team described a campaign by a group tracked as ‘UNC6040’, which used identical techniques to get employees to install fake tools. Researchers link the attackers’ technical infrastructure to a loosely connected cybercrime ecosystem known as ‘The Com’.
The case already has real-world consequences. In July, British police arrested four people under the age of 21 in connection with an investigation into cyber attacks on retail chains. The incident proves once again that even the most secure cloud platforms are helpless when the human factor fails.