{"id":6914,"date":"2025-09-14T10:03:27","date_gmt":"2025-09-14T10:03:27","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/09\/14\/fbi-unveils-iocs-for-cyber-attacks-targeting-salesforce-instances-for-data-exfiltration\/"},"modified":"2025-09-14T10:03:27","modified_gmt":"2025-09-14T10:03:27","slug":"fbi-unveils-iocs-for-cyber-attacks-targeting-salesforce-instances-for-data-exfiltration","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/09\/14\/fbi-unveils-iocs-for-cyber-attacks-targeting-salesforce-instances-for-data-exfiltration\/","title":{"rendered":"FBI Unveils IOCs for Cyber Attacks Targeting Salesforce Instances for Data Exfiltration"},"content":{"rendered":"

FBI Unveils IOCs for Cyber Attacks Targeting Salesforce Instances for Data Exfiltration
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

The Federal Bureau of Investigation (FBI) has released a flash alert detailing the activities of two cybercriminal groups, UNC6040 and UNC6395<\/a>, that are actively compromising Salesforce environments to steal data for extortion purposes. <\/p>\n

The advisory, published by the FBI on September 12, 2025, provides indicators of compromise (IOCs) and defensive measures to help organizations protect against these ongoing campaigns that leverage distinct tactics to achieve their objectives.<\/p>\n

Here is the detailed coverage of Lessons from Salesforce\/Salesloft Drift Data Breaches \u2013 Detailed Case Study<\/a>.<\/p>\n

UNC6040\u2019s Social Engineering Campaign<\/strong><\/h2>\n

Since at least October 2024, the group tracked as UNC6040<\/a> has been using social engineering, particularly voice phishing (vishing), to gain initial access.<\/p>\n

The threat actors call an organization\u2019s help desk, posing as IT support staff, attempting to resolve a fake technical issue. During these calls, they persuade employees to either share their credentials or grant the attackers access to the company\u2019s Salesforce instance.<\/p>\n

A key tactic involves tricking employees into authorizing a malicious \u201cconnected app\u201d within the Salesforce portal. This app is often a modified version of the legitimate Salesforce Data Loader tool.<\/p>\n

By convincing a user with sufficient privileges to approve the application, UNC6040 gains persistent access via OAuth tokens<\/a> issued by Salesforce.<\/p>\n

This method can bypass security controls like multi-factor authentication (MFA) and password resets, as the activity appears to originate from a trusted, integrated application.<\/p>\n

The attackers then use API queries to exfiltrate large volumes of data. Following the data theft, some victims have received extortion emails from the notorious \u201cShinyHunters\u201d group, demanding payment to prevent the public release of the stolen information.<\/p>\n

UNC6395 Exploits Third-Party Integration<\/strong><\/h2>\n

The second group, UNC6395, employed a different method to breach Salesforce instances. In August 2025, these actors exploited compromised OAuth tokens associated with the Salesloft Drift application, an AI-powered chatbot that integrates with Salesforce.<\/p>\n

By using these compromised third-party tokens, the group was able to access and exfiltrate data from the victim\u2019s Salesforce environment, highlighting the security risks posed by third-party application integrations.<\/p>\n

In response to this campaign, Salesloft and Salesforce collaborated to revoke all active access and refresh tokens for the Drift application on August 20, 2025. This action successfully terminated the threat actors\u2019 access to the compromised Salesforce platforms through this specific vector.250912.pdf<\/p>\n

The FBI has released<\/a> an extensive list of IOCs, including IP addresses, malicious URLs, and user-agent strings associated with both UNC6040 and UNC6395, to help network defenders detect and block related activity. The agency strongly recommends that organizations take several steps to mitigate the risk of compromise.<\/p>\n

Of course, here is the table with the Indicators of Compromise, with the IP addresses formatted as requested.<\/p>\n

UNC6040 Indicators of Compromise<\/strong><\/h4>\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
IoC Type<\/th>\nIndicator<\/th>\n<\/tr>\n<\/thead>\n
IP Address<\/td>\n13.67.175[.]79<\/td>\n<\/tr>\n
IP Address<\/td>\n20.190.130[.]40<\/td>\n<\/tr>\n
IP Address<\/td>\n20.190.151[.]38<\/td>\n<\/tr>\n
IP Address<\/td>\n20.190.157[.]160<\/td>\n<\/tr>\n
IP Address<\/td>\n20.190.157[.]98<\/td>\n<\/tr>\n
IP Address<\/td>\n23.145.40[.]165<\/td>\n<\/tr>\n
IP Address<\/td>\n23.145.40[.]167<\/td>\n<\/tr>\n
IP Address<\/td>\n23.145.40[.]99<\/td>\n<\/tr>\n
IP Address<\/td>\n23.162.8[.]66<\/td>\n<\/tr>\n
IP Address<\/td>\n23.234.69[.]167<\/td>\n<\/tr>\n
IP Address<\/td>\n23.94.126[.]63<\/td>\n<\/tr>\n
IP Address<\/td>\n31.58.169[.]85<\/td>\n<\/tr>\n
IP Address<\/td>\n31.58.169[.]92<\/td>\n<\/tr>\n
IP Address<\/td>\n31.58.169[.]96<\/td>\n<\/tr>\n
IP Address<\/td>\n34.86.51[.]128<\/td>\n<\/tr>\n
IP Address<\/td>\n35.186.181[.]1<\/td>\n<\/tr>\n
IP Address<\/td>\n37.19.200[.]132<\/td>\n<\/tr>\n
IP Address<\/td>\n37.19.200[.]141<\/td>\n<\/tr>\n
IP Address<\/td>\n37.19.200[.]154<\/td>\n<\/tr>\n
IP Address<\/td>\n37.19.200[.]167<\/td>\n<\/tr>\n
IP Address<\/td>\n37.19.221[.]179<\/td>\n<\/tr>\n
IP Address<\/td>\n38.22.104[.]226<\/td>\n<\/tr>\n
IP Address<\/td>\n45.83.220[.]206<\/td>\n<\/tr>\n
IP Address<\/td>\n51.89.240[.]10<\/td>\n<\/tr>\n
IP Address<\/td>\n64.95.11[.]225<\/td>\n<\/tr>\n
IP Address<\/td>\n64.95.84[.]159<\/td>\n<\/tr>\n
IP Address<\/td>\n66.63.167[.]122<\/td>\n<\/tr>\n
IP Address<\/td>\n67.217.228[.]216<\/td>\n<\/tr>\n
IP Address<\/td>\n68.235.43[.]202<\/td>\n<\/tr>\n
IP Address<\/td>\n68.235.46[.]22<\/td>\n<\/tr>\n
IP Address<\/td>\n68.235.46[.]202<\/td>\n<\/tr>\n
IP Address<\/td>\n68.235.46[.]151<\/td>\n<\/tr>\n
IP Address<\/td>\n68.235.46[.]208<\/td>\n<\/tr>\n
IP Address<\/td>\n68.63.167[.]122<\/td>\n<\/tr>\n
IP Address<\/td>\n69.246.124[.]204<\/td>\n<\/tr>\n
IP Address<\/td>\n72.5.42[.]72<\/td>\n<\/tr>\n
IP Address<\/td>\n79.127.217[.]44<\/td>\n<\/tr>\n
IP Address<\/td>\n83.147.52[.]41<\/td>\n<\/tr>\n
IP Address<\/td>\n87.120.112[.]134<\/td>\n<\/tr>\n
IP Address<\/td>\n94.156.167[.]237<\/td>\n<\/tr>\n
IP Address<\/td>\n96.44.189[.]109<\/td>\n<\/tr>\n
IP Address<\/td>\n96.44.191[.]141<\/td>\n<\/tr>\n
IP Address<\/td>\n96.44.191[.]157<\/td>\n<\/tr>\n
IP Address<\/td>\n104.223.118[.]62<\/td>\n<\/tr>\n
IP Address<\/td>\n104.193.135[.]221<\/td>\n<\/tr>\n
IP Address<\/td>\n141.98.252[.]189<\/td>\n<\/tr>\n
IP Address<\/td>\n146.70.165[.]47<\/td>\n<\/tr>\n
IP Address<\/td>\n146.70.168[.]239<\/td>\n<\/tr>\n
IP Address<\/td>\n146.70.173[.]60<\/td>\n<\/tr>\n
IP Address<\/td>\n146.70.185[.]47<\/td>\n<\/tr>\n
IP Address<\/td>\n146.70.189[.]47<\/td>\n<\/tr>\n
IP Address<\/td>\n146.70.189[.]111<\/td>\n<\/tr>\n
IP Address<\/td>\n146.70.198[.]112<\/td>\n<\/tr>\n
IP Address<\/td>\n146.70.211[.]55<\/td>\n<\/tr>\n
IP Address<\/td>\n146.70.211[.]119<\/td>\n<\/tr>\n
IP Address<\/td>\n146.70.211[.]183<\/td>\n<\/tr>\n
IP Address<\/td>\n147.161.173[.]90<\/td>\n<\/tr>\n
IP Address<\/td>\n149.22.81[.]201<\/td>\n<\/tr>\n
IP Address<\/td>\n151.242.41[.]182<\/td>\n<\/tr>\n
IP Address<\/td>\n151.242.58[.]76<\/td>\n<\/tr>\n
IP Address<\/td>\n163.5.149[.]152<\/td>\n<\/tr>\n
IP Address<\/td>\n185.141.119[.]136<\/td>\n<\/tr>\n
IP Address<\/td>\n185.141.119[.]138<\/td>\n<\/tr>\n
IP Address<\/td>\n185.141.119[.]151<\/td>\n<\/tr>\n
IP Address<\/td>\n185.141.119[.]166<\/td>\n<\/tr>\n
IP Address<\/td>\n185.141.119[.]168<\/td>\n<\/tr>\n
IP Address<\/td>\n185.141.119[.]181<\/td>\n<\/tr>\n
IP Address<\/td>\n185.141.119[.]184<\/td>\n<\/tr>\n
IP Address<\/td>\n185.141.119[.]185<\/td>\n<\/tr>\n
IP Address<\/td>\n185.209.199[.]56<\/td>\n<\/tr>\n
IP Address<\/td>\n191.96.207[.]201<\/td>\n<\/tr>\n
IP Address<\/td>\n192.198.82[.]235<\/td>\n<\/tr>\n
IP Address<\/td>\n195.54.130[.]100<\/td>\n<\/tr>\n
IP Address<\/td>\n196.251.83[.]162<\/td>\n<\/tr>\n
IP Address<\/td>\n198.44.129[.]56<\/td>\n<\/tr>\n
IP Address<\/td>\n198.44.129[.]88<\/td>\n<\/tr>\n
IP Address<\/td>\n198.244.224[.]200<\/td>\n<\/tr>\n
IP Address<\/td>\n198.54.130[.]100<\/td>\n<\/tr>\n
IP Address<\/td>\n198.54.130[.]108<\/td>\n<\/tr>\n
IP Address<\/td>\n198.54.133[.]123<\/td>\n<\/tr>\n
IP Address<\/td>\n205.234.181[.]14<\/td>\n<\/tr>\n
IP Address<\/td>\n206.217.206[.]14<\/td>\n<\/tr>\n
IP Address<\/td>\n206.217.206[.]25<\/td>\n<\/tr>\n
IP Address<\/td>\n206.217.206[.]26<\/td>\n<\/tr>\n
IP Address<\/td>\n206.217.206[.]64<\/td>\n<\/tr>\n
IP Address<\/td>\n206.217.206[.]84<\/td>\n<\/tr>\n
IP Address<\/td>\n206.217.206[.]104<\/td>\n<\/tr>\n
IP Address<\/td>\n206.217.206[.]124<\/td>\n<\/tr>\n
IP Address<\/td>\n208.131.130[.]53<\/td>\n<\/tr>\n
IP Address<\/td>\n208.131.130[.]71<\/td>\n<\/tr>\n
IP Address<\/td>\n208.131.130[.]91<\/td>\n<\/tr>\n
URL<\/td>\nLogin[.]salesforce[.]com\/setup\/connect?user_code=aKYF7V5N<\/td>\n<\/tr>\n
URL<\/td>\nLogin.salesforce.com\/setup\/connect?user_code=8KCQGTVU<\/td>\n<\/tr>\n
URL<\/td>\nhttps:\/\/help[victim][.]com<\/td>\n<\/tr>\n
URL<\/td>\nhttps:\/\/login[.]salesforce[.]com\/setup\/connect<\/td>\n<\/tr>\n
URL<\/td>\nhttp:\/\/64.95.11[.]112\/hello.php<\/td>\n<\/tr>\n
URL<\/td>\n91.199.42.164\/login<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

UNC6395 Indicators of Compromise<\/strong><\/h4>\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
IoC Type<\/th>\nIndicator<\/th>\n<\/tr>\n<\/thead>\n
IP Address<\/td>\n208.68.36[.]90<\/td>\n<\/tr>\n
IP Address<\/td>\n44.215.108[.]109<\/td>\n<\/tr>\n
IP Address<\/td>\n154.41.95[.]2<\/td>\n<\/tr>\n
IP Address<\/td>\n176.65.149[.]100<\/td>\n<\/tr>\n
IP Address<\/td>\n179.43.159[.]198<\/td>\n<\/tr>\n
IP Address<\/td>\n185.130.47[.]58<\/td>\n<\/tr>\n
IP Address<\/td>\n185.207.107[.]130<\/td>\n<\/tr>\n
IP Address<\/td>\n185.220.101[.]33<\/td>\n<\/tr>\n
IP Address<\/td>\n185.220.101[.]133<\/td>\n<\/tr>\n
IP Address<\/td>\n185.220.101[.]143<\/td>\n<\/tr>\n
IP Address<\/td>\n185.220.101[.]164<\/td>\n<\/tr>\n
IP Address<\/td>\n185.220.101[.]167<\/td>\n<\/tr>\n
IP Address<\/td>\n185.220.101[.]169<\/td>\n<\/tr>\n
IP Address<\/td>\n185.220.101[.]180<\/td>\n<\/tr>\n
IP Address<\/td>\n185.220.101[.]185<\/td>\n<\/tr>\n
IP Address<\/td>\n192.42.116[.]20<\/td>\n<\/tr>\n
IP Address<\/td>\n192.42.116[.]179<\/td>\n<\/tr>\n
IP Address<\/td>\n194.15.36[.]117<\/td>\n<\/tr>\n
IP Address<\/td>\n195.47.238[.]83<\/td>\n<\/tr>\n
IP Address<\/td>\n195.47.238[.]178<\/td>\n<\/tr>\n
User-Agent<\/td>\nSalesforce-Multi-Org-Fetcher\/1.0<\/td>\n<\/tr>\n
User-Agent<\/td>\nSalesforce-CLI\/1.0<\/td>\n<\/tr>\n
User-Agent<\/td>\npython-requests\/2.32.4<\/td>\n<\/tr>\n
User-Agent<\/td>\nPython\/3.11 aiohttp\/3.12.15<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
    <\/ol>\n

    Key recommendations include training employees, especially call center staff, to recognize and report phishing<\/a> and vishing attempts.<\/p>\n

    The FBI also advises enforcing phishing-resistant MFA across all possible services, applying the principle of least privilege to user accounts, and implementing strict IP-based access restrictions.<\/p>\n

    Furthermore, organizations should continuously monitor network logs and API usage for anomalous behavior indicative of data exfiltration and regularly review all third-party application integrations connected to their software platforms, rotating API keys and credentials frequently.<\/p>\n

    Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n

    The post FBI Unveils IOCs for Cyber Attacks Targeting Salesforce Instances for Data Exfiltration<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

    \t

    \n
    <\/BR>
    \n Guru Baran
    \n \t

    \n
    <\/BR>
    \n    Go to cyber-security-news<\/a>
    \n \t

    \n
    <\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

    FBI Unveils IOCs for Cyber Attacks Targeting Salesforce Instances for Data Exfiltration The Federal Bureau of Investigation (FBI) has released a flash alert detailing the activities of two cybercriminal groups, UNC6040 and UNC6395, that are actively compromising Salesforce environments to steal data for extortion purposes. The advisory, published by the FBI on September 12, 2025, […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-6914","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6914"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6914"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6914\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6914"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6914"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6914"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}