AHA, FBI warn of cyberattacks to Salesforce customers

Threat actors used a number of methods to gain access to Salesforce, a CRM app commonly used by hospitals and health systems.
By Jeff Lagasse, Editor
The FBI has sent a letter to Salesforce customers warning that hackers have been targeting its platforms, and the American Hospital Association is telling hospitals to be on alert.

Salesforce is a cloud-based platform for customer relationship management (CRM), which unifies sales, marketing, commerce and IT into a single application.

Since October 2024, threat actors have gained initial access to Salesforce systems by using social engineering attacks, in particular phishing, to get into organizations’ accounts, the FBI said.

According to the AHA, the cybercriminal groups UNC6040 and UNC6395 are responsible for an increasing number of data theft and extortion attempts.

WHAT’S THE IMPACT

Threat actors from the UNC6040 group called their victims’ call centers posing as IT support addressing enterprise-wide connectivity issues. Under the guise of closing an auto-generated ticket, they fooled employees into essentially giving them access to employee credentials, which then allowed them to pull customer data.

Salesforce allows organizations to integrate with third-party applications, often called connected apps, and the hackers deceived victims into authorizing malicious connected apps to their organization’s Salesforce portal, the FBI said. 

That in turn gave the threat actors the ability to access customer information by bypassing traditional defenses such as password resets and login monitoring.

Some UNC6040 victims have subsequently received extortion emails allegedly from the ShinyHunters group, demanding payment in cryptocurrency to avoid publication of exfiltrated data, the FBI said.

Separately, the UNC6395 group utilized a different initial access mechanism, instead targeting the Salesforce Drift app, an AI chatbot that can be integrated with Salesforce. 

The AHA is pointing people and healthcare businesses to John Riggi, AHA national advisor for cybersecurity and risk, at jriggi@aha.org for inquiries about the incidents.

THE LARGER TREND

The FBI offered a number of recommendations, including requiring phishing-resistant multi-factor authentication for as many services as possible.

The agency also suggested implementing authentication, authorization and accounting (AAA) systems to limit the actions that users can perform, enforcing IP-based access restrictions, and monitoring API usage to detect unusual or malicious behavior.

Other recommendations include monitoring network logs and browser session activity for anomalies, and reviewing all third-party integrations connecting to third-party software.

 

Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.