Cybercriminals exploit Salesforce Application in High-Profile Data Breach


VTA-004536 – Cybercriminals exploit Salesforce Application in High-Profile Data Breach

Cybercriminal group ShinyHunters, previously known for their ties to the BreachForums website and their attacks on AWS infrastructure, resurfaced in June 2025 to continue their data theft operations. Their latest campaign involved a data breach affecting major companies such as Google, Adidas, and Louis Vuitton.

The campaign began with social engineering through vishing, in which the attackers posed as internal IT support staff of the targeted companies. They abused the Salesforce application's OAuth authorization flow by tricking victims into downloading modified versions of the software and then walking them through entering attacker-supplied verification codes, which authorized the attackers' access and effectively bypassed MFA.

Once access was established, the attackers maintained long-term persistence and ran queries to locate high-value data objects. Scripts automated these queries, enabling rapid retrieval and exfiltration of large volumes of customer records. The stolen data was routed through VPN and Tor exit IP addresses, complicating attribution.

Beyond exfiltration, the attackers also attempted lateral movement into other platforms within the organizations, including Microsoft 365, Okta, and Meta Workplace. Credential harvesting and privilege escalation tactics were actively employed during this phase.

Severity:
Medium

Attack Surface:
Cloud Service, Content Management System, Database

Tactics:
Credential Access, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation, Reconnaissance

Techniques:
TA0001 – Initial Access
T1078 – Valid Accounts
T1598 – Phishing for Information (Reconnaissance)
TA0007 – Discovery
TA0009 – Collection
TA0010 – Exfiltration

References:
1. https://cybersecuritynews.com/shinyhunters-breaches/

SuperPRO’s Threat Countermeasures Procedures:
1. Educate staff on vishing and social engineering: run regular exercises that simulate social engineering attempts, including phone-based IT support impersonation.
2. Apply a least-privilege access policy so that only staff with a business need can access confidential data.
3. Restrict end-user application installation so that modified or unapproved software cannot be installed.
4. Monitor installed applications, endpoints and API activity to catch suspicious behavior and signs of bulk data exfiltration.
5. Block traffic from known Tor exit nodes and VPN IP ranges with poor reputation.
6. Use phishing-resistant MFA, such as hardware security keys, so that attackers cannot bypass MFA by coaching a victim through a verification prompt.
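As an added illustration of countermeasures 4 and 5 (not part of the original advisory), the following Python sketch flags the scripted mass-retrieval pattern described above: bursts of API queries, unusually large row volumes per user in a short window, and queries arriving from flagged IP addresses. The event format, sample rows and the suspect-IP set are constructed for this example and do not represent real Salesforce telemetry or real indicators.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Salesforce-style API events (not real telemetry):
# timestamp,user,event,rows_returned,source_ip
SAMPLE_EVENTS = """\
2025-06-12T09:00:05Z,alice@example.com,Query,120,203.0.113.10
2025-06-12T09:01:10Z,alice@example.com,Query,80,203.0.113.10
2025-06-12T09:02:00Z,bob@example.com,Query,2000,198.51.100.7
2025-06-12T09:02:05Z,bob@example.com,Query,2000,198.51.100.7
2025-06-12T09:02:09Z,bob@example.com,Query,2000,198.51.100.7
2025-06-12T09:02:14Z,bob@example.com,Query,2000,198.51.100.7
2025-06-12T09:02:20Z,bob@example.com,Query,2000,198.51.100.7
2025-06-12T09:10:00Z,carol@example.com,Query,50,192.0.2.44
"""

# Constructed stand-in for a Tor/VPN exit-node reputation list.
SUSPECT_IPS = {"198.51.100.7"}

def detect_bulk_exfiltration(raw, min_queries=5, min_rows=5000, window_s=300):
    """Return {user: [reasons]} for users whose queries in any window_s-second
    span exceed the count or row thresholds, or come from a flagged IP."""
    by_user = defaultdict(list)
    for line in raw.strip().splitlines():
        ts, user, event, rows, ip = line.split(",")
        if event != "Query":
            continue
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user[user].append((t, int(rows), ip))

    alerts = {}
    for user, events in by_user.items():
        events.sort()
        reasons = set()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so events[start..end] fit in window_s.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_queries:
                reasons.add("query_burst")
            if sum(r for _, r, _ in events[start:end + 1]) >= min_rows:
                reasons.add("row_volume")
        if any(ip in SUSPECT_IPS for _, _, ip in events):
            reasons.add("suspect_ip")
        if reasons:
            alerts[user] = sorted(reasons)
    return alerts
```

In production the thresholds would be tuned against each user's or integration's baseline, since legitimate bulk integrations also generate large row counts.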

Contributed by: Esther