Latest news with #GTIG

Never Answer These Calls On Your Smartphone, Google Warns
Forbes, 05-06-2025

Beware the UNC6040 smartphone threat. Google's Threat Intelligence Group has issued a new warning about a dangerous cyberattack group known only as UNC6040, which is succeeding in stealing data, including your credentials, by getting victims to answer a call on their smartphone. There are no vulnerabilities to exploit, unless you include yourself: these attackers 'abuse end-user trust,' a Google spokesperson said, adding that the UNC6040 campaign 'began months ago and remains active.' Here's what you need to know and do. TL;DR: Don't answer that call, and if you do, don't act upon it.

If you still need me to warn you about the growing threat from AI-powered cyberattacks, particularly those involving calls to your smartphone, whether it's an Android or an iPhone, then you really haven't been paying attention. It's this lack of attention, on the broadest global cross-industry scale, that has left attackers emboldened and allowed the 'vishing' threat to evolve and become ever more dangerous. If you won't listen to me, perhaps you'll take notice of the cybersecurity and hacking experts who form the Google Threat Intelligence Group.

A June 4 posting by GTIG, whose stated mission is to provide visibility and context on the threats that matter most, details how it has been tracking a threat group known only as UNC6040. This group is financially motivated and very dangerous indeed. 'UNC6040's operators impersonate IT support via phone,' the GTIG report stated, 'tricking employees into installing modified (not authorized by Salesforce) Salesforce connected apps, often Data Loader variants.' The payload? Access to sensitive data, and onward lateral movement to other cloud services beyond the original intrusion. Google's threat intelligence analysts have designated UNC6040 as opportunistic attackers, and the broad spectrum of that opportunity has been seen across hospitality, retail and education in the U.S. and Europe.

One theory is that the original attackers work in conjunction with a second group that monetizes the infiltrated networks and stolen data, since the extortion itself often doesn't start until some months after the initial intrusion. To mitigate the UNC6040 attack risk, GTIG set out a number of steps that organisations should consider. And, of course, as Google has advised in previous scam warnings, don't answer phone calls from unknown sources. If you do, and the caller claims to be an IT support person, hang up and use the established methods within your organization to contact them for verification.

UNC6040 Hacks Salesforce Via Vishing And Malicious Data Loader Apps, Google Warns
Scoop, 05-06-2025

Press Release – Google Threat Intelligence Group – GTIG

A new Google Cloud Threat Intelligence report has revealed a sophisticated vishing campaign targeting Salesforce environments, enabling large-scale data theft and extortion. The operation, attributed to threat cluster UNC6040, leverages modified versions of Salesforce's Data Loader and malicious connected apps to compromise organisations, without exploiting any Salesforce vulnerabilities.

According to Google, attackers impersonate IT support on live calls, directing users to approve unauthorised Data Loader apps via Salesforce's connected app interface. These apps, often disguised with innocuous names like 'My Ticket Portal,' grant direct access to sensitive CRM data. No legitimate Salesforce systems are compromised in the attacks; rather, the bad actors exploit end-user trust to infiltrate other systems. Once initial access is secured, attackers use harvested credentials to move laterally into platforms such as Okta and Microsoft 365. In some cases, exfiltration went undetected for months before extortion attempts occurred, sometimes under the banner of groups like ShinyHunters.

UNC6040's infrastructure included Okta phishing panels and commercial VPN services such as Mullvad. The group's techniques overlap with those seen in campaigns linked to 'The Com', a loosely affiliated cybercriminal collective.

GTIG advises defenders to implement strict access controls, limit API privileges, and use Salesforce Shield for anomaly detection. IP-based restrictions and rigorous app allowlisting are also critical, given the threat actors' reliance on human manipulation rather than technical exploits.

'This campaign demonstrates how modern attackers exploit trust and routine admin functions to bypass even hardened cloud environments,' GTIG noted.

Google uncovers malware campaign by China-linked hackers using Calendar events in a sophisticated cyberattack
Mint, 30-05-2025

In a concerning revelation, Google's Threat Intelligence Group (GTIG) has uncovered that a group of hackers linked to China used Google Calendar as a tool to steal sensitive information from individuals. The group, known as APT41 or HOODOO, is believed to have ties to the Chinese government.

According to GTIG, the attack began with a spear phishing campaign. This method involves sending carefully crafted emails to specific targets. These emails included a link to a ZIP file hosted on a compromised government website. Once the victim opened the ZIP file, they would find a shortcut file disguised as a PDF and a folder with several images of insects and spiders. However, two of these image files were fake and actually contained malicious software. When the victim clicked the shortcut, it triggered the malware and even replaced itself with a fake PDF that appeared to be about species export regulations, likely to avoid suspicion.

The malware worked in three steps. First, it decrypted and ran a file named PLUSDROP in the computer's memory. Then, it used a known Windows process to secretly run harmful code. In the final stage, a program called TOUGHPROGRESS carried out commands and stole data.

What made this attack unusual was the use of Google Calendar as a communication tool. The malware created short, zero-minute events on specific dates. These events included encrypted data or instructions hidden in their description field. The malware regularly checked these calendar events for new commands from the hacker. After completing a task, it would create another event with the stolen information.

Google said the campaign was discovered in October 2024 after it found malware spreading from a compromised government website. The tech company has since shut down the calendar accounts used by the hackers and removed other parts of their online infrastructure.

To stop similar attacks in the future, Google has improved its malware detection systems and blocked the harmful websites involved. It also alerted organisations that may have been affected and shared technical details to help them respond and protect themselves.
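The calendar pattern described above, zero-minute events whose description field carries an encoded blob rather than text a person would write, is something a defender can hunt for in exported calendar data. The script below is an added illustration written for this page, not code from Google, GTIG or the Mint article; the CalendarEvent fields are our own minimal model (not the Google Calendar API schema), the thresholds are assumptions, and the sample events are constructed. It flags an event only when both signals coincide, because zero-minute reminders and the odd pasted hash are common on their own.

```python
"""Heuristic triage of calendar events for a zero-minute-event / encoded-description
command channel. Added example with constructed data; not GTIG's or the article's code."""
import base64
import binascii
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class CalendarEvent:
    # Minimal event model; field names are this example's assumption,
    # not the Google Calendar API schema.
    summary: str
    start: datetime
    end: datetime
    description: str = ""


# A single base64 token with optional padding. Human-written descriptions
# contain spaces and punctuation and therefore fail this check.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def is_zero_minute(ev: CalendarEvent) -> bool:
    """Event whose end is not after its start (the 'zero-minute' pattern)."""
    return ev.end - ev.start <= timedelta(0)


def looks_encoded(text: str, min_len: int = 48) -> bool:
    """True if the description is one base64 token of at least min_len characters
    that decodes cleanly. Short tokens (ticket IDs, short hashes) are ignored;
    min_len is an assumed threshold, tune it to your own data."""
    token = text.strip()
    if len(token) < min_len or len(token) % 4 != 0 or not _B64_RE.match(token):
        return False
    try:
        base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def triage(ev: CalendarEvent) -> List[str]:
    """Return the list of indicators present on this event (possibly empty)."""
    reasons = []
    if is_zero_minute(ev):
        reasons.append("zero-minute event")
    if looks_encoded(ev.description):
        reasons.append("description is an encoded blob")
    return reasons


def is_c2_candidate(ev: CalendarEvent) -> bool:
    """Flag only when both indicators coincide."""
    return len(triage(ev)) == 2


def find_candidates(events: List[CalendarEvent]) -> List[int]:
    """Indices of events worth an analyst's attention."""
    return [i for i, ev in enumerate(events) if is_c2_candidate(ev)]


# Constructed sample events (not real data). Event 3 is the one that matches.
_t = datetime(2025, 5, 30, 9, 0)
SAMPLE_EVENTS = [
    CalendarEvent("Weekly sync", _t, _t + timedelta(minutes=30),
                  "Agenda: roadmap review, hiring update."),
    CalendarEvent("Dentist", _t, _t, "Reminder: bring insurance card"),
    CalendarEvent("Build notes", _t, _t + timedelta(hours=1),
                  base64.b64encode(b"A" * 60).decode()),  # encoded, but a 1-hour event
    CalendarEvent("x", _t, _t,
                  base64.b64encode(
                      b"\x00task:list-dir;key=constructed-sample-payload-bytes!!").decode()),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(repr(ev.summary), ev.start.date(), triage(ev))
    print("candidates:", find_candidates(SAMPLE_EVENTS))
```

Run against a real export, the interesting output is the index list plus the per-event reasons; a zero-minute event created by an account that has no other calendar activity, carrying a blob that nobody in the organisation recognises, is the case to escalate. The base64 test is deliberately strict (whole-token, valid padding) to keep false positives from ordinary descriptions low; widen it only if your data shows encoded content split across lines.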

Google exposes new Russian spyware virus LostKeys linked to FSB
Yahoo, 11-05-2025

Google has announced (via Android Headlines) the discovery of new Russian spyware called LostKeys, which is used by the ColdRiver hacker group linked to the Russian Federal Security Service (FSB). The software is designed to steal files and system data from Western organisations.

Source: Mezha Media, a technology and IT news platform within Ukrainska Pravda's holding company

Details: The Google Threat Intelligence Group (GTIG) reports that LostKeys is used in targeted ClickFix attacks, which rely on social engineering and begin with a fake CAPTCHA. Victims are deceived into running malicious PowerShell scripts, allowing additional malware to be downloaded and executed. The primary aim is to install LostKeys, which functions like a digital vacuum cleaner, extracting files, directories and system information. The hackers also deploy other malware, particularly SPICA, to retrieve documents.

The ColdRiver group has been active since 2017 and is known by other names such as Star Blizzard and Callisto Group. It has reportedly become more active in recent years, especially since Russia invaded Ukraine. The group specialises in cyber-espionage, targeting government and defence institutions, think tanks, politicians, journalists and non-governmental organisations. The United States has imposed sanctions on individual group members and announced a US$10 million reward for information leading to their arrest.

Google experts emphasise the need to strengthen cybersecurity, especially for organisations that could become potential victims of ColdRiver attacks. They recommend using Google's advanced protection and regularly updating security systems to counter such threats.
