Pour yourself a glass of whiskey, because the security alarm has sounded again and your risk posture still looks like a punchline. The FBI’s flash alert about UNC6040 and UNC6395 reads like a card from the vendor sales deck — convincing enough to scare a junior analyst, not enough to stop the next breach. Salesforce remains a rollercoaster of APIs, OAuth tokens, and dashboards that look harmless until someone exports every record to a spreadsheet with a smile.
The report notes that UNC6040 and UNC6395 are using multiple initial access mechanisms to reach Salesforce platforms. That means phishing for credentials, abusing stolen tokens, and taking advantage of misconfigured integrations and weak access controls. It is a reminder that you cannot outsource responsibility for identity and access management to a vendor’s login page or a quarterly risk assessment. The attackers do not need a zero-day when your cloud app lets them create, delete, or exfiltrate data with a few permissive roles. If your security program treats tokens like disposable napkins, this is your memo that you are responsible for the mess you created in the first place.
As always, the response is where the theater begins. Vendors push more telemetry, more dashboards, more rules that require three teams and a napkin full of policy references to interpret. CISOs chase the latest vendor-sponsored compliance checklist while the actual risk remains in the corner where secrets sit unrotated and API keys drift in a vault with a “temporary” tag that never actually expires. Yes, the same old cycle: alert fatigue, credential hygiene, and a few percent improvement that we celebrate like a championship win because we drank the Kool-Aid and forgot to test the controls during a live incident. Meanwhile the sales decks promise “zero trust everything” while your password policy still allows password1 for contractors in a dev sandbox.
What should you do if you actually want to prevent this from becoming your next headline? Enforce MFA across the Salesforce ecosystem, reduce API surface area, revoke unused credentials, and implement restricted, auditable integrations. Rotate secrets regularly and monitor for unusual API activity and anomalous login patterns. Keep an incident response plan that does not rely on vendor dashboards alone, and practice tabletop exercises until they stop feeling like a waste of time. If you must hire a consultant, at least make sure they can spell “least privilege” and can argue the case without selling you a new shiny appliance you will never deploy in production. And yes, pour a healthy dram of scotch as you read the IoCs—this stuff doesn’t fix itself with optimism or another late-night vendor webinar.
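Since the to-do list above is the only part of this story that survives contact with reality, here is what “monitor for unusual API activity”, “revoke unused credentials” and “rotate secrets” look like as actual checks. This is an added example, written for this piece; it is not code from the article, the FBI alert, or Salesforce. The event and credential schemas, the approved-app allowlist, the thresholds, and every user, app and timestamp in it are assumptions constructed for illustration, not Salesforce’s real log format.

```python
"""Offline detector for three of the controls named above:
 - logins that skip MFA,
 - integrations (connected apps) that nobody approved,
 - bulk data pulls through the API within a short window,
plus a stale-credential sweep for keys that are overdue for rotation
or were never used at all.  Schema and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for a hypothetical tenant (fictitious users and apps).
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T08:00:00", "user": "alice@example.com", "kind": "login",
     "mfa": True, "app": "Browser", "rows": 0},
    {"ts": "2024-06-01T08:05:00", "user": "alice@example.com", "kind": "api_query",
     "mfa": True, "app": "Browser", "rows": 200},
    {"ts": "2024-06-01T09:00:00", "user": "svc-export@example.com", "kind": "login",
     "mfa": False, "app": "Data Loader", "rows": 0},
    {"ts": "2024-06-01T09:01:00", "user": "svc-export@example.com", "kind": "api_query",
     "mfa": False, "app": "Data Loader", "rows": 40000},
    {"ts": "2024-06-01T09:03:00", "user": "svc-export@example.com", "kind": "api_query",
     "mfa": False, "app": "Data Loader", "rows": 35000},
    {"ts": "2024-06-01T10:00:00", "user": "bob@example.com", "kind": "login",
     "mfa": True, "app": "Unlisted Sync Tool", "rows": 0},
]

# Constructed credential inventory: name, last rotation, last observed use.
SAMPLE_CREDS = [
    {"name": "ci-deploy-token", "last_rotated": "2024-01-15", "last_used": "2024-05-30"},
    {"name": "temp-integration-key", "last_rotated": "2024-05-01", "last_used": None},
    {"name": "dashboard-key", "last_rotated": "2024-05-20", "last_used": "2024-05-31"},
]

APPROVED_APPS = {"Browser", "Data Loader"}   # assumed allowlist of reviewed integrations
BULK_ROW_THRESHOLD = 50_000                   # rows per user inside the window
WINDOW = timedelta(minutes=10)                # sliding window for the bulk check


def detect(events, approved_apps=APPROVED_APPS,
           threshold=BULK_ROW_THRESHOLD, window=WINDOW):
    """Return (finding_type, user, detail) tuples in chronological order."""
    findings = []
    per_user = defaultdict(list)      # user -> [(ts, rows)] for api_query events
    flagged_apps = set()              # (user, app) already reported
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "login" and not e["mfa"]:
            findings.append(("no_mfa_login", e["user"], e["app"]))
        if e["app"] not in approved_apps and (e["user"], e["app"]) not in flagged_apps:
            flagged_apps.add((e["user"], e["app"]))
            findings.append(("unapproved_app", e["user"], e["app"]))
        if e["kind"] == "api_query":
            recent = per_user[e["user"]]
            recent.append((ts, e["rows"]))
            while recent and ts - recent[0][0] > window:   # expire old entries
                recent.pop(0)
            total = sum(rows for _, rows in recent)
            if total >= threshold:
                findings.append(("bulk_export", e["user"], total))
                recent.clear()                              # one finding per burst
    return findings


def stale_credentials(creds, now_iso, max_age=timedelta(days=90)):
    """Names of credentials rotated more than max_age ago, or never used
    since they were issued (revocation candidates either way)."""
    now = datetime.fromisoformat(now_iso)
    return [c["name"] for c in creds
            if c["last_used"] is None
            or now - datetime.fromisoformat(c["last_rotated"]) > max_age]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print("ALERT", *finding)
    print("rotate or revoke:", stale_credentials(SAMPLE_CREDS, "2024-06-01"))
```

Run it and the service account that logged in without MFA and pulled 75,000 rows in two minutes, the integration nobody put on the allowlist, the deploy token nobody has rotated since January and the “temporary” key that was never used all show up in one pass. The thresholds are deliberately crude; the point is that each of the controls in the paragraph above is a few lines of logic once the events are actually collected, and that none of it requires a dashboard.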
Read more about the case and the IoCs in the original coverage, and pretend you were paying attention for once.