FBI warns of cyber criminals targeting Salesforce platforms

Sep 12, 2025 - 04:03 PM
Cybersecurity Lock on Gold Wall

The FBI Sept. 12 released an alert warning of malicious activities by cybercriminal groups UNC6040 and UNC6395, which the agency said are responsible for an increasing number of data theft and extortion intrusions. The FBI said the groups have recently been observed targeting organizations’ Salesforce platforms using different methods to obtain account access. UNC6040 has been known to obtain initial access to Salesforce accounts through voice phishing. The FBI said UNC6395 in August was found to have exploited compromised access tokens for an artificial intelligence chatbot that can be integrated with Salesforce. The threat actors successfully compromised victims and exfiltrated data.

The FBI included a series of recommendations to help reduce the risk of compromise from cyber actors. For more information on this or other cyber and risk issues, contact John Riggi, AHA national advisor for cybersecurity and risk, at jriggi@aha.org. For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity.

Related News Articles

Headline
White House issues executive order addressing cybercrime by threat groups
The White House issued an executive order March 6 to combat cybercrimes by threat groups. The order highlights how such groups can receive willing or…
Headline
ASPR releases cybersecurity module to conduct risk assessments 
The Administration for Strategic Preparedness and Response has released a new cybersecurity module for organizations to conduct risk assessments. The free…
Perspective
Staying Cyber Alert and Cyber Ready
Public
As the world has learned in recent years, today’s conflicts are fought with many weapons, and cyber warfare is an integral part of the arsenal.As of this…
Headline
FBI reminds of potentially malicious activity by Iranian cyber actors
The FBI is reminding critical infrastructure organizations to implement mitigations from a June 2025 fact sheet on potential actions by Iranian-affiliated…
Headline
CISA report updates findings on RESURGE malware attacks
The Cybersecurity and Infrastructure Security Agency Feb. 26 released a report that updates findings from last year on RESURGE malware used to gain covert…
Headline
Agencies issue guidance on exploitation of Cisco systems by cyber actors 
U.S. and international agencies Feb. 25 released guidance on protecting Cisco Software-defined Wide-area Networking systems from exploitation by malicious…