Executive Summary
In mid-2025, a sophisticated data extortion campaign targeted high-end retail organizations leveraging Salesforce environments. Threat actors—identified as UNC6040 (responsible for access and reconnaissance) and Bling Libra (aka ShinyHunters, handling extortion)—gained initial access through voice-based phishing (vishing) techniques. After establishing a foothold, they conducted in-depth reconnaissance to collect sensitive customer data, including names, birthdates, contact details, and account metadata, which was then exfiltrated. The attackers threatened public disclosure unless the victim organizations paid a ransom, all while leaving minimal forensic traces due to a lack of malware deployment and custom tools.
This incident highlights the increasing sophistication of financially motivated cybercrime operations and an industry-wide shift towards data theft extortion without ransomware. There is an urgent need for retail and cloud-reliant enterprises to reassess their security controls, as social engineering vectors bypass traditional perimeter defenses and regulatory scrutiny around cloud data protections intensifies.
Why This Matters Now
Data extortion using social engineering and cloud platform attack paths is escalating, particularly against high-profile retailers managing valuable customer data. The urgency is compounded by the difficulty of defending against vishing and reconnaissance-driven attacks, regulatory exposure, and the continuous evolution of threat actors, even following arrests. Proactive cloud security and detection of social engineering are more critical than ever.
Attack Path Analysis
Attackers leveraged voice-based phishing to gain initial access to cloud SaaS environments, escalating permissions via valid credentials or misconfigurations. They conducted extensive internal reconnaissance to locate and enumerate sensitive customer data, then moved laterally across internal cloud services and possibly multi-cloud platforms to maximize data discovery. C2 was established via stealthy, low-noise techniques using authorized connections, evading detection. Data was systematically exfiltrated to attacker-controlled infrastructure using encrypted or legitimate channels. The impact phase involved extortion, where attackers threatened public exposure or ransom demands, focusing on business disruption and reputational harm rather than system destruction.
Kill Chain Progression
Initial Compromise
Description
Attackers used social engineering, specifically voice-based phishing (vishing), to obtain valid credentials and access cloud-based SaaS platforms (e.g., Salesforce).
Related CVEs
CVE-2025-61882
CVSS 9.8. A remote code execution vulnerability in Oracle E-Business Suite allows unauthenticated attackers to execute arbitrary code.
Affected Products: Oracle E-Business Suite – 12.2.10 and earlier
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Phishing
Gather Victim Identity Information
Valid Accounts
Account Discovery
Data from Information Repositories
Exfiltration Over Web Service
Data Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Controls for Users and Administrators
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Supply Chain and Asset Security
Control ID: Article 21(2)(d)
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – User and Entity Behavior Analytics
Control ID: IDENTITY-3
GDPR – Security of Processing
Control ID: Article 32
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
High-end retailers face targeted data theft extortion via social engineering, compromising customer PII through cloud platforms, requiring enhanced egress security and anomaly detection.
Financial Services
Banking and financial institutions are vulnerable to vishing attacks targeting Salesforce data, necessitating zero trust segmentation and encrypted traffic protection for customer information.
Luxury Goods/Jewelry
Premium jewelry retailers are specifically targeted for customer data exfiltration, requiring multicloud visibility and threat detection capabilities to prevent extortion campaigns.
Airlines/Aviation
The aviation sector is impacted by data theft operations targeting customer databases, needing enhanced east-west traffic security and policy enforcement for cloud-native environments.
Sources
- Data Is the New Diamond: Heists in the Digital Age (Unit 42): https://unit42.paloaltonetworks.com/retail-hospitality-heists-in-the-digital-age/
- FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks (The Hacker News): https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html
- The Cost of a Call: From Voice Phishing to Data Extortion (Google Cloud Blog): https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
- ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks (BleepingComputer): https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust Segmentation, egress security, encrypted traffic controls, and multicloud visibility would have limited attacker ability to move, exfiltrate data, and remain undetected. Distributed enforcement of identity-based policies and traffic inspection would have detected anomalies, isolated unauthorized actions, and blocked data theft pathways.
Control: Multicloud Visibility & Control
Mitigation: Anomalous access attempts or logins could be centrally detected and flagged.
Control: Zero Trust Segmentation
Mitigation: Least privilege access and segmentation would contain privilege abuse.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts would be blocked or alerted on internal network boundaries.
Control: Threat Detection & Anomaly Response
Mitigation: Real-time anomaly detection would generate alerts on covert remote operations.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound data transfers would be blocked or logged.
Comprehensive visibility and real-time policy enforcement limit breach impact and support timely response.
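As an added illustration (not code from the brief or from any vendor product), the following script shows what "anomalous access" detection looks like for the pattern described above: a vished but valid account logs in from an IP never seen for that user, enumerates user records, and then pulls far more CRM rows than its own baseline. The log lines are constructed for the example, and the column names are an assumption modeled only loosely on Salesforce event-log fields, not an exact schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample; field names are an assumption, loosely modeled on
# Salesforce event-log columns rather than an exact schema.
SAMPLE_LOG = """timestamp,event_type,user,source_ip,object,rows
2025-06-02T09:00:00Z,Login,jdoe,203.0.113.5,,0
2025-06-02T09:05:00Z,API,jdoe,203.0.113.5,Account,120
2025-06-03T09:10:00Z,API,jdoe,203.0.113.5,Contact,90
2025-06-04T08:55:00Z,API,jdoe,203.0.113.5,Account,110
2025-06-10T22:01:00Z,Login,jdoe,198.51.100.77,,0
2025-06-10T22:03:00Z,API,jdoe,198.51.100.77,User,400
2025-06-10T22:10:00Z,API,jdoe,198.51.100.77,Contact,250000
"""

SPIKE_FACTOR = 20      # rows pulled vs. the user's running average
MIN_ROWS = 10_000      # ignore spikes that are small in absolute terms
ENUM_OBJECTS = {"User", "Profile", "PermissionSet"}  # account-discovery reads

def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["rows"] = int(r["rows"] or 0)
    return rows

def detect(events):
    """Return (timestamp, user, reason) findings; events must be time-ordered."""
    seen_ips = defaultdict(set)   # user -> source IPs already observed
    history = defaultdict(list)   # user -> row counts of earlier API pulls
    findings = []
    for e in events:
        user, ip = e["user"], e["source_ip"]
        if e["event_type"] == "Login":
            # A valid-credential login from an IP this user has never used.
            if seen_ips[user] and ip not in seen_ips[user]:
                findings.append((e["timestamp"], user, f"login from new IP {ip}"))
            seen_ips[user].add(ip)
        elif e["event_type"] == "API":
            if e["object"] in ENUM_OBJECTS:
                findings.append((e["timestamp"], user, f"enumeration of {e['object']}"))
            past = history[user]
            if past:  # compare this pull against the user's own baseline
                avg = sum(past) / len(past)
                if e["rows"] >= MIN_ROWS and e["rows"] > SPIKE_FACTOR * avg:
                    findings.append((e["timestamp"], user,
                                     f"bulk pull of {e['rows']} {e['object']} rows "
                                     f"({e['rows'] / avg:.0f}x baseline)"))
            past.append(e["rows"])
    return findings

if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(*f)
```

In a real deployment the baseline would be built per user and per object over a much longer window, and the three findings would be correlated into one incident rather than raised as separate alerts.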
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Sales Operations
- Marketing
Estimated downtime: 7 days
Estimated loss: $5,000,000
Exposure of sensitive customer data including names, email addresses, phone numbers, and account details, leading to potential identity theft and reputational damage.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and least privilege controls to restrict movement and limit the blast radius of compromised identities.
- Deploy continuous egress policy enforcement and encrypted traffic inspection to detect and prevent unauthorized data exfiltration from cloud and SaaS environments.
- Enhance multicloud and workload-to-workload visibility to rapidly detect anomalous behaviors, unusual access, and internal reconnaissance attempts.
- Automate incident response workflows with real-time threat detection and embedded analytics to quickly identify and contain emerging threats.
- Regularly audit remote access methods, credential hygiene, and segmentation policies to maintain proactive Zero Trust defenses against sophisticated extortion and data theft campaigns.