The FBI has issued a warning about two cybercriminal groups, UNC6040 and UNC6395, that are exploiting Salesforce environments to steal data and extort organizations. These groups have employed various tactics, including social engineering and the use of compromised OAuth tokens, impacting many well-known companies and revealing sensitive information in their attacks. The FBI has released indicators of compromise to help organizations bolster their defenses against these threats.

Scattered Lapsus$ Hunters has initiated a crowdsourced extortion scheme, offering $10 in Bitcoin to individuals who will pressure executives of organizations they claim to have breached into paying ransoms. The group has already reportedly paid out $1,000 and lists 39 alleged victims on its data leak site, threatening further action if demands are not met by a specified deadline. Despite claims of a breach, Salesforce has stated that there is no indication of compromise on its platform.

Law enforcement in the U.S. and France has seized domains associated with the BreachForums hacking forum, known for selling stolen data and hacked credentials. Despite this action, a dark web version of BreachForums remains active, and the Scattered LAPSUS$ Hunters group claims it will still leak one billion Salesforce customer records. The ongoing struggle against cybercrime infrastructure emphasizes the resilience of such underground networks.