Breaches linked to the ShinyHunters group
Google and Cisco have disclosed separate data breaches stemming from voice phishing (vishing) attacks that compromised customer information stored in cloud-based CRM systems.
Both companies say the attackers used social engineering techniques to trick employees and gain access to Salesforce instances. The breaches are the latest in a wave of attacks attributed to threat actors with alleged links to the ShinyHunters cyber extortion group.
Google breach traced to Salesforce CRM instance
Google confirmed on Tuesday that it had been targeted in June. The attackers gained access to one of its Salesforce CRM instances used for managing small and medium-sized business contacts. According to the company, the intruders accessed “basic and largely publicly available business information,” including company names and contact details, before access was cut off.
The notification was issued as an update to a 4 June blog post by Google’s Threat Intelligence Group (GTIG), which had warned of an uptick in vishing and extortion activity targeting Salesforce customers. GTIG tracks the campaign under the codename UNC6040.
Cisco hit by similar voice phishing tactics
Cisco disclosed its own incident last Friday, revealing that an attacker used voice phishing to access and export data from its CRM system, following an incident identified on 24 July.
The compromised data included customer names, organisation names, Cisco-assigned user IDs, email addresses, phone numbers and account metadata such as creation dates. The company stressed that no sensitive data, passwords or Cisco products were affected.
The company said it is strengthening defences against vishing and re-educating staff on how to recognise social engineering attempts.
UNC6040 tactics include lateral movement
Google’s Threat Intelligence Group (GTIG) has observed attackers using vishing techniques to manipulate IT help desks into granting access to Salesforce environments. Once inside, the attackers can run queries and exfiltrate data. In some cases, credentials obtained via vishing or infostealer malware have been used to move laterally into other platforms such as Okta and Microsoft 365.
While attackers have claimed affiliation with ShinyHunters – sometimes using email addresses such as shinygroup@tuta[.]com – Google believes they more broadly share tactics, techniques and procedures (TTPs) with the cybercrime collective known as “The Com,” which is also associated with groups like Scattered Spider.
GTIG warned that UNC6040 regularly extorts victims months after the breach, demanding ransoms in bitcoin within 72 hours. There are indications the group may be preparing a data leak site to pressure victims into payment, echoing ransomware gang tactics.
As vishing and data extortion tactics continue to evolve, security experts say firms must strengthen employee awareness, review access controls, and closely monitor cloud-based systems for signs of unauthorised activity.
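The monitoring advice above, and the UNC6040 pattern described earlier (a help-desk-assisted credential change, a login from an unfamiliar location and client, then high-volume queries against the CRM), can be turned into a simple detection rule. The following is an added example written for this article, not code from Google, Cisco or Salesforce. It runs over a handful of constructed, simplified audit records (the field names `type`, `client`, `rows`, `ip` are assumptions, not the real Salesforce Event Monitoring schema) and flags a user whose session shows several of those signals together. The approved-client list, known-IP baseline, time window and row threshold are placeholders an organisation would replace with its own baseline.

```python
"""Flag CRM sessions that match a post-vishing bulk data theft pattern.

Added example with constructed, simplified audit records. The record layout
and the thresholds below are assumptions, not a real vendor schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events for two users. Only "alice" shows the suspicious
# chain: an admin-assisted credential reset, a login from an unseen IP with an
# unapproved API client, then tens of thousands of rows read in minutes.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:00:00", "user": "alice", "type": "PASSWORD_RESET_BY_ADMIN", "ip": "10.0.5.9"},
    {"ts": "2025-06-10T09:04:00", "user": "alice", "type": "LOGIN", "ip": "198.51.100.23", "client": "BulkTool/1.0"},
    {"ts": "2025-06-10T09:06:00", "user": "alice", "type": "API_QUERY", "client": "BulkTool/1.0", "rows": 40000, "object": "Contact"},
    {"ts": "2025-06-10T09:09:00", "user": "alice", "type": "API_QUERY", "client": "BulkTool/1.0", "rows": 35000, "object": "Account"},
    {"ts": "2025-06-10T09:30:00", "user": "bob", "type": "LOGIN", "ip": "10.0.5.40", "client": "Browser"},
    {"ts": "2025-06-10T09:35:00", "user": "bob", "type": "API_QUERY", "client": "Browser", "rows": 120, "object": "Contact"},
]

# Assumed organisational baseline: approved clients, per-user known source IPs,
# how soon after a help-desk reset a login is considered suspicious, and how
# many rows one session may read before it counts as a bulk pull.
KNOWN_CLIENTS = {"Browser", "MobileApp"}
KNOWN_IPS = {"alice": {"10.0.5.9"}, "bob": {"10.0.5.40"}}
RESET_TO_LOGIN_WINDOW = timedelta(minutes=30)
ROW_THRESHOLD = 10000


@dataclass
class Findings:
    user: str
    reasons: list[str] = field(default_factory=list)
    rows_read: int = 0

    def add(self, reason: str) -> None:
        # Record each distinct reason once so repeated queries do not spam.
        if reason not in self.reasons:
            self.reasons.append(reason)


def analyse(events: list[dict]) -> dict[str, Findings]:
    """Return per-user findings; users with nothing suspicious are omitted."""
    findings: dict[str, Findings] = {}
    last_reset: dict[str, datetime] = {}

    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        ts = datetime.fromisoformat(ev["ts"])
        f = findings.setdefault(user, Findings(user))

        if ev["type"] == "PASSWORD_RESET_BY_ADMIN":
            # Help-desk reset: remember it so a fast follow-on login stands out.
            last_reset[user] = ts
        elif ev["type"] == "LOGIN":
            if user in last_reset and ts - last_reset[user] <= RESET_TO_LOGIN_WINDOW:
                f.add("login shortly after admin-assisted credential reset")
            if ev.get("ip") not in KNOWN_IPS.get(user, set()):
                f.add(f"login from unseen IP {ev.get('ip')}")
            if ev.get("client") not in KNOWN_CLIENTS:
                f.add(f"unapproved client {ev.get('client')}")
        elif ev["type"] == "API_QUERY":
            f.rows_read += ev.get("rows", 0)
            if f.rows_read > ROW_THRESHOLD:
                f.add(f"bulk read over {ROW_THRESHOLD} rows in one session")

    return {u: f for u, f in findings.items() if f.reasons}


if __name__ == "__main__":
    for user, f in analyse(SAMPLE_EVENTS).items():
        print(f"[ALERT] {user}: {f.rows_read} rows read")
        for r in f.reasons:
            print(f"  - {r}")
```

Each signal on its own (a reset, a new IP, a large report) is routine in most organisations; the value of the rule is that it raises one alert when several appear in the same session within a short window, which is the sequence this campaign relies on. Tuning the baseline and pairing it with a help-desk callback procedure for credential changes addresses both the monitoring and the access-control points raised above.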
Jamie Akhtar, CEO and Co-Founder of CyberSmart commented:
“Google has long been one of the leading companies in the world when it comes to cybersecurity, illustrating that no one is immune to cybercrime. If it can happen to one of the wealthiest and best-defended companies in the world, it can happen to anyone.
“This again illustrates that the best technical defences in the world won’t protect you if a member of staff clicks on something they shouldn’t or is artfully duped by social engineering.
“However, it is worth sounding a note of caution. While any breach at Google is shocking, there’s no indication as yet that any of the data stolen is particularly sensitive or places customers in real peril. Google has stated that the data is a Salesforce instance containing publicly available information. As such, our advice to businesses is to be cautious but don’t panic.”