Understanding Cyber Threats: The Tactics of UNC6040 and UNC6395


Alex Cipher

Two threat clusters tracked by Google Threat Intelligence Group, UNC6040 and UNC6395, have drawn attention for large-scale theft of data from corporate Salesforce instances. Public reporting describes two different routes into the same target. UNC6040 used telephone social engineering (vishing) to talk employees into authorizing a malicious connected app in their own tenant. UNC6395 used OAuth tokens stolen from a third-party integration, Salesloft Drift, to query victims' Salesforce APIs directly. In both cases the intruders walked through doors the tenant had opened for legitimate users and integrations rather than breaking the platform itself. Social engineering remains the dominant initial vector across the industry, and the widely repeated estimate that about 91% of attacks begin with a phishing message is consistent with what these campaigns show: the human authorization step is the weak point, so awareness and training matter.

Beyond phishing, these campaigns are frequently described as exploiting software vulnerabilities in Salesforce. That framing is wrong. Salesforce has stated that no platform vulnerability was involved, and the public analyses point to configuration and trust weaknesses instead: connected apps that any user could authorize, OAuth tokens with broad scopes and long lifetimes, and no IP restrictions on API access. The often-cited statistic that more than half of breaches involve unpatched software is a sound reason to patch, but it does not describe these intrusions. Pretexting does: UNC6040 callers posed as IT support and walked victims through the connected-app setup page themselves.

Reports of custom malware built for Salesforce environments also need qualification. UNC6040's tooling was a modified copy of Salesforce's own Data Loader, a legitimate bulk-export utility, registered as a connected app under an innocuous name; UNC6395 needed no malware at all, only stolen OAuth tokens and scripted SOQL queries issued through the API. Credential stuffing and long-dwell, low-and-slow exfiltration round out the picture of what a Salesforce tenant must defend against, and the sections below take each method in turn.

Methods of Attack

Phishing Techniques

Phishing in the broad sense, that is, persuading a legitimate user to hand over access, is the method that got UNC6040 into Salesforce tenants. Email spear-phishing, where highly targeted messages imitate colleagues or business partners, is the best-known form, and it remains effective: the widely quoted industry figure is that roughly 91% of attacks begin with a phishing message. In these campaigns, however, the documented channel was the telephone rather than the inbox.

In UNC6040's vishing calls, an attacker impersonating IT support telephoned an employee, typically in an English-speaking branch of a multinational, and guided them to Salesforce's connected-app setup page. There the victim entered a connection code that linked an attacker-controlled app, a modified Data Loader, to the company's tenant. No password was stolen and no exploit was needed; the user performed the authorization. Smishing (SMS phishing) follows the same logic over text messages, usually with a link to a credential-harvesting page or a request for a one-time code. Both channels exploit trust and urgency, which is why they bypass technical controls that are tuned to detect malicious email attachments.

Exploiting Integrations and Misconfigurations

Neither UNC6040 nor UNC6395 is known to have exploited a software vulnerability in Salesforce, and Salesforce has said that none was involved. What they exploited was the tenant's trust relationships: the ability of an ordinary user to authorize a new connected app, and the standing OAuth access granted to third-party integrations. Misconfiguration, not missing patches, was the weakness. The statistic that over 60% of breaches trace back to unpatched software is a reason to maintain patch hygiene elsewhere, but it should not be read as describing these intrusions.

UNC6395's campaign illustrates the integration risk. The group obtained OAuth access and refresh tokens belonging to the Salesloft Drift integration and used them, from its own infrastructure, to authenticate to customers' Salesforce instances and run bulk SOQL queries against objects such as Case, Account, User and Opportunity. Because the tokens were valid, the requests looked like the integration's normal API traffic; in some tenants the attackers also deleted their query jobs to reduce the audit trail. The exported support-case data was then searched for embedded secrets such as AWS access keys, passwords and Snowflake tokens, which turned one stolen integration token into a path toward further systems. Defenders should treat every connected app and its token scopes as an authentication boundary: restrict who may authorize apps, limit scopes, set IP ranges and session policies on API access, and revoke tokens for any integration whose vendor reports a compromise.

Social Engineering Tactics

Social engineering manipulates people rather than software into granting access or revealing confidential information. In the UNC6040 campaign it was the whole attack, not a supporting step. The classic tactics are pretexting, baiting and tailgating, and only the first is documented for these clusters.

Pretexting means inventing a plausible scenario to justify the request. UNC6040's callers posed as IT personnel resolving a ticket or performing maintenance and, under that cover, had the employee authorize an attacker-controlled connected app; in some cases they also harvested credentials and MFA codes through look-alike login pages during the call. Baiting offers something enticing, such as free software or a gift card, in exchange for information or an installation. Tailgating, or piggybacking, means following authorized staff into a secure area to reach systems physically; it is a general risk to remember, but no physical access was reported in these campaigns.

Surveys routinely report high success rates for social engineering, with some putting it near 70% of attempts, and the figure's exact source matters less than the lesson: a caller who can get a user to click "Allow" on an OAuth consent screen does not need to defeat any technical control.

Use of Malware and Modified Legitimate Tools

Traditional malware such as ransomware, spyware and keyloggers is a standard part of the criminal toolkit, and the categories are worth knowing: ransomware encrypts data and demands payment for the keys, while spyware and keyloggers monitor activity and capture credentials. None of these is documented in the public reporting on UNC6040 or UNC6395, whose extortion was based on the threat of leaking stolen data rather than on encryption.

What UNC6040 did use was a modified version of Salesforce's own Data Loader, presented to the victim as a connected app with an innocuous name (reporting mentions names such as "My Ticket Portal"). Because Data Loader is a legitimate, widely used bulk-export tool, its API traffic blends in with normal administration, which is why defenders should audit which connected apps exist, who authorized them and how many records they pull rather than rely on antivirus signatures. UNC6395 used no implant at all; its "tooling" was stolen OAuth tokens plus scripted queries run from infrastructure that included Tor exit nodes and commodity hosting. Both cases show that data theft from a SaaS platform rarely needs malware on an endpoint.

Credential Stuffing Attacks

Credential stuffing uses username and password pairs leaked in earlier breaches to log in to unrelated services, relying on the fact that many people reuse passwords. Attackers feed large credential lists through automated tools against login portals, and any Salesforce tenant that still permits password-only login is a target. Surveys commonly find that around two thirds of users reuse passwords, which is what makes the technique pay off at scale.

It is worth noting that neither documented campaign needed stolen passwords: UNC6040's victims authorized the attacker's app themselves, and UNC6395 held valid OAuth tokens. Credential stuffing is nonetheless the most likely follow-on if the harvested credentials from a vishing call are reused elsewhere, and once any login succeeds the attacker can exfiltrate data, alter records or pivot further. Enforcing single sign-on with MFA, restricting login IP ranges and alerting on bursts of failed logins from one source address are the standard countermeasures.
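The two login-side signals discussed above, a credential spray (one source address, many usernames, mostly failures) and a bulk-export client such as Data Loader appearing for a user from an address that user has never logged in from, can both be read out of Salesforce's LoginHistory object. The following is an added example, not code from the article or from Salesforce: the rows are constructed, the column names follow LoginHistory (Username, LoginTime, SourceIp, Status, Application), and the Application strings and thresholds are assumptions to tune for your own tenant.

```python
"""Two detections over Salesforce LoginHistory-style records.

Added example, not code from the article or from Salesforce. The rows are
CONSTRUCTED. Column names follow the LoginHistory object (Username, LoginTime,
SourceIp, Status, Application); the Application values and all thresholds are
assumptions to tune against your own tenant.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

SAMPLE_LOGINS = """\
Username,LoginTime,SourceIp,Status,Application
grace@example.com,2025-05-20T10:00:00Z,198.51.100.9,Success,Browser
alice@example.com,2025-06-01T09:15:00Z,198.51.100.7,Success,Browser
alice@example.com,2025-06-02T08:01:10Z,203.0.113.10,Success,Browser
bob@example.com,2025-06-02T08:02:44Z,203.0.113.10,Invalid Password,Browser
carol@example.com,2025-06-02T08:02:51Z,203.0.113.10,Invalid Password,Browser
dave@example.com,2025-06-02T08:03:05Z,203.0.113.10,Invalid Password,Browser
erin@example.com,2025-06-02T08:03:12Z,203.0.113.10,Invalid Password,Browser
frank@example.com,2025-06-02T08:03:20Z,203.0.113.10,Success,Browser
grace@example.com,2025-06-02T10:00:00Z,198.51.100.9,Success,Dataloader Bulk
alice@example.com,2025-06-02T14:22:30Z,192.0.2.55,Success,Dataloader Bulk
"""

BULK_CLIENT_MARKERS = ("dataloader", "bulk")  # assumption: substrings naming bulk-export clients


def parse_logins(text):
    """Parse CSV text into dicts sorted chronologically."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["LoginTime"] = datetime.strptime(r["LoginTime"], "%Y-%m-%dT%H:%M:%SZ")
    rows.sort(key=lambda r: r["LoginTime"])
    return rows


def credential_stuffing_ips(rows, min_users=5, min_failure_ratio=0.5):
    """Source IPs that tried many distinct usernames with mostly failures.

    Returns {ip: {"attempts", "distinct_users", "failures", "successes"}} so the
    analyst can see which accounts the spray actually got into.
    """
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["SourceIp"]].append(r)
    flagged = {}
    for ip, attempts in by_ip.items():
        users = {a["Username"] for a in attempts}
        failures = sum(1 for a in attempts if a["Status"] != "Success")
        if len(users) >= min_users and failures / len(attempts) >= min_failure_ratio:
            flagged[ip] = {
                "attempts": len(attempts),
                "distinct_users": len(users),
                "failures": failures,
                "successes": sorted(a["Username"] for a in attempts if a["Status"] == "Success"),
            }
    return flagged


def is_bulk_client(application):
    app = application.lower()
    return any(marker in app for marker in BULK_CLIENT_MARKERS)


def new_bulk_client_logins(rows):
    """Successful bulk-client logins from an IP the user has never logged in from.

    Walks the rows in time order, so "never seen" means "not before this login".
    Returns a list of (username, source_ip, application).
    """
    seen_ips = defaultdict(set)
    flagged = []
    for r in rows:
        if r["Status"] != "Success":
            continue
        user, ip = r["Username"], r["SourceIp"]
        if is_bulk_client(r["Application"]) and ip not in seen_ips[user]:
            flagged.append((user, ip, r["Application"]))
        seen_ips[user].add(ip)
    return flagged


def run_detections(text=SAMPLE_LOGINS):
    rows = parse_logins(text)
    return {
        "credential_stuffing": credential_stuffing_ips(rows),
        "new_bulk_client_logins": new_bulk_client_logins(rows),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

On the constructed data the spray from 203.0.113.10 is flagged with two successful accounts, and alice's Data Loader session from 192.0.2.55 is flagged while grace's is not, because grace had already used that address. In production, seed the per-user IP history from several weeks of LoginHistory before judging the current day, or every first login of the period will look new.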

Advanced Persistent Threats (APTs)

Advanced Persistent Threat (APT) usually denotes a well-resourced, often state-linked actor that maintains long-term covert access. The label fits UNC6040 poorly: it is a financially motivated extortion crew, and victims have received demands months after the initial data theft, sometimes from parties claiming affiliation with ShinyHunters. What the campaigns do share with APT tradecraft is patience and stealth, combining several vectors (vishing, abuse of legitimate tooling, stolen integration tokens) and working quietly inside the tenant rather than causing visible disruption.

UNC6395 is the clearer case of the low-and-slow pattern. Over roughly ten days in August 2025 it pulled large volumes of data through API calls that were indistinguishable from the integration's ordinary activity, and it deleted its query jobs afterwards to thin the audit trail. Industry figures attributing a sizeable share of breaches to such long-dwell intrusions vary, but the defensive lesson does not: baseline each connected app's API volume and alert on both single-hour bursts and gradual accumulation that never trips a per-request threshold.
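The "gradual exfiltration" point above needs two detectors, not one: a burst rule catches a single large pull, while a rolling-window rule catches a client that stays under the burst threshold every hour but drains the object over a week. Below is an added example, not code from the article or from Salesforce, that does both over constructed API activity. The column names are modelled on Salesforce's EventLogFile API event type (TIMESTAMP, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED), the client names are hypothetical, and the thresholds are tuning assumptions.

```python
"""Burst and low-and-slow exfiltration detection over Salesforce API activity.

Added example (not from the article or from Salesforce). Events are CONSTRUCTED
and column names are modelled on the EventLogFile 'API' event type (TIMESTAMP,
CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED); thresholds are tuning assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_ROWS_PER_HOUR = 50_000     # assumption: one hour above this is a bulk pull
SLOW_ROWS_PER_7_DAYS = 50_000    # assumption: this much in any rolling week is exfil
WINDOW = timedelta(days=7)


def _ev(ts, client, entity, rows):
    return {"TIMESTAMP": ts, "CLIENT_NAME": client, "ENTITY_NAME": entity, "ROWS_PROCESSED": rows}


def build_sample_events():
    """Constructed API events for three connected apps (hypothetical names)."""
    base = datetime(2025, 8, 8, 2, 0)
    events = []
    for day in range(8):  # 'chatbot-sync': 9,000 Case rows a night, never a burst
        events.append(_ev(base + timedelta(days=day), "chatbot-sync", "Case", 9_000))
    for day in range(8):  # 'nightly-report': small, benign volume
        events.append(_ev(base + timedelta(days=day, hours=1), "nightly-report", "Account", 2_000))
    # 'bulk-export-app': one 250,000-row pull of Case inside a single hour
    events.append(_ev(base + timedelta(days=3, hours=12), "bulk-export-app", "Case", 250_000))
    return events


def hourly_rows(events):
    """Sum ROWS_PROCESSED per (client, hour bucket)."""
    buckets = defaultdict(int)
    for e in events:
        hour = e["TIMESTAMP"].replace(minute=0, second=0, microsecond=0)
        buckets[(e["CLIENT_NAME"], hour)] += e["ROWS_PROCESSED"]
    return buckets


def detect_bursts(events, threshold=BURST_ROWS_PER_HOUR):
    """Clients with any single hour above threshold -> {client: worst_hourly_rows}."""
    worst = {}
    for (client, _hour), rows in hourly_rows(events).items():
        if rows > threshold:
            worst[client] = max(rows, worst.get(client, 0))
    return worst


def detect_slow_exfil(events, threshold=SLOW_ROWS_PER_7_DAYS, burst_threshold=BURST_ROWS_PER_HOUR):
    """Clients that never burst but whose rolling 7-day total crosses threshold.

    Returns {client: peak_rolling_total}. Clients already caught by detect_bursts
    are excluded so the two detectors partition the findings.
    """
    bursty = detect_bursts(events, burst_threshold)
    per_client = defaultdict(list)
    for e in events:
        if e["CLIENT_NAME"] not in bursty:
            per_client[e["CLIENT_NAME"]].append(e)
    flagged = {}
    for client, evs in per_client.items():
        evs.sort(key=lambda e: e["TIMESTAMP"])
        for i, anchor in enumerate(evs):
            # total of everything in the window ending at this event
            start = anchor["TIMESTAMP"] - WINDOW
            total = sum(e["ROWS_PROCESSED"] for e in evs[: i + 1] if e["TIMESTAMP"] > start)
            if total > threshold:
                flagged[client] = max(total, flagged.get(client, 0))
    return flagged


if __name__ == "__main__":
    sample = build_sample_events()
    print("bursts:", detect_bursts(sample))
    print("low-and-slow:", detect_slow_exfil(sample))
```

On the constructed events the 250,000-row hour is a burst, the chatbot's 9,000 rows a night never exceeds the hourly threshold but reaches 63,000 in a rolling week and is flagged as low-and-slow, and the small nightly report is left alone. Real deployments should replace the fixed thresholds with each client's own historical baseline and weight sensitive objects such as Case higher, since that is where the secrets these groups hunted for tend to sit.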

In summary, the methods attributed to UNC6040 and UNC6395 are less about technical exploits than about abusing trust: a persuasive phone call, a legitimate bulk tool wearing a new name, and a partner integration's tokens. Organizations must pair user training with controls on who can authorize connected apps, what scopes and IP ranges those apps get, and how much data any one client is allowed to pull before someone is paged.

Final Thoughts

The UNC6040 and UNC6395 campaigns show how SaaS data theft has evolved: no exploit, no implant, just a user or an integration persuaded or compromised into opening the door. Their combination of social engineering with legitimate tooling makes them hard to detect with perimeter defenses alone. A layered approach is required, combining identity controls (SSO, MFA, connected-app allow-listing, IP restrictions), monitoring of login and API behavior, and employees who know that IT will never telephone to ask them to approve an app.

The contest with these groups is ongoing, and understanding their actual methods, rather than generic threat categories, is what lets an organization configure its Salesforce tenant and its detections to stop the next campaign early.
