Stellantis, one of the world’s largest automakers, confirmed that it was hit by a data breach, but the company says the breach was limited to customer contact information.
The Stellantis announcement appears much less damaging in scope.
Stellantis said in a September 21 statement that it “recently detected unauthorized access to a third-party service provider’s platform that supports our North American customer service operations.”
The automaker didn’t name the third-party platform, but the threat group ShinyHunters has apparently claimed credit for the attack, saying they accessed data from the company’s Salesforce instance. ShinyHunters has also been connected to other recent Salesloft and Salesforce attacks.
Stellantis Says No Financial Data Accessed in Attack
Stellantis said that after discovering the cyberattack, “we immediately activated our incident response protocols, initiated a comprehensive investigation, and took prompt action to contain and mitigate the situation. We are also notifying the appropriate authorities and directly informing affected customers.”
The company said the personal data compromised “was limited to contact information. Importantly, the affected platform does not store financial or sensitive personal information, and none was accessed.”
Stellantis, whose brands include Alfa Romeo, Chrysler, Citroen, Dodge, Fiat, Jeep, Maserati, Opel and Peugeot, among other brands, is the fifth-largest automaker by sales volume.
The company urged its customers to be wary of potential phishing attempts and to avoid “clicking on suspicious links or sharing personal information in response to unexpected emails, texts, or calls.” Customers should verify communications by contacting Stellantis through official channels.
FBI Warns About Salesforce Attack Campaigns
A recent FBI advisory warned about UNC6040 and UNC6395, the threat groups allegedly behind recent Salesforce and Salesloft breaches. The FBI advisory also noted a connection between UNC6040 and ShinyHunters.
“Some UNC6040 victims have subsequently received extortion emails allegedly from the ShinyHunters group, demanding payment in cryptocurrency to avoid publication of exfiltrated data,” the FBI said. “These extortion demands have varied in time following UNC6040 threat actors’ access and data exfiltration, ranging from a period of days to months.”
Three months after French authorities claimed to arrest prominent BreachForums member IntelBroker and members of the ShinyHunters collective, the group appears to be going strong.
The FBI advisory includes IP addresses, URLs and other indicators of compromise (IoCs) for the Salesforce attack campaigns.
The advisory includes a number of defensive measures to help protect against attacks by the groups, including:
- Training call center employees to recognize and report phishing attempts.
- Requiring phishing-resistant multi-factor authentication (MFA) “for as many services as possible.”
- Applying the principle of Least Privilege and implementing authentication, authorization, and accounting (AAA) systems to limit actions users can perform.
- Enforcing IP-based access restrictions and monitoring API usage for malicious behavior.
- Monitoring network logs and browser activity for anomalous activity and signs of data exfiltration.
- Reviewing all third-party integrations to third-party software instances, and rotating API keys, credentials, and authentication tokens.
