A threat actor managed to obtain Salesforce OAuth tokens from a third-party integration called Salesloft Drift and used the tokens to download large volumes of data from impacted Salesforce instances. One of the attacker’s goals was to find and extract additional credentials stored in Salesforce records that could expand their access.
“After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments,” the Google Threat Intelligence Group (GTIG) said in an advisory. “GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.”
Salesloft, a company that operates a sales engagement and revenue orchestration platform, has already identified and notified impacted customers who linked their Salesforce instances with the Salesloft Drift AI-powered live chat tool. While those users already had their Salesforce authentication tokens invalidated, they should immediately launch internal investigations to determine what other credentials stored in their Salesforce instances might have been compromised and if other external assets have been accessed as a result.
SaaS-to-SaaS integrations are a security blind spot
OAuth provides an easy way for applications to authenticate to each other, and many platforms take advantage of this mechanism to integrate with other services. However, such integrations extend the attack surface, becoming an additional potential point of entry.
Salesloft detected the unauthorized activity on its Drift platform on August 20, but the abuse of OAuth tokens to access Salesforce data happened between August 8 and 18. Google’s Mandiant incident response team noted that the threat actor, which it tracks as UNC6395, exported large volumes of data from “numerous corporate Salesforce instances.”
Salesforce noted that the unauthorized access was not caused by any vulnerability in its own platform and has removed Salesloft Drift from its AppExchange pending further investigation, in addition to invalidating the impacted access tokens.
The attackers executed SOQL queries to retrieve information associated with Salesforce objects such as Cases, Accounts, Users, and Opportunities and to extract data from them, after which they deleted the query jobs. However, the logs were not impacted so organizations can review their logs to determine what queries were executed and what data attackers stole.
What Salesloft Drift users should do next
The GTIG report and the Salesloft advisories include indicators of compromise such as IP addresses used by the attackers and User-Agent strings for the tools they used to access the data. Mandiant advises companies to also search logs for any activity from known Tor exit nodes in addition to the IP addresses listed in the IOCs and to open a Salesforce support ticket to receive a full list of queries executed by the attackers.
Organizations should search their own Salesforce objects for any stored credentials and should rotate those, especially those containing the terms AKIA (AWS), Snowflake, password, secret and key. Strings related to organizational login URLs, including VPN and SSO pages, should also be searched. An open-source tool called TruffleHog can also be used to search data for hardcoded secrets and credentials.
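As an added illustration of the search described above (not code from the advisories or from TruffleHog), the following scans a parsed Salesforce export for the terms the article lists; the regexes, the field names and the sample Case records are this example's own assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Search terms the article recommends (AKIA, Snowflake, password, secret, key,
# VPN/SSO login URLs) turned into regexes. The exact patterns are this example's
# assumption, not something the GTIG or Salesloft advisories specify.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake": re.compile(r"snowflake", re.IGNORECASE),
    "password": re.compile(r"\bpass(word|wd)?\b\s*[:=]", re.IGNORECASE),
    "secret": re.compile(r"\bsecret\b", re.IGNORECASE),
    "key": re.compile(r"\b(api|private|access)[_ -]?key\b", re.IGNORECASE),
    "login_url": re.compile(r"https?://[^\s\"']*(vpn|sso|login)[^\s\"']*", re.IGNORECASE),
}

# Free-text fields that typically end up holding pasted credentials (assumed set).
TEXT_FIELDS = ("Subject", "Description", "Comments")


def scan_records(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (record Id, field, pattern name) for each hit in a parsed CSV/Bulk API export."""
    hits: List[Tuple[str, str, str]] = []
    for rec in records:
        for field in TEXT_FIELDS:
            value = rec.get(field) or ""
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(value):
                    hits.append((rec["Id"], field, name))
    return hits


def records_needing_rotation(records: List[Dict[str, str]]) -> Set[str]:
    """Ids of records whose stored secrets should be rotated and owners notified."""
    return {rec_id for rec_id, _, _ in scan_records(records)}


# Constructed sample export of three Case records; Ids and values are placeholders.
SAMPLE_CASES = [
    {"Id": "500A", "Subject": "ETL sync failing",
     "Description": "Customer pasted config: aws_access_key_id=AKIAEXAMPLEKEY123456 password=hunter2"},
    {"Id": "500B", "Subject": "Data share access",
     "Description": "Snowflake reader needs SSO via https://sso.example.com/login",
     "Comments": "client secret rotated last week"},
    {"Id": "500C", "Subject": "Invoice printing",
     "Description": "Customer cannot print invoices from the portal."},
]

if __name__ == "__main__":
    for rec_id, field, name in scan_records(SAMPLE_CASES):
        print(f"{rec_id}.{field}: {name}")
```

Every hit is a record to review, and every matched value should be treated as exposed and rotated rather than merely deleted from the record.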
“We regularly see the compromise and abuse of OAuth2 tokens and SaaS-to-SaaS integrations,” Cory Michal, CSO of AppOmni, told CSO. “They’ve long been a known blind spot in most enterprise security programs. What did surprise me was the sheer scale and the methodical discipline the attackers demonstrated. This wasn’t opportunistic, it looked highly coordinated, with a level of planning and execution that suggests a state-sponsored adversary pursuing a broader mission.”
BleepingComputer reports that a representative of the extortion group ShinyHunters claimed they are behind the attack. ShinyHunters has been operating for a number of years, being responsible for reported breaches at AT&T, Ticketmaster and other organizations. The group has targeted Snowflake and AWS accounts before, as well as Salesforce accounts recently in a vishing campaign involving fake IT support calls.