Palo Alto Networks, Zscaler, Cloudflare hit by the latest data breach

When three prominent vendors, Palo Alto Networks, Zscaler, and Cloudflare, announced on Tuesday that they were hit by a cyber attack targeting Salesloft Drift, it was a stark reminder that in today’s interconnected enterprise environment, one vendor’s security hole can hurt users globally.

Palo Alto’s Tuesday statement said, “this supply chain attack impacted hundreds of organizations, including Palo Alto Networks” and that it had confirmed that the incident “was isolated to our CRM platform; no Palo Alto Networks products or services were impacted, and they remain secure and fully operational. The data involved includes mostly business contact information, internal sales account and basic case data related to our customers.”

However, one detail reported by Palo Alto showed that some end users will be hurt more than others, given their choice to place sensitive data in insecure notes fields within Salesforce.

“Most of the exfiltrated data was business contact information. However, a small number of customers who included sensitive information, such as credentials, in their recent case notes might also have had that data compromised,” said a Palo Alto spokesperson in an email to CSO, in response to a request for clarification.

“In the case of Zscaler and Palo Alto, because they sell solutions in the SASE space, their compromise can be particularly problematic since this may end up unfolding into a third-party or even fourth-party compromise,” said Flavio Villanustre, SVP and CISO for LexisNexis Risk Solutions. “Keep in mind that they are in the authentication loop for their customers’ secure access. Regarding most incidents affecting Salesforce deployments, they seem to be related to either compromised identities, stolen tokens and open endpoints, so these two may fall under that umbrella.”

Some customers may have more data exposed

Zscaler’s statement was similar and said, “this incident involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information.”

Zscaler specified the type of information potentially grabbed: names, email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing and commercial information and “plain text content from certain support cases. This does not include attachments, files [or] images.”

Palo Alto issued a separate statement that talked in more detail about the attack and recommended defenses.

“The threat actor performed mass exfiltration of sensitive data from various Salesforce objects, including Account, Contact, Case and Opportunity records. Following exfiltration, the actor appeared to be actively scanning the acquired data for credentials, likely with the intent to facilitate further attacks or expand their access,” the Palo Alto blog post said. “We have observed that the threat actor deleted queries to hide evidence of the jobs they run, likely as an anti-forensics technique.” It also stressed, “Palo Alto Networks highly recommends rotating credentials and following the [provided] guidance to validate authentication activity for Drift integrations.”

Defense suggestions

Palo Alto suggested that customers “conduct a thorough review of Salesforce login history, audit trails and API access logs for the period of August 8 to present. Specifically, examine Salesforce Event Monitoring logs, if enabled, for unusual activity associated with the Drift connection user and review authentication activity from the Drift Connected App. Look for suspicious login attempts, unusual data access patterns, and the indicators mentioned in the Hunting Guidance section, such as the Python/3.11 aiohttp/3.12.15 user agent string and activity from known threat actor IP addresses. Also, review UniqueQuery events that log executed Salesforce Object Query Language (SOQL) queries to identify which Salesforce objects e.g., Account, Contact, Opportunity, Case, etc. and which fields within those objects the attacker queried.”
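As an added illustration of the review Palo Alto describes (not code from Palo Alto, Salesforce or any of the vendors quoted here), the script below walks a small constructed set of Event Monitoring-style rows and flags, within the August 8 onward window, logins and UniqueQuery events that carry the quoted user agent or show the Drift connected app querying Account, Contact, Case or Opportunity. The column names, user names, IPs and timestamps are assumptions for this example, not the exact Salesforce EventLogFile schema.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample rows in a Salesforce Event Monitoring-style CSV layout.
# Column names, users, IPs and timestamps are assumptions for this example.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_NAME,CONNECTED_APP,SOURCE_IP,USER_AGENT,SOQL
Login,2025-08-09T02:14:10Z,drift.integration@example.com,Salesloft Drift,203.0.113.7,Python/3.11 aiohttp/3.12.15,
UniqueQuery,2025-08-09T02:15:02Z,drift.integration@example.com,Salesloft Drift,203.0.113.7,Python/3.11 aiohttp/3.12.15,SELECT Id FROM Case
UniqueQuery,2025-08-09T02:16:30Z,drift.integration@example.com,Salesloft Drift,203.0.113.7,Python/3.11 aiohttp/3.12.15,SELECT Description FROM Case
Login,2025-08-05T09:00:00Z,alice@example.com,,198.51.100.4,Mozilla/5.0,
UniqueQuery,2025-08-10T11:00:00Z,alice@example.com,,198.51.100.4,Mozilla/5.0,SELECT Name FROM Account
"""

# User agent quoted in the hunting guidance, and the objects the guidance names.
SUSPICIOUS_UA = "Python/3.11 aiohttp/3.12.15"
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
REVIEW_START = datetime(2025, 8, 8)  # "August 8 to present"; the year is assumed

def queried_object(soql):
    """Return the object named after FROM in a SOQL query, or None."""
    m = re.search(r"\bFROM\s+(\w+)", soql, re.IGNORECASE)
    return m.group(1) if m else None

def find_suspicious(log_text, review_start=REVIEW_START):
    """Flag rows inside the review window that match the hunting guidance."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        if ts < review_start:
            continue  # outside the period under review
        reasons = []
        if row["USER_AGENT"] == SUSPICIOUS_UA:
            reasons.append("known threat actor user agent")
        obj = queried_object(row["SOQL"]) if row["EVENT_TYPE"] == "UniqueQuery" else None
        if "Drift" in row["CONNECTED_APP"] and obj in SENSITIVE_OBJECTS:
            reasons.append(f"Drift app queried {obj}")
        if reasons:
            findings.append({"time": row["TIMESTAMP"], "user": row["USER_NAME"],
                             "ip": row["SOURCE_IP"], "object": obj, "reasons": reasons})
    return findings

def drift_objects_touched(findings):
    """Set of Salesforce objects queried in the flagged rows."""
    return {f["object"] for f in findings if f["object"]}

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

The set returned by drift_objects_touched tells you which objects, and from there which fields, to scope the customer notification and credential rotation to.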

The blog post from Cloudflare differed markedly from the posts by Palo Alto and Zscaler in that Cloudflare accepted some responsibility for the incident. They also stressed that the breach came from a third party, but Cloudflare took the blame for having enabled the services of that third party.

“We are responsible for the choice of tools we use in support of our business,” Cloudflare said. “This breach has let our customers down. For that, we sincerely apologize.”

Cloudflare also wrote about the leakage of data that they had never intended to be entered.

“Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel,” Cloudflare’s blog said.

Cory Michal, CSO at SaaS app security vendor AppOmni, applauded the way Cloudflare described its role.

“Cloudflare’s disclosure of the Salesloft/Drift incident stands out as an excellent example of transparency and accountability in cybersecurity reporting. Their blog not only provides clear technical detail, but also openly accepts responsibility for the risks posed by third party integrations,” Michal said. “By committing to strengthen their SaaS environments and toolchain security going forward, Cloudflare demonstrated both maturity and leadership in incident response, setting a high bar for how organizations should communicate, remediate, and reinforce trust in the aftermath of supply chain compromises.”

Revoking OAuth tokens

Erik Avakian, technical counselor at Info-Tech Research Group and former state CISO for the Commonwealth of Pennsylvania, recommended that users should “be periodically revoking unused OAuth tokens and refreshing them, and enforcing expiration where possible, all of which are practices in line with foundational zero trust principles.”

“This incident also highlights why this type of attack demonstrates the rise in SaaS risk. When we’re trusting third-party apps with direct API access, we’re really trusting them to safeguard our auth tokens as carefully as we would our passwords,” Avakian said. “But if we focus on and employ a zero trust mindset across our environment, we really should be treating third-party applications and SaaS like any other external network.”

Avakian also recommended “periodically revisiting third-party contracts to ensure the right level of security language is included in areas including breach notification, right to audit, data handling, and sub-processor transparency, the latter of which will help organizations ensure which subcontractors and sub-processors are part of the overall application landscape.”

Will Townsend, a VP/principal analyst for Moor Insights & Strategy, said this attack “begs the question: How was it compromised? It appears to be API level integrations that are difficult to monitor given the enormous number of calls. This incident could serve as a valuable learning moment given the expected interaction of thousands of agents within future agentic AI frameworks. Managing identity and access will become even more challenging in that regard, and I expect API security will keep pace to thwart future attacks.”

Paddy Harrington, a senior analyst with Forrester, described this incident as “just another OAuth token attack” and it shows “the dangers that are inherent with the interconnected software supply chain. Not to sound blasé about it, but this has happened enough over the years and shown that all it takes is a little misconfiguration and you’re breached.”

Hardest work just beginning

Harrington said the hardest work for CISOs is just beginning.

“Salesforce customers need to be combing through their customer records to not only see who was exposed, but what details could have gotten out,” Harrington said. “[Sales] reps may have stored multiple connection types such as secondary email, phone numbers, etc., for contacts so that could lead to a whole lot of phishing/smishing/vishing with those business contacts, impersonating someone from the Zscaler, Palo Alto, or the hundreds of others who got breached.”

Harrington also stressed that upcoming phishing attacks may be more effective than usual.

“The social engineering attacks will have more power behind them because it’s not random info they have against the target,” Harrington said. “They will have valid sales information from what was exported, so it’s going to be a lot harder to discern a scam from a valid call/message.”
