A threat group has committed a spate of data breaches of organizations' Salesforce instances by compromising OAuth tokens associated with the Salesloft Drift third-party application, Google has revealed. The activity appears to be unrelated to previous vishing attacks attributed to ShinyHunters that also led to breaches of the widely used CRM service across multiple companies.
A threat actor tracked by Google Threat Intelligence Group (GTIG) as UNC6395 carried out a "widespread data theft" campaign against Salesforce instances beginning as early as Aug. 8 and continuing through at least Aug. 18, GTIG researchers said via the Mandiant blog on Tuesday. The actor abused OAuth access and refresh tokens issued to the Salesloft Drift application, an AI-driven sales tool that automates communications, analysis, and engagement and that integrates with customers' Salesforce data.
UNC6395 "systematically exported large volumes of data from numerous corporate Salesforce instances" in order to harvest sensitive credentials stored within it, such as Amazon Web Services (AWS) access keys (identifiable by their AKIA prefix), passwords, and Snowflake-related access tokens, according to the blog post.
Once the data was exported, "the actor then searched through the data to look for secrets that could be potentially used to compromise victim environments," and then covered its tracks by deleting query jobs, according to GTIG.
While there is no evidence that logs were impacted, "organizations should still review relevant logs for evidence of data exposure," according to the post.
Remediation and Mitigation Guidance
The campaign is limited to Salesforce customers who connected the Salesloft Drift application to their Salesforce instance. Moreover, there is no evidence that the breaches directly impacted Google Cloud customers, though any of them that use Salesloft Drift "should review their Salesforce objects for any Google Cloud Platform service account keys," GTIG said.
"Organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps," according to GTIG.
To remediate the situation, Salesloft worked with Salesforce to revoke all active access and refresh tokens associated with the Drift application, according to GTIG. Salesforce also removed the Drift application from the Salesforce AppExchange "until further notice and pending further investigation," according to the post. GTIG, Salesforce, and Salesloft also have notified impacted organizations.
The GTIG report follows disclosures from several high-profile companies, including Adidas, Pandora, Allianz, Tiffany & Co., Dior, Louis Vuitton, Workday, and even Google itself, regarding breaches via a third-party platform, reportedly Salesforce, throughout July and August. The threat group ShinyHunters claimed responsibility for many of those attacks, and vishing attacks have been cited as the means of compromise.
News of these attacks followed a report by Google in June that a financially motivated threat group tracked as UNC6040 — which Google said claimed to be ShinyHunters — was impersonating IT support staff in vishing attacks to gain access to organizations' Salesforce environments. Earlier this month, Google disclosed that UNC6040 breached one of its Salesforce instances using these tactics.
While some of these Salesforce breaches fall within the same timeframe GTIG outlined in its findings, the means of compromise differ: UNC6040 relied on vishing to obtain access, whereas UNC6395 abused OAuth tokens issued to the Drift application. Google said the UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040.
"We've not seen any compelling evidence connecting them," a GTIG spokesperson tells Dark Reading.
Recommendations for Defenders
In addition to the guidance already mentioned, impacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine if the secrets were abused by UNC6395, according to Google.
Organizations also should investigate for compromise and scan for exposed secrets, the company said. They can do this by searching for the IP addresses and User-Agent strings provided by GTIG in an Indicators of Compromise section in the Mandiant blog post, as well as implement "a broader search for any activity originating from Tor exit nodes."
Other mitigation steps include the review of Salesforce Event Monitoring logs for unusual activity associated with the Drift connection user, authentication activity from the Drift Connected App, and UniqueQuery events that log executed SOQL queries.
Organizations can also open a Salesforce support case to obtain specific queries used by the threat actor and search Salesforce objects for potential secrets, according to Google. They also should rotate credentials by immediately revoking and rotating any discovered keys or secrets, resetting passwords, and configuring session timeout values in Session Settings to limit the lifespan of a compromised session.
Google also recommended hardening access controls by ensuring that applications have the minimum necessary permissions, enforcing IP restrictions on the connected app, and defining login IP ranges to allow access only from trusted networks.
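The two investigative steps above, searching Salesforce objects for embedded secrets and triaging Event Monitoring activity tied to the Drift connection user and the published indicators, can be scripted against an export. The following Python is an added example written for this article; it is not code from Google, Salesloft, Salesforce, or the Mandiant post. The AWS access key ID format (AKIA plus 16 upper-case alphanumerics) is documented; the password-assignment and Snowflake-hostname patterns, the record and event field names, the Drift user name, and the IOC values are all assumptions constructed here for illustration. The real IP addresses and User-Agent strings are in the Mandiant post's Indicators of Compromise section and should replace the placeholders.

```python
import re

# --- Part 1: scan exported Salesforce records for embedded secrets ------------------
# AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics (documented
# format). The other two patterns are assumptions used here for illustration: a generic
# "keyword = value" assignment for password/token/secret keywords, and a Snowflake account
# hostname as a hint that nearby text may carry a Snowflake credential.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|token|secret)\s*[:=]\s*(\S{8,})"),
    "snowflake_account": re.compile(
        r"(?i)\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.snowflakecomputing\.com\b"),
}


def redact(value):
    """Keep just enough of a match to locate it in the record, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_records(records, text_fields=("Subject", "Description", "Body")):
    """Return one finding per secret-looking string in the chosen free-text fields.

    `records` is a list of dicts shaped like a Salesforce object export (Id plus fields).
    """
    findings = []
    for rec in records:
        for field in text_fields:
            text = rec.get(field) or ""
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    hit = m.group(1) if m.groups() else m.group(0)
                    findings.append({"Id": rec.get("Id"), "field": field,
                                     "kind": kind, "sample": redact(hit)})
    return findings


# --- Part 2: triage Event Monitoring-style rows --------------------------------------
# Field names below are a constructed, simplified shape, not the exact Salesforce
# EventLogFile schema: one dict per event with user, source IP, User-Agent, rows returned
# and, for UniqueQuery-style rows, the executed SOQL text.
def triage_events(events, drift_user, ioc_ips=frozenset(), ioc_user_agents=frozenset(),
                  bulk_row_threshold=10_000):
    """Flag events that match a published IOC (any user) or, for the Drift connection
    user, bulk exports and SOQL that filters on credential-like strings."""
    suspicious = []
    for ev in events:
        reasons = []
        if ev.get("client_ip") in ioc_ips:
            reasons.append("source IP is on the IOC list")
        if ev.get("user_agent") in ioc_user_agents:
            reasons.append("User-Agent is on the IOC list")
        if ev.get("user") == drift_user:
            if ev.get("rows_processed", 0) >= bulk_row_threshold:
                reasons.append(f"Drift user bulk export: {ev['rows_processed']} rows")
            soql = (ev.get("soql") or "").lower()
            if any(k in soql for k in ("password", "token", "secret", "akia")):
                reasons.append("Drift user SOQL filters on credential-like strings")
        if reasons:
            suspicious.append({"timestamp": ev["timestamp"], "user": ev.get("user"),
                               "event_type": ev.get("event_type"), "reasons": reasons})
    return suspicious


# Constructed sample data (not real records, users, or indicators).
SAMPLE_RECORDS = [
    {"Id": "500000000000001", "Subject": "Deploy failed",
     "Description": "Pipeline error, creds attached: AKIAEXAMPLE000000001 "
                    "secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500000000000002", "Subject": "Snowflake access for reporting",
     "Description": "Temp creds until rotation: password: Winter2025!Rotate "
                    "account acme-prod.snowflakecomputing.com"},
    {"Id": "500000000000003", "Subject": "Invoice question",
     "Body": "Customer asked whether invoice 4471 was paid."},
]
DRIFT_USER = "drift.integration@example.com"   # assumed name of the Drift connection user
IOC_IPS = {"198.51.100.42"}                    # placeholder (TEST-NET-2), not a real IOC
IOC_USER_AGENTS = {"python-requests/2.32.3"}   # placeholder, not a real IOC
SAMPLE_EVENTS = [
    {"timestamp": "2025-08-09T02:14:00Z", "event_type": "API", "user": DRIFT_USER,
     "client_ip": "203.0.113.7", "user_agent": "Drift-Connector/1.0", "rows_processed": 250},
    {"timestamp": "2025-08-09T02:16:31Z", "event_type": "UniqueQuery", "user": DRIFT_USER,
     "client_ip": "198.51.100.42", "user_agent": "python-requests/2.32.3",
     "rows_processed": 48_000, "soql": "SELECT Id, Subject, Description FROM Case"},
    {"timestamp": "2025-08-09T02:20:05Z", "event_type": "UniqueQuery", "user": DRIFT_USER,
     "client_ip": "198.51.100.42", "user_agent": "python-requests/2.32.3",
     "rows_processed": 12, "soql": "SELECT Id FROM Case WHERE Description LIKE '%AKIA%'"},
    {"timestamp": "2025-08-09T03:00:00Z", "event_type": "API", "user": "sales.rep@example.com",
     "client_ip": "198.51.100.42", "user_agent": "python-requests/2.32.3",
     "rows_processed": 90_000},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print("SECRET", f)
    for e in triage_events(SAMPLE_EVENTS, DRIFT_USER, IOC_IPS, IOC_USER_AGENTS):
        print("EVENT ", e)
```

Findings are redacted on purpose: an investigation spreadsheet that copies live AWS keys or passwords out of Case records simply moves the exposure somewhere else. Every key the scanner surfaces should be treated as compromised and rotated regardless of whether the log triage shows it was queried, because the actor deleted query jobs and the export may have captured it anyway.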