700+ Companies Caught By Salesforce Breach – Including Security Giants Palo Alto & Zscaler

Published on Sep 3, 2025
Written by Joel Witts
Technical Review by Laura Iannini

Hundreds of technology vendors have been impacted by a widespread supply chain attack exploiting an integration between Salesforce and Salesloft Drift, an AI chatbot app.

The attackers aimed to exfiltrate data from customers’ Salesforce instances, including credentials such as AWS access keys, passwords, and Snowflake-related access tokens.

Austin Larsen, a principal threat analyst at Google, told Cybersecurity Dive they believed over 700 organizations could potentially have been impacted by the breach.

Several of the companies affected, including Palo Alto Networks and Zscaler, have stressed the attacks did not impact any internal networks or products. 

Zooming In

On August 26, Salesloft, a revenue optimization provider, issued a notification that a threat actor had been able to exploit a security issue in an integration between their Drift chatbot app and Salesforce.

https://twitter.com/IntCyberDigest/status/1963298435714416919

Salesloft has over 5,000 customers including well-known names like Citrix, Shopify, 3M, IBM, and Stripe.

Initially the breach was believed to be limited to just the Drift-Salesforce interaction – but in an advisory, Google’s Threat Intelligence Group said “The scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”

Salesloft say they took immediate action to proactively revoke all active access and refresh tokens for the Drift application. All impacted customers were notified and told to re-authenticate their Salesforce connection.

They also said they are working in collaboration with Salesforce and Google’s Mandiant threat researchers to provide all customers with detailed information regarding attacker actions in their respective environments.

The Methodology

Earlier this week, Google’s Threat Intelligence Group published a detailed advisory outlining how the attack played out, and who is behind it. 

The threat actors were able to breach corporate Salesforce instances by compromising OAuth tokens associated with the Salesloft Drift third-party application. 

It’s unclear precisely how this worked technically, but once in the system, the attacker was able to export large volumes of data from Salesforce. 

Once the data had been exported, the attacker used a Python script to hunt through it for sensitive credentials such as AWS access keys (which start with the prefix AKIA), passwords, and Snowflake-related access tokens.

To cover their tracks, the attacker deleted the query jobs they had created. However, Google says the logs themselves were not impacted, so organizations should review the relevant logs for evidence of data exposure.
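As an added example (not code from the article, Google, Salesloft or Salesforce), the two defender-side checks the previous paragraphs imply: scan your own exported records for the credential types the attacker hunted, so that anything found can be rotated, and correlate query-job creation and deletion events in your logs so that a job that was exported and then deleted still shows up. The record fields, the event schema, the Snowflake-token and password patterns, the connected-app name and all sample data are constructed assumptions for this example; only the AKIA prefix and the AWS documentation placeholder key are real formats.

```python
import re
from datetime import datetime

# --- 1. Find credentials stored in CRM text fields -------------------------
# The AKIA prefix is the documented format of AWS long-term access key IDs.
# The Snowflake-token and password patterns are heuristics chosen for this
# example, not a vendor-defined format, so treat hits as leads to verify.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_token": re.compile(
        r"\bsnowflake[_-]?(?:token|pat)\s*[:=]\s*([A-Za-z0-9_\-]{20,})", re.I),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.I),
}


def mask(secret):
    """Keep just enough of the value to recognise it in a rotation ticket."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 10 else "***"


def find_secrets(records):
    """Scan every string field of each record; return one finding per match."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(value):
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append({"record": rec["id"], "field": field,
                                     "kind": kind, "hint": mask(secret)})
    return findings


# --- 2. Review query-job logs for jobs that were created and then deleted ---
# Constructed event rows (assumed schema, not Salesforce's real log format):
# one row per Bulk query-job event, attributed to the connected app and user.
def deleted_query_jobs(events, app_name):
    """Return query jobs created by app_name that were later deleted."""
    jobs = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "QueryJobCreated":
            jobs[e["job_id"]] = dict(e)
        elif e["event"] == "QueryJobDeleted" and e["job_id"] in jobs:
            jobs[e["job_id"]]["deleted_ts"] = e["ts"]
    flagged = []
    for job in jobs.values():
        if job["app"] != app_name or "deleted_ts" not in job:
            continue
        created = datetime.fromisoformat(job["ts"])
        deleted = datetime.fromisoformat(job["deleted_ts"])
        flagged.append({"job_id": job["job_id"], "object": job["object"],
                        "rows": job["rows"], "user": job["user"],
                        "lifetime_seconds": int((deleted - created).total_seconds())})
    return flagged


# Constructed sample data. AKIAIOSFODNN7EXAMPLE is the placeholder key ID
# used in AWS documentation; every other value here is invented.
SAMPLE_RECORDS = [
    {"id": "500A", "subject": "Onboarding",
     "description": "Customer pasted their creds: AKIAIOSFODNN7EXAMPLE password=Tr0ub4dor&3"},
    {"id": "500B", "subject": "Renewal call", "description": "Discussed pricing only."},
    {"id": "500C", "subject": "Data pipeline",
     "description": "snowflake_token: ABCDEFGHIJKLMNOPQRSTUVWXYZ123456"},
]

SAMPLE_EVENTS = [
    {"ts": "2025-08-09T03:12:05", "app": "Salesloft Drift", "user": "drift-integration@example.com",
     "event": "QueryJobCreated", "job_id": "750A", "object": "Case", "rows": 182340},
    {"ts": "2025-08-09T03:14:40", "app": "Salesloft Drift", "user": "drift-integration@example.com",
     "event": "QueryJobDeleted", "job_id": "750A"},
    {"ts": "2025-08-09T09:30:00", "app": "Internal BI", "user": "analyst@example.com",
     "event": "QueryJobCreated", "job_id": "750B", "object": "Opportunity", "rows": 5210},
    {"ts": "2025-08-09T03:20:11", "app": "Salesloft Drift", "user": "drift-integration@example.com",
     "event": "QueryJobCreated", "job_id": "750C", "object": "Account", "rows": 40112},
]

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_RECORDS):
        print(f"rotate: {f['kind']} in record {f['record']}.{f['field']} ({f['hint']})")
    for j in deleted_query_jobs(SAMPLE_EVENTS, "Salesloft Drift"):
        print(f"deleted job {j['job_id']}: {j['rows']} {j['object']} rows exported, "
              f"deleted after {j['lifetime_seconds']}s by {j['user']}")
```

The secret scan only reports a masked hint, because the point of the output is a rotation list, not another copy of the credential. The job review deliberately keys on the creation event rather than the deletion, so a job that still exists (750C above) is not flagged by this function but is still present in `jobs` if you want to list every export the app performed.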

Google has linked the attack to the APT (Advanced Persistent Threat) group UNC6395. 

Who was affected?

Since the initial news broke, several well-known brands including popular security vendors have confirmed they have been impacted. 

In an advisory, Zscaler wrote: “Zscaler was made aware of a campaign targeted at Salesloft Drift (marketing software-as-a-service) and impacting a large number of Salesforce customers. … The scope of the incident is confined to Salesforce and does not involve access to any of Zscaler’s products, services or underlying systems and infrastructure.”

Similarly, Palo Alto Networks confirmed they had been impacted. In a statement they wrote: “Our investigation confirms the incident was isolated to our CRM platform; no Palo Alto Networks products or services were impacted, and they remain secure and fully operational. The data involved includes mostly business contact information, internal sales account and basic case data related to our customers.”

Charles Carmakal, Google Mandiant’s CTO, said in a post on LinkedIn that Mandiant were “aware of hundreds of organizations impacted by the threat campaign.” 

This incident is entirely separate from another recent spate of Salesforce instance compromises linked to the threat actor group known as “Scattered Spider/Shiny Hunters”.

This gang (or possibly several gangs) is known for using voice phishing campaigns to target Salesforce instances for widespread data theft and extortion.

Those campaigns affected several well-known brands, including Google, Cisco, Adidas, and Louis Vuitton.
