An extortion group has published a new leak site containing the data of 39 well-known brands, including Disney/Hulu, Google, Cisco, McDonald’s, FedEx, Chanel, and IKEA. They are demanding that Salesforce pay a ransom to protect these companies’ data.
The actors behind the site claim to be part of the Scattered Spider and ShinyHunters groups, and the leaked data was allegedly stolen during the wave of Salesforce breaches that took place over the summer, for which the groups claimed responsibility.
In these attacks, the financially motivated threat actors used voice phishing (“Vishing”) techniques to manipulate employees of Salesforce customers into connecting their company’s Salesforce instance to a malicious OAuth application. Once connected, the attackers could allegedly access and steal company data, which they then used as leverage in extortion attempts.
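Because the initial access in these attacks was a user-authorized OAuth connected app rather than an exploit, a defender's first check is to review which apps hold grants in the org. The helper below is an added example written for this article, not code from Salesforce or the reporting; the record field names (AppName, UserId, CreatedDate, LastUsedDate, UseCount) are modelled on Salesforce's OauthToken object but are an assumption here, and the input is a constructed sample rather than a live API response.

```python
"""Flag OAuth connected-app grants in a Salesforce org that are not on an
approved allowlist, or that were authorized recently and immediately began
heavy API use (the pattern a vishing-driven rogue app would show).
Hypothetical helper; field names assumed to mirror Salesforce's OauthToken."""
from datetime import datetime, timedelta, timezone

# Constructed sample of connected-app grants, one record per user/app pair.
SAMPLE_GRANTS = [
    {"AppName": "Salesforce for Outlook", "UserId": "005AA1",
     "CreatedDate": "2025-02-10T09:00:00Z",
     "LastUsedDate": "2025-09-30T12:00:00Z", "UseCount": 812},
    {"AppName": "Data Loader", "UserId": "005AA2",
     "CreatedDate": "2025-01-05T08:00:00Z",
     "LastUsedDate": "2025-09-29T10:00:00Z", "UseCount": 340},
    {"AppName": "Bulk Export Tool", "UserId": "005AA3",  # constructed rogue grant
     "CreatedDate": "2025-09-28T15:42:00Z",
     "LastUsedDate": "2025-09-29T03:10:00Z", "UseCount": 2150},
]

# Apps the org has deliberately approved (constructed allowlist).
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_grants(grants, approved, as_of, lookback_days=30, bulk_threshold=1000):
    """Return a finding per grant that is unapproved or recently-authorized-and-busy.

    as_of: ISO timestamp marking 'now' for the review, so results are reproducible.
    """
    now = parse_ts(as_of)
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for g in grants:
        reasons = []
        if g["AppName"] not in approved:
            reasons.append("app not on approved list")
        # A grant created inside the lookback window that already shows bulk
        # API activity deserves a human look even if the name seems familiar.
        if parse_ts(g["CreatedDate"]) >= cutoff and g["UseCount"] >= bulk_threshold:
            reasons.append(f"{g['UseCount']} API uses within {lookback_days} days of authorization")
        if reasons:
            findings.append({"AppName": g["AppName"], "UserId": g["UserId"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, APPROVED_APPS, "2025-10-01T00:00:00Z"):
        print(f)
```

Any flagged grant should be revoked and the authorizing user contacted, since the grant itself is the attacker's access path in this campaign.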
Each data entry includes samples of data that the group claims to have stolen from their victims’ Salesforce instances, amounting to approximately 1 billion records containing personal information. The threat actors have demanded that the victims get in touch with them to prevent “public disclosure” of the data before October 10th.
“We highly advise you proceed into the right decision, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always,” they posted on the leak site.
The actors are also attempting to extort Salesforce itself, promising not to leak the victims’ data if the company pays a ransom, and threatening to help law firms pursue legal action against Salesforce for failing to protect its customers’ data in line with GDPR requirements.
“Should you comply, we will withdraw from any active or pending negotiation individually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay.”
In response to the launch of the leak site, Salesforce released the following statement:
“We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.
“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
The company also encouraged its customers to follow best practices to protect against social engineering attempts, and to reach out through the Salesforce Help portal for more support if needed.
A Short-Lived Retirement
The launch of the leak site comes shortly after the ShinyHunters group claimed responsibility for a large-scale ransomware attack on auto giant Stellantis, and Scattered Spider claimed responsibility for the attack on Jaguar Land Rover, which caused the car manufacturer to cease operations for almost one month.
According to a post on breachforums[.]hn last month by the Scattered Lapsus$ Hunters collective, the two groups had planned to shut down operations, but with the attacks continuing and the launch of the new leak site, it seems that retirement was short-lived.
The Big Picture
The key takeaway from these attacks is the importance of securing the supply chain.
“Typically, when we think about a third party, we think of them as a trusted party and we give them access to sensitive assets or data, or share this data with them,” CyberGRX CISO Dave Stapleton told Expert Insights. “We depend on them for significant services that are critical to the mission of our organization.
“And that means that compromising a third party can provide a threat actor with privileged access that would otherwise require significant effort to gain if they were to go directly for their primary target.”
To protect against supply chain attacks, also sometimes referred to as “island hopping” attacks, organizations should:
- Create an up-to-date software asset inventory.
- Identify and remediate shadow IT infrastructure.
- Continuously assess their vendors’ security posture.
- Implement a strong Endpoint Detection and Response (EDR) tool to prevent attacks spreading from third-party software to the endpoint itself, and then to other areas of the network.