
Data Theft Operation Targets Salesforce Through Salesloft Software

Salesforce users are being alerted to a fresh identity theft tactic, this time via Salesloft Drift, as reported by Google.

Salesforce Data Breach Orchestrated Through Salesloft Application


In a series of recent cyber attacks, several organizations have fallen victim to data breaches targeting their Salesforce instances. Two significant campaigns have been identified as the primary culprits: one attributed to the threat actor tracked as UNC6395 and one attributed to the ShinyHunters group.

Most organizations seem to lack a basic inventory of their Non-Human Identities (NHIs) and the bad actors targeting them, making it challenging to stay ahead of these threats.

The UNC6395 attacks, known for their scale, discipline, and coordinated nature, have targeted sensitive credentials such as Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens. The attacker demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials, and attempting to cover their tracks.

In the UNC6395 campaign, the attacker systematically exfiltrated large volumes of data from these Salesforce instances. Google's Threat Intelligence Group (GTIG) has reported that this threat actor targeted numerous Salesforce customer instances between August 8 and August 18.

On the other hand, the ShinyHunters group is believed to be behind a parallel data extortion campaign, targeting Salesforce instances via vishing attacks. The hacking group Lapsus$ is apparently behind the data breach on Salesforce customers through infiltration using fake OAuth tokens from the third-party application Salesloft Drift.

Salesloft, a platform that integrates with Salesforce to help sales and marketing teams collaborate on projects, has been affected by these attacks. In response, Salesloft has hired an incident response specialist to carry out an investigation, and it issued a security alert on August 20, proactively revoking connections between Drift and Salesforce.

Google has warned Salesforce customers using Drift to assume their Salesforce data is now compromised and to take immediate steps to remediate. Impacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation.
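One way to carry out the "search for sensitive information and secrets" step above is to run a pattern scan over an export of the affected Salesforce objects. The following Python script is an added example, not code from the article, Google, Salesforce or Salesloft. It scans a constructed CSV export (the records and credentials in it are made up; the AWS key ID is AWS's published documentation placeholder) for the kinds of material the article names: AWS access key IDs, password assignments, JWT-shaped tokens, and secrets labelled "Snowflake". The regexes are general heuristics, not Salesforce or Snowflake formats taken from any vendor documentation, and the script records a SHA-256 fingerprint of each hit rather than the secret itself, so findings can be correlated and ticketed without copying the credential into yet another system.

```python
"""Scan a Salesforce object export (CSV) for credential material.

Added example, not from the article or any vendor. Patterns are common
heuristics and will need tuning to your data; the CSV below is constructed
sample data, not real customer records.
"""
import csv
import hashlib
import io
import re

# Constructed sample export of Case records. Ids, text and credentials are invented;
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
SAMPLE_EXPORT = """Id,Subject,Description
500xx0000000001,Login issue,"Customer cannot log in; reset password via portal."
500xx0000000002,Integration help,"Shared creds for testing: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
500xx0000000003,Warehouse access,"Use password=Winter2024! for the staging DB until rotated"
500xx0000000004,Snowflake connector,"snowflake token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoic3ZjIn0.abc123signatureEXAMPLE"
"""

# Each rule: name -> regex whose first capture group is the secret value.
# These are generic heuristics (assumption), not official token formats.
RULES = {
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # "password=..." / "passwd: ..." style assignments in free text
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)"),
    # Three base64url segments starting with the JWT header prefix "eyJ"
    "jwt_like_token": re.compile(
        r"\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})"
    ),
    # The word "snowflake" within 40 chars of a token/key/password assignment
    "snowflake_labelled_secret": re.compile(
        r"(?i)snowflake.{0,40}?(?:token|key|password)\s*[:=]\s*(\S+)"
    ),
}


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix: lets analysts correlate hits without storing the secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def scan_export(csv_text: str, id_field: str = "Id") -> list[dict]:
    """Return one finding per (record, field, rule, match) with the value fingerprinted."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field, value in row.items():
            if field == id_field or not value:
                continue
            for rule, pattern in RULES.items():
                for match in pattern.finditer(value):
                    findings.append({
                        "record": row[id_field],
                        "field": field,
                        "rule": rule,
                        "fingerprint": fingerprint(match.group(1)),
                    })
    return findings


def records_to_review(findings: list[dict]) -> set[str]:
    """Distinct record Ids that need credential rotation / cleanup."""
    return {f["record"] for f in findings}


if __name__ == "__main__":
    results = scan_export(SAMPLE_EXPORT)
    for finding in results:
        print(finding)
    print(f"{len(results)} findings across {len(records_to_review(results))} records")
```

The JWT and Snowflake rules can both fire on the same field, which is intentional: the finding list is meant to be deduplicated by record when building the rotation worklist, not when scanning. In a real response the export would come from the affected orgs' Case, Note, Attachment text and similar free-text fields, and every flagged credential is treated as compromised and rotated regardless of whether the attacker is known to have read that record.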

Experts, including Cory Michal (CSO of AppOmni) and Jonathan Sander (field CTO at Astrix Security), suspect that the Salesloft attacks could be the work of a nation-state. The ShinyHunters group is known for stealing NHI assets to carry out further attacks.

In a concerning development, US insurer Farmers Insurance is the latest company to fall victim to the ShinyHunters group. Salesforce has removed the Drift app from its Salesforce AppExchange during an ongoing investigation.

As the cybersecurity landscape continues to evolve, it's crucial for organizations to stay vigilant and proactive in protecting their data and NHIs.
