Salesforce data breach orchestrated through Salesloft application
In a concerning turn of events, a data breach targeting Salesforce customers has been uncovered, with the threat actor UNC6395 systematically exfiltrating large volumes of data from numerous Salesforce instances.
The campaign, carried out via compromised OAuth tokens associated with the third-party Salesloft Drift application, has raised alarm bells in the cybersecurity community. According to Google Threat Intelligence Group (GTIG), hundreds of customers may have been impacted.
Jonathan Sander, field CTO at Astrix Security, argues that the Salesloft Drift token breach is a classic example of a Non-Human Identity (NHI) attack, where attackers steal assets that humans don't notice and operate in the shadows. Most organizations, Sander notes, lack a basic inventory of what their NHIs are, making it difficult to protect them effectively.
The threat actor's primary intent, as assessed by GTIG, is to harvest credentials. Because Salesloft has revoked all active access and refresh tokens for the Drift app, admins will need to reauthenticate their Salesforce connection. Impacted organizations should search for sensitive information and secrets stored within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and investigating further.
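As an added illustration of that search step (example code written for this article, not a tool from Salesforce, Salesloft or GTIG), the script below scans an exported set of Salesforce records for credential-like strings and reports which object, record and field holds each one, so the team knows what to rotate. The Case records and the three credential patterns are constructed and illustrative; real scans would use a fuller pattern set and the org's own exports.

```python
import re
from typing import Dict, List

# Illustrative credential patterns (assumed, not an exhaustive secret catalogue).
# Each pattern captures the secret itself in group 1.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{8,})"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
}

# Constructed sample export of Salesforce Case records (not real customer data).
SAMPLE_CASES = [
    {"Id": "500A1", "Description": "Customer reports login failure after password reset; no credentials shared."},
    {"Id": "500A2", "Description": "Integration notes: AWS key AKIAIOSFODNN7EXAMPLE, secret stored in vault."},
    {"Id": "500A3", "Description": "Snowflake password: Tr0ub4dor&3 for the svc_reporting account."},
    {"Id": "500A4", "Description": "Repro: curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig' https://api.example.com/v1/orders"},
]

def redact(secret: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-exposing the value."""
    return secret[:4] + "..."

def scan_records(object_name: str, records: List[Dict[str, str]], fields: List[str]) -> List[Dict[str, str]]:
    """Return one finding per credential-like match, naming the object, record and field."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append({"object": object_name, "record_id": rec.get("Id", "?"),
                                     "field": field, "kind": kind, "hint": redact(m.group(1))})
    return findings

def rotation_summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings by secret type: the credential classes that need rotating."""
    summary: Dict[str, int] = {}
    for f in findings:
        summary[f["kind"]] = summary.get(f["kind"], 0) + 1
    return summary

if __name__ == "__main__":
    results = scan_records("Case", SAMPLE_CASES, ["Description"])
    for f in results:
        print(f"{f['object']} {f['record_id']} {f['field']}: {f['kind']} ({f['hint']})")
    print(rotation_summary(results))
```

The redacted hint is deliberate: the report itself should not become another copy of the secret.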
Salesforce has removed the Drift app from its Salesforce AppExchange during an ongoing investigation. Salesloft, the company behind the Drift application, has hired an incident response specialist to carry out an investigation.
Cory Michal, CSO of AppOmni, suspects that the Salesloft attacks could be the work of a nation state, given the scale of the compromise and the coordinated nature of the campaign. After exfiltrating the data, UNC6395 searched through it for secrets that could potentially be used to compromise victim environments.
The identity of the mastermind behind the data theft campaign against Salesforce has not been publicly disclosed. However, the ShinyHunters group is reportedly involved in a parallel data extortion campaign targeting Salesforce instances via vishing attacks.
Notably, US insurer Farmers Insurance is the latest victim in this campaign, with its website offline at the time of writing.
The UNC6395 attacks demonstrate a high level of operational discipline: running structured queries, searching specifically for credentials, and attempting to cover their tracks. This underscores the need for organizations to prioritize the protection of their NHIs and to maintain vigilance against such stealthy attacks.