Hackers steal data from Salesforce instances in widespread campaign

Hackers stole user credentials from Salesforce customers in a widespread campaign earlier this month, according to researchers at Google Threat Intelligence Group, who warned that the thefts could lead to follow-up attacks.

A threat actor that Google tracks as UNC6395 targeted Salesforce instances using compromised OAuth tokens that were associated with the customer engagement vendor Salesloft’s Drift AI chat agent.

Researchers believe the hackers’ primary goal was to harvest credentials, as they stole large amounts of data from numerous Salesforce instances.

Google’s Threat Intelligence Group “is aware of over 700 potentially impacted organizations,” Austin Larsen, a principal threat analyst at the company, told Cybersecurity Dive in a statement. “The threat actor used a Python tool to automate the data theft process for each organization that was targeted.”

The attacks did not involve any vulnerability in the Salesforce platform, according to researchers.

After stealing the data, the hackers looked for sensitive credentials, including access keys and passwords for Amazon Web Services as well as access tokens for the Snowflake cloud platform. 

The attacks largely occurred between Aug. 8 and Aug. 18, researchers said. By Aug. 20, Salesloft had begun working with Salesforce to revoke all active Drift access and refresh tokens, according to Google.

Salesloft issued a security alert on Aug. 20 asking Drift administrators to reauthenticate their Salesforce connections.

Salesforce said in a statement Tuesday that its security teams detected unusual activity that may have led to unauthorized access to a small number of customers’ instances.

The company has removed Salesloft Drift from its AppExchange marketplace pending further investigation. 

“We’re continuing to work with Salesloft as part of our investigation and provide updates as appropriate, including notifying and supporting affected customers with remediation,” Salesforce said in the alert.

The hackers demonstrated an awareness of operational security by deleting query jobs, Google said, but this activity did not directly affect event logs, so the company encouraged security personnel to check their logs for evidence of data exposure.

Users that have been notified of a compromise by Salesforce or Salesloft should follow Mandiant guidance on how to remediate, Charles Carmakal, CTO of Mandiant Consulting, said in a LinkedIn post.

Researchers said organizations should consider their Salesforce data compromised if they used Drift in their Salesforce instance. Affected companies should revoke API keys, rotate credentials and harden access controls, they said.
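Added example, not code from the article or from Google, Mandiant, Salesforce or Salesloft: a defender-side triage script that scans a constructed Salesforce case export for the credential types the article says the actors hunted for (AWS access keys, passwords, Snowflake references), so the records whose secrets must be rotated can be listed. The export columns, the password heuristic and the record IDs are assumptions.

```python
import csv
import io
import re

# AWS access key IDs follow a documented format (AKIA + 16 uppercase alphanumerics).
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Loose "password=..." heuristic; assumed for triage, not a precise rule.
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)")
# Any mention of a Snowflake account host or token is worth a manual look.
SNOWFLAKE_HINT_RE = re.compile(r"(?i)snowflakecomputing\.com|snowflake\S*\s*token")

# Constructed sample in the shape of a Salesforce Case export (columns assumed).
SAMPLE_EXPORT = """Id,Subject,Description
500xx0000001,Login help,"Can you reset my dashboard? Nothing sensitive here."
500xx0000002,Pipeline broken,"Our job fails with key AKIAIOSFODNN7EXAMPLE, please advise"
500xx0000003,DB access,"Connect to acme.snowflakecomputing.com, password=Sup3rS3cret!"
"""


def redact(secret: str) -> str:
    """Keep a short prefix so the owner can recognise the value without reprinting it."""
    return secret[:4] + "*" * (len(secret) - 4)


def find_exposed_credentials(csv_text: str, text_fields=("Subject", "Description")):
    """Return one finding per credential-like value found in the free-text fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        blob = " ".join(row.get(f, "") for f in text_fields)
        for key in AWS_ACCESS_KEY_RE.findall(blob):
            findings.append({"record": row["Id"], "kind": "aws_access_key_id", "hint": redact(key)})
        for pw in PASSWORD_RE.findall(blob):
            findings.append({"record": row["Id"], "kind": "password", "hint": redact(pw)})
        if SNOWFLAKE_HINT_RE.search(blob):
            findings.append({"record": row["Id"], "kind": "snowflake_reference", "hint": ""})
    return findings


def rotation_worklist(findings):
    """Group affected record IDs by credential kind so each owning team can rotate."""
    worklist = {}
    for f in findings:
        worklist.setdefault(f["kind"], set()).add(f["record"])
    return {kind: sorted(ids) for kind, ids in worklist.items()}


if __name__ == "__main__":
    for kind, ids in rotation_worklist(find_exposed_credentials(SAMPLE_EXPORT)).items():
        print(f"{kind}: {', '.join(ids)}")
```

Point the same scan at a full export of Cases, Accounts and other objects that were reachable through the Drift integration; every hit is a credential to treat as exposed and rotate.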


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.