
Salesforce issues new security alert tied to third customer attack spree in six months

By primereports, March 11, 2026


Threat hunters and a collection of unconfirmed victims are responding to a series of attacks targeting Salesforce customers, which the vendor disclosed in a security advisory Saturday. 

“Salesforce is actively monitoring threat activity targeting public-facing Experience Cloud sites, including attempts to take advantage of overly permissive guest user configurations,” the company said in the alert.

The campaign marks the third widespread attack spree targeting Salesforce customers in about six months. 

The number of victims ensnared by the latest attacks is unverified, but ShinyHunters, the threat group asserting responsibility for the attacks, claims about 100 companies have already been impacted. 

Researchers told CyberScoop they are confident the threat group behind the campaign is associated with ShinyHunters, an outfit that’s previously stolen data from Salesforce instances for extortion attempts.

Salesforce did not attribute the attacks, but pinned blame on a “known threat actor group,” adding that the issue is not due to a vulnerability in the company’s platform.

The company said the threat activity reflects a broader trend of identity-based targeting, in this case customer-configured guest user settings that expose publicly accessible Experience Cloud sites to potential attacks.

“We are aware of a threat actor attempting to identify misconfigurations within Salesforce Experience Cloud instances,” Charles Carmakal, chief technology officer at Mandiant Consulting, said in a statement. “We are working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk.”

Salesforce said the threat actor is using a modified version of the Mandiant-developed open-source tool AuraInspector to scan for public-facing Experience Cloud sites and steal data from instances with a guest user profile. 

This setting is designed to provide unauthenticated users access to data intended for public consumption. Yet, guest profiles with excessive permissions allow attackers to view additional data by directly querying Salesforce CRM objects without logging in, the company explained.

Salesforce did not say when or how it became aware of the latest campaign targeting its customers, nor how many companies have already been impacted. “We don’t have anything further to add at this time,” said Nicole Aranda, senior manager of corporate communications at Salesforce. 

The company advised customers to ensure guest user configurations are properly restricted.

“Any system exposed to the internet must be configured with the expectation that it will be continuously scanned,” Shane Barney, chief information security officer at Keeper Security, said in an email.

“At its core, this is an access governance issue,” he added. “Guest accounts, service accounts and API integrations must be treated with the same discipline as privileged users. Applying least privilege, restricting API access and continuously auditing permissions are foundational security controls.”

Salesforce customers confronted a pair of attack sprees involving third-party vendors last year. Google Threat Intelligence Group at the time said it was aware of more than 200 potentially affected Salesforce instances linked to malicious activity in Gainsight applications connected to Salesforce customer environments in November.

A more extensive downstream attack spree discovered in August impacted more than 700 companies that integrated the AI chat agent Salesloft Drift into their Salesforce environments. ShinyHunters or threat clusters affiliated with the extortion group were involved in both of those campaigns as well.


Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
