Salesforce Data Missing? It Might Be Due To Salesloft Breach, Google Says

UPDATE Google says a recent spate of Salesforce-related breaches was caused by attackers stealing OAuth tokens from the third-party Salesloft Drift app.

Drift is used for automating sales processes, and it integrates with Salesforce databases, pulling relevant information such as leads and contact details into the platform to help coordinate pitches.

Crucially, the campaign is being treated separately from the attacks on high-profile organizations – including Google itself – that also involved Salesforce data thefts.

Attacks on the likes of Allianz Life, Workday, Qantas, LVMH brands, and more have been widely reported over the summer, but aren’t thought to be linked to the Salesloft compromise.

Instead, these incidents have widely been attributed to and claimed by the ShinyHunters group (UNC6240). Google says there isn’t enough evidence to suggest the same attackers are behind the Salesloft incidents.

While Salesforce customers have been targeted since May, it’s believed these were more a blend of social engineering and stolen credentials, whereas the Salesloft attacks saw attackers steal Drift OAuth tokens to access Salesforce databases.

Neither this week's advisory from Salesloft nor the one from Google Threat Intelligence Group (GTIG) detailed exactly how the attacks transpired or how the tokens were stolen, but we know they all took place between August 8 and 18.

Salesloft said: “Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens.”

GTIG’s advisory noted that once the attackers, tracked as UNC6395, gained access using stolen OAuth tokens, they ran queries for data associated with Salesforce objects such as cases, accounts, users, and opportunities.

The two companies worked together and have since revoked all active access and refresh tokens, meaning IT admins must re-authenticate their connections between the third-party sales app and Salesforce.

Salesforce also removed the Drift app from AppExchange until the investigation into the attacks concludes, pending Salesloft’s assurance that the platform is secure.

The pair released an extensive list of indicators of compromise (IOCs) for admins to examine, although the only Drift customers who need to investigate signs of malicious activity are those whose platforms integrated with Salesforce. All others are deemed safe.

Although there is nothing to suggest that GCP was compromised as part of the attacks, all Drift customers are advised to review their Salesforce objects for any Google Cloud Platform service account keys.

GTIG and Salesloft added that all potentially affected customers were notified directly.

“Given GTIG’s observations of data exfiltration associated with the campaign, organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps,” GTIG said in its advisory.

“Impacted organizations should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as revoking API keys, rotating credentials, and performing further investigation to determine if the secrets were abused by the threat actor.”
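As an added example, not code from the advisories or from Google, Salesloft or Salesforce, the following Python scanner performs the search the previous two paragraphs recommend: it runs a few well-known secret signatures (AWS access key IDs, GCP service account JSON and e-mail addresses, PEM private-key headers) over exported Salesforce records and reports which records need their secrets rotated. The sample rows, their field names and Ids are constructed placeholders in sObject-JSON shape, and the signature list is an assumption that a real sweep would extend with an org's own token formats.

```python
import json
import re

# Secret signatures: public AWS key-ID and PEM-header formats, plus the GCP
# service-account JSON marker and e-mail domain (no particular key values).
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gcp_service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
    "gcp_service_account_email": re.compile(r"[A-Za-z0-9._-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Constructed sample rows in sObject JSON shape; all values are placeholders.
SAMPLE_RECORDS = [
    {"attributes": {"type": "Case"}, "Id": "500SAMPLE00000001", "Subject": "Deploy script failing",
     "Description": "env:\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\nAWS_SECRET_ACCESS_KEY=<redacted>"},
    {"attributes": {"type": "Account"}, "Id": "001SAMPLE00000002",
     "Name": "Acme Corp", "Description": "Integration contact: ops@acme.example"},
    {"attributes": {"type": "Case"}, "Id": "500SAMPLE00000003", "Subject": "GCP connector setup",
     "Description": json.dumps({
         "type": "service_account", "project_id": "example-project",
         "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvEXAMPLE\n-----END PRIVATE KEY-----\n",
         "client_email": "sync@example-project.iam.gserviceaccount.com"})},
]

def find_secrets(record):
    """One finding per (field, signature) hit; every string field is scanned.
    Evidence keeps only a 4-char prefix so the report does not re-leak the secret."""
    obj_type = record.get("attributes", {}).get("type", "unknown")
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for name, pattern in SIGNATURES.items():
            match = pattern.search(value)
            if match:
                findings.append({"record_type": obj_type, "record_id": record.get("Id"),
                                 "field": field, "signature": name,
                                 "evidence": match.group(0)[:4] + "..."})
    return findings

def scan_records(records):
    """Flatten findings across a query result or export."""
    return [f for r in records for f in find_secrets(r)]

def records_needing_rotation(records):
    """Map each affected record Id to the set of secret types found in it."""
    out = {}
    for f in scan_records(records):
        out.setdefault(f["record_id"], set()).add(f["signature"])
    return out
```

Point `scan_records` at the JSON rows from a query of Case, Account, User and Opportunity (the objects the advisory names as queried) and use the returned Ids to drive the revocation and rotation work.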

Salesforce told The Register that the company had detected “unusual activity” on systems where Drift was installed and connected to its platform. The company confirmed that it then worked with Salesloft, which disabled access and refresh tokens and took Drift off AppExchange.

“We’re continuing to work with Salesloft as part of our investigation and provide updates as appropriate, including notifying and supporting affected customers with remediation,” Salesforce said.

The Salesforce data theft also hit some Google Workspace accounts, according to an August 28 update to Google Threat Intelligence Group’s earlier advisory about the breach due to the Salesloft Drift integration.

As it continues working with Salesloft to investigate the massive data-stealing campaign, Google’s Mandiant confirmed that the attackers also compromised OAuth tokens for the Drift Email integration.

Drift Email integrates with Google Workspace, and on August 9, “a threat actor used these tokens to access email from a very small number of Google Workspace accounts,” according to the update. “The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft; the actor would not have been able to access any other accounts on a customer’s Workspace domain.”

The Chocolate Factory also clarified that neither Google Workspace nor Alphabet itself has been compromised.

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” the threat intel team said, and recommended organizations immediately “review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.” ®

Updated on Aug 28 at 1828 to include information about the attack hitting some Google Workspace accounts.
