Salesloft Drift Breach Rolls Up Cloudflare Palo Alto Zscaler and Others Security Boulevard

The ever-widening series of supply chain attacks on Salesforce instances linked to the Salesloft Drift app has claimed several new victims in recent days, including Cloudflare, Palo Alto Networks and Zscaler.

Cybersecurity firms SpyCloud and PagerDuty also said they were hit by the UNC6395 threat group, which abused compromised OAuth tokens from the Salesloft Drift integration with Salesforce to steal sensitive information from reportedly hundreds of organizations.

According to the Google Threat Intelligence Group (GTIG), UNC6395 targeted Salesforce customer instances from August 8 through at least August 18 via compromised OAuth tokens associated with the Salesloft Drift app, which is used by sales and marketing groups to automate sales workflows.

Salesloft bought Drift early last year.

In a blog post this week, security executives with Cloudflare said bad actors accessed the company's Salesforce instance, which it uses for customer support and case management. "While most of the information contained in the instance is customer contact information and support case data, some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens," they wrote.

"Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system, including logs, tokens or passwords, should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel," they wrote.

They also found 104 Cloudflare API tokens that had been compromised; these have since been rotated.

Cloudflare, which tracks the threat group as GRUB1, said the attackers ran initial reconnaissance against Cloudflare on August 9, then compromised and exfiltrated data from its Salesforce tenant between August 12 and 17, with the exposure limited to Salesforce case objects, which primarily hold customer support tickets and related data.

"Cloudflare does not request or require customers to share secrets, credentials or API keys in support cases," they wrote. "However, in some troubleshooting scenarios, customers may paste keys, logs or other sensitive information into the case text fields. Anything shared through this channel should now be considered compromised."

Palo Alto Networks CISO Marc Benoit wrote this week that the company was among hundreds of others impacted by the third-party compromise. The attack was isolated to its customer relationship management (CRM) platform, with the exposed data mostly involving business contact information, internal sales accounts and basic case data related to customers.

The company disconnected Drift from its Salesforce tenant after learning of the breach.

Like other victims, SpyCloud wrote this week that the data accessed by the threat actor was standard CRM information and that it has disconnected the OAuth token connecting Salesloft Drift to Salesforce.

Zscaler and PagerDuty reported similar incidents late last week.

While most victims report that the exfiltrated data primarily involved CRM and other customer data such as contact information, GTIG researchers noted that UNC6395 also targeted sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords and Snowflake-related access tokens.

They also pushed back on Salesloft's statement that the threat was limited to Salesloft's integration with Salesforce, saying that the attacker also compromised OAuth tokens for Drift Email integrations and used those tokens to access email from a small number of Google Workspace accounts.

"We now advise all Salesloft Drift customers to treat any authentication tokens stored in or connected to the Drift platform as potentially compromised," the researchers wrote.

In an increasingly distributed and cloud-based business environment, the central role played by APIs continues to grow, according to Mayur Upadhyaya, CEO at API monitoring firm APIContext.

"When OAuth-based APIs serve as bridges between vendors, customers and CRMs, the risk of lateral data exposure rises sharply," Upadhyaya said, adding that the Salesloft Drift situation "wasn't a vulnerability in core infrastructure; it was a gap in visibility and scoped access across the digital supply chain. Enterprises need to treat these integrations as part of their operational backbone, not as plugins."

"Including proactive API conformance testing and continuous monitoring of automation and third-party flows is becoming more critical to both resilience and regulatory readiness," he said.

Threat researchers with Grip Security wrote in a blog post that the Salesloft Drift breaches are different from other recent social-engineering-based attacks run by the ShinyHunters threat group.

"The spotlight has finally swung toward the integration layer, and what's emerging should worry every SaaS security leader," the researchers wrote. "This one isn't just another credential theft story; it's more calculated. Attackers didn't just gain access, they systematically exported sensitive data from hundreds of Salesforce instances. However, because the initial compromise involved OAuth tokens, not credentials, attackers bypassed logins, slipped past MFA (multifactor authentication) and operated undetected until the data was long gone."

The Salesloft Drift attacks are a shift in tactics, they wrote.

"This wasn't about tricking users but exploiting the connection and permissions between applications," the researchers wrote, pointing to GTIG's finding that the attacks weren't limited to Salesforce. "Other Drift-connected integrations, including email, were also impacted. That token, once issued, became a master key used to quietly unlock Salesforce data across multiple tenants. No phishing required. Just a compromised integration and an exposed token."

When talking about SaaS security, most conversations focus on the apps themselves. However, more attention needs to be paid to exposures between apps, which are found in the integrations, permissions and trust relationships.

The rise of these attacks points to a blind spot, according to Grip Security. "It's not just about shadow SaaS anymore. It's about shadow integrations: the connected web of app relationships that no one is monitoring. Sales teams connect Drift to Salesforce. Marketing layers in analytics tools. Customer support installs help desk apps. One misconfigured integration, one breached app, and your Salesforce tenant becomes the exit ramp for exfiltration."

"The Salesloft breach underscores how vulnerable SaaS environments become when integrations aren't monitored, scoped or continuously reviewed," they wrote.

Google's recommendations to organizations include running scanning tools across Salesforce data to detect exposed secrets and hardcoded credentials. GitGuardian on Wednesday published a guide for doing so.

"The breach demonstrates that attackers are systematically harvesting credentials from compromised business systems, and as Cloudflare discovered, they're finding them," wrote Guillaume Valadon, staff cybersecurity researcher for GitGuardian, noting that attackers on August 9 unsuccessfully tried to verify a token against a Cloudflare customer tenant. "This shows that hardcoded secrets discovered in previous attacks were already being weaponized against other targets."

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He's written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet and Channel Insider.
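The scan that Google recommends, and that Cloudflare's post-breach findings (104 API tokens in case text) motivate, is easy to prototype. The following is an added example written for this page, not GitGuardian's guide or any vendor's tooling: it runs a set of secret detectors over constructed Salesforce Case records and reports redacted findings. The record shape (Id, Subject, Description) mirrors the Case object; the detector patterns, apart from the documented AWS "AKIA" access-key-ID prefix, the entropy threshold and the sample data are this example's own assumptions.

```python
"""Scan Salesforce Case text for leaked credentials.

Added example (not GitGuardian's guide or Google's tooling). It shows the
kind of secret scan the recommendation describes, run offline over
constructed sample records. The record shape (Id, Subject, Description)
mirrors the Salesforce Case object; the detector patterns other than the
AWS "AKIA" access-key-ID prefix are this example's own assumptions.
"""
import math
import re
from dataclasses import dataclass

# Matches with Shannon entropy below this (bits per character) are treated as
# placeholders such as "password=xxxxxxxx" rather than real secrets.
MIN_ENTROPY = 3.0

# (detector name, compiled pattern). Group 1 is the secret when present.
DETECTORS = [
    # AWS access key IDs are 20 chars starting with "AKIA" (documented prefix).
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # 40-char base64-like secret keyed by its variable name (assumed format).
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")),
    # Cloudflare-style API token pasted next to a label (assumed 40-char length).
    ("cloudflare_api_token",
     re.compile(r"(?i)(?:cloudflare|cf)[_ -]?(?:api[_ -]?)?token\s*[:=]\s*([A-Za-z0-9_-]{40})(?![A-Za-z0-9_-])")),
    # Bearer tokens pasted from curl commands or HTTP captures.
    ("bearer_token", re.compile(r"\bBearer\s+([A-Za-z0-9._~+/=-]{20,})")),
    # Inline password assignments in config snippets or shell history.
    ("password_assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{8,})")),
]


@dataclass(frozen=True)
class Finding:
    case_id: str
    field: str
    detector: str
    preview: str  # redacted form, safe to put in a ticket or alert


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep enough to identify which credential to rotate, never the whole value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_case(case: dict) -> list[Finding]:
    """Run every detector over each free-text field of one Case record."""
    findings = []
    for field, value in case.items():
        if field == "Id" or not isinstance(value, str):
            continue
        for name, pattern in DETECTORS:
            for m in pattern.finditer(value):
                secret = m.group(1) if m.groups() else m.group(0)
                # Structured IDs (AKIA...) are trusted on format alone; anything
                # else must look random enough to be a real secret.
                if name != "aws_access_key_id" and shannon_entropy(secret) < MIN_ENTROPY:
                    continue
                findings.append(Finding(case["Id"], field, name, redact(secret)))
    return findings


def scan_cases(cases: list[dict]) -> list[Finding]:
    return [f for case in cases for f in scan_case(case)]


# Constructed sample records, in the shape a SOQL query such as
# "SELECT Id, Subject, Description FROM Case" returns. The AWS values are
# AWS's documented example credentials; the rest are made-up strings.
SAMPLE_CASES = [
    {"Id": "500XX0000000001", "Subject": "WAF rule not matching",
     "Description": "Request 42 is blocked; see logs attached. No secrets here."},
    {"Id": "500XX0000000002", "Subject": "Worker cannot reach S3",
     "Description": "Here is my config:\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"},
    {"Id": "500XX0000000003", "Subject": "API returns 403",
     "Description": "curl -H 'Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123456789ABCD' "
                    "https://api.example.invalid/v4/zones"},
    {"Id": "500XX0000000004", "Subject": "Login issue",
     "Description": "password=aaaaaaaaaaaa  (placeholder)"},
]

if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f.case_id} {f.field:<12} {f.detector:<22} {f.preview}")
```

Against the sample data the scanner reports the AWS key pair in the second case and the bearer token in the third, and ignores the all-"a" placeholder password, which the entropy gate rejects. To run it on a real tenant, pull Case (and case comment) records with a SOQL query or the Bulk API and feed them to scan_cases; only the redacted preview leaves the scanner, and each hit is a credential to rotate, which is exactly the advice Cloudflare gave its customers.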