
Hackers have stolen Salesloft Drift data, prompting a cautionary notice to Salesforce users

Unauthorized access to OAuth tokens from Salesloft Drift integrations led to customer targeting incidents.

Unauthorized Access Alert for Salesforce Users: Hackers Successfully Stole Salesloft Drift Data


Google's Threat Intelligence Group (GTIG) has uncovered a widespread campaign targeting Salesforce customer instances. The campaign is attributed to a threat actor tracked as UNC6395 and is believed to be the work of a state-sponsored group, given the sophistication of the operation.

Over 700 organizations, including well-known cybersecurity firms like Proofpoint, SpyCloud, Tanium, Tenable, Cloudflare, Palo Alto Networks, and Zscaler, as well as prominent companies such as Adidas, Pandora, Allianz, Tiffany & Co., Dior, Louis Vuitton, and Workday, were affected by this breach.

The attacker, UNC6395, reached Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. After gaining access, the attacker ran structured SOQL queries, primarily targeting high-value data such as credentials, and attempted to cover its tracks by deleting the query jobs.

Salesforce has responded to the breach by removing the Drift application from the Salesforce AppExchange pending further investigation. Salesloft, in collaboration with Salesforce, has also revoked all active access and refresh tokens within the Drift application.

Researchers advise organizations to investigate whether any secrets have been abused and to review relevant logs for evidence of data exposure. If data was exfiltrated, it's likely that connected systems such as AWS, Snowflake, or VPNs have already been compromised.

The risk is compounded if organizations are insecurely storing secrets, API keys, or credentials in Salesforce objects. The techniques used in this campaign weren't novel: the attacker abused OAuth tokens issued to a widely used and trusted third-party integration to gain access.

The UNC6395 attacks are notable for their scale, focus, and tradecraft. Although UNC6395 deleted its query jobs, the exfiltrated data is known to have included sensitive credentials such as Amazon Web Services (AWS) access keys (identifiable by their AKIA prefix), passwords, and Snowflake-related access tokens.
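To act on the advice above (determine whether secrets were sitting in Salesforce objects, and enumerate what must be rotated), here is an added example that is not from the GTIG report or from Salesloft or Salesforce. It scans an exported set of records for the credential types named in the article; the AKIA pattern follows AWS's documented access key ID format, while the Snowflake and password heuristics, the field names, and the sample records are my own assumptions.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for the credential types the report says were harvested.
# The AKIA prefix is AWS's long-term access key ID format; the other two are
# broad heuristics (assumptions) that will need tuning for real exports.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_account_url": re.compile(r"\b[\w-]+\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.I),
}

@dataclass(frozen=True)
class Finding:
    object_name: str
    record_id: str
    field: str
    kind: str
    redacted: str

def redact(secret: str) -> str:
    """Keep only the first four characters so findings can be shared safely."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)

def scan_records(records):
    """records: iterable of dicts with keys 'object' and 'id' plus one entry per
    field. Returns a Finding for every field value matching a credential pattern,
    which is the list of secrets to rotate and of records to clean up."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field in ("object", "id") or not isinstance(value, str):
                continue
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(value):
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append(Finding(rec["object"], rec["id"], field, kind, redact(secret)))
    return findings

# Constructed sample records standing in for a Salesforce data export (not real data).
SAMPLE_RECORDS = [
    {"object": "Case", "id": "500xx0000000001", "Description": "Customer shared key AKIAIOSFODNN7EXAMPLE for the S3 bucket"},
    {"object": "Account", "id": "001xx0000000002", "Notes__c": "Warehouse: acme-corp.snowflakecomputing.com, password = Winter2024!"},
    {"object": "Contact", "id": "003xx0000000003", "Description": "Follow up on renewal next quarter."},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.object_name} {f.record_id} {f.field}: {f.kind} -> {f.redacted}")
```

Every hit is a credential to rotate regardless of whether the logs show it was queried, since the deleted query jobs mean the absence of evidence is not evidence of absence.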

It's important to note that the report does not attribute UNC6395 to a named group or country. Organizations affected by this breach are urged to take immediate action to secure their systems and investigate any potential data exposure.
