Salesloft Drift hackers had access to company GitHub account for months before attacks
Dozens of large enterprises have been impacted by the Salesloft Drift breach
Hackers behind the Salesloft Drift breach had access to the company’s GitHub account for several months before waging a flurry of attacks, the company has revealed.
The breach, which has been attributed to the UNC6395 hacking group, led to a series of attacks this summer that affected hundreds of companies including Google, Zscaler, Cloudflare, and Palo Alto Networks.
Attackers were able to access secrets including AWS access keys, passwords, Snowflake-related access tokens, and sales data.
Mandiant was initially hired to investigate the root cause and scope of the incident, and to help Salesloft with containment and remediation – after which it was asked to verify the segmentation between the Drift and Salesloft environments.
Between March and June this year, Mandiant found the threat actor(s) accessed the Salesloft GitHub account, using this access to download content from multiple repositories, add a guest user, and establish workflows.
At the same time, the investigation found attackers were carrying out reconnaissance activities in Salesloft and Drift application environments.
The attackers then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations, which they then used to access data via Drift integrations.
"Based on the Mandiant investigation, the findings support the incident has been contained. The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review," said Salesloft.
The company has now taken remediation measures and restored the integration between the Salesloft platform and Salesforce.
Salesloft security practices questioned
Cory Michal, CSO of AppOmni, is critical of Salesloft's security stance prior to the discovery of the attack. Michal said the length of exposure “strongly suggests there was little to no effective security monitoring” in place.
“A dwell time of several months, spanning from March to June, is a long time for an adversary to remain active in a source code repository without detection,” he said.
“In this case, not only was reconnaissance activity taking place, but a guest user was added and workflows were established, indicating the attacker was able to operate with persistence and intentionality.”
In retrospect, Salesloft should have been actively logging and alerting on anomalous activity, such as new external users or workflow creation. This, he added, would have allowed the intrusion to have been identified much earlier.
"One important point to add is that GitHub, like Salesforce or any other business platform, is ultimately just another SaaS application. A mature security program requires not only knowing which SaaS products are in use across the environment, but also hardening them against attacks and continuously monitoring for suspicious activity," he said.
"This incident underscores the risks of overlooking those fundamentals. Salesloft has unfortunately learned this lesson the hard way.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Tomorrow's fraud techniquesITPro Podcast Leaders need to proactive as attackers launch more consistent, sophisticated attacks
-
Met Office hails huge efficiency gains in first year of cloud supercomputing with Microsoft AzureNews In moving to the cloud, the Met Office has bolstered operational resilience and helped to deliver more accurate forecasts
-
Using AI to generate passwords is a terrible idea, experts warnNews Researchers have warned the use of AI-generated passwords puts users and businesses at risk
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
‘They are able to move fast now’: AI is expanding attack surfaces – and hackers are looking to reap the same rewards as enterprises with the technologyNews Potent new malware strains, faster attack times, and the rise of shadow AI are causing havoc
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacksNews Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
-
Notepad++ hackers remained undetected and pushed malicious updates for six months – here’s who’s responsible, how they did it, and how to check if you’ve been affectedNews Hackers remained undetected for months and distributed malicious updates to Notepad++ users after breaching the text editor software – here's how to check if you've been affected.
-
CISA’s interim chief uploaded sensitive documents to a public version of ChatGPT – security experts explain why you should never do thatNews The incident at CISA raises yet more concerns about the rise of ‘shadow AI’ and data protection risks
-
Former Google engineer convicted of economic espionage after stealing thousands of secret AI, supercomputing documentsNews Linwei Ding told Chinese investors he could build a world-class supercomputer
-
90% of companies are woefully unprepared for quantum security threats – analysts say they need to get a move onNews Quantum security threats are coming, but a Bain & Company survey shows systems aren't yet in place to prevent widespread chaos
