Hackers behind the Salesloft Drift breach had access to the company’s GitHub account for several months before waging a flurry of attacks, the company has revealed.
The breach, which has been attributed to the UNC6395 hacking group, led to a series of attacks this summer that affected hundreds of companies including Google, Zscaler, Cloudflare, and Palo Alto Networks.
Attackers were able to access secrets including AWS access keys, passwords, Snowflake-related access tokens, and sales data.
Mandiant was initially hired to investigate the root cause and scope of the incident, and to help Salesloft with containment and remediation – after which it was asked to verify the segmentation between the Drift and Salesloft environments.
Between March and June this year, Mandiant found the threat actor(s) accessed the Salesloft GitHub account, using this access to download content from multiple repositories, add a guest user, and establish workflows.
At the same time, the investigation found attackers were carrying out reconnaissance activities in Salesloft and Drift application environments.
The attackers then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations, which they then used to access data via Drift integrations.
"Based on the Mandiant investigation, the findings support the incident has been contained. The focus of Mandiant’s engagement has now transitioned to forensic quality assurance review," said Salesloft.
The company has now taken remediation measures and restored the integration between the Salesloft platform and Salesforce.
Salesloft security practices questioned
Cory Michal, CSO of AppOmni, is critical of Salesloft's security stance prior to the discovery of the attack. Michal said the length of exposure “strongly suggests there was little to no effective security monitoring” in place.
“A dwell time of several months, spanning from March to June, is a long time for an adversary to remain active in a source code repository without detection,” he said.
“In this case, not only was reconnaissance activity taking place, but a guest user was added and workflows were established, indicating the attacker was able to operate with persistence and intentionality.”
In retrospect, Salesloft should have been actively logging and alerting on anomalous activity, such as new external users or workflow creation. This, he added, would have allowed the intrusion to have been identified much earlier.
"One important point to add is that GitHub, like Salesforce or any other business platform, is ultimately just another SaaS application. A mature security program requires not only knowing which SaaS products are in use across the environment, but also hardening them against attacks and continuously monitoring for suspicious activity," he said.
"This incident underscores the risks of overlooking those fundamentals. Salesloft has unfortunately learned this lesson the hard way.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
Microsoft Excel is still alive and kicking at 40News A recent survey found Gen Z and Millennial finance professionals have a strong “emotional attachment” to Microsoft Excel
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
