Google’s Threat Intelligence Group (GTIG) has revealed that hackers harvested user credentials from Salesforce customers in a widespread campaign during the first half of this month.
The attacker, tracked as UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.
"The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials," researchers said in an advisory.
"After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments."
These secrets included sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.
"The techniques used in this campaign weren’t novel in terms of exploitation. The attacker didn’t need to break Salesforce itself, they abused OAuth tokens from a widely used and trusted third-party integration to gain access," commented Cory Michal, CSO of AppOmni.
"They then used that foothold in a very disciplined and methodical way. They ran structured SOQL queries, targeted high-value data like credentials, and attempted to cover their tracks by deleting jobs."
Salesloft, working with Salesforce, has now revoked all active access and refresh tokens within the Drift application. Salesforce has also removed the Drift application from the Salesforce AppExchange until further notice, pending further investigation.
While UNC6395 demonstrated operational security awareness by deleting query jobs, researchers said logs weren't affected. As such, organizations should still review relevant logs for evidence of data exposure.
They should search for sensitive information and secrets contained within Salesforce objects and take appropriate action, such as immediately revoking API keys, resetting passwords, rotating credentials, and reviewing permissions.
Researchers also urged enterprises to carry out investigations to determine whether any secrets have been abused.
“This campaign underscores that highly permissioned OAuth and SaaS-to-SaaS integrations represent one of the largest risks and blind spots for organizations today. Once an integration is compromised, attackers can operate with the same level of access granted to that app, often bypassing traditional MFA controls," said Michal.
"The risk is compounded if organizations are insecurely storing secrets, API keys, or credentials in Salesforce objects. In those cases, if the data was exfiltrated, it’s very likely that connected systems such as AWS, Snowflake, or VPNs have already been compromised as well. That makes the blast radius of these attacks far larger than just the SaaS application itself."
The report doesn't identify UNC6395, but the sophistication of the operation implies a state-sponsored attacker, Michal said.
"What’s most noteworthy about the UNC6395 attacks is both the scale and the discipline. This wasn’t a one-off compromise; hundreds of Salesforce tenants of specific organizations of interest were targeted using stolen OAuth tokens, and the attacker methodically queried and exported data across many environments," said Michal.
"The combination of scale, focus, and tradecraft makes this campaign stand out."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- A notorious hacker group is ramping up cloud-based ransomware attacks
- Hackers breached a 158 year old company by guessing an employee password
- Cyber criminals are abusing ConnectWise ScreenConnect, again
-
Google CEO Sundar Pichai says vibe coding has made software development ‘exciting again’News Google CEO Sundar Pichai claims software development has become “exciting again” since the rise of vibe coding, but some devs are still on the fence about using AI to code.
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
Salesforce customers face second third-party incident this year with Gainsight breachNews Customers impacted in the Gainsight breach have been contacted by Salesforce
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
