Fast Facts
- Salesloft attributes the root cause of its supply-chain attack to a threat group gaining access to its GitHub account as early as March, leading to extensive data theft across hundreds of organizations.
- The threat group, tracked as UNC6395 by Google, infiltrated Salesloft’s environment, downloaded content from repositories, added a guest user, and accessed Drift’s AWS environment to steal OAuth tokens over a month-long period.
- Key details remain undisclosed, including how the GitHub and AWS breaches occurred, raising concerns over the company’s security practices and transparency.
- Salesloft temporarily took Drift offline, rotated security keys, and is investigating ongoing impacts, but significant trust and branding issues remain, with experts doubting full transparency and potential rearchitecture.
Problem Explained
In mid-August, a sophisticated cyberattack compromised Salesloft, a sales engagement platform, leading to widespread data theft involving hundreds of organizations. The breach originated when an advanced threat group, tracked by Google as UNC6395, gained unauthorized access to Salesloft’s GitHub account as early as March, stealthily infiltrating its environment over several months. During this period, the attackers added a guest user, accessed multiple repositories, and set up workflows, ultimately exploiting the company’s AWS infrastructure to steal OAuth tokens linked to Drift, a third-party AI chat platform integrated with Salesloft. These tokens allowed the threat group to access and exfiltrate data from Drift’s integrations, impacting numerous customers.
Salesloft has publicly acknowledged the breach but has yet to disclose full details about how the initial breach occurred or how the attackers managed to access Drift’s AWS environment. The company’s response involved taking Drift offline to bolster security, rotating security keys, and emphasizing containment measures, yet many key questions about the attack’s methodology and scope remain unanswered. Experts suggest that the attack exploited vulnerable cloud security practices, notably the storage of OAuth tokens in the cloud, and note the damage to Drift’s reputation may be long-lasting, as the incident exposes significant weaknesses in Salesloft’s security defenses. The company, backed by an ongoing forensic investigation, is striving to regain trust amid the lingering uncertainties about the full extent of the compromise.
Risk Summary
The recent supply-chain attack on Salesloft exposed severe cyber risks, highlighting how cybercriminal groups can infiltrate and manipulate multiple organizations by exploiting vulnerabilities in third-party platforms. By gaining access to Salesloft’s GitHub account, the threat group—tracked as UNC6395 by Google—spent months lurking within the company’s environment, covertly downloading data, adding malicious guest users, and creating workflows, before ultimately breaching their AWS infrastructure and stealing OAuth tokens. These tokens, which grant access to customers’ integrations, were used to harvest vast amounts of sensitive data across hundreds of organizations during a widespread 10-day breach, revealing profound vulnerabilities in cloud security practices, such as storage of critical tokens and lax access controls. The incident has damaged trust, exposing the precariousness of supply-chain security, where an attacker’s foothold in a single component can cascade into broader system compromise, capturing valuable data and disrupting operations, while underscoring the need for more robust, transparent security measures to prevent such far-reaching breaches.
Fix & Mitigation
Understanding the importance of swift and effective remediation in the wake of a security incident involving Salesloft Drift—especially when it begins with undetected access through GitHub—is critical to safeguarding sensitive data and maintaining organizational trust. Early action can significantly reduce potential damage, prevent further breaches, and restore system integrity efficiently.
Immediate Containment
- Disable compromised GitHub accounts or access permissions.
- Revoke or rotate any exposed API keys or tokens.
- Isolate affected systems to prevent lateral movement.
Investigation
- Conduct a thorough audit of GitHub activity logs to identify unauthorized access points.
- Trace the source of access and determine the scope of exposure.
- Identify any compromised data or credentials.
Detection & Monitoring
- Deploy or enhance monitoring tools that alert on unusual activity.
- Set up real-time alerts for suspicious access or changes in GitHub repositories.
Remediation
- Patch vulnerabilities that allowed unauthorized access.
- Update all related credentials and enforce stronger security measures, such as multi-factor authentication.
- Remove malicious code or content introduced during the breach.
Communication & Reporting
- Notify affected stakeholders and comply with relevant legal or regulatory reporting requirements.
- Communicate transparently with users and customers about steps taken.
Prevention & Hardening
- Implement strict access controls and regular permission audits.
- Incorporate security best practices within development workflows.
- Conduct security training to raise awareness among team members.
Post-incident Review
- Analyze how the breach occurred to improve defenses.
- Document lessons learned and update security policies accordingly.
- Schedule regular security assessments to prevent recurrence.
Continue Your Cyber Journey
Stay informed on the latest Threat Intelligence and Cyberattacks.
Access world-class cyber research and guidance from IEEE.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
