Top Highlights
- Security Breach Recurrence: Hackers linked to the ShinyHunters group have re-breached Salesforce via third-party integrations, specifically targeting Salesloft’s Drift and Gainsight, impacting nearly 1,000 organizations.
- OAuth Token Exploitation: Attackers stole OAuth tokens enabling access to Salesforce environments, compromising sensitive data such as email addresses and customer support information.
- Salesforce’s Response: Salesforce swiftly revoked access tokens and removed affected apps from its marketplace, but this action left organizations without crucial records for security investigations.
- Need for Improved Security Practices: Organizations must restrict app permissions within Salesforce, particularly for third-party applications, to mitigate future risks and ensure security responsibilities are centralized.
In a near replica of a separate campaign this summer, hackers connected to the ShinyHunters extortion operation have once again breached many organizations’ Salesforce instances via a third-party integration.
Following a spring vishing campaign targeting organizations’ Salesforce environments, a ShinyHunters-adjacent threat group hit Salesforce again in August. The threat actors performed a supply chain breach through Salesloft’s Drift, an integrated application that uses artificial intelligence (AI) to automate marketing and sales processes. They broke into Salesloft, stole OAuth tokens that connect Drift and Salesforce, and used them to reach hundreds of organizations’ Salesforce environments, with all of the powers and permissions within Salesforce that those organizations had granted the Drift app.
One of the impacted Salesforce Drift customers was Gainsight, a program for managing customer retention and satisfaction, and itself a Salesforce-connected app like Drift. The company admitted in a security alert that attackers accessed its Drift instance and the business data associated with it, including business email addresses, product licensing information, and content from customer support cases.
Now a new, related threat cluster has performed an attack just like the last one, but in place of Drift it has used Gainsight, another third-party app widely integrated into Salesforce. Attackers have once again stolen OAuth tokens that they can use to compromise customers’ Salesforce instances.
Brian Soby, chief technology officer (CTO) and co-founder at AppOmni, marvels at how easy it has all looked. “I think they just saw the success of the Drift campaign and said, ‘Oh, we should do that instead,’” he says. “‘Phishing all of these users is way too much work. Let’s just go pop a supply chain and take all their credentials and then we’re good to go.’”
Researchers from the Google Threat Intelligence Group (GTIG) have publicly attributed the attack to hackers tied to ShinyHunters, and said that more than 200 customer instances have been impacted. DataBreaches.net directly contacted the group, which confirmed responsibility, claiming that between Drift and Gainsight the group has gained access to Salesforce data for nearly 1,000 organizations.
Dark Reading has not independently confirmed that these organizations have been affected.
Salesforce’s Response: a Double-Edged Sword
Salesforce clarified in a security advisory that “there is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.” Still, upon detecting the malicious activity, the company took two major steps to contain the damage. First, it revoked all active access and refresh tokens associated with apps published with Gainsight — and Salesforce did it so quickly that Gainsight was initially unaware and attributed the connection failure to a technical error.
Salesforce also temporarily removed those apps from its AppExchange app marketplace. Though its intentions may have been good, and these steps useful for cutting off the attackers, Soby warns that the response is a double-edged sword.
“When Salesforce protected their customers legitimately, and deleted all of those tokens, they also deleted all the records of the organizations that they were connected to. So now you have no idea which users and activity you need to go investigate, to find out if something was stolen. And you have no idea what Gainsight used to have the ability to access, because that’s all been deleted. So it safeguards customers, but it puts them in a tough position.”
He recalls how Salesforce did the same thing in the case of Drift, leaving no records behind for investigations. “Is it net good? Yeah, it’s good that Salesforce removed the ongoing access of an active breach. Does it come with tradeoffs? Heavily.”
The Gainsight Breach Doesn’t End with Salesforce
What’s unfortunate is just how simply organizations could have protected themselves from both the Drift and Gainsight attacks, and any similar or follow-on attacks to come.
Soby points out how “with Drift, they came through the application, hit SaaS, and then they started scouring a bunch of different places looking for poorly managed credentials. Well, they shouldn’t have had access to 95% of that stuff, because it’s a sales intelligence app. Why are you giving Drift broad access to all of your environments?”
The solution is that “organizations should [dictate] specifically that in Salesforce, it can access, accounts, opportunities, and contacts, and nothing else. That’s going to mitigate the problem,” he says.
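Two of Soby’s points above lend themselves to a concrete defender-side check: keep your own record of what each connected app actually touched (so a token revocation does not erase the evidence), and compare that activity against the narrow set of objects the app is supposed to need. The script below is an added example, not code from the article, Salesforce, Gainsight or AppOmni. It assumes a simplified, constructed log format (app, timestamp, operation, object, record count) rather than Salesforce’s real event log schema, and a hypothetical per-app allowlist; both the log lines and the app names are made up for illustration.

```python
"""Audit constructed Salesforce-style API access records per connected app.

Added example, not from the article or from Salesforce/AppOmni. The log
format and the per-app allowlist below are hypothetical and constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines: app_name|timestamp|operation|object|record_count
SAMPLE_LOG = """\
DriftConnector|2025-01-03T10:02:11Z|QUERY|Account|1200
DriftConnector|2025-01-03T10:02:15Z|QUERY|Contact|5400
DriftConnector|2025-01-03T10:05:40Z|QUERY|Case|3100
DriftConnector|2025-01-03T10:06:02Z|QUERY|Attachment|900
GainsightConnector|2025-01-04T22:14:03Z|QUERY|Account|800
GainsightConnector|2025-01-04T22:14:09Z|QUERY|Opportunity|650
GainsightConnector|2025-01-04T22:15:30Z|BULK_EXPORT|Case|12000
InternalReportingApp|2025-01-04T09:00:00Z|QUERY|Opportunity|40
"""

# Hypothetical least-privilege policy: the objects each integration needs,
# following the article's "accounts, opportunities, contacts, and nothing else".
ALLOWED_OBJECTS = {
    "DriftConnector": {"Account", "Opportunity", "Contact"},
    "GainsightConnector": {"Account", "Opportunity", "Contact"},
    "InternalReportingApp": {"Account", "Opportunity"},
}


@dataclass
class AppAccessSummary:
    """Retained record of one app's activity, independent of the vendor's tokens."""
    objects: dict = field(default_factory=lambda: defaultdict(int))  # object -> records touched
    first_seen: str = ""
    last_seen: str = ""
    bulk_exports: int = 0


def parse_line(line):
    """Split one constructed log line into its typed fields."""
    app, ts, op, obj, count = line.strip().split("|")
    return app, ts, op, obj, int(count)


def summarize(log_text):
    """Build a per-app summary: objects touched, time window, bulk export count."""
    summaries = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        app, ts, op, obj, count = parse_line(line)
        s = summaries.setdefault(app, AppAccessSummary())
        s.objects[obj] += count
        s.first_seen = min(s.first_seen or ts, ts)  # ISO-8601 sorts lexically
        s.last_seen = max(s.last_seen, ts)
        if op == "BULK_EXPORT":
            s.bulk_exports += 1
    return summaries


def find_overreach(summaries, policy):
    """Return {app: {object: records}} for objects outside the app's allowlist."""
    findings = {}
    for app, s in summaries.items():
        allowed = policy.get(app, set())
        extra = {obj: n for obj, n in s.objects.items() if obj not in allowed}
        if extra:
            findings[app] = extra
    return findings


if __name__ == "__main__":
    summaries = summarize(SAMPLE_LOG)
    for app, s in summaries.items():
        print(f"{app}: {dict(s.objects)} window={s.first_seen}..{s.last_seen} "
              f"bulk_exports={s.bulk_exports}")
    for app, extra in find_overreach(summaries, ALLOWED_OBJECTS).items():
        print(f"OVERREACH {app}: {extra}")
```

Running the summary on a schedule, and storing its output outside the SaaS platform, gives an investigation team the list of users, objects and time windows to review even after the vendor’s tokens and connection records are gone. The overreach check is the same comparison a procurement or security review would make before granting the app its scopes; here it runs against observed behaviour, so an app that was granted broad access but only ever needed three objects shows up immediately.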
More broadly, organizations need to rethink their relationship with their software-as-a-service (SaaS) platforms. “SaaS applications in general sell themselves on: it’s managed for you. It’s totally secure, you don’t have to do much, just let your business unit run with it. And as it turns out, that’s a terrible strategy, because your business units are not that incentivized around security. They’re trying to sell, or they’re trying to do customer support or marketing. That’s what’s top of mind. They’re not security-minded people,” he says.
“So you end up with these situations where the security team thinks that the business unit has it covered, and the business unit doesn’t even necessarily realize that’s their responsibility,” he continues. “There are vendor security teams this week saying: Do we use Gainsight? They’re going back to their procurement people and their legal people and they’re saying: ‘Hey, do we have a contract with a company called Gainsight?'”
In the scramble to identify and secure their Salesforce environments, organizations might also miss that Gainsight integrates with a wide variety of other platforms, from Slack and Microsoft Teams to HubSpot, Zendesk, ServiceNow, Jira, Snowflake, and many more. All else being equal, there’s no reason why any software integrated with Gainsight would be at any less risk today than Salesforce.
Soby thinks that “if you [tell a company] that you need to unplug Gainsight right now, because it’s compromised, I bet 99% of companies don’t even know where to go. They’ll probably go into Salesforce. Do you realize it’s also plugged in a Snowflake? Do you realize it’s plugged into a workspace? Absolutely not.”