Salesforce Customers Targeted: Gainsight Hack Exposed

In a near replica of a separate campaign this summer, hackers connected to the ShinyHunters extortion operation have once again breached many organizations’ Salesforce instances via a third-party integration.

Following a spring vishing campaign targeting organizations’ Salesforce environments, a ShinyHunters-adjacent threat group hit Salesforce again in August. The threat actors performed a supply chain breach through Salesloft’s Drift, an integrated application that uses artificial intelligence (AI) to automate marketing and sales processes. They broke into Salesloft, stole OAuth tokens that connect Drift and Salesforce, and used them to reach hundreds of organizations’ Salesforce environments, with all of the powers and permissions within Salesforce that those organizations had granted the Drift app.

For example, one of those impacted Salesforce Drift customers was Gainsight, a program for managing customer retention and satisfaction, and itself a Salesforce-connected app like Drift. The company admitted in a security alert that attackers accessed its Drift instance, and the business data associated with it, including business email addresses, product licensing information, and content from customer support cases.

Now, a new, related threat cluster has performed an attack just like the last, but in place of Drift they’ve used Gainsight, another third-party app widely integrated into Salesforce. And attackers have once again stolen OAuth tokens which they can use to compromise customers’ Salesforce instances.

Related:US Creates ‘Strike Force’ to Take Out SE Asian Scam Centers

Brian Soby, chief technology officer (CTO) and co-founder at AppOmni, marvels at how easy it has all looked. “I think they just saw the success of the Drift campaign and said, ‘Oh, we should do that instead,'” he says. “‘Phishing all of these users is way too much work. Let’s just go pop a supply chain and take all their credentials and then we’re good to go.'”

Researchers from the Google Threat Intelligence Group (GTIG) have publicly attributed the attack to hackers tied to ShinyHunters, and said that more than 200 customer instances have been impacted. DataBreaches.net directly contacted the group, which confirmed responsibility, claiming that between Drift and Gainsight the group has gained access to Salesforce data for nearly 1,000 organizations. 

Dark Reading has not independently confirmed that these organizations have been affected.

Salesforce’s Response: a Double-Edged Sword

Salesforce clarified in a security advisory that “there is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce.” Still, upon detecting the malicious activity, the company took two major steps to contain the damage. First, it revoked all active access and refresh tokens associated with apps published with Gainsight — and Salesforce did it so quickly that Gainsight was initially unaware and attributed the connection failure to a technical error. 

Related:Coyote, Maverick Banking Trojans Run Rampant in Brazil

Salesforce also temporarily removed those apps from its AppExchange app marketplace. Though its intentions may have been good, and these steps useful for stemming the attackers, Soby warns that it’s a double-edged sword.

“When Salesforce protected their customers legitimately, and deleted all of those tokens, they also deleted all the records of the organizations that they were connected to. So now you have no idea which users and activity you need to go investigate, to find out if something was stolen. And you have no idea what Gainsight used to have the ability to access, because that’s all been deleted. So it safeguards customers, but it puts them in a tough position.”

He recalls how Salesforce did the same thing in the case of Drift, leaving no records behind for investigations. “Is it net good? Yeah, it’s good that Salesforce removed the ongoing access of an active breach. Does it come with tradeoffs? Heavily.”

Related:GlassWorm Returns, Slices Back into VS Code Extensions

The Gainsight Breach Doesn’t End with Salesforce

What’s unfortunate is just how simply organizations could have protected themselves from both the Drift and Gainsight attacks, and any similar or follow-on attacks to come.

Soby points out how “with Drift, they came through the application, hit SaaS, and then they started scouring a bunch of different places looking for poorly managed credentials. Well, they shouldn’t have had access to 95% of that stuff, because it’s a sales intelligence app. Why are you giving Drift broad access to all of your environments?” 

The solution is that “organizations should [dictate] specifically that in Salesforce, it can access, accounts, opportunities, and contacts, and nothing else. That’s going to mitigate the problem,” he says.

More broadly, organizations need to rethink their relationship with their software-as-a-service (SaaS) platforms. “SaaS applications in general sell themselves on: it’s managed for you. It’s totally secure, you don’t have to do much, just let your business unit run with it. And as it turns out, that’s a terrible strategy, because your business units are not that incentivized around security. They’re trying to sell, or they’re trying to do customer support or marketing. That’s what’s top of mind. They’re not security-minded people,” he says.

“So you end up with these situations where the security team thinks that the business unit has it covered, and the business unit doesn’t even necessarily realize that’s their responsibility,” he continues. “There are vendor security teams this week saying: Do we use Gainsight? They’re going back to their procurement people and their legal people and they’re saying: ‘Hey, do we have a contract with a company called Gainsight?'”

In the scramble to identify and secure their Salesforce environments, organizations might also miss that Gainsight also integrates with a wide variety of other platforms, from Slack and Microsoft Teams to HubSpot, Zendesk, ServiceNow, Jira, Snowflake, and many more. All else being equal, there’s no reason why any software integrated with Gainsight would be at any less risk today than Salesforce.

Soby thinks that “if you [tell a company] that you need to unplug Gainsight right now, because it’s compromised, I bet 99% of companies don’t even know where to go. They’ll probably go into Salesforce. Do you realize it’s also plugged in a Snowflake? Do you realize it’s plugged into a workspace? Absolutely not.”