Google Warns UNC6395 Stole Data Via Salesforce Integrations

A cyberattack exploiting a third-party application has resulted in data breaches across multiple Salesforce instances, according to Google’s Threat Intelligence Group. The attacks, attributed to a group tracked as UNC6395, leveraged compromised OAuth tokens associated with the Salesloft Drift application to exfiltrate sensitive data.

Google’s Threat Intelligence Group (GTIG) identified UNC6395 as the perpetrator of a “widespread data theft” campaign. This campaign, which commenced around August 8 and continued through at least August 18, targeted Salesforce instances by exploiting authentication tokens belonging to the Salesloft Drift application. This application, designed to automate sales processes, integrates with Salesforce databases for communication, analysis, and customer engagement purposes. The compromised tokens facilitated unauthorized access to sensitive information stored within the targeted systems.

The primary objective of UNC6395 was the systematic extraction of large volumes of data from numerous corporate Salesforce instances. GTIG researchers indicated that the actor’s intent was to harvest sensitive credentials, focusing on Amazon Web Services (AWS) access key IDs (recognizable by their AKIA prefix), passwords, and Snowflake-related access tokens. Once extracted, this information could be leveraged to gain unauthorized access to various systems and services.

Following the exfiltration of data, UNC6395 conducted searches within the stolen information to identify secrets that could potentially be used to compromise victim environments. GTIG stated that the actor used specific queries to identify these credentials. To conceal their activities, the group subsequently deleted query jobs, attempting to erase evidence of the data theft. The removal of these logs made tracing the full extent of the breach more difficult, though GTIG has provided guidance for investigating potential data exposure.

GTIG issued recommendations for remediation and mitigation, emphasizing that the campaign’s impact appears to be limited to Salesloft customers who integrate their solutions with the Salesforce service. There is no evidence suggesting a direct impact on Google Cloud customers. However, GTIG advised that any customers utilizing Salesloft Drift should review their Salesforce objects for any Google Cloud Platform service account keys, as these may have been exposed during the data theft.

Given the nature of the attack, GTIG urged organizations using Drift integrated with Salesforce to consider their Salesforce data compromised and to take immediate remediation steps. These steps are designed to contain the breach and prevent further unauthorized access.

To address the situation, Salesloft collaborated with Salesforce to revoke all active access and refresh tokens associated with the Drift application. This action aimed to prevent ongoing unauthorized access through the compromised tokens. Additionally, Salesforce removed the Drift application from the Salesforce AppExchange pending further investigation, making it unavailable for new installations until the security concerns are resolved. GTIG, Salesforce, and Salesloft have notified organizations believed to be impacted by the data theft.

Prior to this incident, multiple high-profile companies, including Adidas, Pandora, Allianz, Tiffany & Co., Dior, Louis Vuitton, Workday, and Google, reported breaches via a third-party platform, which was reportedly Salesforce. The threat group ShinyHunters claimed responsibility for many of these attacks, with vishing attacks cited as the primary method of compromise. These earlier breaches underscored the vulnerability of systems relying on third-party integrations.

In June, Google reported that a financially motivated threat group, tracked as UNC6040, was impersonating IT support staff in vishing attacks to gain access to organizations’ Salesforce environments. Google stated that UNC6040 claimed to be ShinyHunters. Using these tactics, UNC6040 breached one of Google’s own Salesforce instances. The report highlighted the increasing sophistication of threat actors in targeting Salesforce environments using social engineering techniques.

While the timeline of these earlier Salesforce breaches overlaps with the UNC6395 Salesloft Drift activity, Google clarified that the methods of compromise are distinctly different. Google has stated that the UNC6395 Salesloft Drift activity is separate from the vishing attacks attributed to UNC6040. A GTIG spokesperson affirmed that there is no compelling evidence connecting the two campaigns, thus indicating that the breaches are independent events carried out by different threat actors.

In addition to the remediation steps already taken, Google recommended that impacted organizations search for sensitive information and secrets contained within Salesforce objects and take appropriate action. These actions include revoking API keys, rotating credentials, and conducting further investigations to determine if the secrets were abused by UNC6395. Organizations should also investigate for compromise and scan for exposed secrets, using indicators of compromise (IOCs) provided by GTIG, such as IP addresses and User-Agent strings identified in the Mandiant blog post. A broader search for activity originating from Tor exit nodes is also advised.

Further mitigation steps include reviewing Salesforce Event Monitoring logs for unusual activity associated with the Drift connection user, authentication activity from the Drift Connected App, and UniqueQuery events that log executed SOQL queries. Organizations can also open a Salesforce support case to obtain specific queries used by the threat actor and search Salesforce objects for potential secrets. Immediate revocation and rotation of discovered keys or secrets, resetting passwords, and configuring session timeout values in Session Settings to limit the lifespan of a compromised session are also recommended.
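The two defender tasks described above, searching exported Salesforce object data for the credential types the actor harvested and triaging Event Monitoring-style records against IOCs and Drift connection-user activity, can be prototyped in a short script. The following is an added example written for this article; it is not code from Google, Mandiant, Salesforce, or Salesloft. The record and event shapes, the Drift user name, the IOC values, and the sample SOQL are constructed stand-ins (the real IOCs come from the GTIG/Mandiant post, and the real Event Monitoring schema differs), and the password and Snowflake patterns are heuristics that will need tuning for a given org's data.

```python
import re

# --- Part 1: secret scanning over exported Salesforce object rows -----------
# Patterns for the credential types the article names. AWS access key IDs
# begin with "AKIA" followed by 16 uppercase alphanumerics; the password and
# Snowflake patterns are loose heuristics (assumption, tune per environment).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "snowflake_token": re.compile(r"(?i)snowflake[^\n]{0,40}?(?:token|key)\s*[:=]\s*(\S+)"),
}


def mask(value):
    """Keep only the edges of a secret so findings can be logged safely."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def scan_records(records):
    """records: dicts with keys object, id, field, value (constructed stand-in
    for exported Salesforce rows). Returns one finding per pattern match,
    with the matched secret masked."""
    findings = []
    for rec in records:
        text = rec.get("value") or ""
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"object": rec["object"], "id": rec["id"],
                                 "field": rec["field"], "kind": kind,
                                 "masked": mask(secret)})
    return findings


# --- Part 2: triage of event records against IOCs and Drift activity --------
def triage_events(events, drift_user, ioc_ips, ioc_user_agents):
    """events: constructed records loosely shaped like Event Monitoring rows
    (event_type, user, connected_app, source_ip, user_agent, query).
    Returns the events an analyst should review, each tagged with reasons."""
    flagged = []
    for ev in events:
        reasons = []
        if ev.get("source_ip") in ioc_ips:
            reasons.append("source IP matches IOC list")
        if ev.get("user_agent") in ioc_user_agents:
            reasons.append("User-Agent matches IOC list")
        if ev.get("event_type") == "UniqueQuery" and ev.get("user") == drift_user:
            reasons.append("SOQL executed by the Drift connection user")
        if ev.get("event_type") == "Login" and ev.get("connected_app") == "Drift":
            reasons.append("authentication via the Drift Connected App")
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged


# --- Constructed sample data (not real IOCs, users, or customer records) -----
DRIFT_USER = "drift-integration@example.com"          # assumed connection user
IOC_IPS = {"203.0.113.7"}                             # placeholder IOC IP
IOC_USER_AGENTS = {"python-requests/2.32.0-EXAMPLE"}  # placeholder IOC UA

SAMPLE_RECORDS = [
    {"object": "Case", "id": "CASE-0001", "field": "Description",
     "value": "Customer pasted creds: AKIAEXAMPLE123456789 and password=Hunter2!"},
    {"object": "Case", "id": "CASE-0002", "field": "Description",
     "value": "Snowflake token: sf_tok_EXAMPLE_abcdef123456 for the warehouse"},
    {"object": "Account", "id": "ACC-0001", "field": "Notes",
     "value": "Renewal call scheduled for next quarter."},
]

SAMPLE_EVENTS = [
    {"event_type": "Login", "user": DRIFT_USER, "connected_app": "Drift",
     "source_ip": "203.0.113.7", "user_agent": "python-requests/2.32.0-EXAMPLE",
     "query": None},
    {"event_type": "UniqueQuery", "user": DRIFT_USER, "connected_app": "Drift",
     "source_ip": "203.0.113.7", "user_agent": "python-requests/2.32.0-EXAMPLE",
     "query": "SELECT Id, Description FROM Case"},  # constructed sample SOQL
    {"event_type": "UniqueQuery", "user": "alice@example.com", "connected_app": None,
     "source_ip": "198.51.100.20", "user_agent": "Mozilla/5.0",
     "query": "SELECT Id FROM Account"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print("SECRET", f)
    for e in triage_events(SAMPLE_EVENTS, DRIFT_USER, IOC_IPS, IOC_USER_AGENTS):
        print("REVIEW", e["event_type"], e["user"], e["reasons"])
```

Every finding from the secret scan is a rotation task, not just a log line: the masked output is meant to be handed to whoever owns the key so it can be revoked and replaced, while the triage output narrows the Event Monitoring export to the rows worth pulling full SOQL text for.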

Google also advised organizations to harden access controls by ensuring that applications have the minimum necessary permissions, enforcing IP restrictions on the connected app, and defining login IP ranges to allow access only from trusted networks. These measures aim to reduce the attack surface and limit the potential impact of future compromises.
