News • August 29, 2025 • 3 mins

Salesloft Breach Opens The Door To OAuth-Powered Salesforce Hacks

Aditya Santhanam
Founder and CTO, Infisign

On August 26th, Google Threat Intelligence Group (GTIG) confirmed a widespread data theft campaign affecting Salesforce customers. The attack was carried out by a threat actor tracked as UNC6395.

The actor used compromised OAuth tokens belonging to a popular third-party application, Salesloft Drift, to access victims' Salesforce instances.

Salesloft identified the security issue on August 20 and, as a precaution, revoked the connections between its Drift application and Salesforce. According to GTIG, the data theft itself took place between August 8 and August 18, and the full extent of the incident was not clear until Google published its report.

What Does This Breach Mean for SaaS Businesses?

This incident is the latest in a series of attacks directed at the Salesforce ecosystem. This one relied on compromised OAuth tokens.

Other attacks have used different methods, such as vishing (voice phishing). For example, the group Shiny Hunters recently targeted businesses like Farmers Insurance and breached Google itself through one of its Salesforce instances. The threats are varied, and all of them are dangerous.

The potential impact is massive. Some experts suggest hundreds of customers may have been affected by the Salesloft breach. The attack was coordinated and disciplined, which has led some to suspect that a nation-state actor was involved.

This trend is alarming for businesses that depend on interconnected cloud platforms. Trusting a third-party application requires continuous verification and a strong security posture, because a third party's weaknesses become your own.

The situation is serious, and Google has issued a clear warning: any Salesforce customer that used the Drift integration should treat the data and any credentials stored in its Salesforce instance as potentially compromised, revoke and rotate the affected tokens and keys, and review its logs for the Drift connected app's activity without delay.

Who is UNC6395?

UNC6395 is the name for the threat actor behind this widespread attack on Salesforce customers. Their primary goal is data theft. They then comb through the stolen data for secrets that can be used to break into their victims' other systems.

The group has shown advanced tradecraft and a clear awareness of how defenders investigate.

The Attack Method of UNC6395:

  • Token Compromise: The group started with OAuth tokens stolen from the Salesloft Drift application. Those tokens gave them authenticated access to their targets' Salesforce instances without any password or MFA prompt.
  • Data Exfiltration: Once inside, UNC6395 methodically ran SOQL (Salesforce Object Query Language) queries to export large volumes of records. They then searched the exported data for specific sensitive credentials, including Amazon Web Services (AWS) access keys, passwords, and Snowflake access tokens.
  • Covering Their Tracks: The group deleted the query jobs they had created in an attempt to hide their activity. Deleting a job does not delete the logs, however, so the queries remain visible to anyone who reviews Salesforce event logs.
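The three steps above map directly onto two defender tasks: confirm from the logs what the connected app actually pulled (job deletion does not hide it), and find out which of the exported records contained secrets that now need rotating. The following is an added example, not code from this page, GTIG, Salesloft or Salesforce. The log column names, the sample log rows and the sample case records are constructed for the example and are an assumption; a real Salesforce EventLogFile export has its own schema per event type, so adapt the column names to the event type you export.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of an API event log export for a Salesforce org. The
# column names are an assumption made for this example (a real Salesforce
# EventLogFile export has its own schema per event type). The rows mimic the
# pattern described above: one connected app bulk-querying support and
# account objects, then deleting its query job.
SAMPLE_EVENT_LOG = """\
TIMESTAMP,USER_NAME,CONNECTED_APP_NAME,ENTITY_NAME,OPERATION,ROWS_PROCESSED,CLIENT_IP
2025-08-09T02:11:04Z,drift.integration@example.com,Drift,Case,bulkQuery,48211,203.0.113.7
2025-08-09T02:15:31Z,drift.integration@example.com,Drift,Account,bulkQuery,12003,203.0.113.7
2025-08-09T02:20:10Z,drift.integration@example.com,Drift,User,bulkQuery,911,203.0.113.7
2025-08-09T02:44:59Z,drift.integration@example.com,Drift,Case,deleteJob,0,203.0.113.7
2025-08-09T09:03:22Z,jane.doe@example.com,Salesforce Mobile,Opportunity,query,14,198.51.100.20
2025-08-10T02:12:45Z,drift.integration@example.com,Drift,Opportunity,bulkQuery,7702,203.0.113.7
"""

# Constructed sample of exported support cases. Free-text fields like Case
# descriptions are where customers paste credentials, which is what the
# attacker searched for.
SAMPLE_CASES = [
    {"Id": "500xx0000000001", "Description": "Customer cannot log in; reset done."},
    {"Id": "500xx0000000002", "Description": "Attached config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE secret follows"},
    {"Id": "500xx0000000003", "Description": "Snowflake account sfacct.us-east-1, password: Winter2025!"},
    {"Id": "500xx0000000004", "Description": "Ticket closed, no action."},
]

# Patterns for the credential types named in the GTIG report. The AWS pattern
# matches the fixed AKIA access-key-id prefix; the other two are keyword
# checks because passwords and Snowflake tokens have no fixed shape.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\b\s*[:=]\s*\S+"),
    "snowflake_reference": re.compile(r"(?i)\bsnowflake\b"),
}


def triage_connected_app(log_text, app_name="Drift", row_threshold=1000):
    """Summarise what one connected app pulled out, from an event log export.

    Returns rows exported per object, the number of query-job deletions (the
    anti-forensic step described above; the log entry survives the deletion),
    and the individual events that exported at least row_threshold rows.
    """
    rows_by_entity = Counter()
    job_deletions = 0
    large_pulls = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["CONNECTED_APP_NAME"] != app_name:
            continue
        if row["OPERATION"] == "deleteJob":
            job_deletions += 1
            continue
        rows = int(row["ROWS_PROCESSED"])
        rows_by_entity[row["ENTITY_NAME"]] += rows
        if rows >= row_threshold:
            large_pulls.append((row["TIMESTAMP"], row["ENTITY_NAME"], rows))
    return {
        "rows_by_entity": dict(rows_by_entity),
        "job_deletions": job_deletions,
        "large_pulls": large_pulls,
    }


def find_exposed_secrets(records, text_field="Description"):
    """Return (record id, secret type) for every record whose text matches a pattern.

    Run this over the same objects the attacker queried; every hit is a
    credential that must be rotated, not merely a record to report.
    """
    findings = []
    for rec in records:
        text = rec.get(text_field) or ""
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append((rec["Id"], name))
    return findings


if __name__ == "__main__":
    summary = triage_connected_app(SAMPLE_EVENT_LOG)
    print("Rows exported by Drift per object:", summary["rows_by_entity"])
    print("Query jobs deleted:", summary["job_deletions"])
    for ts, entity, rows in summary["large_pulls"]:
        print(f"  large pull {ts} {entity} {rows} rows")
    for rec_id, kind in find_exposed_secrets(SAMPLE_CASES):
        print(f"  rotate: case {rec_id} contains {kind}")
```

The row threshold is a tuning knob: a chat widget that legitimately reads a handful of Case records per session never needs tens of thousands of rows in one job, so volume alone separates the integration's normal traffic from a bulk export. The secret scan is deliberately broad on keywords; false positives cost an analyst a minute, a missed AWS key costs an account.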

Experts call this a classic attack on non-human identities, or NHIs. NHIs are the service accounts, API keys and OAuth tokens that operate in the background without direct human supervision, and that rarely get the MFA, rotation and review that human accounts receive.

How to Prevent OAuth Token and NHI Breaches With Infisign

The breach happened because a non-human identity, an OAuth token, was compromised. To avoid this, NHIs must be managed and monitored across their whole lifecycle, from creation through scope changes to revocation and deletion.

Infisign's AI-assisted access management helps discover, govern and decommission non-human identities, which lowers the likelihood of this kind of breach.

Long-term prevention is also easier with privileged access management, adaptive MFA and zero-trust authentication that evaluates the context of each request before granting access, whether the requester is a human user or a non-human identity presenting a token.

Many companies do not even have a basic inventory of the NHIs they are using, and these are exactly what attackers target. A modern security plan must include the following points:

  • Complete Visibility: Create and maintain a complete inventory of all non-human identities, including API keys and OAuth tokens, together with the permissions each one holds and when it was last used.
  • Threat Detection: Set up monitoring, using an IAM platform such as Infisign, to detect unusual activity tied to NHIs. Spotting a compromised token early limits how much data can be stolen before it is revoked.
  • Least Privilege Access: Apply a policy of least privilege to every third-party application. An app should only be granted the scopes, objects and fields it absolutely needs to do its job, which limits the damage if it is compromised.
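Visibility and least privilege only pay off if the inventory is actually reviewed against a policy. The following is an added example, not code from this page or from Infisign: it runs a simple review over a constructed inventory of third-party OAuth grants, flagging grants that are stale or overbroad, and lists what to revoke when a vendor reports a compromise. The record layout and the sample grants are an assumption for the example; in Salesforce the equivalent data comes from the OauthToken and ConnectedApplication objects and each connected app's scope configuration. The scope names used (api, full, refresh_token, offline_access) are real Salesforce OAuth scopes.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory of OAuth grants to third-party apps. The field names
# are an assumption for this example; build the real list from your IdP or
# from Salesforce's OauthToken / ConnectedApplication objects.
SAMPLE_GRANTS = [
    {"app": "Drift", "user": "drift.integration@example.com",
     "scopes": ["api", "refresh_token", "full"], "last_used": "2025-08-18T03:12:00Z"},
    {"app": "Drift", "user": "old.admin@example.com",
     "scopes": ["api", "refresh_token"], "last_used": "2025-03-02T10:00:00Z"},
    {"app": "Slack", "user": "jane.doe@example.com",
     "scopes": ["api", "refresh_token"], "last_used": "2025-08-27T08:40:00Z"},
    {"app": "LegacyETL", "user": "svc.etl@example.com",
     "scopes": ["full", "refresh_token"], "last_used": "2024-11-30T00:00:00Z"},
]

# Review date, fixed so the example is reproducible (constructed).
REVIEW_TIME = datetime(2025, 8, 29, tzinfo=timezone.utc)

# "full" grants everything the granting user can do; a refresh_token or
# offline_access scope turns a session into a long-lived credential that
# keeps working after the user logs out. Together they are exactly the kind
# of token UNC6395 abused.
BROAD_SCOPES = {"full"}
LONG_LIVED_SCOPES = {"refresh_token", "offline_access"}


def _parse_time(value):
    # ISO 8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_grants(grants, now, stale_after_days=90):
    """Return (app, user, reason) findings for grants to revoke or narrow."""
    findings = []
    stale_cutoff = now - timedelta(days=stale_after_days)
    for g in grants:
        scopes = set(g["scopes"])
        if _parse_time(g["last_used"]) < stale_cutoff:
            findings.append((g["app"], g["user"],
                             f"unused for more than {stale_after_days} days: revoke"))
        if scopes & BROAD_SCOPES:
            long_lived = bool(scopes & LONG_LIVED_SCOPES)
            findings.append((g["app"], g["user"],
                             "scope 'full' granted" +
                             (" with a long-lived refresh token" if long_lived else "") +
                             ": narrow to the objects the app needs"))
    return findings


def tokens_to_revoke(grants, compromised_app):
    """Every user whose grant to compromised_app must be revoked and rotated.

    This is the list you need within minutes of a vendor's breach notice;
    without an inventory you cannot produce it at all.
    """
    return sorted({g["user"] for g in grants if g["app"] == compromised_app})


if __name__ == "__main__":
    for app, user, reason in review_grants(SAMPLE_GRANTS, REVIEW_TIME):
        print(f"{app:10} {user:32} {reason}")
    print("Revoke for Drift:", tokens_to_revoke(SAMPLE_GRANTS, "Drift"))
```

The stale-grant check is what catches forgotten tokens such as the one left by a departed admin in the sample; the scope check is what would have caught a chat widget holding a full-scope token long before any breach notice arrived.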

Ready to see and manage your non-human identities better? Book a free demo with the Infisign team.


Aditya is a seasoned technology visionary and the founder and CTO of Infisign. With a deep passion for cybersecurity and identity management, he has spearheaded the development of innovative solutions to address the evolving digital landscape. Aditya's expertise in building robust and scalable platforms has been instrumental in Infisign's success.
