Hackers stole user credentials from Salesforce customers in a widespread campaign earlier this month, according to researchers at Google Threat Intelligence Group, who warned that the thefts could lead to follow-up attacks.
A threat actor that Google tracks as UNC6395 targeted Salesforce instances using compromised OAuth tokens that were associated with the customer engagement vendor Salesloft’s Drift AI chat agent.
Researchers believe the hackers’ primary goal was to harvest credentials, as they stole large amounts of data from numerous Salesforce instances.
Google’s Threat Intelligence Group “is aware of over 700 potentially impacted organizations,” Austin Larsen, a principal threat analyst at the company, told Cybersecurity Dive in a statement. “The threat actor used a Python tool to automate the data theft process for each organization that was targeted.”
The attacks did not involve any vulnerability in the Salesforce platform, according to researchers.
After stealing the data, the hackers looked for sensitive credentials, including access keys and passwords for Amazon Web Services as well as access tokens for the Snowflake cloud platform.
The attacks largely occurred between Aug. 8 and Aug. 18, researchers said. By Aug. 20, Salesloft had begun working with Salesforce to revoke all active access and refresh Drift tokens, according to Google.
Salesloft issued a security alert on Aug. 20 asking Drift administrators to reauthenticate their Salesforce connections.
Read the Full Story Here
Source: Cybersecurity Dive