Cybercrime Group ShinyHunters Claims to Steal Data From 300 Organizations

Hackers who claimed responsibility for stealing Salesforce data via the integrated customer relationship software published by Gainsight say they robbed more than 300 organizations.
In a post to a new Telegram channel launched Friday, cybercrime group Scattered Lapsus$ Hunters asserted that victims include F5, GitLab, SonicWall and Verizon (see: ShinyHunters Hack Salesforce Instances Via Gainsight Apps).
Members of the Scattered Lapsus$ Hunters collective, largely comprised of Western adolescents, said that when combined with data stolen this past summer from users of the Salesloft Drift app, a forthcoming data leak site will feature information stolen from 1,000 organizations.
Gainsight hasn’t confirmed how many customer organizations’ data was stolen. The company said that when Salesforce first detected signs of the attack on Wednesday, it was tied to “suspicious access attempts” targeting three customers.
Salesforce said it revoked the Gainsight app’s access tokens and temporarily removed the publisher’s software from its AppExchange cloud marketplace.
Salesforce first publicly warned customers with Gainsight integrations on Thursday that attackers may have stolen their customer data. “There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce,” it said.
Austin Larsen, a principal threat analyst at Google, said Thursday that the company “observed threat actors, tied to ShinyHunters, compromising third-party OAuth tokens to potentially gain unauthorized access to Salesforce customer instances.” ShinyHunters’ activities overlap with a threat activity the company tracks as UNC6395.
Gainsight told customers early Thursday that Salesforce revoked all access for the Gainsight SFDC Connector, resulting in connection failures, after detecting “unusual activity” tied to the tool. Affected products include Customer Education Solution, Community, Northpass, Skilljar and Staircase. “While these products are operational, their ability to read and write from Salesforce is unavailable temporarily,” it said.
A probe into the attack and data theft remains ongoing. “We continue to work closely with Salesforce on the ongoing investigation into the incident. In parallel, a forensic analysis is continuing as part of a comprehensive and independent review,” Gainsight said in a Sunday update. It recommended customers open a support ticket to request logs, but said customers should first rotate their Gainsight Amazon Simple Storage Service, or S3, keys, in case the attacker had previously compromised them.
Known threat activity dates to Oct. 23, when an attacker using a “compromised Gainsight access token” conducted “reconnaissance against customers” from an Amazon Web Services IP address, Salesforce said.
Further reconnaissance and unauthorized access to Salesforce systems resumed from Nov. 8 onward, before surging on Tuesday and Wednesday with a flurry of HTTP requests generated by Python scripts. From Tuesday to Wednesday, Salesforce said, the attacker used the Salesforce-Multi-Org-Fetcher/1.0 Python script to gain further unauthorized access to Gainsight data; the same script was “observed in Salesloft Drift activity” in an August attack that used stolen OAuth tokens for the Drift tool.
Repeat Supply Chain Attacks
How attackers stole the Gainsight OAuth tokens isn’t yet clear. Hackers in the earlier Salesloft attack obtained tokens after first breaching a GitHub repository containing source code for Salesloft Drift’s chatbot, which they combed for OAuth tokens. This allowed them to access software integrated with Drift, including for 760 Salesforce instances.
Such supply chain attacks are notable in part for the roundabout path taken to obtain customers’ data. “It underlines a recurring tactic: attackers gaining access through trusted third-party integrations by misappropriating tokens or leveraging support-case secrets rather than exploiting direct product vulnerabilities,” said cybersecurity firm SOCRadar on Friday.
Based on the group’s previous attacks, the next step in the hackers’ playbook would appear to be extortion (see: Madman Theory Spurs Crazy Scattered Lapsus$ Hunters Playbook).
Following the theft of Salesforce data from Drift customers, the extortionists claimed that they would automatically leak the data for any company that failed to pay them a ransom. Those plans faced multiple hurdles, including U.S. and French authorities knocking offline the clearnet and darknet versions of the BreachForums data leak and extortion site being run by the group, as well as a darknet site listing 39 affected Salesforce customers.
Ultimately, the cybercrime group leaked data stolen from six customers (see: Salesforce Extortion Group Leaks Data After FBI Disruption).
Following from the Gainsight attack and ShinyHunters’ repeat targeting of Salesforce data, “more supply chain events” seem likely, not least because the group has signaled its plans “to keep pushing content to their public channels to stay relevant,” SOCRadar said.
Hardening Advice Against Persistent Hackers
Gainsight hired Google’s Mandiant incident response team to conduct the independent review, and referred customers to hardening advice issued by Mandiant following the attack against Salesloft Drift, updated Friday in the wake of the Gainsight attacks.
Mandiant said its advice details “comprehensive hardening, logging and detection recommendations for programmatic credentials such as API keys, OAuth tokens, service accounts and access keys.”
Salesforce on Saturday recommended “customers conduct a comprehensive review of all available logs when investigating potential compromise.” The Gainsight application’s OAuth tokens have been revoked, but this “does not delete your historical audit trails or hinder customers’ ability to investigate this incident.”
A late August report by Mandiant into the Scattered Lapsus$ Hunters attack on Salesforce via the Salesloft authentication tokens detailed how “the actor systematically exported large volumes of data from numerous corporate Salesforce instances,” thanks in part to wielding the same “malicious user-agent string.”
Cybersecurity experts have lauded the level of detail being shared by Salesforce’s security team with customers, which has included both indicators of compromise as well as time stamps.
“This level of granularity is massively helpful to threat hunt and SOC teams to determining if activity was potentially malicious,” said Eli Woodward, a senior cyber threat intelligence adviser at Team Cymru, in a Sunday post to LinkedIn. He urged other organizations to adopt this level of post-attack information sharing as an “industry standard.”
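A threat-hunting pass over the kind of log detail Salesforce shared, as an added example that is not code from Salesforce, Gainsight or the article: it flags records carrying the Salesforce-Multi-Org-Fetcher/1.0 user agent quoted above and any source whose API request rate spikes within an hour, the "flurry of HTTP requests" pattern. The log record shape, field names and sample entries are constructed assumptions, not Salesforce's actual event log format.

```python
"""Hunt constructed Salesforce-style API log records for the IoCs the article cites."""
from collections import Counter
from datetime import datetime

# User-agent string Salesforce attributed to the attacker's Python tooling (from the article).
MALICIOUS_USER_AGENT = "Salesforce-Multi-Org-Fetcher/1.0"

# Constructed sample records in an assumed, simplified shape (timestamp, source IP,
# user agent, requested resource). Not Salesforce's real EventLogFile format.
SAMPLE_LOG = [
    {"ts": "2025-11-18T14:02:11Z", "ip": "203.0.113.10", "ua": "Salesforce-Multi-Org-Fetcher/1.0", "uri": "/services/data/v59.0/query"},
    {"ts": "2025-11-18T14:02:12Z", "ip": "203.0.113.10", "ua": "Salesforce-Multi-Org-Fetcher/1.0", "uri": "/services/data/v59.0/query"},
    {"ts": "2025-11-18T14:02:13Z", "ip": "203.0.113.10", "ua": "python-requests/2.31", "uri": "/services/data/v59.0/sobjects/Account"},
    {"ts": "2025-11-18T09:15:00Z", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0)", "uri": "/lightning/o/Account/list"},
    {"ts": "2025-11-19T03:40:05Z", "ip": "198.51.100.7", "ua": "salesforce-multi-org-fetcher/1.0", "uri": "/services/data/v59.0/query"},
]


def parse_ts(ts):
    """Parse the constructed ISO-8601 UTC timestamp used in SAMPLE_LOG."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def matches_iocs(rec):
    """Return the reasons one record matches a known indicator (case-insensitive UA match)."""
    reasons = []
    if rec["ua"].lower() == MALICIOUS_USER_AGENT.lower():
        reasons.append("known malicious user agent")
    return reasons


def hunt(records, surge_threshold=2):
    """Map source IP -> sorted reasons: IoC hits plus per-hour REST API request surges."""
    findings = {}
    for r in records:
        for reason in matches_iocs(r):
            findings.setdefault(r["ip"], set()).add(reason)
    # Surge detection: count REST API calls per (source IP, UTC hour bucket).
    buckets = Counter()
    for r in records:
        if r["uri"].startswith("/services/data/"):
            hour = parse_ts(r["ts"]).strftime("%Y-%m-%dT%H")
            buckets[(r["ip"], hour)] += 1
    for (ip, hour), n in buckets.items():
        if n > surge_threshold:
            findings.setdefault(ip, set()).add(f"{n} API requests in hour {hour}")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


if __name__ == "__main__":
    for ip, reasons in hunt(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The surge threshold is deliberately low so the constructed sample trips it; tune it to a baseline of normal integration traffic before running over real logs.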
Other major hacks by the group this year have included attacks on major retailers and financial services firms, as well as the disruption of automaker Jaguar Land Rover, which led the company to report a loss of roughly $260 million.
The criminals have been previewing a new ransomware-as-a-service operation called ShinySp1d3r, and a sample of their crypto-locking malware has appeared in the wild. Cybersecurity firm ZeroFox said Scattered Lapsus$ Hunters likely “built this RaaS to keep ransom profits in-house, eliminating the need to share ransom proceeds with third-party providers.”