Salesforce Rejects Ransom Demand from ShinyHunters Extortionists


Criminals Behind Salesloft Breach Continue to Target Salesforce Customers


Salesforce, the leading customer relationship management software provider, recently informed its clients that it will not comply with extortion demands from cybercriminals who have gained access to their data. The threat actors, operating under the name Scattered Lapsus$ Hunters, have launched a dark web site cataloging their alleged victims and claiming a total of over 1.5 billion records stolen from 760 companies.

The attackers are requiring payments in cryptocurrency from their victims as well as from Salesforce itself, promising to refrain from leaking sensitive data if their demands are met. A deadline for compliance was posted by the group, adding urgency to their threats.

In response, a Salesforce representative stated, “I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand.” This statement comes after Bloomberg first disclosed that Salesforce had warned affected clients of a “credible threat intelligence” regarding data that was stolen in August from users of the Salesloft Drift artificial intelligence chatbot integrated with Salesforce.

The leaked data site lists 39 identifiable victims, encompassing notable corporations such as Cisco, Disney, and KFC, which together account for approximately 1 billion of the claimed 1.5 billion stolen records. The hackers are employing various tactics to exert pressure on their victims, including direct outreach and postings on several Telegram channels, while conspicuously withholding details on the exact amount of ransom they are seeking.

Cybersecurity experts and law enforcement agencies advise against paying extortion demands, since capitulating to extortionists only funds their operations and encourages further attacks. The incident follows the familiar pattern of initial access and persistence described in the MITRE ATT&CK framework: these criminals have in the past exploited software vulnerabilities to gain footholds in organizations.

According to the FBI, attackers associated with two specific activity clusters used stolen OAuth tokens to leverage the Salesloft Drift AI integration with Salesforce, enabling extensive data retrieval. Google’s threat intelligence team has reported that the attacks began in early August, leading to the compromise of nearly 700 Salesloft clients, as well as other organizations utilizing the software.

Following the breach, Salesforce collaborated with Google Cloud’s Mandiant incident response team to invalidate access to the compromised Drift OAuth tokens. This action requires companies incorporating Drift to reauthenticate their integration, thereby adding a layer of security to mitigate further exploitation. Salesforce has since re-enabled integrations with SalesLoft technologies, although the Drift application remains suspended from the AppExchange marketplace pending additional scrutiny.

Market leaders in cybersecurity consistently recommend proactive detection and response measures to safeguard against such breaches. Salesforce, for its part, has reassured clients that its security teams are diligently monitoring the situation, emphasizing the priority placed on the protection of customer environments and sensitive data.
