Google Exposes OAuth Token Theft Linked to UNC6395 in Salesforce Breach

A recent advisory from Google and Mandiant has uncovered a significant data breach involving Salesforce, where the threat actor UNC6395 deployed stolen OAuth tokens to bypass Multi-Factor Authentication (MFA). Organizations are urged to take steps to protect non-human identities to prevent similar breaches.

According to the advisory from the Google Threat Intelligence Group (GTIG) and Mandiant, the breach was part of a broader data theft initiative targeting Salesforce accounts, running from August 8 to August 18, 2025. The actors behind this breach, identified as UNC6395, executed their plans without exploiting existing vulnerabilities within Salesforce’s core platform.

Utilizing Digital Access Keys

The breach was facilitated through compromised OAuth tokens from the third-party application, Salesloft Drift, which allowed the attackers to gain unauthorized access without needing passwords. OAuth tokens function as a digital key, and by manipulating these non-human identities (NHIs), the attackers effectively circumvented conventional security measures like MFA, which are designed to defend against straightforward password theft.

Once inside the Salesforce ecosystem, UNC6395 methodically extracted large quantities of data from various corporate accounts. Their objective appeared to center on gathering credentials and identifying high-value “secrets” that could serve as a launchpad for subsequent attacks.

Specifically, the attackers focused their efforts on harvesting sensitive information, including AWS access keys and tokens from Snowflake, thereby targeting customer accounts and associated user data. Notably, the advisory highlighted that Google Cloud customers were not directly affected by this wave of attacks.

Swift Countermeasures

Both companies, along with GTIG, have made efforts to notify organizations impacted by the breach. Observations made by Astrix Security highlight this incident as a reflection of a concerning trend where attackers exploit NHIs, which tend to have persistent access and elevated privileges.

Astrix also characterized this incident as a textbook example of such vulnerabilities, emphasizing that this type of attack provides a reliable avenue for data exfiltration, particularly for high-value NHIs, such as cloud infrastructure keys.

In light of the findings, organizations are advised to implement robust security protocols. GTIG recommends strengthening access controls, including limiting Connected App scopes, searching for exposed secrets within Salesforce data, rotating any compromised credentials, and introducing IP restrictions to mitigate future risks.

Jonathan Sander, Field CTO at Astrix Security, noted that this breach exemplified a conventional NHI attack strategy, where attackers exploit vulnerabilities that typically go unnoticed. He stressed that many organizations remain unaware of their NHIs, suggesting the necessity of establishing even a basic inventory of these identities to bolster security as a defensive measure.

Source

Related Posts

Urgent: Microsoft Releases Security Patches for 97 Vulnerabilities, Including Active Ransomware Threat

April 12, 2023
Patch Tuesday / Software Updates

On the second Tuesday of the month, Microsoft has issued security updates addressing a total of 97 vulnerabilities within its software. Notably, one of these flaws is currently being exploited in active ransomware attacks. Of the 97 issues, seven are classified as Critical and 90 as Important. The updates notably include 45 remote code execution flaws and 20 elevation of privilege vulnerabilities. This release follows previous fixes for 26 vulnerabilities found in the Edge browser over the past month. The actively exploited flaw is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation vulnerability within the Windows Common Log File System (CLFS) Driver. According to Microsoft’s advisory, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” with credit given to researchers Boris Larin, Genwei Jiang, and Quan Jin for their discovery. CVE-2023-28252 represents the fourth privilege escalation flaw recently identified…

Lazarus Hacker Group Adapts Tactics, Tools, and Targets in DeathNote Campaign

The North Korean cyber threat group known as Lazarus has been observed changing its strategies and rapidly enhancing its tools within its ongoing DeathNote campaign. While historically focused on the cryptocurrency sector, recent attacks have also expanded to include the automotive, academic, and defense sectors in Eastern Europe and beyond. This shift is seen as a major change in approach. Kaspersky researcher Seongsu Park noted that the group has switched its decoy documents to job descriptions for defense contractors and diplomatic services, marking a strategic pivot that began in April 2020. This campaign is also identified by other names such as Operation Dream Job or NukeSped, with Google-owned Mandiant linking certain activities to this evolving threat.

RTM Locker: A Rising Cybercrime Collective Targeting Enterprises with Ransomware

April 13, 2023
Ransomware / Cyber Attack

Cybersecurity experts have revealed insights into the tactics of a burgeoning cybercriminal organization known as “Read The Manual” (RTM) Locker. This group operates as a private ransomware-as-a-service (RaaS) provider, executing opportunistic attacks to illicitly generate profits. According to a report from cybersecurity firm Trellix shared with The Hacker News, “The RTM Locker gang employs affiliates to extort victims, all of whom must adhere to the gang’s stringent rules.” The structured nature of the group, where affiliates are expected to remain active or inform the gang of their departure, highlights its organizational maturity, akin to that seen in other sophisticated groups like Conti. Originally documented by ESET in February 2017, RTM began in 2015 as a banking malware targeting businesses in Russia through methods such as drive-by downloads, spam, and phishing emails. The group’s attack strategies have since evolved to include ransomware deployment.

Critical Vulnerabilities in Android and Novi Survey Under Ongoing Exploitation

April 14, 2023
Mobile Security / Cyber Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation evidence. The vulnerabilities include:

  • CVE-2023-20963 (CVSS score: 7.8) – Android Framework Privilege Escalation Vulnerability
  • CVE-2023-29492 (CVSS score: TBD) – Novi Survey Insecure Deserialization Vulnerability

CISA’s advisory for CVE-2023-20963 notes that the Android Framework contains an unspecified vulnerability that enables privilege escalation when an app is updated to a higher Target SDK without requiring additional execution privileges. Google acknowledged in its March 2023 Android Security Bulletin that there are signs of limited, targeted exploitation of CVE-2023-20963. This revelation follows a report from Ars Technica that Android apps digitally signed by a Chinese e-commerce entity may be affected.