Salesloft Drift Hack Targets Tenable and Qualys Users


Salesloft Reports GitHub Repository Compromised by Cyber Attackers


Salesloft has confirmed that hackers gained unauthorized access to its GitHub repository, the starting point of a breach that has now reached several companies, including the cybersecurity firms Tenable and Qualys. The incident is part of an ongoing campaign that uses OAuth tokens stolen from Drift, a third-party AI chat tool that is widely integrated with Salesforce.

In blog posts dated September 3 and September 6, Tenable and Qualys disclosed that they had become targets of a supply chain attack carried out with OAuth tokens stolen from Salesloft's Drift AI chat application. The campaign has already hit a number of organizations, including Zscaler, Palo Alto Networks, and CyberArk, all of which have reported data theft from their Salesforce instances through the Drift integration. The attackers did not exploit a flaw in Salesforce itself; the stolen tokens let them query each victim's Salesforce data with the access the integration had been granted.

Salesloft revealed that the malicious activity occurred between March and June, during which hackers accessed its GitHub account before breaching the Drift Amazon Web Services environment to extract OAuth tokens. Google Mandiant, tasked with investigating the breach, attributes the attack to a group designated as UNC6395, although it has not yet identified any links between this group and known cybercriminal organizations or nation-states. Initial claims by the ShinyHunters extortion group regarding responsibility for the attacks were later retracted.

Cybersecurity experts have outlined the methodology used by the attackers, noting that breaking into GitHub accounts to search for tokens is a tactic previously used by groups such as ShinyHunters and Lapsus$. Will Thomas, a threat intelligence adviser at Team Cymru, pointed out that the IP addresses linked to the attackers appear to be Tor exit nodes, which he said suggests inadequate security controls at some of the organizations involved, since logins from Tor exits are readily blocked or flagged.

Tenable said that on September 3 it detected an unauthorized party gaining broad access to customer information stored in its Salesforce instance, including personal details such as email addresses and phone numbers collected during support requests. Similarly, Qualys acknowledged that the stolen OAuth tokens provided limited access to sensitive data within its Salesforce environment.

Both firms have reassured their customers that their products and services remain unaffected and operational. Each has also disabled the Salesloft Drift application and revoked the associated integration tokens in response to the incident.

This breach illustrates the evolving landscape of cybersecurity threats and highlights the critical need for robust identity and access management strategies to safeguard sensitive data. It is also a reminder of the importance of monitoring third-party integrations, which carry standing access that an attacker holding a stolen token can use directly. In MITRE ATT&CK terms the campaign maps to Initial Access through a trusted relationship and valid (stolen) credentials, followed by Collection and Exfiltration; no privilege escalation was needed, because the tokens already carried the access the integration had been granted.

Reporting by Information Security Media Group’s Mathew Schwartz in Scotland and David Perera in Northern Virginia.
