
Palo Alto Networks data breach exposes customer information, support cases

Palo Alto Networks suffered a data breach that exposed customer information and support cases after attackers abused compromised OAuth tokens from the Salesloft Drift breach to access its Salesforce instance.

The company states that it was one of hundreds of companies affected by a supply-chain attack disclosed last week, in which threat actors abused the stolen authentication tokens to exfiltrate data.

BleepingComputer learned of the breach this weekend from Palo Alto Networks’ customers, who expressed concern that the breach exposed sensitive information, such as IT details and passwords, shared in support tickets.

Palo Alto Networks later confirmed to BleepingComputer that the incident was limited to its Salesforce CRM and did not affect any products, systems, or services.

“Palo Alto Networks confirms that it was one of hundreds of customers impacted by the widespread supply chain attack targeting the Salesloft Drift application that exposed Salesforce data,” Palo Alto Networks told BleepingComputer.

“We quickly contained the incident and disabled the application from our Salesforce environment. Our Unit 42 investigation confirms that this issue did not affect any Palo Alto Networks products, systems, or services.”

“The attacker extracted primarily business contact and related account information, including internal sales account data and basic case data. We are in the process of directly notifying any impacted customers.”


The campaign, first tracked by Google’s Threat Intelligence team as UNC6395, specifically targeted support cases to identify sensitive data, such as authentication tokens, passwords, and cloud secrets, that could be used to pivot into other cloud services and steal data.

“Our observations indicate that the threat actor performed mass exfiltration of sensitive data from numerous Salesforce objects, including Account, Contact, Case and Opportunity records,” Palo Alto Networks warned in an advisory shared with BleepingComputer.

“Following exfiltration, the actor appeared to be actively scanning the acquired data for credentials, likely with the intent to facilitate further attacks or expand their access. We have observed that the threat actor deleted queries to hide evidence of the jobs they run, likely as an anti-forensics technique.”

Palo Alto Networks reports that the attackers were searching for secrets, including AWS access keys (AKIA), Snowflake tokens, VPN and SSO login strings, and generic keywords such as “password,” “secret,” or “key.”

These credentials could then be used to breach additional cloud platforms to steal data for extortion attacks.

Google and Palo Alto Networks say that the threat actors used automated tools to steal data, with user-agent strings indicating that custom Python tools were used:

python-requests/2.32.4

Python/3.11 aiohttp/3.12.15

Salesforce-Multi-Org-Fetcher/1.0

Salesforce-CLI/1.0

As part of these attacks, the threat actors mass-exfiltrated data from the Account, Contact, Case and Opportunity Salesforce objects.


To evade detection, the threat actors deleted logs and used Tor to obfuscate their origin.

Palo Alto Networks states that it has revoked the associated tokens and rotated the credentials following the incident.

The company recommends Salesloft Drift customers treat the incident with “immediate urgency” and perform the following actions:

  • Investigate Salesforce, identity provider, and network logs for potential compromise.
  • Review all Drift integrations for suspicious connections.
  • Revoke and rotate authentication keys, credentials, and secrets.
  • Use automated tools, like Trufflehog and Gitleaks, to scan code repositories for embedded authentication keys or tokens.
  • If data was confirmed to be exfiltrated, it should be reviewed for the presence of credentials.
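The first and last of these actions can be started with a small triage script. The following is an added example, not code from the article, Palo Alto Networks, or Google: it flags API event log lines carrying the user-agent strings reported above and checks exported case text for the credential indicators the actor searched for. The log line format and all sample data are constructed for the example.

```python
import re

# Constructed sample of Salesforce-style API event log lines (not real data):
# "<timestamp> <user> <operation> <user-agent>".
SAMPLE_EVENTS = [
    "2025-08-20T02:11:09Z api_user@example.com Query python-requests/2.32.4",
    "2025-08-20T02:13:41Z api_user@example.com Bulk Salesforce-Multi-Org-Fetcher/1.0",
    "2025-08-20T09:01:00Z alice@example.com Query Mozilla/5.0 (Windows NT 10.0)",
    "2025-08-20T02:15:22Z api_user@example.com Query Python/3.11 aiohttp/3.12.15",
]

# User-agent strings reported for the UNC6395 campaign (taken from the article).
SUSPECT_USER_AGENTS = (
    "python-requests/2.32.4",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Salesforce-CLI/1.0",
)

# Credential indicators the actor searched for: AWS access key IDs (AKIA prefix,
# 16 more uppercase/digit characters), Snowflake, VPN/SSO mentions, generic keywords.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake": re.compile(r"\bsnowflake\b", re.IGNORECASE),
    "vpn_sso": re.compile(r"\b(vpn|sso)\b", re.IGNORECASE),
    "keyword": re.compile(r"\b(password|secret|key)\b", re.IGNORECASE),
}


def flag_suspect_events(lines):
    """Return (timestamp, user, user_agent) for every line whose UA is on the list."""
    hits = []
    for line in lines:
        ts, user, _operation, ua = line.split(" ", 3)
        if any(ua.startswith(suspect) for suspect in SUSPECT_USER_AGENTS):
            hits.append((ts, user, ua))
    return hits


def find_credential_indicators(case_text):
    """Return the set of indicator categories present in exported case text."""
    return {name for name, pat in SECRET_PATTERNS.items() if pat.search(case_text)}


if __name__ == "__main__":
    for ts, user, ua in flag_suspect_events(SAMPLE_EVENTS):
        print(f"suspect API access at {ts} by {user}: {ua}")
    # Constructed case text with a placeholder (not real) AWS key ID.
    print(find_credential_indicators("Reset VPN password; key id AKIAEXAMPLEKEY000000"))
```

Cases flagged by `find_credential_indicators` are the ones whose referenced credentials should be rotated first; a hit on `aws_access_key` is a rotation trigger even if the key is believed expired.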

Palo Alto Networks, Salesforce, and Google have now disabled Drift integrations while the investigation into how the OAuth tokens were stolen continues.

The supply chain attack has impacted other companies, including Zscaler and Google.

Salesforce data theft attacks

Since the beginning of the year, Salesforce has been the target of data theft attacks conducted by members associated with the ShinyHunters extortion group.


In past attacks, the threat actors conducted voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company’s Salesforce instances.

Once linked, the threat actors used the connection to download and steal the databases, which were then used to extort the company by email.

However, with the Salesloft breach, the threat actors were able to steal data using the stolen OAuth tokens.

Since Google first reported the attacks in June, numerous data breaches have been tied to the social engineering attacks, including Google itself, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

While some researchers have told BleepingComputer that they believe the Salesloft supply chain attacks involve the same threat actors, Google says there is no conclusive evidence that they are linked.

“We haven’t seen any compelling evidence connecting them at this time,” Austin Larsen, Principal Threat Analyst, Google Threat Intelligence Group, told BleepingComputer.
