Google has revealed that a threat group, identified as UNC6395, has been conducting a series of data breaches targeting organizations’ Salesforce instances by compromising OAuth tokens associated with the Salesloft Drift third-party application.
The Google Threat Intelligence Group (GTIG) reported that UNC6395 initiated a “widespread data theft” campaign starting around August 8 and continuing through at least August 18. The threat actors exploited authentication tokens within the Salesloft Drift application, an AI-powered tool designed to automate sales processes like communication, analysis, and engagement, which integrates with Salesforce databases. According to the GTIG, UNC6395 “systematically exported large volumes of data from numerous corporate Salesforce instances.”
The primary objective was to harvest sensitive credentials, including Amazon Web Services (AWS) access keys (identifiable by their AKIA prefix), passwords, and Snowflake-related access tokens. After extracting the data, “the actor then searched through the data to look for secrets that could be potentially used to compromise victim environments.” To conceal their activities, the threat actors deleted query jobs.
Although there is no indication that logs were directly impacted, GTIG advises organizations to “review relevant logs for evidence of data exposure.” The scope of the campaign is limited to Salesloft customers who integrate their solutions with Salesforce. GTIG clarified that there is no evidence suggesting that Google Cloud customers were directly affected, but those utilizing Salesloft Drift “should review their Salesforce objects for any Google Cloud Platform service account keys.”
GTIG emphasized that “Organizations using Drift integrated with Salesforce should consider their Salesforce data compromised and are urged to take immediate remediation steps.” Salesloft collaborated with Salesforce to address the situation by revoking all active access and refresh tokens associated with the Drift application. Salesforce has also removed the Drift application from the Salesforce AppExchange “until further notice and pending further investigation.” GTIG, Salesforce, and Salesloft have all notified affected organizations.
The GTIG report follows disclosures from multiple prominent companies, including Adidas, Pandora, Allianz, Tiffany & Co., Dior, Louis Vuitton, Workday, and Google, concerning breaches via a third-party platform, reportedly Salesforce, during July and August. ShinyHunters claimed responsibility for many of these attacks, and vishing attacks have been identified as the method of compromise. In June, Google reported that a financially motivated threat group, UNC6040 (allegedly associated with ShinyHunters), was impersonating IT support staff in vishing attacks to infiltrate organizations’ Salesforce environments. Earlier in August, Google revealed that UNC6040 breached one of its Salesforce instances using these tactics.
While the timeline of some of these Salesforce breaches aligns with GTIG’s findings, the methods of compromise differ. Google stated that the UNC6395 Salesloft Drift activity is distinct from the vishing attacks attributed to UNC6040. A GTIG spokesperson confirmed, “We’ve not seen any compelling evidence connecting them.”
GTIG provided recommendations for defenders, advising impacted organizations to search for sensitive information and secrets within Salesforce objects and take appropriate actions, such as revoking API keys, rotating credentials, and conducting further investigations to determine whether the secrets were misused by UNC6395. Organizations should also hunt for signs of compromise by searching their logs for the IP addresses and User-Agent strings listed in the Indicators of Compromise section of the Mandiant blog post, and scan for exposed secrets. It is also recommended to implement “a broader search for any activity originating from Tor exit nodes.”
Additional mitigation steps include reviewing Salesforce Event Monitoring logs for unusual activity linked to the Drift connection user, authentication activity from the Drift Connected App, and UniqueQuery events that log executed SOQL queries. Google also suggests that organizations open a Salesforce support case to obtain specific queries used by the threat actor and search Salesforce objects for potential secrets.
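The two defender tasks described in the preceding paragraphs, scanning exported Salesforce objects for embedded secrets and reviewing Event Monitoring style records for activity by the Drift connection user, can be combined into a small triage script. The following is an added example, not code from Google, GTIG, Salesloft or Salesforce; the sample records, event rows, user name and IoC values are all constructed for illustration, and the Snowflake pattern is a loose heuristic rather than a documented token format. Real IoC values must be taken from the GTIG/Mandiant list.

```python
"""Triage helpers for a Salesforce data-theft incident (added example).

Task 1: scan exported Salesforce records for secrets (AWS access key IDs
        with the AKIA prefix, Snowflake account hosts, passwords in text).
Task 2: review Event Monitoring style rows for IoC hits and for bulk SOQL
        query activity by the integration (Drift connection) user.
Every sample value below is constructed; none is a real IoC.
"""
import re
from collections import Counter

# AKIA is the public prefix format for AWS access key IDs. The Snowflake
# pattern is an assumption for the example (account host, not a token).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "snowflake_account_url": re.compile(
        r"\b([a-z0-9-]+\.snowflakecomputing\.com)\b", re.I),
    "password_in_text": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}

# Constructed rows resembling a SOQL export of Case records.
SAMPLE_RECORDS = [
    {"Id": "500000000000001", "Subject": "Login issue",
     "Description": "User cannot log in."},
    {"Id": "500000000000002", "Subject": "Pipeline creds",
     "Description": "key AKIAEXAMPLE000000001 pwd=Hunter2!"},
    {"Id": "500000000000003", "Subject": "DW access",
     "Description": "warehouse at acme-prod.snowflakecomputing.com"},
]

# Constructed, simplified Event Monitoring style rows. DRIFT_USER is a
# placeholder for the org's actual Drift connection user.
DRIFT_USER = "drift-integration@example.com"
SAMPLE_EVENTS = [
    {"EventType": "Login", "UserName": DRIFT_USER,
     "SourceIp": "198.51.100.23", "UserAgent": "example-bulk-client/1.0"},
    {"EventType": "UniqueQuery", "UserName": DRIFT_USER,
     "SourceIp": "198.51.100.23", "UserAgent": "example-bulk-client/1.0",
     "Query": "SELECT Id, Description FROM Case"},
    {"EventType": "UniqueQuery", "UserName": DRIFT_USER,
     "SourceIp": "198.51.100.23", "UserAgent": "example-bulk-client/1.0",
     "Query": "SELECT Id, Body FROM Note"},
    {"EventType": "UniqueQuery", "UserName": DRIFT_USER,
     "SourceIp": "198.51.100.23", "UserAgent": "example-bulk-client/1.0",
     "Query": "SELECT Id, Name FROM Account"},
    {"EventType": "UniqueQuery", "UserName": "alice@example.com",
     "SourceIp": "203.0.113.7", "UserAgent": "Mozilla/5.0",
     "Query": "SELECT Id FROM Opportunity LIMIT 10"},
]
IOC_IPS = {"198.51.100.23"}                 # placeholder, not a real IoC
IOC_USER_AGENTS = {"example-bulk-client/1.0"}  # placeholder, not a real IoC


def scan_records_for_secrets(records):
    """Return (record_id, field, pattern_name, redacted_match) for each hit.

    The full secret is never placed in the report; only a redacted hint is
    kept so the triage output itself does not become a new exposure."""
    hits = []
    for rec in records:
        rid = rec.get("Id", "<no-id>")
        for field, value in rec.items():
            if field == "Id" or not isinstance(value, str):
                continue
            for name, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(value):
                    s = m.group(1)
                    redacted = s[:4] + "..." + s[-2:] if len(s) > 8 else "***"
                    hits.append((rid, field, name, redacted))
    return hits


def triage_event_log(events, ioc_ips, ioc_user_agents, drift_user, bulk_threshold=3):
    """Flag IoC matches and bulk query activity by the integration user.

    Also lists the objects the integration user queried, which is where a
    follow-up secret scan should start."""
    ioc_matches, query_counts, objects = [], Counter(), set()
    for ev in events:
        if ev.get("SourceIp") in ioc_ips or ev.get("UserAgent") in ioc_user_agents:
            ioc_matches.append(ev)
        if ev.get("EventType") == "UniqueQuery":
            query_counts[ev.get("UserName")] += 1
            if ev.get("UserName") == drift_user:
                m = re.search(r"\bFROM\s+(\w+)", ev.get("Query", ""), re.I)
                if m:
                    objects.add(m.group(1))
    return {
        "ioc_matches": ioc_matches,
        "query_count_by_user": query_counts,
        "bulk_export_by_drift_user": query_counts[drift_user] >= bulk_threshold,
        "objects_to_review": sorted(objects),
    }


if __name__ == "__main__":
    for hit in scan_records_for_secrets(SAMPLE_RECORDS):
        print("secret:", hit)
    result = triage_event_log(SAMPLE_EVENTS, IOC_IPS, IOC_USER_AGENTS, DRIFT_USER)
    print("IoC matches:", len(result["ioc_matches"]))
    print("bulk export by Drift user:", result["bulk_export_by_drift_user"])
    print("objects to review:", result["objects_to_review"])
```

In a real engagement the record list would come from a SOQL export of the objects the integration user actually queried, and the event rows from Salesforce Event Monitoring log files; the functions themselves do not depend on the sample data.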
Google further recommended hardening access controls by ensuring that applications have the minimum necessary permissions, enforcing IP restrictions on the connected app, and defining login IP ranges to allow access only from trusted networks. Organizations are advised to rotate credentials by immediately revoking and rotating any discovered keys or secrets, resetting passwords, and configuring session timeout values in Session Settings to limit the lifespan of a compromised session.