
Salesforce warned that it had detected “anomalous activity” related to Gainsight published applications connected to its platform.
“Our investigation revealed that this activity may have allowed unauthorized access to certain customers’ Salesforce data through app connections,” the company said in its advisory.
The cloud services company said it has revoked all active access and refresh tokens associated with Gainsight published applications connected to Salesforce. “We have also temporarily removed these applications from AppExchange as we continue our investigation,” it added.
Salesforce did not say how many customers were affected by the incident, but said it had notified them.

“There is no indication that this issue is due to a vulnerability in the Salesforce platform,” the company added. “This activity appears to be related to your application’s external connection to Salesforce.”
Out of an abundance of caution, the Gainsight app has been temporarily removed from the HubSpot Marketplace. “This may also impact OAuth access for customer connections while the review is ongoing,” Gainsight said. “At this time, we have not observed any suspicious activity related to HubSpot.”
In a post shared on LinkedIn, Austin Larsen, lead threat analyst at Google Threat Intelligence Group (GTIG), described this as a “new campaign” targeting Gainsight published applications connected to Salesforce.
The activity is assessed to be associated with threat actors linked to the ShinyHunters group (also tracked as UNC6240), and it mirrors a similar series of attacks targeting Salesloft Drift instances in early August of this year.
According to DataBreaches.Net, ShinyHunters acknowledged the campaign and said that the Salesloft and Gainsight attack waves were able to steal data from approximately 1,000 organizations.
Interestingly, Gainsight previously stated that it was itself among the Salesloft Drift customers affected by that earlier attack. It is not yet clear whether the earlier breach played any role in this incident.

In that earlier hack, the attackers accessed business contact details associated with its Salesforce data, including name, company email address, phone number, region/location details, product license information, and support case content (no attachments).
“Attackers are increasingly targeting OAuth tokens from trusted third-party SaaS integrations,” Larsen noted.
In light of this malicious activity, organizations are encouraged to review all third-party applications connected to Salesforce, revoke tokens for unused or suspicious applications, and rotate credentials if an integration reports anomalies.
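The review-revoke-rotate guidance above can be scripted against the Salesforce REST API. The following is an added illustration, not code from Salesforce, Gainsight, GTIG or the article. It assumes an API-enabled admin session (access token and instance URL supplied via the placeholder environment variables `SF_ACCESS_TOKEN` and `SF_INSTANCE_URL`), the standard `OauthToken` sObject (queryable via SOQL and revoked by deleting the record), and an org-maintained allowlist of reviewed app names; the token records, app names and timestamps embedded below are constructed sample data. The triage policy itself runs offline on that sample, so the decision logic can be checked before it is pointed at a live org.

```python
"""Triage third-party OAuth tokens in a Salesforce org: flag tokens for apps a
vendor has pulled pending review, apps nobody has reviewed, and tokens that have
gone idle, then optionally revoke them. Added example; assumptions noted inline."""
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

API_VERSION = "v60.0"  # assumed API version; use one your org supports


def parse_sf_datetime(value):
    """Parse the Salesforce REST datetime format, e.g. 2025-11-19T08:15:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def triage_tokens(tokens, allowlist, incident_apps, now, stale_days=90):
    """Return (token_id, app_name, reason) for every token that should be revoked.

    Policy, checked in order per token:
      1. the app is one a vendor has placed under incident review -> revoke;
      2. the app has not been through the org's own review (not allowlisted) -> revoke;
      3. a reviewed app's token has never been used or is idle > stale_days -> revoke.
    """
    findings = []
    for t in tokens:
        app = t["AppName"]
        if app in incident_apps:
            findings.append((t["Id"], app, "app under vendor incident review"))
        elif app not in allowlist:
            findings.append((t["Id"], app, "app not on the reviewed allowlist"))
        else:
            last_used = t.get("LastUsedDate")
            if last_used is None or now - parse_sf_datetime(last_used) > timedelta(days=stale_days):
                findings.append((t["Id"], app, f"unused for more than {stale_days} days"))
    return findings


def sf_request(instance_url, access_token, method, path):
    """Minimal authenticated call against the Salesforce REST API (no body needed here)."""
    req = urllib.request.Request(instance_url + path, method=method)
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None  # DELETE returns an empty 204 body


def list_tokens(instance_url, access_token):
    """Query live OauthToken records; the calling user needs permission to view them."""
    soql = "SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken"
    path = f"/services/data/{API_VERSION}/query?q=" + urllib.parse.quote(soql)
    return sf_request(instance_url, access_token, "GET", path)["records"]


def revoke_token(instance_url, access_token, token_id):
    """Deleting an OauthToken record revokes that token (assumes delete is permitted for the caller)."""
    path = f"/services/data/{API_VERSION}/sobjects/OauthToken/{token_id}"
    sf_request(instance_url, access_token, "DELETE", path)


# Constructed sample inputs (not real Salesforce data or real app names).
NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)
ALLOWLIST = {"Reviewed Marketing Sync", "Reviewed Support Connector"}
INCIDENT_APPS = {"Example Vendor App"}  # placeholder for an app a vendor has pulled pending review
SAMPLE_TOKENS = [
    {"Id": "tok1", "AppName": "Example Vendor App", "UserId": "u1",
     "LastUsedDate": "2025-11-19T08:15:00.000+0000", "UseCount": 42},
    {"Id": "tok2", "AppName": "Reviewed Marketing Sync", "UserId": "u2",
     "LastUsedDate": "2025-11-18T23:59:00.000+0000", "UseCount": 900},
    {"Id": "tok3", "AppName": "Reviewed Support Connector", "UserId": "u3",
     "LastUsedDate": "2025-06-01T10:00:00.000+0000", "UseCount": 3},
    {"Id": "tok4", "AppName": "Unlisted Data Export", "UserId": "u4",
     "LastUsedDate": None, "UseCount": 0},
]


if __name__ == "__main__":
    instance_url = os.environ.get("SF_INSTANCE_URL")   # placeholder env var
    access_token = os.environ.get("SF_ACCESS_TOKEN")   # placeholder env var
    live = bool(instance_url and access_token)
    tokens = list_tokens(instance_url, access_token) if live else SAMPLE_TOKENS
    now = datetime.now(timezone.utc) if live else NOW
    do_revoke = os.environ.get("SF_REVOKE") == "1"     # dry run unless explicitly enabled
    for token_id, app, reason in triage_tokens(tokens, ALLOWLIST, INCIDENT_APPS, now):
        print(f"{token_id}\t{app}\t{reason}")
        if live and do_revoke:
            revoke_token(instance_url, access_token, token_id)
```

Without credentials the script runs in dry-run mode over the sample and prints three findings (tok1, tok3 and tok4); with credentials it lists live findings, and revokes them only when `SF_REVOKE=1` is set. Revoking a token does not rotate any secret the integration holds on its own side, so the credential rotation the article recommends for integrations reporting anomalies remains a separate step with the vendor.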
