Zscaler has issued an advisory warning that its Salesforce instance was affected by a supply-chain attack, resulting in the exposure of customer information. This breach is linked to the compromise of Salesloft Drift, an AI chat agent, which was exploited by a threat actor to gain access to customer Salesforce environments. The stolen data includes names, business email addresses, job titles, phone numbers, and content from certain support cases. Zscaler emphasizes that its core products and infrastructure remain secure, with the breach limited to its Salesforce environment. The company has taken immediate action, revoking all Salesloft Drift integrations, rotating API tokens, and enhancing its customer authentication protocols to mitigate further risk.
The threat actor behind these attacks is tracked as UNC6395 by Google Threat Intelligence. This group has been targeting support cases to harvest authentication tokens, passwords, and other secrets that customers shared with support staff. The attackers showed some operational security awareness by deleting their query jobs, although the logs of that activity remain intact. Google's investigation revealed that the supply-chain attack extended beyond the Drift Salesforce integration to Drift Email, which manages email replies and CRM databases. The attackers also used stolen OAuth tokens to access Google Workspace email accounts and read emails, underscoring the severity and scope of the campaign.
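Because the actor's aim was to harvest credentials that customers had pasted into support cases, one practical defender's check is to scan your own support-case content for disclosed secrets so you know exactly which tokens and passwords need rotating. The following scanner is an added example written for this article; it is not code from Zscaler, Salesloft, Salesforce or Google. The case records are constructed sample data, and the regular expressions are illustrative assumptions about common secret formats (an AWS access key ID prefix, a JWT, a bearer header, a "password is/to" phrase, and a labelled secret), not a complete ruleset.

```python
"""Scan support-case text for secrets that customers may have disclosed.

Added example for this article (not vendor code). The sample cases below are
constructed; the regexes are illustrative assumptions, not an exhaustive list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample support-case records (not real customer data).
SAMPLE_CASES = [
    {"id": "CASE-0001", "subject": "API error 401",
     "body": ("Hi, our integration fails. Here is the key we use: "
              "AKIAIOSFODNN7EXAMPLE and secret "
              "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")},
    {"id": "CASE-0002", "subject": "Password reset",
     "body": "I reset my password to Summer2024! but still cannot log in."},
    {"id": "CASE-0003", "subject": "Question on licensing",
     "body": "How many seats does our contract include?"},
    {"id": "CASE-0004", "subject": "Token issue",
     "body": "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc"},
]

# Assumed detection patterns. A capture group, when present, isolates the
# secret value; otherwise the whole match is treated as the secret.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(
        r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]+=*", re.I),
    "password_disclosure": re.compile(
        r"\bpassword\b\s*(?:is|to|:|=)\s*(\S+)", re.I),
    "labelled_secret": re.compile(
        r"\b(?:secret|api[_ -]?key|access[_ -]?key)\b\s*[:=]?\s*"
        r"([A-Za-z0-9/+_\-]{16,})", re.I),
}


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    redacted: str  # never store the full secret in scan output


def redact(value: str) -> str:
    """Keep a short prefix so the owner can recognise the secret, mask the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_case(case: dict) -> list[Finding]:
    """Return one Finding per secret-like match in a case's subject and body."""
    text = f"{case['subject']}\n{case['body']}"
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            findings.append(Finding(case["id"], kind, redact(value)))
    return findings


def scan_cases(cases: list[dict]) -> list[Finding]:
    return [f for case in cases for f in scan_case(case)]


def cases_needing_rotation(cases: list[dict]) -> list[str]:
    """Case IDs whose owners should be told to rotate the disclosed secret."""
    return sorted({f.case_id for f in scan_cases(cases)})


if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(f"{finding.case_id}: {finding.kind} -> {finding.redacted}")
    print("rotate secrets for:", cases_needing_rotation(SAMPLE_CASES))
```

In a real review the scanner would read case exports from your CRM rather than the embedded sample list, and the findings would drive two actions: notifying the affected customers to rotate what they disclosed, and a policy change so that support workflows never ask for, or accept, live credentials in case text.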
The Salesloft Drift compromise is believed by some researchers to overlap with recent Salesforce data theft attacks conducted by the ShinyHunters extortion group. This group has been conducting social engineering and voice phishing attacks to trick employees into linking malicious OAuth apps to their company’s Salesforce instances. This method allows them to download sensitive data from targeted organizations. The ongoing nature of these attacks highlights the persistent threat of social engineering and the need for robust security measures to protect against them.
In response to the widespread nature of the breach, both Google and Salesforce have temporarily disabled their Drift integrations. This action is a precautionary measure taken while investigations are ongoing to fully understand the scope and impact of the attack. Zscaler has also recommended that its customers remain vigilant against potential phishing and social engineering attacks that could leverage the stolen information. The incident serves as a critical reminder of the vulnerabilities inherent in third-party integrations and the importance of supply-chain security.
The attacks demonstrate a sophisticated understanding of how to exploit trusted integrations to move laterally within corporate environments and exfiltrate data. The use of compromised support cases to harvest credentials is a particularly insidious method, as it preys on the trust customers place in a company’s support process. The detailed information stolen, including licensing and commercial data, could be used for highly targeted social engineering campaigns. Organizations must therefore not only secure their own infrastructure but also carefully vet and monitor their third-party vendors and their integrations to prevent similar breaches in the future.