ShinyHunters told The Register that it has stolen data from about 100 high-profile companies in its latest Salesforce customer data heist, including Salesforce itself.
“Have stolen data from almost 400 websites and about 100 essential high profile companies Snowflake, Okta, Lastpass, Salesforce itself, Sony, AMD, and a lot more,” a ShinyHunters spokesperson told us, adding that the “recon and exploitation has been going on for several months now.”
This follows a Saturday warning from Salesforce that a “known threat actor group” is actively scanning for – and then breaking into and stealing data from – public-facing Experience Cloud sites using a modified version of a Mandiant-developed free scanning tool.
A Salesforce spokesperson declined to answer The Register’s questions about the latest data-theft campaign, including how many customers are affected and if ShinyHunters is behind the illicit access.
“This issue is not due to any vulnerability inherent to the Salesforce platform, but rather Experience Cloud sites where a guest user profile has been inadvertently configured with overly broad permissions,” the spokesperson said, directing us and its customers to this security advisory site for updates on the threat activity.
“We have provided customers with guidance to restrict guest user access to help safeguard their sites,” the spokesperson added.
The Register also reached out to Snowflake, Okta, LastPass, Sony, and AMD for comment, and will update this story as we hear back from them.
Salesforce has been a longtime target of the extortion crew, which has stolen data from hundreds of the CRM giant’s customers in a series of attacks over the past year. ShinyHunters was also the crew behind the 2024 intrusions into Snowflake customers’ databases.
A LastPass spokesperson told us that they are aware of this campaign. “We are actively working with our contacts at Salesforce to investigate,” the spokesperson said, adding that there is “no evidence” that the Salesforce incident is related to last week’s phishing campaign.
The Salesforce blog also notes that the miscreants are using a modified version of an open source tool developed by Mandiant to perform mass scanning of public-facing Experience Cloud sites.
Mandiant, the Google-owned consulting and incident response biz, released this tool in January to help Salesforce admins detect misconfigurations within the Salesforce Aura framework that could expose sensitive data.
The original tool identifies vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint). ShinyHunters’ version, however, goes beyond this and exploits overly permissive guest user settings to extract data, according to Salesforce.
Experience Cloud sites act as a portal into Salesforce CRM databases, allowing customers, partners and employees to interact with data displayed on them. Publicly accessible Salesforce Experience sites use a dedicated “guest user profile” that allows unauthenticated users to view public pages, FAQs, or submit forms without logging in.
“However, if this profile is misconfigured with excessive permissions, data that is not intended to be made public may be accessible, allowing a threat actor to directly query Salesforce CRM objects without logging in,” the company warned.
Therein lies the issue: the attackers are abusing guest user profiles that have been configured to allow public access to objects and fields that should not be publicly available, and are stealing info such as names and phone numbers for follow-on social engineering attacks and voice phishing campaigns, a specialty of ShinyHunters and its affiliate criminals.
“We are aware of a threat actor attempting to facilitate intrusions by misusing the AuraInspector open-source tool to automate vulnerability scans across Salesforce environments,” Mandiant Consulting CTO Charles Carmakal told The Register. “We are working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk. It is important to note that detecting scanning activity in an organization’s logs does not indicate a compromise.”
Shiny told us they abused AuraInspector in this campaign.
“I fixed Google’s broken code so it can work in my use case to identify vulnerable targets, subsequently I made an entirely different tool to bypass the Guest User 2,000 limit and exfiltrate all available Salesforce Object records on a vulnerable target,” Shiny said.
To prevent data thieves from accessing sensitive data, Salesforce recommends customers immediately audit guest user permissions and enforce a least privilege access model to restrict access to the absolute minimum objects and fields required.
Users should also ensure that the default external access is set to “private” (in Setup > Sharing Settings) for all objects, uncheck “Allow guest users to access public APIs” in site settings, and uncheck “API Enabled” in the guest user profile’s System Permissions. ®
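One way to carry out the audit Salesforce describes offline, as an added example that is not Salesforce’s, Mandiant’s or The Register’s code: pull the guest user profile from the org with the Metadata API and run the export through a checker. The script assumes the standard Metadata API Profile XML layout (`objectPermissions`, `fieldPermissions`, `userPermissions`, with `ApiEnabled` as the name of the “API Enabled” system permission); the sample profile below and the `PUBLIC_OBJECTS` allowlist are constructed for illustration. It flags guest read access to anything outside the allowlist, any View All / Modify All / edit / delete grant, readable fields on non-public objects, and the API Enabled flag, while leaving create rights alone so that public form submission keeps working.

```python
"""Offline audit of a Salesforce guest user profile export for overly broad access."""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample export of a guest user profile (assumption: Metadata API Profile format).
GUEST_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <custom>true</custom>
  <userLicense>Guest User License</userLicense>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowDelete>false</allowDelete><allowEdit>false</allowEdit>
    <allowRead>false</allowRead><modifyAllRecords>false</modifyAllRecords>
    <object>Case</object><viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowCreate>false</allowCreate><allowDelete>false</allowDelete><allowEdit>false</allowEdit>
    <allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
    <object>Contact</object><viewAllRecords>true</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowCreate>false</allowCreate><allowDelete>false</allowDelete><allowEdit>false</allowEdit>
    <allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
    <object>Knowledge__kav</object><viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <fieldPermissions>
    <editable>false</editable><field>Contact.Phone</field><readable>true</readable>
  </fieldPermissions>
  <userPermissions>
    <enabled>true</enabled><name>ApiEnabled</name>
  </userPermissions>
</Profile>
"""

# Constructed allowlist: objects this site deliberately exposes to unauthenticated visitors.
PUBLIC_OBJECTS = frozenset({"Knowledge__kav"})


def _flag(el, tag):
    """True when the child element <tag> of el reads "true"."""
    return el.findtext(f"m:{tag}", default="false", namespaces=NS) == "true"


def audit_guest_profile(xml_text, public_objects=frozenset()):
    """Return a list of findings, each a dict with 'kind' and 'target'."""
    root = ET.fromstring(xml_text)
    findings = []

    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", namespaces=NS)
        # Guest read on an object outside the allowlist is the misconfiguration the campaign abuses.
        if _flag(op, "allowRead") and obj not in public_objects:
            findings.append({"kind": "guest_read", "target": obj})
        # View All / Modify All bypass sharing rules; edit/delete let anonymous callers tamper.
        for perm in ("viewAllRecords", "modifyAllRecords", "allowEdit", "allowDelete"):
            if _flag(op, perm):
                findings.append({"kind": perm, "target": obj})
        # allowCreate is deliberately not flagged: public forms need it.

    # Readable fields on non-public objects widen the exposure (names, phone numbers, ...).
    for fp in root.findall("m:fieldPermissions", NS):
        field = fp.findtext("m:field", namespaces=NS)
        if _flag(fp, "readable") and field.split(".", 1)[0] not in public_objects:
            findings.append({"kind": "field_readable", "target": field})

    # "API Enabled" on the guest profile is one of the settings Salesforce says to switch off.
    for up in root.findall("m:userPermissions", NS):
        if up.findtext("m:name", namespaces=NS) == "ApiEnabled" and _flag(up, "enabled"):
            findings.append({"kind": "api_enabled", "target": "profile"})

    return findings


if __name__ == "__main__":
    for f in audit_guest_profile(GUEST_PROFILE_XML, PUBLIC_OBJECTS):
        print(f"{f['kind']:18} {f['target']}")
```

Run against the constructed sample, the checker reports the Contact read grant, the View All Records grant on Contact, the readable Contact.Phone field, and the API Enabled flag; the Case create right and the allowlisted knowledge articles pass. Allowlisting an object silences only the plain read finding, never View All or Modify All, which have no legitimate place on a guest profile.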