New Threat Actor UNC6395 Compromises Salesforce Data Through OAuth Exploit

By Tina Reynolds

A recent cybersecurity incident has raised alarm. The threat actor group UNC6395 carried out a highly systematic campaign to breach the Salesforce instances of certain organizations. Researchers from the Global Threat Intelligence Group (GTIG) recently published these findings. Austin Larsen, Matt Lin, Tyler McLellan and Omar ElAhdan observed that UNC6395 showed remarkable operational discipline while carrying out the attacks, using stolen OAuth tokens to compromise hundreds of Salesforce tenants. This unprecedented campaign has shaken confidence in cloud-based service providers.

The attack relied on targeted queries specifically designed to pull NPI credentials from Salesforce environments. UNC6395 showed alarming sophistication, systematically and methodically querying and exporting records from a range of Salesforce objects, including Cases, Accounts, Users and Opportunities. The campaign is directly aimed at security and technology companies as part of a broader offensive. If this approach is adopted more widely, it would likely lead to even more widespread supply chain attacks.
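Because the actor's queries were built to pull credentials out of ordinary business records, the defensive counterpart is to audit those same objects for exposed secrets before an attacker does and rotate whatever turns up. The following script is an added example, not code from the article or from GTIG, Salesforce or Salesloft; it scans a constructed set of exported Case records (the field names Id, Subject and Description mirror common Salesforce Case fields, the content is made up) for common credential shapes and reports redacted findings so the report itself does not leak the secret.

```python
import re
from typing import Dict, List

# Constructed sample export: four Case records. The data is invented for
# this example; only the field names resemble real Salesforce Case fields.
SAMPLE_CASES: List[Dict[str, str]] = [
    {"Id": "500XX0000001", "Subject": "S3 sync failing",
     "Description": "Tried with AKIAIOSFODNN7EXAMPLE / secret in attached file, still 403."},
    {"Id": "500XX0000002", "Subject": "Login issue",
     "Description": "Customer reset password via portal; no further action."},
    {"Id": "500XX0000003", "Subject": "API integration",
     "Description": "Set header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.ZRrHA1JJJW8opsbCGfG_HACGpVUMN_a9IV7pAx_Zmeo and retry."},
    {"Id": "500XX0000004", "Subject": "DB connection",
     "Description": "connection string: postgres://svc_user:Sup3rS3cret!@db.internal:5432/crm"},
]

# Credential shapes worth flagging in free-text fields. The AKIA prefix with 16
# following characters is the documented AWS access key ID format; the other
# three are generic token, URL-embedded password and key=value shapes.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    "url_embedded_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*(\S{6,})"),
}


def redact(value: str) -> str:
    """Keep a 4-character prefix and the length so the finding is actionable
    (which key? how long?) without reproducing the secret in the report."""
    return f"{value[:4]}...{len(value)}chars"


def scan_records(records: List[Dict[str, str]],
                 text_fields=("Subject", "Description")) -> List[Dict[str, str]]:
    """Run every pattern over every text field of every record and return
    one redacted finding per match, tagged with record id, field and type."""
    findings = []
    for rec in records:
        for field in text_fields:
            text = rec.get(field) or ""
            for name, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    # Patterns with a capture group isolate the secret itself;
                    # the AWS pattern has none, so the whole match is the key.
                    secret = match.group(1) if match.groups() else match.group(0)
                    findings.append({
                        "record_id": rec["Id"],
                        "field": field,
                        "type": name,
                        "preview": redact(secret),
                    })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per credential type; useful for prioritising rotation."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["type"]] = counts.get(finding["type"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_records(SAMPLE_CASES)
    for finding in results:
        print(f"{finding['record_id']} {finding['field']}: "
              f"{finding['type']} {finding['preview']}")
    print("totals:", summarize(results))
```

Run against a real export, the output is a list of record ids whose secrets need rotating and whose text needs scrubbing; the patterns are deliberately conservative, so treat an empty result as "nothing matched these shapes", not as proof the data is clean.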

Operational Discipline and Targeting Strategy

The tactics used by UNC6395 show a very high level of sophistication and calculation. Rather than merely breaking into systems, the group ran specific queries against the data to gather useful information, digging deep into the Salesforce objects that are the lifeblood of any organization’s operations.

Cory Michal, a member of the cybersecurity enforcement arm of the Department of Justice, emphasized the importance of UNC6395’s operational discipline.

“They demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials, and even attempting to cover their tracks by deleting jobs. The combination of scale, focus, and tradecraft makes this campaign stand out.” – Cory Michal

The attackers were extremely methodical. As they exfiltrated data, they went to great lengths to cover their digital tracks. By deleting the jobs after each export, they reduced the chance of being detected and were able to keep their access to the targeted environments.
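The pattern described above, bulk exports across several high-value objects in a short window followed by deletion of the jobs that produced them, is exactly the kind of behaviour a tenant can alert on from its own job and event logs. The script below is an added example written for this article, not code from GTIG, Salesforce or Salesloft; the record layout (ts, app, user, action, object, rows, job_id), the app and user names, and the thresholds are all constructed assumptions, and a real deployment would map them onto whatever the tenant's event log actually exposes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed event records. Field names and values are assumptions for this
# example, loosely modelled on what a Salesforce event log or Bulk API job log
# would expose: the connected app and user that started a job, the object it
# ran against, how many rows it returned, and later deletion of that job.
EVENTS: List[Dict] = [
    {"ts": "2025-08-09T02:11:00Z", "app": "drift-chat-agent", "user": "integration@example.test",
     "action": "bulk_query", "object": "Case", "rows": 182000, "job_id": "J1"},
    {"ts": "2025-08-09T02:14:00Z", "app": "drift-chat-agent", "user": "integration@example.test",
     "action": "bulk_query", "object": "Account", "rows": 54000, "job_id": "J2"},
    {"ts": "2025-08-09T02:16:00Z", "app": "drift-chat-agent", "user": "integration@example.test",
     "action": "bulk_query", "object": "User", "rows": 3100, "job_id": "J3"},
    {"ts": "2025-08-09T02:19:00Z", "app": "drift-chat-agent", "user": "integration@example.test",
     "action": "bulk_query", "object": "Opportunity", "rows": 21000, "job_id": "J4"},
    {"ts": "2025-08-09T02:40:00Z", "app": "drift-chat-agent", "user": "integration@example.test",
     "action": "job_delete", "object": None, "rows": 0, "job_id": "J1"},
    {"ts": "2025-08-09T02:41:00Z", "app": "drift-chat-agent", "user": "integration@example.test",
     "action": "job_delete", "object": None, "rows": 0, "job_id": "J2"},
    {"ts": "2025-08-09T02:41:30Z", "app": "drift-chat-agent", "user": "integration@example.test",
     "action": "job_delete", "object": None, "rows": 0, "job_id": "J3"},
    {"ts": "2025-08-09T02:42:00Z", "app": "drift-chat-agent", "user": "integration@example.test",
     "action": "job_delete", "object": None, "rows": 0, "job_id": "J4"},
    # A benign nightly report: two objects, modest volume, jobs left in place.
    {"ts": "2025-08-09T03:00:00Z", "app": "nightly-report", "user": "reports@example.test",
     "action": "bulk_query", "object": "Account", "rows": 54000, "job_id": "R1"},
    {"ts": "2025-08-09T03:05:00Z", "app": "nightly-report", "user": "reports@example.test",
     "action": "bulk_query", "object": "Opportunity", "rows": 21000, "job_id": "R2"},
]

# Objects the article names as the actor's targets.
SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_harvesting(events: List[Dict], window: timedelta = timedelta(hours=6),
                           min_objects: int = 3, min_rows: int = 100_000) -> List[Dict]:
    """Group events per (app, user) and raise one alert per actor that shows
    any of: many sensitive objects queried inside `window`, a large total row
    count, or deletion of jobs that had exported data. Thresholds are assumed."""
    by_actor: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for event in events:
        by_actor[(event["app"], event["user"])].append(event)

    alerts = []
    for actor, actor_events in by_actor.items():
        queries = sorted((e for e in actor_events if e["action"] == "bulk_query"),
                         key=lambda e: parse_ts(e["ts"]))
        if not queries:
            continue
        deleted_ids = {e["job_id"] for e in actor_events if e["action"] == "job_delete"}
        span = parse_ts(queries[-1]["ts"]) - parse_ts(queries[0]["ts"])
        objects = {e["object"] for e in queries}
        total_rows = sum(e["rows"] for e in queries)
        deleted_query_jobs = [e["job_id"] for e in queries if e["job_id"] in deleted_ids]

        reasons = []
        if span <= window and len(objects & SENSITIVE_OBJECTS) >= min_objects:
            reasons.append(f"{len(objects & SENSITIVE_OBJECTS)} sensitive objects in {span}")
        if total_rows >= min_rows:
            reasons.append(f"{total_rows} rows exported")
        if deleted_query_jobs:
            reasons.append(f"{len(deleted_query_jobs)} export jobs deleted afterwards")
        if reasons:
            alerts.append({"actor": actor, "objects": sorted(objects),
                           "rows": total_rows, "deleted_jobs": deleted_query_jobs,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_harvesting(EVENTS):
        print(alert["actor"], "->", "; ".join(alert["reasons"]))
```

The three signals are scored independently so that a single one (for instance, a legitimate integration deleting its own jobs for housekeeping) still surfaces for review, while the combination of all three is the strong indicator; tune the window, object set and row threshold to the tenant's normal integration traffic before relying on it.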

Impact on Salesforce Customers

Though the breach affected only a small subset of Salesforce customers, the stakes are high. With the stolen OAuth credentials, UNC6395 was able to gain unauthorized access to sensitive customer data. Salesloft acknowledged that a threat actor used these OAuth credentials to exfiltrate data from the impacted customers’ Salesforce instances.

“A threat actor used OAuth credentials to exfiltrate data from our customers’ Salesforce instances.” – Salesloft

Salesloft acted quickly upon discovering the breach. The company worked with Salesforce to revoke the active access and refresh tokens, and it has since withdrawn the Drift AI Chat Agent from AppExchange. Impacted customers were informed of the incident immediately.

The incident highlights vulnerabilities within cloud services and emphasizes the need for organizations to strengthen their security measures against potential threats.

Potential for Broader Implications

Many experts fear that UNC6395’s inaugural campaign is only the start. They worry it may signal a broader strategy of weaponizing trust relationships across the technology supply chain. Michal underscored that the attackers’ targets were established vendors and service providers, a position that opens the door to even greater breaches of downstream customers and partners.

“By first infiltrating vendors and service providers, the attackers put themselves in position to pivot into downstream customers and partners,” – Cory Michal

In the meantime, Salesforce is monitoring developments closely. So far, no credible evidence has been found connecting UNC6395 to any other identified threat actor.

“We have not observed any compelling evidence connecting them to other groups at this time,” – Austin Larsen