Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks

Salesloft was breached when OAuth tokens from SalesDrift were stolen
Google tracked the threat actors as UNC6395
ShinyHunters claimed responsibility for the attack

Revenue workflow platform Salesloft suffered a cyberattack which saw threat actors break in through a third-party and steal sensitive information.

The company is using Drift, a conversational marketing and sales platform that uses live chat, chatbots, and AI, to engage visitors in real time, alongside its own SalesDrift, a third-party platform which links Drift’s AI chat functionality to Salesforce, syncing conversations, leads, and cases, into the CRM via the Salesloft ecosystem.

Starting around August 8, and lasting for about ten days, adversaries managed to steal OAuth and refresh tokens from SalesDrift, pivoting to customer environments, and successfully exfiltrating sensitive data.

Attack attribution

“Initial findings have shown that the actor’s primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens,” Salesloft said in an advisory.

“We have determined that this incident did not impact customers who do not use our Drift-Salesforce integration. Based on our ongoing investigation, we do not see evidence of ongoing malicious activity related to this incident.”

In its write-up, Google’s Threat Intelligence Group (GTIG) said the attack was conducted by a threat actor known as UNC6395.

“After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments,” the researchers said.

“GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs, however logs were not impacted and organizations should still review relevant logs for evidence of data exposure.”

Google seems to believe this is a unique threat actor, which is why it gave it a unique moniker UNC6395.

However, hackers known as ShinyHunters told BleepingComputer the attack was actually their doing – although Google begs to differ, telling the site, “We’ve not seen any compelling evidence connecting them at this time.”