A new cyber incident could have affected Salesforce customer data three months after the Salesloft Drift hack.
On November 20, customer support platform provider Gainsight said it identified connection failures resulting from Salesforce revoking active access for Gainsight SFDC Connector, which allows Gainsight applications to connect to Salesforce.
In a Salesforce security advisory, also published on November 20, the firm noted it had identified unusual activity involving Gainsight-published applications connected to Salesforce.
This prompted the company to revoke access to all Gainsight applications and temporarily remove them from its AppExchange.
Salesforce assessed that malicious activity may have enabled unauthorized access to its customers’ data through the app’s connection.
“There is no indication that this issue resulted from any vulnerability in the Salesforce platform. The activity appears to be related to the app’s external connection to Salesforce,” the Salesforce advisory reads.
Gainsight also disabled its connections with HubSpot and Zendesk as a precautionary measure.
In a later update, the customer support provider said it had engaged Google Cloud-owned Mandiant to assist in the forensic investigation.
Scattered Lapsus$ Hunters Claim the Gainsight Hack
In the blog DataBreaches.net, the author known as ‘Dissent’ said they asked individuals behind the Scattered Spider-ShinyHunters-Lapsus$ collective (sometimes referred to as ‘Scattered Lapsus$ Hunters’), who confirmed they were responsible for the attack targeting Gainsight.
The threat actors also told Dissent they plan to launch another dedicated leak site if Salesforce does not comply with them.
This data leak site (DLS) will contain the data from the Salesloft and Gainsight campaigns, which, according to the cybercriminals’ claims, totals almost 1000 companies.
“Only actual companies, mainly Fortune 500 will be listed or things I feel would be worth it. From the Gainsight campaign the large companies were: Verizon, Gitlab, F5, Sonicwall, and others,” the threat actor told DataBreaches.net.
Finally, the group advertised an upcoming ransomware-as-a-service (RaaS) offering, allegedly launching on November 24.
Ferhat Dikbiyik, Chief Research and Intelligence Officer (CRIO) at Black Kite, commented: "Gainsight has already acknowledged exposure in a previous campaign involving Salesloft Drift, where stolen OAuth tokens were used to access Salesforce data across many organizations. In that earlier case, Gainsight disconnected the Salesloft app and confirmed that only customer relationship management-layer (CRM) data, mostly business contact info and some Salesforce case text, had been accessed."
"Fast-forward to today, and we’re seeing the same playbook again: OAuth tokens + over-permissioned apps + integrated vendors = a perfect attack chain. This isn’t about one vendor or one platform. This is about how modern software-as-a-service (SaaS) ecosystems operate: wide, connected, and often over-trusted," he added.
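The response pattern in the article (revoke every app from a suspected publisher, then review what the remaining OAuth grants can reach) can be expressed as a small audit. The following is an added example written for this page, not code from Salesforce, Gainsight or Black Kite; the grant record layout, the scope names and the sample inventory are all constructed assumptions, not Salesforce's real connected-app schema.

```python
"""Audit a constructed inventory of third-party OAuth grants: build a
revocation list for one publisher and flag over-permissioned grants
(broad scope plus long-lived refresh token, no IP restriction, or long
unused). Field names and scope names are assumptions for this example."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes assumed to grant broad read/write access to CRM data (constructed names).
BROAD_SCOPES = {"full", "api", "web"}

@dataclass(frozen=True)
class OAuthGrant:
    app: str
    publisher: str
    scopes: frozenset
    last_used: datetime
    ip_restricted: bool

# Fixed "now" so the example is deterministic.
NOW = datetime(2025, 11, 20, tzinfo=timezone.utc)

# Constructed sample inventory; not data from any real organization.
GRANTS = [
    OAuthGrant("Vendor A Connector", "vendor-a", frozenset({"api", "refresh_token"}),
               NOW - timedelta(days=1), False),
    OAuthGrant("Vendor A Insights", "vendor-a", frozenset({"id", "profile"}),
               NOW - timedelta(days=3), False),
    OAuthGrant("Chat Sync", "vendor-b", frozenset({"full", "refresh_token"}),
               NOW - timedelta(days=400), False),
    OAuthGrant("Calendar Bridge", "vendor-c", frozenset({"api"}),
               NOW - timedelta(days=2), True),
]

def revocation_list(grants, publisher):
    """Every grant from `publisher`, regardless of scope. When a publisher's
    integration is suspected of abuse, its narrowly scoped apps go too,
    because the compromise sits on the publisher's side of the connection."""
    return [g.app for g in grants if g.publisher == publisher]

def over_permissioned(grants, stale_after=timedelta(days=90)):
    """Map app name -> list of reasons for grants that deserve review."""
    findings = {}
    for g in grants:
        reasons = []
        broad = bool(g.scopes & BROAD_SCOPES)
        if broad and "refresh_token" in g.scopes:
            reasons.append("broad scope with long-lived refresh token")
        if broad and not g.ip_restricted:
            reasons.append("broad scope without IP restriction")
        if NOW - g.last_used > stale_after:
            reasons.append("unused for more than %d days" % stale_after.days)
        if reasons:
            findings[g.app] = reasons
    return findings

if __name__ == "__main__":
    print("Revoke for vendor-a:", revocation_list(GRANTS, "vendor-a"))
    for app, reasons in over_permissioned(GRANTS).items():
        print(app, "->", "; ".join(reasons))
```

The point of keeping `revocation_list` and `over_permissioned` separate is that they answer different questions: the first is the incident-response step (cut the publisher off entirely), the second is the hygiene review that should run regardless of any incident, since a grant with a broad scope and a refresh token is exactly the kind of token that stays useful to whoever copies it.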
Infosecurity contacted Gainsight for comment but did not receive a response by the time of publication.
Photo credits: Jonathan Weiss / gguy / Shutterstock.com
