Full Report
Details about the attack are scattered, and discrepancies remain about the number of companies impacted and the extent to which they are compromised. The post "Gainsight CEO downplays impact of attack that spread to Salesforce environments" appeared first on CyberScoop.
Analysis Summary
# Incident Report: Gainsight Token Compromise Spreading to Salesforce Environments
## Executive Summary
An intrusion of undisclosed origin affecting Gainsight's customer management software has resulted in the compromise of customer OAuth tokens used to access connected services, primarily Salesforce environments. While the full scope is under investigation by Mandiant, the initial impact appears to stem from misuse of that token access; affected customers have been notified and remediation steps have been initiated by both Gainsight and Salesforce. Discrepancies remain regarding the final number of compromised companies.
## Incident Details
- Discovery Date: Not explicitly stated; the Salesforce notification/advisory is the earliest public indication. Earliest malicious activity linked to the campaign was **Oct. 23**.
- Incident Date: Earliest malicious activity linked to the campaign occurred on **Oct. 23**.
- Affected Organization: **Gainsight** (primary target/vector), with impact observed in the **Salesforce** environments of its customers. HubSpot, Zendesk, and Gong.io also revoked Gainsight tokens.
- Sector: Customer Management Software / SaaS Provider.
- Geography: Global (Implied by broad usage of Salesforce/Gainsight).
## Timeline of Events
### Initial Access
- Date/Time: **Oct. 23** (Earliest malicious activity linked to the campaign).
- Vector: Compromise of Gainsight systems leading to the exposure/compromise of customer OAuth access tokens.
- Details: Attackers leveraged Gainsight customer access tokens to breach additional systems, specifically Salesforce environments.
### Lateral Movement
- Details: Attackers used the compromised customer access tokens to potentially reach interconnected third-party applications (Salesforce environments, HubSpot, Zendesk, Gong.io). Mandiant is analyzing token behavior and connector activity to map the extent of the intrusion.
### Data Exfiltration/Impact
- Details: Gainsight maintains that the impact is limited and largely contained, affecting a "handful of customers." Salesforce identified **compromised customer tokens**. The full extent of data exfiltration is currently under investigation.
### Detection & Response
- Detection: Salesforce began notifying affected customers after identifying compromised tokens. Google Threat Intelligence was aware of potentially over **200 Salesforce instances** affected last week (relative to the article date).
- Response Actions: Salesforce proactively notified affected customers. Gainsight reached out to provide support. HubSpot, Zendesk, and Gong.io temporarily revoked Gainsight customer tokens "out of an abundance of caution."
## Attack Methodology
- Initial Access: **Compromise of Gainsight customer access tokens (OAuth tokens)**.
- Persistence: Not detailed, but assumed to be via maintained access through the compromised tokens/connectors.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: **Theft/Compromise of OAuth Access Tokens.**
- Discovery: Not detailed.
- Lateral Movement: Using the compromised **Gainsight OAuth tokens** to reach integrated platforms such as Salesforce through API calls and authentication attempts.
- Collection: Not detailed, likely focusing on data accessible via the compromised integration tokens.
- Exfiltration: Not detailed, but implied potential data theft from Salesforce environments.
- Impact: Unauthorized access to customer data within connected services.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: **Customer tokens compromised**. Discrepancies exist between Salesforce's findings (compromised tokens) and Gainsight's assessment (limited data affected in only a handful of customers). Google Threat Intelligence noted over 200 potentially affected Salesforce instances.
- Operational: Affected third-party integrations (HubSpot, Zendesk, Gong.io) temporarily revoked tokens as a precaution, causing potential minor disruption. Gainsight's own logs were reportedly of limited use for customer investigations.
- Reputational: Negative publicity due to scattered reporting and discrepancies between vendor communications.
## Indicators of Compromise
- Network Indicators: Salesforce shared **malicious IP addresses** linked to the observed activity (the specific addresses are not reproduced in this summary).
- File Indicators: Not publicly detailed in the summary.
- Behavioral Indicators: **Suspicious authentication attempts and API calls** originating from connections associated with the Gainsight application within Salesforce logs.
## Response Actions
- Containment Measures: Salesforce identified and notified affected customers regarding compromised tokens. HubSpot, Zendesk, and Gong.io revoked Gainsight customer OAuth tokens.
- Eradication Steps: Investigation ongoing, led by Mandiant, to analyze token behavior and connector activity.
- Recovery Actions: Salesforce advised customers to review all available logs for activity post-Oct. 23. Gainsight is providing direct support to affected customers.
## Lessons Learned
- Supply-chain risk is high when third-party access tokens facilitate downstream access across multiple sensitive platforms (e.g., Salesforce).
- Information fragmentation makes incident assessment difficult when primary vendors (Gainsight) and platform providers (Salesforce) communicate updates independently.
- Trust derived from access tokens must be scrutinized; revoking an OAuth token stops further use of it but does not erase the customer's logs, which remain relevant to the investigation.
## Recommendations
- Implement strict scope limitations and granular permissions for third-party OAuth tokens connecting systems like Salesforce.
- Establish a unified communication protocol for security incidents impacting integrated supply chains between vendors.
- Mandate comprehensive logging capabilities for key integration points, especially when primary service logs (like Gainsight's) are deemed "not material" for client risk assessment.
- Organizations should proactively hunt for suspicious authentication attempts and API calls in Salesforce logs dating back to late October, focusing on activity originating from integrated applications.
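As an added illustration of the log review recommended here and of the behavioral indicators listed under Indicators of Compromise (example code written for this summary, not code from the article, Gainsight or Salesforce), the script below triages constructed Salesforce-style log rows for one connected app after a cutoff date. The column names, IP addresses, user, connected-app label, egress allowlist and year are all assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export. Columns are an assumed simplification of a
# Salesforce event log, not its real schema; IPs, user and year are made up.
SAMPLE_LOG = """timestamp,event_type,connected_app,user,client_ip,status
2025-10-22T09:00:00Z,API,Gainsight,integ@example.com,203.0.113.10,SUCCESS
2025-10-24T02:10:00Z,LOGIN,Gainsight,integ@example.com,198.51.100.7,FAILED
2025-10-24T02:10:05Z,LOGIN,Gainsight,integ@example.com,198.51.100.7,SUCCESS
2025-10-24T02:11:00Z,API,Gainsight,integ@example.com,198.51.100.7,SUCCESS
2025-10-24T02:11:01Z,API,Gainsight,integ@example.com,198.51.100.7,SUCCESS
2025-10-24T02:11:02Z,API,Gainsight,integ@example.com,198.51.100.7,SUCCESS
2025-10-24T03:00:00Z,API,Gainsight,integ@example.com,203.0.113.10,SUCCESS
2025-10-25T10:00:00Z,API,OtherApp,sales@example.com,192.0.2.5,SUCCESS
"""

def hunt(log_text, app_name, cutoff, known_ips, burst_threshold):
    """Return (reason, detail) pairs for one connected app at/after cutoff:
    failed logins by the integration identity, traffic from IPs outside the
    assumed egress allowlist, and >burst_threshold API calls per IP per minute."""
    rows = [r for r in csv.DictReader(io.StringIO(log_text))
            if r["connected_app"] == app_name
            and datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00")) >= cutoff]
    findings = []
    for r in rows:
        if r["event_type"] == "LOGIN" and r["status"] != "SUCCESS":
            findings.append(("failed_auth", r))
        if r["client_ip"] not in known_ips:
            findings.append(("unknown_source_ip", r))
    # Burst check keyed on (ip, "YYYY-MM-DDTHH:MM"), i.e. the first 16 chars.
    per_minute = Counter((r["client_ip"], r["timestamp"][:16])
                         for r in rows if r["event_type"] == "API")
    for (ip, minute), calls in per_minute.items():
        if calls > burst_threshold:
            findings.append(("api_burst", {"client_ip": ip, "minute": minute, "calls": calls}))
    return findings

def summarize(findings):
    """Count findings by reason, e.g. {'failed_auth': 1, ...}."""
    return dict(Counter(reason for reason, _ in findings))

def demo_findings():
    """Run the hunt on the sample with assumed parameters (the year is constructed)."""
    cutoff = datetime(2025, 10, 23, tzinfo=timezone.utc)
    return hunt(SAMPLE_LOG, "Gainsight", cutoff, {"203.0.113.10"}, burst_threshold=2)

if __name__ == "__main__":
    for reason, detail in demo_findings():
        print(reason, detail)
```

Rows before the cutoff and rows from other connected apps are dropped before any check runs, so a clean allowlisted call after the cutoff produces no finding while the failed login, the unfamiliar source IP and the three-call burst each do.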