Full Report
The widespread compromise is strikingly similar to a previous attack that originated at Salesloft Drift. The post Hundreds of Salesforce customers hit by yet another third-party vendor breach appeared first on CyberScoop.
Analysis Summary
# Incident Report: Gainsight Third-Party Vendor Breach Targeting Salesforce Customers
## Executive Summary
Salesforce detected unusual activity related to third-party vendor Gainsight applications connected to customer environments, leading to unauthorized access to potentially hundreds of Salesforce customer data instances. The incident shares substantial similarities with a previous widespread breach that originated through Salesloft Drift, and likely involves the same threat actor cluster. Response actions by Salesforce primarily involved revoking access tokens for the affected third-party connections.
## Incident Details
- Discovery Date: Late Wednesday (Security advisory issued)
- Incident Date: Undisclosed prior to advisory
- Affected Organization: Hundreds of Salesforce customers utilizing Gainsight integrations.
- Sector: Technology/SaaS (Affecting various sectors utilizing Salesforce)
- Geography: Global (Implied, as Salesforce is a global platform)
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed.
- Vector: Compromise via a third-party vendor integration (Gainsight).
- Details: Unauthorized activity detected in Gainsight applications connected to Salesforce customer environments via external connections/app access tokens.
### Lateral Movement
- Details: The article implies the attacker moved from the vendor integration into the connected Salesforce environments, similar to the prior Salesloft Drift attack where the threat actor lurked within the third-party application environment. Specific lateral movement within Salesforce is not detailed.
### Data Exfiltration/Impact
- Details: Unauthorized access to certain customers’ Salesforce data was enabled through the affected app connection. The potential scope suggests compromise extends to any service Gainsight customers connected to the platform.
### Detection & Response
- Date/Time: Late Wednesday (Salesforce advisory issued). Thursday (Gainsight status page update).
- Details: Google Threat Intelligence Group observed over 200 potentially affected Salesforce instances. Salesforce responded by revoking the access tokens that allowed the third-party services to connect to Salesforce environments. Gainsight temporarily pulled its application from the HubSpot Marketplace as a precautionary measure.
## Attack Methodology
- Initial Access: Exploitation of the external connection/API access mechanism between Gainsight (a third-party vendor) and the Salesforce platform via customer-granted tokens.
- Persistence: Not explicitly detailed, but inferred to involve maintaining unauthorized connection privileges granted via the compromised vendor application tokens.
- Privilege Escalation: Not detailed. Assumed access was gained via the permissions granted to the authorized application connector.
- Defense Evasion: Not detailed. The attack leveraged legitimate integration pathways.
- Credential Access: Not detailed, though the similarity to the Salesloft attack suggests potential credential or access token theft within the vendor's environment.
- Discovery: Not detailed.
- Lateral Movement: Movement from Gainsight's context into the connected Salesforce customer environments via the established access token.
- Collection: Unauthorized access to Salesforce data.
- Exfiltration: Data theft occurred from affected Salesforce instances.
- Impact: Unauthorized access to customer data stored in Salesforce.
## Impact Assessment
- Financial: Not quantified.
- Data Breach: Unauthorized access to "certain customers’ Salesforce data." Scope suggests potentially hundreds (200+ instances observed by GTIG) of organizations are affected.
- Operational: Gainsight experienced Salesforce connection failures and preemptively pulled its app from the HubSpot Marketplace.
- Reputational: Negative impact due to repeat incidence of third-party vendor breaches affecting Salesforce customers.
## Indicators of Compromise
- Network Indicators: N/A (No specific URLs/IPs provided).
- File Indicators: N/A.
- Behavioral Indicators: Unusual activity detected specifically within **Gainsight applications connected to the Salesforce environment**.
## Response Actions
- Containment Measures: Salesforce revoked access tokens associated with the third-party application connection.
- Eradication Steps: Not detailed. Likely involves vendor remediation of the identified compromise point.
- Recovery Actions: Salesforce will update its security page with guidance for customers.
## Lessons Learned
- **Third-Party Risk is Prevalent:** This marks another significant incident exploiting supply chain trust between a core platform (Salesforce) and integrated vendors (Gainsight, previously Salesloft Drift).
- **Attribution Pattern:** There is a high probability that the same threat cluster (ShinyHunters or UNC6240, related to UNC6040) is responsible for multiple attacks targeting Salesforce integrations, indicating a persistent, effective strategy.
- **Salesforce Platform Security:** Salesforce confirmed no vulnerability in its core platform, reinforcing that access control through vendor integrations remains the primary weakness.
## Recommendations
- Mandate stringent, regularly audited security standards for all third-party vendors holding API access to production environments.
- Implement least-privilege access controls for all third-party application integrations, ensuring tokens only grant the minimum necessary permissions.
- Increase monitoring specifically around data access patterns initiated through known third-party application tokens.
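A detection sketch for the last recommendation, added here as an example and not taken from the article or from Salesforce or Gainsight: it reads constructed API-style event log rows (the column names are assumptions, not any vendor's schema), builds a per-connected-app baseline of daily rows read, and flags a day whose volume spikes far above that baseline or that touches objects the app never read before.

```python
"""Flag third-party connected-app data access that departs from that app's own
baseline. The CSV is constructed, loosely modelled on an API event log; the
column names are assumptions for this example, not any vendor's schema."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: two quiet days of routine syncs, then a bulk pull of
# Contact and Case records at 02:30 on the third day by the same app token.
SAMPLE_LOG = """TIMESTAMP,CLIENT_NAME,USER_ID,ENTITY_NAME,ROWS_PROCESSED
20251117120000,ThirdParty-CS-App,005CONSTRUCTED1,Account,180
20251117130000,ThirdParty-CS-App,005CONSTRUCTED1,Contact,220
20251118120000,ThirdParty-CS-App,005CONSTRUCTED1,Account,190
20251118130000,ThirdParty-CS-App,005CONSTRUCTED1,Contact,210
20251119023000,ThirdParty-CS-App,005CONSTRUCTED1,Contact,48000
20251119024000,ThirdParty-CS-App,005CONSTRUCTED1,Case,51000
20251119120000,Marketing-App,005CONSTRUCTED2,Lead,300
"""

def daily_volume(text):
    """Return {client: {date: {object: rows read}}} from the CSV text."""
    vol = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for r in csv.DictReader(io.StringIO(text)):
        day = datetime.strptime(r["TIMESTAMP"], "%Y%m%d%H%M%S").date()
        vol[r["CLIENT_NAME"]][day][r["ENTITY_NAME"]] += int(r["ROWS_PROCESSED"])
    return vol

def find_anomalies(text, spike_factor=10, min_rows=5000):
    """Compare each app's latest day with its earlier days and alert when rows
    read exceed spike_factor x the baseline average (above an absolute floor,
    so tiny apps do not trip it) or when a never-before-read object appears."""
    alerts = []
    for client, days in daily_volume(text).items():
        ordered = sorted(days)
        if len(ordered) < 2:
            continue  # no history yet: nothing to compare against
        baseline, latest = ordered[:-1], ordered[-1]
        avg = sum(sum(days[d].values()) for d in baseline) / len(baseline)
        known = {obj for d in baseline for obj in days[d]}
        total = sum(days[latest].values())
        if total >= min_rows and total > spike_factor * avg:
            alerts.append((client, str(latest), "volume_spike", total, round(avg)))
        new_objs = sorted(set(days[latest]) - known)
        if new_objs:
            alerts.append((client, str(latest), "new_objects", new_objs))
    return alerts
```

Either alert is a cue to review, and if warranted revoke, the connected app's token, which is the containment step the report describes.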