Full Report
The recent developments surrounding the Salesforce data breach serve as a stark reminder of the persistent threats organizations face. What began as a concerning incident earlier this summer has now escalated dramatically, with threat actors following through on their threats and releasing a substantial trove of Qantas customer data to the public. This serves as […] The post Salesforce breach escalates: Qantas & Vietnam Airlines data leaked on dark web appeared first on Outpost24.
Analysis Summary
# Incident Report: Escalated Salesforce Data Breach (Qantas & Vietnam Airlines)
## Executive Summary
A major data breach involving a Salesforce-managed environment has escalated, resulting in the public leak of sensitive customer data from Qantas and Vietnam Airlines on the dark web. The incident was driven by the "Scattered LAPSUS$ Hunters" threat group, who utilized advanced social engineering to compromise identities. This breach underscores the significant risks associated with third-party SaaS providers and the weaponization of employee credentials.
## Incident Details
- **Discovery Date:** Early Summer (Initial reports); Leak confirmed August 2024
- **Incident Date:** Ongoing escalation since mid-2024
- **Affected Organization:** Salesforce (Platform), Qantas, Vietnam Airlines
- **Sector:** Technology / Aviation
- **Geography:** Global (Australia and Vietnam specific focus)
## Timeline of Events
### Initial Access
- **Date/Time:** Summer 2024
- **Vector:** Social Engineering / Identity Compromise
- **Details:** Attackers targeted employees via social engineering tactics to obtain legitimate credentials and bypass technical perimeters.
### Lateral Movement
- Attackers leveraged compromised credentials to access protected Salesforce environments, moving between organizational data silos managed on the platform.
### Data Exfiltration/Impact
- Large troves of customer data belonging to Qantas and Vietnam Airlines were exfiltrated. The data was later released on dark web forums, consistent with the actors carrying out their publication threat after extortion demands were apparently not met.
### Detection & Response
- **Detection:** Identified through threat intelligence monitoring of dark web leak sites.
- **Response:** Outpost24 KrakenLabs and internal security teams identified the leaked datasets; ongoing efforts to prioritize remediation of exposed assets and credentials.
## Attack Methodology
- **Initial Access:** Social Engineering (targeting human vulnerability).
- **Persistence:** Utilization of compromised legitimate corporate credentials.
- **Privilege Escalation:** Not explicitly detailed, but implied through access to multi-tenant customer data.
- **Defense Evasion:** Use of legitimate identities to blend in with authorized traffic.
- **Credential Access:** Theft of employee credentials via social engineering.
- **Discovery:** Mapping of customer data structures within the Salesforce platform.
- **Lateral Movement:** Identity-based movement across SaaS platform resources.
- **Collection:** Gathering sensitive customer information from airline databases.
- **Exfiltration:** Transfer of data to attacker-controlled infrastructure for subsequent leak.
- **Impact:** Data breach and public disclosure of sensitive information.
## Impact Assessment
- **Financial:** Potential for significant regulatory fines (GDPR/APP) and loss of customer lifetime value.
- **Data Breach:** Substantial volume of customer data (PII) leaked to the public.
- **Operational:** Disruption to customer trust and necessity for mass password/identity resets.
- **Reputational:** High-profile damage to airline brands and Salesforce’s security perception.
## Indicators of Compromise
- **Network indicators:** None attributable to the attackers are published in the source; hxxps://outpost24[.]com/ is cited only as the reference site for monitoring guidance, not as attacker infrastructure.
- **File indicators:** Datasets labeled "Qantas" and "Vietnam Airlines" appearing on dark web leak sites.
- **Behavioral indicators:** Unusual login locations or times for employee accounts; massive data export requests from SaaS environments.
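The two behavioral indicators above can be turned into a simple detector. The following is an added example, not code from the report or from Outpost24: it runs over constructed, Salesforce-style login and report-export events, flags a login from a country never seen before for that account once a small baseline exists, flags bulk exports above an assumed row threshold, and raises severity when a bulk export follows a new-country login within a short window. Field names, thresholds and sample records are assumptions.

```python
"""Detect unusual login locations and bulk SaaS exports (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), loosely modelled on
# Salesforce EventLogFile rows; "rows" is only present on export events.
EVENTS = [
    {"user": "alice", "type": "Login", "country": "AU", "ts": "2024-08-01T09:00:00Z"},
    {"user": "alice", "type": "Login", "country": "AU", "ts": "2024-08-02T09:05:00Z"},
    {"user": "alice", "type": "Login", "country": "AU", "ts": "2024-08-03T08:58:00Z"},
    {"user": "alice", "type": "Login", "country": "RU", "ts": "2024-08-04T02:13:00Z"},
    {"user": "alice", "type": "ReportExport", "rows": 250000, "ts": "2024-08-04T02:20:00Z"},
    {"user": "bob", "type": "Login", "country": "VN", "ts": "2024-08-04T10:00:00Z"},
    {"user": "bob", "type": "ReportExport", "rows": 120, "ts": "2024-08-04T10:30:00Z"},
]

BASELINE_MIN_LOGINS = 2       # assumed: prior logins needed before judging a country "new"
EXPORT_ROW_THRESHOLD = 100000 # assumed: tune per tenant and per report type
CORRELATION_WINDOW = timedelta(hours=1)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=CORRELATION_WINDOW):
    """Return (severity, user, reason) alerts, processing events in order."""
    seen = defaultdict(lambda: defaultdict(int))  # user -> country -> login count
    last_new_login = {}                            # user -> time of last new-country login
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], parse_ts(e["ts"])
        if e["type"] == "Login":
            counts = seen[user]
            # Only alert once the account has a baseline; a first-ever login is not "unusual".
            if sum(counts.values()) >= BASELINE_MIN_LOGINS and counts[e["country"]] == 0:
                alerts.append(("medium", user, f"login from new country {e['country']}"))
                last_new_login[user] = ts
            counts[e["country"]] += 1
        elif e["type"] == "ReportExport" and e.get("rows", 0) >= EXPORT_ROW_THRESHOLD:
            # A bulk export shortly after a new-country login is the pattern worth paging on.
            recent = user in last_new_login and ts - last_new_login[user] <= window
            alerts.append(("high" if recent else "medium", user, f"export of {e['rows']} rows"))
    return alerts


if __name__ == "__main__":
    for sev, user, reason in detect(EVENTS):
        print(f"[{sev}] {user}: {reason}")
```

Thresholds like the row count are tenant-specific; the value here is the correlation, which separates an employee travelling from an account being used to drain a report.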
## Response Actions
- **Containment:** Monitoring of external attack surfaces and identification of leaked credentials.
- **Eradication:** Rotation of compromised credentials and decommissioning of unauthorized access points.
- **Recovery:** Implementation of Digital Risk Protection (DRP) to identify further exposures and notify affected parties.
## Lessons Learned
- **SaaS Dependency:** The security of a company is only as strong as its third-party providers.
- **Identity as the Perimeter:** Traditional firewalls are insufficient when attackers use legitimate credentials.
- **Dark Web Monitoring:** Early detection of leaked data is critical for managing the fallout of a breach.
## Recommendations
- **Implement Phishing-Resistant MFA:** Move beyond SMS or push-based MFA to hardware keys (FIDO2) to mitigate social engineering.
- **SaaS Auditing:** Regularly audit Salesforce permissions and "Who Can See What" settings.
- **Monitor External Attack Surface:** Use EASM and DRP tools to identify if company credentials or data appear on the dark web in real-time.
- **Identity Threat Detection & Response (ITDR):** Invest in tools that monitor for anomalous behavior within identity providers.