Full Report
Trustwave's Security & Compliance Team is aware of the Salesloft vulnerability affecting Drift chatbot integrations. Trustwave, A LevelBlue Company, and its affiliated entities do not utilize Drift, and Salesforce has confirmed the incident did not impact clients without this integration.
Analysis Summary
# Incident Report: Salesloft/Drift Supply Chain Compromise
## Executive Summary
A supply chain attack leveraged a vulnerability impacting the Salesloft integration with the Drift chatbot, which in turn affected downstream users utilizing the Drift-Salesforce integration. The compromise of Salesloft allowed attackers to pivot to Drift's AWS environment, steal OAuth tokens, and ultimately access and exfiltrate data from hundreds of Drift customers' Salesforce integrations. Trustwave itself was not impacted as it does not use Drift.
## Incident Details
- **Discovery Date:** Not explicitly stated, but impact was evident up to the restoration date of September 9.
- **Incident Date:** The attack began with the initial Salesloft breach; unauthorized activity ran from an unspecified date through at least June, and the pivot into Drift's AWS environment followed in early August.
- **Affected Organization:** Salesloft (Primary victim/Initial vector) and numerous downstream customers utilizing connected Drift/Salesforce integrations.
- **Sector:** Technology/Software Vendors (Targeted entities span various sectors based on customer base).
- **Geography:** Global (Implied by the nature of major SaaS platforms).
## Timeline of Events
### Initial Access
- **Date/Time:** Activity noted leading up to and including **June**.
- **Vector:** Compromise of a specific **Salesloft** account.
- **Details:** Threat actors gained unauthorized access to a Salesloft account, leading to the download of multiple private code repositories.
### Lateral Movement
- **Date/Time:** **Early August**.
- **Vector:** Pivot enabled by stolen credentials/tokens from the breached Salesloft environment.
- **Details:** Attackers leveraged access gained through the Salesloft breach to pivot into **Drift's AWS environment**.
### Data Exfiltration/Impact
- **Date/Time:** Following access to Drift's AWS environment in early August.
- **Vector:** Use of stolen **OAuth tokens** for Drift integrations.
- **Details:** Threat actors used the compromised tokens to access hundreds of **Drift customers' Salesforce integrations**. Data was downloaded and exfiltrated from these integrations. The attacker also deleted logged records of the queries and export jobs to evade forensic analysis.
### Detection & Response
- **Date/Time:** Attacks were countered by **September 9**.
- **Vector:** Unspecified detection mechanism, followed by specific remediation actions.
- **Details:** As of September 9, the integration between Salesloft and Salesforce was reported as restored.
## Attack Methodology
- **Initial Access:** Compromise of an external vendor's (Salesloft) system.
- **Persistence:** Maintained access within the Salesloft environment through at least June.
- **Privilege Escalation:** Gained elevated access rights (implied) by pivoting from Salesloft access to Drift's AWS environment.
- **Defense Evasion:** Deleted logged records of queries and export jobs to hinder forensics.
- **Credential Access:** Stole **OAuth tokens** relevant to Drift integrations by compromising Drift’s AWS environment.
- **Discovery:** Not detailed, but necessary to identify valuable integration targets.
- **Lateral Movement:** Moved from Salesloft compromise to Drift's AWS environment, and then outward to connected customer Salesforce instances.
- **Collection:** Downloaded and exfiltrated data from customer Salesforce databases linked via Drift OAuth tokens.
- **Exfiltration:** Data download from connected customer environments.
- **Impact:** Unauthorized access and exfiltration of customer data from integrated systems.
## Impact Assessment
- **Financial:** Not quantified.
- **Data Breach:** Sensitive data potentially exfiltrated from **hundreds of organizations** via their connected Drift/Salesforce integrations.
- **Operational:** Disruption to data synchronization/flow across integrated platforms during the incident timeline, resolved by September 9.
- **Reputational:** Negative impact on trust and confidence in Salesloft, Drift, and the affected customers' integrations.
## Indicators of Compromise
*Note: No specific IoCs were provided in the source text.*
- **Network indicators:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Unauthorized querying and export jobs against customer data sources via Salesforce integration APIs facilitated by stolen OAuth tokens.
## Response Actions
- **Containment measures:** Implied actions taken by Salesloft/Drift to stop unauthorized pivoting and data access.
- **Eradication steps:** Implied steps to remove the threat actor's access methods (e.g., rotating or revoking compromised OAuth tokens).
- **Recovery actions:** Restoration of the integration between Salesloft and Salesforce as of September 9.
## Lessons Learned
- A single point of compromise in a supply chain can cause massive damage when it sits on an integration between major third-party vendors (the Salesloft breach reached Drift customers).
- It is vital to inventory all third-party vendors and document the business impact if one supplier is compromised.
- Organizations must ensure their suppliers are performing adequate due diligence to secure their environments.
## Recommendations
- Implement rigorous monitoring of data access patterns that deviate from baseline behavior, especially across critical SaaS-to-SaaS integrations (like Drift/Salesforce/Salesloft).
- Conduct comprehensive due diligence and obtain assurance regarding the security posture of all direct third-party vendors.
- Implement strict controls over secrets and tokens (like OAuth tokens) stored within cloud environments (e.g., Drift's AWS environment).
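The behavioral indicator listed above (unauthorized query and export jobs by an integration using stolen OAuth tokens, with the corresponding log records deleted) and the first recommendation (monitor data access that deviates from baseline across SaaS-to-SaaS integrations) can be turned into concrete detection logic. The following is an added example, not code from Trustwave, Salesloft, Drift or Salesforce: it parses constructed audit records (the `seq`/`app`/`op`/`obj`/`rows` key-value format, the app names and the e-mail addresses are all invented for illustration and do not reflect any vendor's real event schema), learns a per-integration baseline, and flags three things: export volume far above that baseline, object/operation pairs the integration never touched before, and gaps in the integration's own audit sequence that would indicate deleted records.

```python
"""Baseline-deviation detection for SaaS integration audit logs (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records. `seq` is a per-integration, monotonically increasing
# audit record id; a gap in it means records went missing (e.g. were deleted).
SAMPLE_LOG = """\
seq=1001 app=chatbot-integration user=integration@example.com op=query obj=Contact rows=120
seq=1002 app=chatbot-integration user=integration@example.com op=query obj=Lead rows=95
seq=1003 app=chatbot-integration user=integration@example.com op=query obj=Contact rows=110
seq=1004 app=chatbot-integration user=integration@example.com op=query obj=Contact rows=130
seq=1005 app=chatbot-integration user=integration@example.com op=query obj=Lead rows=100
seq=1006 app=chatbot-integration user=integration@example.com op=export obj=Case rows=48000
seq=1009 app=chatbot-integration user=integration@example.com op=query obj=Contact rows=115
seq=2001 app=sync-tool user=sync@example.com op=query obj=Account rows=500
seq=2002 app=sync-tool user=sync@example.com op=query obj=Account rows=510
"""


@dataclass(frozen=True)
class Event:
    seq: int
    app: str   # the connected app / integration acting on the token
    user: str  # the integration user the token is bound to
    op: str    # query or export
    obj: str   # object (table) touched
    rows: int  # rows returned or exported


def parse(text: str) -> list[Event]:
    """Parse the constructed key=value audit format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append(Event(int(kv["seq"]), kv["app"], kv["user"],
                            kv["op"], kv["obj"], int(kv["rows"])))
    return events


def volume_anomalies(events: list[Event], window: int = 5, factor: float = 10.0):
    """Flag events whose row count exceeds `factor` x the app's mean over its last `window` events.

    Returns (seq, app, rows, baseline_mean) tuples. The baseline is rolling, so a
    long-running integration keeps adapting, but a single bulk export still stands out.
    """
    history: dict[str, list[int]] = defaultdict(list)
    hits = []
    for e in events:
        past = history[e.app]
        if len(past) >= window:
            base = sum(past[-window:]) / window
            if base > 0 and e.rows > factor * base:
                hits.append((e.seq, e.app, e.rows, round(base, 1)))
        past.append(e.rows)
    return hits


def novel_access(events: list[Event], baseline_n: int = 5):
    """Flag (op, obj) pairs an app performs that never appeared in its first `baseline_n` events.

    A chatbot integration that suddenly exports an object it has never read is a
    stronger signal than volume alone, because it breaks the integration's purpose.
    """
    seen: dict[str, set[tuple[str, str]]] = defaultdict(set)
    count: dict[str, int] = defaultdict(int)
    hits = []
    for e in events:
        key = (e.op, e.obj)
        if count[e.app] >= baseline_n and key not in seen[e.app]:
            hits.append((e.seq, e.app, e.op, e.obj))
        seen[e.app].add(key)
        count[e.app] += 1
    return hits


def sequence_gaps(events: list[Event]):
    """Report missing audit record ids per app as (app, first_missing, last_missing).

    This is the defender's counter to an attacker deleting its own query/export
    records: the surviving ids still show that something was removed.
    """
    last: dict[str, int] = {}
    gaps = []
    for e in sorted(events, key=lambda x: (x.app, x.seq)):
        if e.app in last and e.seq > last[e.app] + 1:
            gaps.append((e.app, last[e.app] + 1, e.seq - 1))
        last[e.app] = e.seq
    return gaps


def analyze(text: str) -> dict:
    """Run all three detectors over a log and return their findings keyed by name."""
    events = parse(text)
    return {
        "volume": volume_anomalies(events),
        "novel_access": novel_access(events),
        "sequence_gaps": sequence_gaps(events),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(name, findings)
```

In practice the gap detector only works if the audit trail is shipped off-platform (to a SIEM or immutable store) as it is written, so that a deletion in the source system cannot also erase the copy; the baseline detectors should be fed from that same copy, keyed on the connected app or OAuth client rather than on the human user, because an integration token is exactly what this incident abused.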