Full Report
Okta thwarted the supply-chain attack with security controls it had in place. Zscaler did not. Their experiences provide insights into the root of a much broader problem. The post "Security leaders at Okta and Zscaler share lessons from Salesloft Drift attacks" appeared first on CyberScoop.
Analysis Summary
# Incident Report: Salesloft Drift Supply Chain Attack
## Executive Summary
A significant supply chain attack targeted Salesloft Drift customers, using compromised OAuth tokens to steal customer data from Salesforce. Okta prevented any impact through proactive IP restrictions, while Zscaler suffered a breach of customer and internal information despite having recently stopped using the Drift service. The incident highlights the value of granular access controls such as IP whitelisting over reliance on OAuth tokens alone.
## Incident Details
- Discovery Date: Approximately one week after the main data theft concluded (when Zscaler was alerted by Salesforce).
- Incident Date: A 10-day data theft campaign occurred in mid-August.
- Affected Organization: Okta and Zscaler (among over 700 total Drift customers targeted).
- Sector: Cybersecurity/Software-as-a-Service (SaaS)
- Geography: Not explicitly stated, but involves US-based major tech companies.
## Timeline of Events
### Initial Access
- Date/Time: Threat group (UNC6395) gained access to Salesloft's GitHub account as far back as **March**.
- Vector: Compromise of Salesloft's GitHub account.
- Details: The threat group achieved lateral movement within the Salesloft application environment and subsequently accessed Drift’s AWS environment.
### Lateral Movement
- Details: Attackers obtained OAuth tokens used by Drift customers, which allowed access to data across integrated platforms (like Salesforce).
### Data Exfiltration/Impact
- Details: Widespread data theft campaign over a 10-day period in mid-August. Zscaler confirmed exposure of names, business email addresses, job titles, phone numbers, location details, product licensing/commercial information, and plaintext content from some support cases belonging to a large number of its customers.
### Detection & Response
- **Okta:** Proactively hunted for compromise indicators after warnings were issued. Detected a "short burst of attempts" to use Drift tokens originating outside their manually configured security IP range, successfully blocking the attack before impact.
- **Zscaler:** Received first alert from Salesforce about unauthorized API usage targeting its Drift OAuth token a week *after* the theft concluded. Immediately revoked the token, but damage was already done. Zscaler had stopped using Drift in July, unrelated to the attack.
## Attack Methodology
- Initial Access: Compromise of Salesloft GitHub account leveraged by UNC6395.
- Persistence: Not the primary focus; the goal was rapid data exfiltration via stolen tokens.
- Privilege Escalation: Not explicitly detailed, but achieving access to AWS and obtaining customer OAuth tokens served as the mechanism for elevated access into customer environments.
- Defense Evasion: The campaign appeared automated, possibly using a single significant script designed to hit multiple targets simultaneously.
- Credential Access: Access to tokens serving as authentication credentials for integrated services (Drift OAuth tokens).
- Discovery: Reconnaissance likely occurred within the Salesloft/Drift environment prior to the August theft window.
- Lateral Movement: Using stolen OAuth tokens to access integrated platforms (e.g., Salesforce).
- Collection: Gathering customer data (names, emails, titles, support case content, etc.) associated with the breached connection.
- Exfiltration: Implied mass extraction of collected data facilitated by the OAuth tokens.
- Impact: Unauthorized access and theft of sensitive customer and internal company data (Zscaler).
## Impact Assessment
- Financial: Not publicly disclosed/estimated.
- Data Breach: **Zscaler:** Large volume of customer data exposed, including PII (name, email, phone), job titles, location, licensing info, and support case content.
- Operational: **Okta:** No measurable impact due to successful preventative controls. **Zscaler:** Experienced unauthorized access and confirmed data loss requiring incident management.
- Reputational: Both companies were exposed as targets in a major supply chain attack.
## Indicators of Compromise
- Network indicators: Requests to the Salesforce API bearing the Drift OAuth token from IP addresses outside the customer's configured range; specific addresses are not given in the article.
- File indicators: Not specified. The campaign likely relied on scripts run by UNC6395, but no such artifacts were reported within the Okta or Zscaler environments.
- Behavioral indicators: Anomalous API calls originating from non-whitelisted IP ranges utilizing the Drift OAuth token.
## Response Actions
- **Containment (Okta):** Proactive threat hunting led to the identification of anomalous token usage; security controls blocked access from external IP ranges.
- **Containment (Zscaler):** Immediate revocation of the compromised Drift OAuth token upon alert.
- **Eradication/Recovery:** Not detailed, but Zscaler would have needed to engage affected customers and remediate any subsequent impact from the exposed data.
## Lessons Learned
- **Proactive Defense Wins:** Okta’s manual configuration of IP restrictions for API calls, though laborious, directly thwarted the attack.
- **Token Security is Crucial:** Relinquishing control over OAuth tokens without layered security (like IP restrictions) allows attackers easy lateral access into integrated systems.
- **Timing/Context Matters:** Zscaler had stopped using Drift in July, before the attack, but the OAuth token issued to the integration remained valid until it was revoked, so discontinuing the service did not prevent the data loss.
- **Automation Risk:** The attack suggests a highly automated, wide-net approach by the threat actor, demanding automated, fast-acting defensive controls.
## Recommendations
- Implement mandatory IP restrictions or strict source-IP verification policies (whitelisting) for all critical SaaS application API integrations where possible, especially those utilizing persistent OAuth tokens.
- Review and potentially restrict the scope and lifetime of all third-party OAuth tokens.
- Continuously monitor third-party activity logs (like Salesforce API logs) even for services that are scheduled for deprecation, as historical access can still be abused.
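The control that worked for Okta, and the log monitoring the recommendations call for, as an added example (not code from the article, Okta, Zscaler or Salesforce): it checks whether a Drift integration's API calls come from outside an allowlisted IP range and reports a short burst of off-range use, run over constructed sample records whose field layout is an assumption rather than a real SaaS event-log schema.

```python
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed allowlist: the only ranges from which the Drift integration is
# permitted to call the API. Real values come from the customer's own config.
ALLOWED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed sample records: (timestamp, connected_app, source_ip, endpoint).
# Field names and layout are assumptions, not a real SaaS event-log schema.
SAMPLE_EVENTS = [
    ("2025-08-12T09:00:01Z", "drift", "203.0.113.10", "/services/data/query"),
    ("2025-08-12T09:00:07Z", "drift", "203.0.113.11", "/services/data/query"),
    ("2025-08-12T09:03:02Z", "drift", "192.0.2.44", "/services/data/query"),
    ("2025-08-12T09:03:03Z", "drift", "192.0.2.44", "/services/data/query"),
    ("2025-08-12T09:03:04Z", "drift", "192.0.2.44", "/services/data/query"),
    ("2025-08-12T09:04:10Z", "drift", "192.0.2.45", "/services/data/query"),
    ("2025-08-12T09:10:00Z", "other-app", "192.0.2.44", "/services/data/query"),
]

def is_allowed(source_ip, allowed=ALLOWED_RANGES):
    """True when the source address falls inside one of the allowlisted ranges."""
    addr = ip_address(source_ip)
    return any(addr in net for net in allowed)

def flag_off_range(events, app="drift", allowed=ALLOWED_RANGES):
    """Events where the named integration's token was used from a non-allowlisted
    address. With enforcement in place these calls are rejected at the platform;
    without it, this is the trail a defender has to find in the logs afterwards."""
    return [e for e in events if e[1] == app and not is_allowed(e[2], allowed)]

def burst_windows(flagged, window_seconds=300, threshold=3):
    """Bucket off-range events into fixed windows and report the buckets that
    reach the threshold: a short burst of token use from outside the range,
    as opposed to a single stray request."""
    buckets = defaultdict(list)
    for ts, _app, ip, _uri in flagged:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        start = int(t.timestamp() // window_seconds) * window_seconds
        buckets[start].append(ip)
    return [
        {"window_start": datetime.fromtimestamp(b, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
         "count": len(ips), "source_ips": sorted(set(ips))}
        for b, ips in sorted(buckets.items()) if len(ips) >= threshold
    ]

if __name__ == "__main__":
    for alert in burst_windows(flag_off_range(SAMPLE_EVENTS)):
        print("ALERT: Drift token used from outside allowed ranges:", alert)
```

The same check applies to an integration that has been retired but whose token was never revoked: the token still authenticates, so its use from any address is the signal to act on.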