Full Report
The attack reportedly originated from a security incident affecting Anodot, a SaaS analytics and anomaly detection platform that integrates with multiple cloud services (e.g., Snowflake, S3, and streaming pipelines). Threat actors reportedly obtained authentication tokens asso...
Analysis Summary
# Incident Report: Stolen SaaS Integration Tokens (Anodot Supply Chain Compromise)
## Executive Summary
A supply chain attack targeting the SaaS analytics platform Anodot led to the theft of authentication tokens used for cloud integrations. Threat actors, identified as **Bling Libra**, leveraged these tokens to gain unauthorized access to Snowflake and Salesforce environments of Anodot’s customers. The campaign resulted in large-scale data exfiltration and subsequent extortion attempts by the ShinyHunters group.
## Incident Details
- **Discovery Date:** April 2026
- **Incident Date:** Latent access prior to April 2026; the campaign peaked in early April 2026
- **Affected Organization:** Anodot (Primary), multiple Snowflake and Salesforce customers (Secondary)
- **Sector:** SaaS / Data Analytics / Cloud Storage
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-April 2026
- **Vector:** Third-party / Supply Chain Compromise
- **Details:** Attackers compromised Anodot’s internal environment to harvest persistent authentication tokens belonging to their customers.
### Lateral Movement
- **Details:** Attackers used valid OAuth/integration tokens to move from the compromised Anodot platform directly into the customers' Snowflake and S3 environments. This bypassed standard perimeter defenses as the traffic appeared to originate from a legitimate integrated service.
### Data Exfiltration/Impact
- **Details:** Attackers queried and exfiltrated sensitive data from Snowflake databases. Attempts were also made to pivot into Salesforce environments, though some of these were successfully blocked.
### Detection & Response
- **How it was discovered:** Anomalous data access patterns in Snowflake and subsequent extortion communications from ShinyHunters.
- **Response actions taken:** Targeted blocking of Salesforce access attempts; notification of Snowflake customers regarding compromised integration credentials.
## Attack Methodology
- **Initial Access:** Supply Chain Compromise (Anodot platform breach).
- **Persistence:** Use of long-lived SaaS integration tokens that bypass MFA.
- **Privilege Escalation:** Not applicable; tokens provided high-level service account access to data warehouses.
- **Defense Evasion:** Use of legitimate authentication tokens to mimic authorized SaaS-to-SaaS traffic.
- **Credential Access:** Theft of integration/OAuth tokens from Anodot’s database or memory.
- **Discovery:** Querying connected cloud environments (Snowflake, S3) to identify high-value data.
- **Lateral Movement:** SaaS-to-SaaS movement using stolen API keys/tokens.
- **Collection:** Bulk querying of Snowflake tables.
- **Exfiltration:** Direct transfer of data from cloud environments to attacker-controlled infrastructure.
- **Impact:** Extortion (Threats of public data release by ShinyHunters).
## Impact Assessment
- **Financial:** Significant costs related to digital forensics, legal fees, and potential extortion payments.
- **Data Breach:** High volume of sensitive corporate and customer data exfiltrated from Snowflake environments.
- **Operational:** Disruption of data analytics pipelines and required rotation of all cloud integration secrets.
- **Reputational:** High public impact for Anodot (provider) and Snowflake (platform) regarding the security of SaaS integrations.
## Indicators of Compromise
- **Network indicators:** Unusual source IPs accessing Snowflake API endpoints (IPs should be cross-referenced with known Anodot egress ranges).
- **File indicators:** Not reported (cloud-native attack).
- **Behavioral indicators:**
  - Unexpected bulk data exports via integration service accounts.
  - Token usage from geolocation-inconsistent IP addresses.
  - Salesforce login failures via the Anodot integration.
## Response Actions
- **Containment:** Revocation of all existing Anodot-linked authentication tokens and API keys.
- **Eradication:** Securing the Anodot environment to prevent further token harvesting.
- **Recovery:** Rotating secrets and implementing IP whitelisting for all cloud integrations.
## Lessons Learned
- **Key takeaways:** SaaS integrations are often a "blind spot": MFA is bypassed by design so that automation can run unattended, which leaves the integration token itself as the only control.
- **What could have been done better:** Integration tokens lacked IP pinning and restrictive scoping, which allowed attackers to use them from infrastructure the provider never operated.
## Recommendations
- **Least Privilege:** Limit the scope of SaaS integration tokens to only the specific databases or buckets required for the service to function.
- **IP Whitelisting:** Restrict the use of integration (SaaS-to-SaaS) tokens to the known outbound IP addresses of the SaaS provider.
- **Token Rotation:** Implement frequent expiration and rotation policies for all API keys and OAuth tokens.
- **Monitoring:** Enable enhanced logging for Service Accounts and monitor for unusual spikes in data egress volumes.
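The two behavioral indicators above (token use from off-range IPs and bulk exports through an integration service account) translate directly into detection logic. The following is an added example, not code from the report or from Anodot or Snowflake; the service account name, the provider egress ranges and the query-history records are all constructed sample values, and the per-hour row counts stand in for whatever egress measure (rows, bytes, query count) a real warehouse exposes.

```python
"""Flag stolen-integration-token behaviour in service-account query history (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample: egress ranges a SaaS provider publishes for its integration traffic.
# Real deployments load these from the provider's documentation, not from a literal.
PROVIDER_EGRESS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample of warehouse query history for one integration service account.
# Fields: (timestamp, user, client_ip, rows_produced). Day 1 is normal traffic;
# day 2 shows the pattern described in the report: off-range source plus bulk export.
SAMPLE_EVENTS = [
    ("2026-04-01T08:00:00", "SVC_INTEGRATION", "203.0.113.10", 1_200),
    ("2026-04-01T09:00:00", "SVC_INTEGRATION", "203.0.113.11", 1_500),
    ("2026-04-01T10:00:00", "SVC_INTEGRATION", "203.0.113.10", 1_100),
    ("2026-04-02T02:00:00", "SVC_INTEGRATION", "192.0.2.77", 4_800_000),
    ("2026-04-02T02:05:00", "SVC_INTEGRATION", "192.0.2.77", 3_900_000),
]

def ip_outside_egress(ip: str) -> bool:
    """True when a request does not come from any of the provider's published ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PROVIDER_EGRESS)

def hourly_rows(events):
    """Sum rows_produced into (user, hour) buckets so bursts of small queries are still caught."""
    buckets = defaultdict(int)
    for ts, user, _ip, rows in events:
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        buckets[(user, hour)] += rows
    return buckets

def detect(events, baseline_rows_per_hour: int, spike_factor: int = 10):
    """Return alerts: one OFF_RANGE_IP per off-range event, one BULK_EGRESS per hour
    whose total exceeds baseline_rows_per_hour * spike_factor."""
    alerts = []
    for ts, user, ip, _rows in events:
        if ip_outside_egress(ip):
            alerts.append(("OFF_RANGE_IP", user, ip, ts))
    for (user, hour), rows in sorted(hourly_rows(events).items()):
        if rows > baseline_rows_per_hour * spike_factor:
            alerts.append(("BULK_EGRESS", user, hour, rows))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, baseline_rows_per_hour=2_000):
        print(alert)
```

The baseline should come from the account's own history (for example, a trailing 30-day median), since an integration that legitimately syncs large tables will otherwise alert constantly.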