Full Report
Salesforce has warned of an increase in threat actor activity that's aimed at exploiting misconfigurations in publicly accessible Experience Cloud sites by making use of a customized version of an open-source tool called AuraInspector. The activity, per the company, involves the exploitation of customers' overly permissive Experience Cloud guest user configurations to obtain access to sensitive
Analysis Summary
# Tool/Technique: Modified AuraInspector
## Overview
AuraInspector is originally an open-source security auditing tool developed by Mandiant (Google) to help security teams identify access control misconfigurations within the Salesforce Aura framework. However, threat actors have developed a customized, weaponized version of this tool to perform mass scanning and automated data exfiltration from Salesforce Experience Cloud sites that possess overly permissive guest user configurations.
## Technical Details
- **Type:** Attack Tool / Assessment Tool (Modified)
- **Platform:** Salesforce Experience Cloud (Aura Framework)
- **Capabilities:** Mass scanning, API probing, and automated data extraction.
- **First Seen:** January 2026 (Original tool release); March 2026 (Reported active exploitation).
## MITRE ATT&CK Mapping
- **TA0001 - Reconnaissance**
  - **T1595 - Active Scanning:** Probing `/s/sfsites/aura` endpoints to identify vulnerable Salesforce instances.
  - **T1592 - Gather Victim Host Information:** Identifying configuration weaknesses in Guest User profiles.
- **TA0009 - Collection**
  - **T1560 - Archive Collected Data:** Harvesting CRM object data.
- **TA0007 - Discovery**
  - **T1083 - File and Directory Discovery:** Using the tool to enumerate accessible Salesforce CRM objects.
- **TA0006 - Credential Access**
  - **T1528 - Steal Application Access Token:** Exploiting guest user tokens to query internal APIs.
## Functionality
### Core Capabilities
- **API Probing:** Probing the specific `/s/sfsites/aura` endpoint to determine whether a Salesforce site is using the Aura framework.
- **Vulnerability Identification:** Identifying Salesforce objects that are inadvertently exposed via the Guest User profile.
- **Mass Scanning:** Automated discovery of publicly accessible Experience Cloud sites across the internet.
### Advanced Features
- **Automated Data Extraction:** Unlike the original version, which only identified vulnerabilities, the modified version can autonomously query and extract sensitive CRM data (e.g., names, phone numbers).
- **Object Querying:** Directly querying Salesforce CRM objects without requiring authentication by leveraging misconfigured guest permissions.
## Indicators of Compromise
- **File Hashes:** None provided in the report.
- **File Names:** `AuraInspector` (and variants).
- **Registry Keys:** N/A (Cloud-based targeting).
- **Network Indicators:**
  - Probes targeting URIs containing `/s/sfsites/aura`.
  - User agents associated with custom scraping frameworks.
- **Behavioral Indicators:**
  - High-frequency API calls to Salesforce CRM objects from single IP addresses.
  - Unusual volume of guest user traffic querying sensitive data fields (names, phone numbers).
  - Rapid enumeration of Salesforce object schemas by unauthenticated users.
## Associated Threat Actors
- **UNC6240 (ShinyHunters):** Suspected based on historical patterns of targeting Salesforce environments through third-party integrations (e.g., Salesloft, Gainsight).
## Detection Methods
- **Behavioral Detection:** Monitor Salesforce event logs for unauthenticated (Guest) users performing bulk queries or accessing objects they do not typically interact with.
- **Log Analysis:** Audit the Salesforce `ApexUnexpectedException` and `API Total Usage` logs for spikes in traffic to the Aura endpoint.
- **Signature-based:** Detect the specific traffic patterns of the AuraInspector tool in Web Application Firewall (WAF) logs.
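As an added example (not code from the report, Salesforce or Mandiant), the behavioral detection described above run over constructed access-log lines: the 1-minute window and the 20-hit threshold are assumptions to tune per site, and the log format is a simplified one built for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"    # Aura endpoint named in the report
WINDOW = timedelta(minutes=1)    # assumption: 1-minute sliding window
THRESHOLD = 20                   # assumption: >20 Aura hits per window from one IP is anomalous


def parse_line(line):
    """Parse a constructed access-log line: '<ISO timestamp> <client_ip> <method> <uri> <status>'."""
    ts, ip, method, uri, status = line.split()
    return datetime.fromisoformat(ts), ip, method, uri, int(status)


def flag_aura_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: peak hits inside one window} for IPs exceeding the threshold
    on the Aura endpoint. The sample carries no session field, so all hits are treated
    as guest (unauthenticated) traffic."""
    hits = defaultdict(list)
    for line in lines:
        ts, ip, _method, uri, _status = parse_line(line)
        if AURA_PATH in uri:
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample traffic (not real telemetry): one IP bursting the Aura endpoint,
    one ordinary visitor whose page loads also touch it a few times an hour."""
    base = datetime(2026, 3, 1, 12, 0, 0)
    lines = []
    for i in range(30):   # scanner: 30 Aura requests in 30 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.23 POST {AURA_PATH} 200")
    for i in range(3):    # normal visitor: three page loads spread over an hour
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} 203.0.113.5 GET /s/ 200")
        lines.append(f"{(t + timedelta(seconds=2)).isoformat()} 203.0.113.5 POST {AURA_PATH} 200")
    return lines


if __name__ == "__main__":
    print(flag_aura_bursts(build_sample_log()))   # {'198.51.100.23': 30}
```

In a real deployment the same per-IP window count would be fed from WAF or Salesforce event logs, with the threshold set from a baseline of legitimate guest traffic to the site.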
## Mitigation Strategies
- **Profile Hardening:** Ensure "Default External Access" for all Salesforce objects is set to "Private."
- **API Security:** Disable guest user access to public APIs if not explicitly required for business operations.
- **Visibility Restrictions:** Enable settings to prevent guest users from seeing or enumerating internal organization members.
- **Identity Security:** Review and restrict Guest User profile permissions to the absolute minimum necessary.
- **Configuration Audit:** Periodically use the legitimate Mandiant AuraInspector or Salesforce Optimizer to check for misconfigurations.
## Related Tools/Techniques
- **AuraInspector (Original):** The legitimate open-source auditing tool.
- **Identity-Based Targeting:** The broader trend of using harvested data for vishing (voice phishing) and social engineering.
- **Cloud Metadata Scraping:** Similar techniques used to enumerate misconfigured S3 buckets or Azure blobs.