Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.
We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.
Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!
You put everything in the cloud as software as a service, and you assume your security is arranged just fine. Yet your data got exfiltrated. This is what happened to customers of Salesforce.
In today's Threat Talks Deep Dive, we find out what exactly happened. Let's get on to it.
Welcome to Threat Talks. Let's delve deep into the dynamic world of cybersecurity.
So with me today is Luca Cipriano, our Threat Intel and Red Team Program Lead. So welcome, Luca.
Thank you.
And my name is Rob Maas, Field CTO here at ON2IT.
So Salesforce, data got exfiltrated. But before we dive in, Salesforce, what is it?
Yes, indeed. So, well, Salesforce is a CRM. So it's customer relationship management software. It's cloud-based. It is used by companies because it offers tools to manage sales and marketing, customer service, for example, and also helps with enterprise workflow. This specific software is one of the biggest ones, I believe, that exists. And it allows integration with external applications via APIs. So it's quite flexible as well.
So it's a CRM system, customer relationship management.
Yeah.
That means there's a lot of sensitive data in there, a lot of personal data in there. I assume that also puts a big, big mark on their back for attackers.
Yeah, of course. I mean, it's a treasure of data for them. And as we have seen, actually, Salesforce has been targeted by two different campaigns in 2025. Well, not Salesforce the company per se, but companies using Salesforce or its integrations. We will go in depth on this in a few. For example, the first campaign that we have seen started at the end of 2024. And it continued into the beginning of 2025. And it was a vishing campaign.
Okay, so before you continue, a vishing campaign sounds different from phishing.
Yeah, it's like phishing, but it's voice. Vishing is basically voice phishing. So instead of receiving an email, you will receive a phone call, and the attackers try to trick you into, well, achieving whatever they want to achieve.
Okay, what did they want you to do in this case?
So yeah, in this case they targeted companies that were using Salesforce, like people maybe from sales or marketing, or whoever they knew might have access to Salesforce. And what the attacker did, they crafted a malicious application. This malicious application was most of the time kind of a trojanized version of a Data Loader from Salesforce. And they called the victims pretending to be part of their IT team, or maybe pretending to be part of Salesforce themselves.
So, but in this case, the victims are the end users of Salesforce.
The end users of the company, of different companies that use Salesforce, yes. And they tricked them into accepting and authenticating their app within the victim's Salesforce environment.
So, in this case, it could have been, for example, a link, or just telling them where they need to find the application. But the important thing is that that person, the victim, was supposed to allow the application into their environment. Once the victim allows the application into their environment, they get an OAuth authentication flow, and they get issued an authentication token with a refresh token as well. So that means that even if that token times out, they can use the refresh token to refresh it and keep the session live until the token gets revoked or the application gets...
And by having this token, I assume they had access to all the data within the victim's environment?
Yes, indeed.
So what they did with this token, they could reuse it. So they had infrastructure like a VPN, or they used Tor to camouflage their IP, and they sent either bulk API calls or SOQL, so SOQL commands, which is basically the SQL that is used by Salesforce.
The SQL from Salesforce.
So SQL is just a language to query data; this was the language for Salesforce. So they bulk queried the data and they exfiltrated the data via these API calls.
And this was campaign one?
Yeah, this was the first campaign, and it already had some notable... yeah, they targeted and they managed to affect also big companies, like for example Adidas, Louis Vuitton, or luxury brands, for example. So it already had a lot of impact, this campaign.
Okay, and you said, well, this was the first campaign. I think the second campaign we're heading to now is even more... at least it got more coverage in the media. So probably more well known. What happened there?
So the second campaign, it was a campaign that targeted actually Salesloft, specifically Drift.
So now we say a lot of buzzwords. What is that? So what's Drift? Yeah, what's Salesloft first? Because it's not Salesforce, it's Salesloft.
Yeah. So Salesloft is a third-party sales engagement platform. And it offers integration that works with Salesforce, and they have, for example, they use some applications to streamline emails or, for example, tracking prospects for companies. But they have also this Drift, and this Drift is like an AI chatbot integration that can be used by customers as an integration.
So what the attacker did, they managed to, between March and June 2025, they managed to gain access to the Salesloft GitHub. As you can imagine there, when they were in the GitHub, they did a lot of things, like created users, dumped Git, downloaded repositories, all these kinds of things.
Basically, once they had access to Git, of course, they can see all the inner workings.
Yes, they can see the source code, the inner workings, get, for example, authentication tokens if they're there, everything.
So what they did from there, they managed to laterally move into the Drift AWS environment. So at that point, they had access to all the OAuth tokens that Drift was using for authenticating with the Salesforce instances of a lot of different companies. Of course, now we're talking about Salesforce, but that's not the only integration. Like, for example, there was integration with maybe Slack or your Microsoft environment, all these kinds of tokens. So it might end up that we hear a lot more about this attack, but not involving Salesforce, but other companies.
Yeah, it involved other software that companies were using. So not necessarily only Salesforce.
Of course, similar to what happened with the first campaign that we were talking about, attackers gained a long-lived token, so they had a really long-lived token, and they could reuse this token from different, well, IPs, for example, and they managed to do the same. So bulk API calls, download data, or using SOQL. And what they did also after each of these, for example, bulk API calls, they also deleted the API job metadata to cover their tracks. But they managed to impact more than 700 companies and just get data exfiltrated. So this is a really big attack, but for them a good result.
Yeah, that shows how, for example, an attack against a software as a service can cascade into a lot of data leaks from all the integrations that there are. And also, this is something that we need to keep in mind: this is something that is probably a bit more difficult to detect, also because you can't rely on your EDR solutions or IPS solution.
No, it's running in the cloud and you're not in between.
Yeah, the cloud is in the cloud, stays in the cloud. It's a bit more difficult.
Maybe to summarize both campaigns in the end. So the way to get hold of the token, the OAuth token, is different. But in the end, the OAuth token was the way to access the data.
Yeah.
And the second campaign targeted, well, we mentioned more than 700 companies, but also big names like, for example, Zscaler, Palo Alto Networks, Cloudflare, also HackerOne.
A lot of security companies. And HackerOne is very interesting here.
Yeah. And of course, it depends on what Salesforce is used for at all of these companies. But imagine, for example, HackerOne. They have maybe a ticketing system, they need to talk with security researchers, who are providing step-by-step proofs of concept of zero days and new vulnerabilities. So you can imagine, if some of that data is in the leak, that's...
Yeah, then the attackers also end up with possible zero days.
Yeah, exactly. So it all depends on how the integration is used with Salesforce.
Well, what I found interesting with this hack and these security companies involved is how they responded to this attack, because that was quite different. Maybe it was just because of the difference in the data they had stored with Salesforce, and what Salesforce had access to, or what they had access to. But some companies were very brief and just said, okay, this happened. No data was lost, or limited data, no sensitive data. And other companies reacted with, okay, this happened and all data has been lost. So there was a big difference there in communication. That was quite interesting to see with this attack.
Yeah, I guess it really depends on the reach that the attacker had into the data of that customer. Because another thing that you can think about is, if you have your provider and you need to open a case with them because something is not working, or they need to help you troubleshoot something. You can imagine that you will share things like maybe...
Internal details of your configuration, et cetera.
Yes, also maybe credentials or certificates or whatever you're troubleshooting. If that is in the leak, then of course the impact is bigger for your company and for your customers as well.
Yeah, that makes a nice bridge to the next point. So do we know who was behind this attack, and also what did they do with all that data that they gathered?
Yes, so we know a bit of it. So the first thing is, in the first campaign, we know that it was most likely ShinyHunters, because of the ransom note that they demanded and everything. But for the second campaign, it was a group of attackers, so it was ShinyHunters, Scattered Spider and Lapsus$. And we know that also because they created a website on the dark web for the leak of this data.
So it's like the same as, well, a ransomware group.
So they made this website. The website was brought down by law enforcement. So it's not up anymore at the moment. But some of the data, of course, got already leaked, because for some companies, I think the data was found; you can find it on Have I Been Pwned, for example.
But also the thing that you need to think about is that these attackers have the data. So although law enforcement might seize the dark web website, you don't know what they're going to do with that data. They can sell it peer-to-peer. And, for example, another thing that can happen is they just mentioned that they will be under the radar for a while. What does that mean? But also just looking into the data: what do we actually have? How can we use this data maybe for other attacks? It could also be that they are going to rebrand, or maybe part of them is going to start a new, I don't know, hacking group. And of course, they have that data and they might use it for achieving their goals.
Maybe it's already good to know: if you were involved in this attack or your data got stolen, and you know, okay, maybe there are credentials, et cetera, in there, change everything. You should rotate all the credentials or change your certificates that might be in there, and all these kinds of things.
So that's still a bit unclear, what the attackers are going to do with all the data that they have, because that must be a lot.
Yeah, even if it's not public, it is in the world. They have it.
Yeah, it's out there.
Yeah, these campaigns also resulted in some lawsuits against Salesforce.
Yeah, that's also another interesting point, because by September 2025 Salesforce got at least 14 class actions against them, because they're saying that Salesforce failed on securing, for example, the integration between apps. So they were not really monitoring if malicious apps were integrated in their platform. But of course, Salesforce's point is that that is a shared responsibility, because you should not accept the app. So that's not totally on them.
That's the, we'll come to that, but it's the shared responsibility model within cloud. You put something in there and the vendor says, in this case Salesforce says, OK, I'm responsible for my infrastructure. Yes. My application, I make sure that's secure, but everything that you will send to it or get out of it, or all the controls that we give you, that's up to you. And I can also imagine sometimes that leaves a bit of a gray area. Who's responsible for what?
Indeed, but in this case, if you think about it, it's not that Salesforce was, their infrastructure was hacked. That's not exactly what happened.
No, it's really just a third party, or someone tricked to make sure that the attackers get an OAuth token.
So you had either your own employees that made a mistake, like they fell for vishing, or you have, for example, a supply chain attack that Salesforce probably does not really have much...
And an interesting thing here, so Salesforce says, okay, it was not our fault. You should take better care of security yourself. But that also led to the attackers collaborating with some of the investigation firms for these lawsuits.
Yeah, that's of course, that's the opportunistic part. And yeah, that's what the attackers did.
They also, on their website, released a statement, and they were saying that they already were in contact with the law firms that were busy with these class actions. And they were going to be willing to share all the data that has been leaked. But not only that, but also explain how easy it was for them to get that data, and what the companies didn't do correctly to prevent this kind of attack.
Okay, that's a nice angle. At least something you would not expect.
Yeah, no, they actually framed their part in it, their extortion, as legal whistleblowing. So it's a white hat action. They made it ethical.
So we already mentioned Salesforce running in the cloud. So endpoint detection doesn't do much. But other things you can do if you run, for example, if you use Salesforce, what can you do to defend yourself against these kinds of attacks?
So there are some basic things you can do. And, for example, if you think about a company that they affected more than some other companies, and one of the companies that was affected like this was Okta. But Okta was not breached. Why didn't they have any data leak? It is because of what they had done: they had whitelisted the IPs for the Salesloft Drift integration. So they knew that the API token for that application could come only from the legitimate IPs. So when the attackers tried to use Tor or VPNs, well, they were not successful in connecting, because of that whitelisting.
It was just blocking the connection at all.
Yes.
So it is sometimes difficult, especially if you have to deal with, I'm not saying that this is the case, but if you have to deal with third parties that they don't really know, because it happened to me that I had to deal with...
Or they run a dynamic infrastructure.
Yes. So the IP addresses will change frequently, then it will be really hard. So it might not be easy, but for sure it's a possibility.
It's an effective method if you have it.
So in this case, it worked for sure.
Of course, I think there should be also, you as a company should audit the apps that are connected to your Salesforce environment every now and then, and just make sure that you disconnect or remove apps that you don't know.
This might be hard, I think, because your people within the company are using Salesforce, and then they see this tool. Okay, this makes my life easier. Can we not just add it? Maybe they can even add it themselves.
Yeah, that is difficult for sure. But then at that point, maybe you can also just review which apps should be used and only use an allow list of approved apps. So not give them the choice.
It's kind of asset management, but then for your cloud applications.
Yes, asset inventory for connected apps or something like that.
Makes sense.
Maybe also reviewing the OAuth sessions that are active, and then just monitor token usage, what they're doing. I mean, again, it's not easy, especially when you use a lot of these integrations, but it's definitely something.
Yeah, of course, geoblocking or whitelisting the IPs that this connection should come from, that worked for Okta. So that is something that definitely works.
But also, I think especially for the first campaign, maybe educate the staff against phishing. It's not only good for your company but also for them in their private life, so they don't get phished or vished for their private things. So that's always, I would say, that's a soft measure. You can educate them, but if an attacker is clever enough or sophisticated enough, they still might be able to trick that person into performing the actions that they set out.
Of course that can happen, but it certainly helps. It couldn't hurt to put some effort into education.
Yeah, that's, I think, it can't hurt for sure.
Yeah, and I think, and that's maybe also to wrap it up a bit, is the shared responsibility. So even if you put your data in the cloud and you use applications in the cloud, you're still responsible for your data. And the cloud vendor, in this case Salesforce, is responsible for the infrastructure and the application, and that data of different tenants cannot reach each other or communicate with each other. But all the controls and external access, et cetera, is still your responsibility.
Yeah. Don't assume that it's protected, because you don't offload everything.
Yeah, exactly.
So I think that brings us to an end here. So make sure that you're in control of your cloud applications, that there is a shared responsibility. So also you have to take action. So if you're not sure, go out and check it. And with that, Luca, I will thank you for all the information. Learned a lot today.
Thank you.
And to you listeners, I hope to see you next time. If you didn't already do so, please like and subscribe. See you next time.
Thank you for listening to Threat Talks, a podcast by ON2IT Cybersecurity and AMS-IX. Did you like what you heard? Do you want to learn more? Follow Threat Talks to stay up to date on the topic of cybersecurity.
Thank you.