News has been trickling out since August 20 about a security issue in Salesloft’s Drift product, a marketing and sales chatbot that integrates with CRM systems to capture and track sales opportunities. The issue started in March, when threat actors accessed Salesloft’s GitHub account and did reconnaissance, which helped them access Drift’s AWS environment and obtain OAuth tokens. From there, they accessed Drift customers’ Salesforce instances from August 8–18.
Salesforce has suffered repeated attacks this year where advanced persistent threats (APTs) compromised customer databases by targeting individual companies. This attack is much broader in terms of both scope and number of companies affected, as Drift is a popular tool used by over 700 companies. Its customers include several notable cybersecurity vendors such as Black Duck, Cloudflare, Okta, OneTrust, Palo Alto Networks, Proofpoint, and Zscaler.
What Data Was Compromised?
By design, Drift is meant to improve sales engagement with prospects and customers. Its integration with CRM systems lets Drift track leads, update CRM records, and trigger follow-up actions. Because of the Salesforce integration, the threat actors were able to access:
Sensitive information about client environments such as IP addresses, account information, and access tokens. These are stored in clear text within support case notes to make supporting that customer easier when a case is passed to multiple analysts, but for a hacker, this gives them critical access details to the client’s infrastructure.
Standard information about accounts such as client contact data, sales pipeline, support history, and business strategy. This information seems generic, but for social engineering campaigns, these are the details that threat actors need to make their engagement more believable.
Actions To Take Now To Reduce The Threat To Your Business
While Salesloft has reset the authentication tokens and temporarily disabled Drift, impacted businesses need to take further steps to protect themselves and their employees. After working with their third-party risk management program to define the scope of the breach, companies should take the following actions:
Revoke and rotate all API keys, credentials, and authentication tokens associated with the integration. Additionally, if your investigation of your Salesforce data uncovers any hardcoded secrets or exposed API keys/credentials, they must be rotated immediately. Establish a regular rotation schedule for all API keys and other secrets used in third-party integrations to reduce the window of exposure.
Tune tech and train teams for the social engineering onslaught. Various human-element breach types and tactics will spring up in the coming weeks and months based on the data that was extracted, requiring specific tech and process controls. Your email, messaging, and collaboration security solution and your employees should be tuned to spot the traditional signs of social engineering: authority, novelty, and urgency. Employees should be encouraged — and publicly praised — to pause in the face of these signs and seek additional verification before providing information or completing transactions.
Institute least privileged access controls on your data used by third parties. The guidance we’ve provided on SaaS security applies equally to app developers and customers to limit access to data to only what is needed for that function to execute. In this campaign, companies that restricted inbound access from approved IP addresses did not have their Salesforce data extracted, even though they were targeted. Utilize SaaS security posture management solutions to uncover the risks in your SaaS deployments and improve threat monitoring of your configurations within these apps to limit your exposure based on identified risks.
Secure your software supply chain. Start with an inventory of all software used in the development and delivery process; this includes open-source software tools and components. Ensure that dev environments, pipelines, and source-code management systems utilize Zero Trust principles, have phishing-resistant multifactor authentication enforced, enable branch protection, monitor for security misconfigurations, automate application security testing, and utilize a secrets management solution to avoid any credentials, tokens, or environment variables being passed in plaintext.
Define your incident escalation matrix. Delineate severity levels and assess materiality in the context of the regulatory requirements to which your organization is beholden. Socialize this matrix with all internal and external stakeholders, and work with outside counsel and your incident response service provider to develop executive and board tabletop exercises involving complex, cascading nth-party breach and breach notification scenarios.
Stay Tuned
Details continue to emerge from Salesloft as well as businesses directly impacted by the breach. Because we still don’t know how many companies were victims of data theft or the exact attack details, the total impact remains unclear. The security and risk team at Forrester will provide updates to help clients as new details come to light.
