Palo Alto Networks, Zscaler, and Cloudflare are reporting data breaches resulting from the recent supply chain attack on Salesloft Drift.
Palo Alto Networks says it experienced a data breach in which customer information and support case records were exposed following unauthorized access to its Salesforce environment. The intrusion was carried out with OAuth tokens that had been compromised in the Salesloft Drift breach.
The supply chain attack was made public last week and affected hundreds of businesses, with threat actors using the stolen authentication tokens to exfiltrate data.
Palo Alto Networks customers contacted the media about the breach over the weekend, voicing concern that private data disclosed in support cases, including passwords and IT details, may have been compromised.
Palo Alto Networks later told the media that no products, systems, or services were affected and that the incident was confined to its Salesforce CRM.
The company told the media that it was one of hundreds of customers affected by the widespread supply chain attack targeting the Salesloft Drift application, which exposed Salesforce data.
“The situation was quickly contained, and the application was removed from its Salesforce system. It was also confirmed by its Unit 42 investigation that no Palo Alto Networks systems, services, or products were affected by this circumstance.
“In addition to internal sales account records and basic case data, the attacker mainly extracted business contact and other related account information. They are now contacting the affected customers immediately.”
Palo Alto Networks further told the media that the exfiltrated support case data contained no technical support files or attachments, only contact information and text comments.
Google’s Threat Intelligence Group, which tracks the actor as UNC6395, first identified the campaign. The actor combed support cases for information that could be used to pivot into other cloud services, including passwords, authentication tokens, and cloud secrets.
In a threat brief, Palo Alto Networks warned, “Our observations indicate that the threat actor performed mass exfiltration of sensitive data from various Salesforce objects, including Account, Contact, Case, and Opportunity records.”
“The actor appears to be searching the obtained data for credentials after exfiltration, most likely with the goal of enabling additional assaults or extending their access. The team noticed that, most likely as an anti-forensics tactic, the threat actor erased queries to conceal evidence of the jobs they executed.”
With those credentials, further cloud platforms could be compromised and their data stolen for extortion.
Google and Palo Alto Networks also report that the threat actors exfiltrated data with automated tooling, using user-agent strings that pointed to custom Python programs.
During these attacks the threat actors mass-exfiltrated the Account, Contact, Case, and Opportunity Salesforce objects.
They hid their origin behind Tor and deleted the queries they had run to evade detection.
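The indicators in the paragraphs above (scripted Python clients, Tor exit nodes, whole-object pulls of Account, Contact, Case and Opportunity, and query jobs deleted afterwards) can be turned into a triage rule over Salesforce API access records. The script below is an added example, not code from the article, Palo Alto Networks or Google. It assumes a simplified record layout (real Salesforce EventLogFile rows use different field names), a constructed stand-in for the Tor exit list, illustrative thresholds, and constructed sample records; the user names and IPs are placeholders.

```python
"""Flag UNC6395-style bulk exfiltration in Salesforce API access records.

Added example; not code from the original article, Palo Alto Networks or Google.
ASSUMPTIONS: the record layout is a simplified stand-in for a Salesforce
event-log export, TOR_EXITS is a constructed placeholder for the published
exit-node list, and the thresholds are illustrative.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Objects the article reports as mass-exfiltrated.
TARGET_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}

# Script-style clients; interactive users present a browser user agent.
SCRIPT_UA = re.compile(r"python|aiohttp|curl|go-http-client", re.IGNORECASE)

# SOQL with no WHERE/LIMIT clause is a whole-object pull.
UNFILTERED_SOQL = re.compile(r"^\s*SELECT\b.+\bFROM\s+\w+\s*$", re.IGNORECASE | re.DOTALL)

BULK_ROW_THRESHOLD = 10_000

# Constructed stand-in for the published Tor exit-node list.
TOR_EXITS = {"185.220.101.5"}

# Constructed sample records (assumed layout), not real log data.
SAMPLE_EVENTS = [
    # A connected app's user pulling whole objects over Tor with a Python
    # client, then deleting its bulk query jobs.
    {"ts": "2025-08-09T02:11:03Z", "user": "drift-integration@example.com",
     "client_ip": "185.220.101.5", "user_agent": "python-requests/2.32.4",
     "object": "Account", "rows": 250_000,
     "query": "SELECT Id, Name, Website FROM Account", "job_deleted": True},
    {"ts": "2025-08-09T02:14:41Z", "user": "drift-integration@example.com",
     "client_ip": "185.220.101.5", "user_agent": "Python/3.11 aiohttp/3.12.15",
     "object": "Contact", "rows": 180_000,
     "query": "SELECT Id, Email, Phone FROM Contact", "job_deleted": True},
    {"ts": "2025-08-09T02:20:19Z", "user": "drift-integration@example.com",
     "client_ip": "185.220.101.5", "user_agent": "python-requests/2.32.4",
     "object": "Case", "rows": 90_000,
     "query": "SELECT Id, Subject, Description FROM Case", "job_deleted": True},
    {"ts": "2025-08-09T02:26:55Z", "user": "drift-integration@example.com",
     "client_ip": "185.220.101.5", "user_agent": "python-requests/2.32.4",
     "object": "Opportunity", "rows": 40_000,
     "query": "SELECT Id, Name, Amount FROM Opportunity", "job_deleted": True},
    # An analyst looking up one record from a browser on the corporate network.
    {"ts": "2025-08-09T09:02:10Z", "user": "alice@example.com",
     "client_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "object": "Account", "rows": 1,
     "query": "SELECT Id, Name FROM Account WHERE Id = '001000000000001'",
     "job_deleted": False},
    # A known nightly ETL job: scripted and bulk, but not via Tor and leaving
    # its jobs in place. Lands in the review tier, not the high tier.
    {"ts": "2025-08-09T01:00:00Z", "user": "nightly-etl@example.com",
     "client_ip": "198.51.100.7", "user_agent": "python-requests/2.31.0",
     "object": "Account", "rows": 250_000,
     "query": "SELECT Id, Name, Website FROM Account", "job_deleted": False},
]


def is_unfiltered_query(soql: str) -> bool:
    """True when the SOQL selects a whole object (no WHERE or LIMIT)."""
    return bool(UNFILTERED_SOQL.match(soql))


def score_event(event: dict, tor_exits: set[str] = TOR_EXITS) -> list[str]:
    """Return the indicators present on a single access record."""
    reasons = []
    if SCRIPT_UA.search(event["user_agent"]):
        reasons.append("scripted client")
    if event["client_ip"] in tor_exits:
        reasons.append("tor exit")
    if event["object"] in TARGET_OBJECTS and (
        event["rows"] >= BULK_ROW_THRESHOLD or is_unfiltered_query(event["query"])
    ):
        reasons.append(f"bulk pull of {event['object']}")
    if event.get("job_deleted"):
        reasons.append("query job deleted")
    return reasons


def triage(events: list[dict], tor_exits: set[str] = TOR_EXITS) -> list[dict]:
    """Classify each record: 3+ indicators is high, 2 is review, fewer is dropped."""
    findings = []
    for event in events:
        reasons = score_event(event, tor_exits)
        if len(reasons) < 2:
            continue
        severity = "high" if len(reasons) >= 3 else "review"
        findings.append({"ts": event["ts"], "user": event["user"],
                         "object": event["object"], "severity": severity,
                         "reasons": reasons})
    return findings


def full_sweep_users(findings: list[dict]) -> set[str]:
    """Users with high-severity pulls across every target object: the
    mass-exfiltration pattern, as opposed to one odd query."""
    objects_by_user: dict[str, set[str]] = defaultdict(set)
    for finding in findings:
        if finding["severity"] == "high":
            objects_by_user[finding["user"]].add(finding["object"])
    return {u for u, objs in objects_by_user.items() if objs >= TARGET_OBJECTS}


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for r in results:
        print(r["severity"], r["ts"], r["user"], r["object"], "; ".join(r["reasons"]))
    print("full-sweep users:", full_sweep_users(results))
```

The tiered scoring matters in practice: a legitimate ETL integration also looks like a scripted bulk client, so a single indicator is not a detection. The combination of a scripted client, a Tor source, a whole-object pull and a deleted job, repeated across all four objects, is what separates the campaign described in the article from routine automation.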
After the incident, Palo Alto Networks says it rotated the affected credentials and revoked the related tokens.
Palo Alto Networks advises Salesloft Drift customers to treat the situation with “immediate urgency” and take the following steps:
Step 1: Review Salesforce, identity provider, and network logs for signs of compromise.
Step 2: Review every Drift integration for suspicious connections.
Step 3: Revoke and rotate credentials, secrets, and authentication keys.
Step 4: Scan code repositories for embedded authentication keys or tokens using automated tools such as TruffleHog and Gitleaks.
Step 5: If data exfiltration is confirmed, check the exposed data for credentials.
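Steps 4 and 5 both come down to the same task: find credential-shaped strings in text you did not expect to hold secrets, whether a repository or an export of the support cases the attacker took, so you know what to rotate. The script below is an added example written for this article, not code from Palo Alto Networks, TruffleHog or Gitleaks. It assumes a simplified case export (an id plus free text), carries only a small illustrative subset of the detectors those tools ship with, and runs over constructed sample cases; the case ids, tokens and keys are placeholders, including the AWS documentation example key.

```python
"""Triage exported support-case text for credentials that must be rotated.

Added example; not code from the original article, Palo Alto Networks,
TruffleHog or Gitleaks. ASSUMPTIONS: the case export layout (id + free
text) is a simplified stand-in, the patterns are a small illustrative
subset of what real scanners carry, and every sample case is constructed.
"""
from __future__ import annotations

import math
import re
from collections import Counter, defaultdict

# Known-prefix secrets. Where a pattern has a capture group, that group is
# the secret; otherwise the whole match is.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._\-]{20,})"),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})", re.IGNORECASE),
}
# Catch-all for opaque secrets with no recognisable prefix.
LONG_TOKEN = re.compile(r"\b[A-Za-z0-9+/=_\-]{32,}\b")
ENTROPY_THRESHOLD = 3.5  # bits per character; illustrative cut-off

# Constructed sample cases, not real support data.
SAMPLE_CASES = [
    {"id": "00001001", "text": "Firewall keeps dropping traffic. Config export "
                               "attached; admin password: Tr0ub4dor&3"},
    {"id": "00001002", "text": "API call that fails: GET /v1/zones with "
                               "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9."
                               "c2VjcmV0LWNsYWltcw.abcdefghijklmnopqrstuvwxyz012345"},
    {"id": "00001003", "text": "Thanks, resolved by restarting the service. "
                               "No further action needed."},
    {"id": "00001004", "text": 'Terraform plan fails with this provider block: '
                               'access_key = "AKIAIOSFODNN7EXAMPLE" '
                               'secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"'},
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, prose low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(secret: str) -> str:
    """Keep just enough to locate the value in the case, never the value."""
    return f"{secret[:4]}...[{len(secret)} chars]"


def scan_case(case_id: str, text: str) -> list[dict]:
    findings, covered = [], []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            secret = m.group(m.lastindex or 0)
            findings.append({"case": case_id, "kind": kind,
                             "redacted": redact(secret), "offset": m.start()})
            covered.append((m.start(), m.end()))
    # Entropy pass over long tokens not already explained by a known pattern.
    for m in LONG_TOKEN.finditer(text):
        overlaps = any(s < m.end() and m.start() < e for s, e in covered)
        if not overlaps and shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            findings.append({"case": case_id, "kind": "high_entropy_string",
                             "redacted": redact(m.group(0)), "offset": m.start()})
    return findings


def scan_cases(cases: list[dict]) -> list[dict]:
    return [f for case in cases for f in scan_case(case["id"], case["text"])]


def rotation_plan(findings: list[dict]) -> dict[str, list[str]]:
    """Secret kind -> sorted case ids, i.e. the to-do list for Step 3."""
    plan: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        plan[f["kind"]].add(f["case"])
    return {kind: sorted(ids) for kind, ids in plan.items()}


if __name__ == "__main__":
    hits = scan_cases(SAMPLE_CASES)
    for h in hits:
        print(h["case"], h["kind"], h["redacted"], "at offset", h["offset"])
    print(rotation_plan(hits))
```

Two design points carry over from the real scanners: findings are redacted at the source so the triage report does not become a second copy of the secrets, and the entropy pass only runs on tokens no prefix pattern already explained, which keeps a JWT from being reported twice. Treat the output as a minimum: anything the pattern set misses is still compromised if it was in an exfiltrated case, which is why the article's advice is to rotate everything shared through the channel.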
Palo Alto Networks, Salesforce, and Google have disabled their Drift integrations while the investigation into the OAuth token theft continues.
Google and Zscaler are among the other companies affected by the supply chain attack.
Threat actors linked to the ShinyHunters extortion group have been carrying out Salesforce data-theft attacks since the beginning of the year.
In earlier attacks they used voice phishing (vishing) to trick employees into connecting a malicious OAuth application to their organization’s Salesforce instance.
Once the application was connected, the threat actors downloaded the databases and used the stolen data to send extortion emails to the company.
In the Salesloft incident, by contrast, the threat actors used the stolen OAuth tokens themselves to access and exfiltrate Salesforce data.
Numerous data breaches have been linked to these social-engineering attacks since Google first disclosed them in June, including at Google, Cisco, Farmers Insurance, Workday, Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
Google says there is not yet enough evidence to connect the Salesloft supply chain attacks to that campaign, although several researchers told the media they believe the same threat actors are involved.
Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, told the media, “At this time, we haven’t seen any compelling evidence connecting them.”
In a blog post, Cloudflare said an external party had accessed the “Salesforce instance, which we use for customer support and internal customer case management, and some of the data it contains.”
According to the post, “the majority of this data consists of customer contact details and basic support case information, but certain customer support interactions may disclose details about a customer’s configuration and may contain sensitive information like access tokens.” It continues: “We strongly advise you to rotate any credentials that you may have shared with us through this channel, as Salesforce support case data contains the contents of support tickets with Cloudflare. Any information that a customer may have shared with Cloudflare in our support system, including logs, tokens, or passwords, should be considered compromised.”
Cloudflare noted that it was not singled out: the threat actor’s aim was to harvest customer data and credentials for use in follow-on attacks.
The statement said Cloudflare suspects the threat actor will use this information to launch targeted attacks against customers across the affected organisations, given that the Drift compromise affected hundreds of them.
According to Michal, Cloudflare’s disclosure of the Salesloft/Drift incident is a particularly “good” example of accountability and transparency in cybersecurity reporting.
Michal added that the blog “openly accepts responsibility for the risks posed by third-party integrations which are external to them and, in addition to providing clear technical detail.” “Cloudflare showed maturity and leadership in incident response by pledging to fortify their SaaS environments and toolchain security moving forward, setting a high bar for how organisations should communicate, remediate, and reinforce trust in the wake of supply chain compromises.”
Discover more from TechBooky