This security incident was not the result of a traditional software vulnerability (it has no CVE) but of a social engineering campaign attributed to the threat actor group "ShinyHunters". The attackers contacted employees of Salesforce customers directly by voice phishing (vishing) and text message (smishing). The goal of that initial contact was to talk an employee with sufficient privileges into authorizing a malicious OAuth application (in Salesforce terms, a connected app) inside the company's Salesforce CRM environment.
Once an employee granted that authorization, the attackers held a valid OAuth token for the Salesforce instance and used it to exfiltrate data stored in the CRM. According to the disclosures, the compromised data was limited to business contact information such as names, email addresses, and phone numbers. The main follow-on risk is that the threat actor will use this validated contact data to run more targeted and more credible phishing campaigns against employees and customers.
What To Do
- Alert your teams - Brief all Salesforce and Workday users about this active threat.
- Verify caller identity - Instruct employees to independently verify, through official channels, any unexpected call or text that asks for credentials, MFA codes, or approval of an application or connected app. Treat "IT support" asking you to approve an app during the call as a red flag.
- Review access logs - Monitor Salesforce login activity for unusual patterns, and review which connected apps have been authorized recently, by whom, and with what OAuth scopes. API logins through a newly authorized app from an unfamiliar network are the signal to look for.
- Strengthen authentication - Ensure MFA is enabled and consider additional security controls. Note that MFA alone does not stop this attack: the victim is already authenticated when they approve the malicious app, so also restrict which connected apps users can authorize (admin pre-approval of connected apps, limits on API access) and periodically revoke tokens for apps nobody recognizes.
- Report suspicious activity - Document and report any suspicious calls to your security team immediately.
- Assess third parties - Use the Companies List > Service Provider filter in Bitsight to identify vendors, subsidiaries, and other critical organizations using Salesforce. While not evidence of compromise, understanding which organizations in your ecosystem rely on Salesforce can help you stay alert to potential targeting as this threat evolves.
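As an added illustration of the "review access logs" step above (example code written for this page, not Bitsight's or Salesforce's own tooling), the script below runs two simple checks over a constructed sample of Salesforce-style audit data: it flags any connected-app authorization for an app that is not on an allowlist, and it flags successful logins through such an app, within a short window of its authorization, from an IP outside the organization's known networks. The field names (`type`, `app`, `scopes`, `ip`, `status`), the app names, the IP ranges, and the sample events are all assumptions made up for the example; map them onto your real LoginHistory / SetupAuditTrail exports before use.

```python
"""Flag newly authorized OAuth/connected apps and the API access that follows them.

Added example, not part of the original advisory. Field names are a simplified
assumption loosely modeled on Salesforce LoginHistory / SetupAuditTrail exports.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample export (not real data). Two event kinds are used:
#   "app_authorized": a user approved a connected app (OAuth consent)
#   "login":          a login or API session, with the client application name
SAMPLE_EVENTS = [
    {"ts": "2025-08-08T14:02:11Z", "type": "login", "user": "jdoe@example.com",
     "app": "Browser", "ip": "203.0.113.10", "status": "Success"},
    # Hypothetical app approved by the victim during a vishing call.
    {"ts": "2025-08-08T14:09:40Z", "type": "app_authorized",
     "user": "jdoe@example.com", "app": "Bulk Export Helper",
     "scopes": ["api", "refresh_token"]},
    {"ts": "2025-08-08T14:10:05Z", "type": "login", "user": "jdoe@example.com",
     "app": "Bulk Export Helper", "ip": "198.51.100.77", "status": "Success"},
    {"ts": "2025-08-08T14:11:30Z", "type": "login", "user": "jdoe@example.com",
     "app": "Bulk Export Helper", "ip": "198.51.100.77", "status": "Success"},
    # Benign: an allowlisted BI tool, used from the corporate network.
    {"ts": "2025-08-08T15:00:00Z", "type": "app_authorized",
     "user": "asmith@example.com", "app": "Corp BI Connector", "scopes": ["api"]},
    {"ts": "2025-08-08T15:01:00Z", "type": "login", "user": "asmith@example.com",
     "app": "Corp BI Connector", "ip": "203.0.113.22", "status": "Success"},
]

# Hypothetical allowlist and known egress ranges; replace with your own.
APPROVED_APPS = {"Corp BI Connector"}
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]
FOLLOW_ON_WINDOW = timedelta(hours=1)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_known_ip(ip, networks=KNOWN_NETWORKS):
    """True if the address falls inside one of the organization's known ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def find_suspicious_oauth_activity(events, approved_apps=APPROVED_APPS,
                                   window=FOLLOW_ON_WINDOW):
    """Return findings for unapproved app authorizations and their follow-on access.

    Rule 1: an app_authorized event for an app not on the allowlist.
    Rule 2: successful logins through that app, within `window` of the
            authorization, from an IP outside the known networks. These are
            aggregated per (user, app) so one finding summarizes a burst.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    new_auths = {}   # (user, app) -> authorization time, unapproved apps only
    follow_on = {}   # (user, app) -> {"login_count": n, "ips": set()}

    for e in events:
        t = parse_ts(e["ts"])
        if e["type"] == "app_authorized" and e["app"] not in approved_apps:
            new_auths[(e["user"], e["app"])] = t
            findings.append({"rule": "unapproved_app_authorized", "ts": e["ts"],
                             "user": e["user"], "app": e["app"],
                             "scopes": list(e.get("scopes", []))})
        elif e["type"] == "login" and e.get("status") == "Success":
            key = (e["user"], e["app"])
            auth_t = new_auths.get(key)
            if auth_t is not None and t - auth_t <= window and not is_known_ip(e["ip"]):
                bucket = follow_on.setdefault(key, {"login_count": 0, "ips": set()})
                bucket["login_count"] += 1
                bucket["ips"].add(e["ip"])

    for (user, app), bucket in follow_on.items():
        findings.append({"rule": "follow_on_access_from_unknown_ip",
                         "user": user, "app": app,
                         "login_count": bucket["login_count"],
                         "ips": sorted(bucket["ips"])})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_oauth_activity(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample this yields two findings: the unapproved "Bulk Export Helper" authorization with an `api` plus `refresh_token` scope (a long-lived token, which is what makes a one-time phone call turn into persistent access), and the two API logins through it from 198.51.100.77 in the following minutes; the allowlisted BI tool used from the corporate range produces nothing. In production you would also revoke the flagged app's tokens and confirm with the user, out of band, whether they remember approving it.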