The bad actors behind the massive data leak linked to Salesloft’s Drift platform, which sparked sprawling supply chain attacks that hit such high-profile names as Cloudflare, SentinelOne, Zscaler and Palo Alto Networks, spent months inside Salesloft’s systems after gaining access to its GitHub account earlier this year.
Salesloft this week outlined the results of an investigation by Google’s Mandiant unit, which found that the threat group, UNC6395, accessed the GitHub account between March and June, during which time it also conducted reconnaissance of both the Salesloft and Drift environments.
Salesloft didn’t say how the hackers were able to break into its GitHub account.
“With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows,” the company wrote. “The analysis has not found evidence beyond limited reconnaissance related to the Salesloft application environment.”
From there, the UNC6395 actors accessed Drift’s cloud environment in Amazon Web Services (AWS), grabbing OAuth tokens for the customer integrations with Drift and using those tokens to access customers’ Salesforce instances.
Using that access to the Salesforce instances, the hackers, beginning at least in early August, were able to steal large amounts of data from many Salesforce instances, according to researchers with Mandiant and Google’s Threat Intelligence Group (GTIG).
They wrote in a report that the “primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could be potentially used to compromise victim environments.”
They saw UNC6395 targeting sensitive credentials, including AWS access keys, passwords, and access tokens related to cloud-based data platform provider Snowflake.
“UNC6395 demonstrated operational security awareness by deleting query jobs,” the Google researchers wrote, adding that “however, logs were not impacted and organizations should still review relevant logs for evidence of data exposure.”
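The two points above, that the actor deleted its query jobs but the event logs survived, and that it combed exported data for AWS keys, passwords and Snowflake credentials, translate into two defender-side checks. The following is an added example written for this article, not tooling from Salesloft, Google or Obsidian. The event schema, field names, the connected-app name and every sample record are constructed for the example and are not Salesforce's real Event Monitoring format; the only real-world specific is the documented public prefix/length format of an AWS access key ID.

```python
"""Review constructed Salesforce-style audit events for large bulk exports whose
job records were later deleted, then triage the exported text for the kinds of
secrets the article says UNC6395 was hunting. Example code for this article.
All field names, app names and sample data are constructed (not a real schema)."""

import json
import re

# Constructed sample events (NOT real logs). A connected app runs two Bulk API
# query jobs, pulls large result sets, then deletes the job records; an analyst
# runs an ordinary small report export. Deleting the job does not remove events.
SAMPLE_EVENTS = [
    '{"ts":"2025-08-09T02:11:04Z","app":"Drift Integration (example)","user":"integration@example.com","event":"BulkApiJobCreate","object":"Case","rows":0,"job":"750xx000000001"}',
    '{"ts":"2025-08-09T02:13:40Z","app":"Drift Integration (example)","user":"integration@example.com","event":"BulkApiQueryResult","object":"Case","rows":184000,"job":"750xx000000001"}',
    '{"ts":"2025-08-09T02:14:02Z","app":"Drift Integration (example)","user":"integration@example.com","event":"BulkApiJobDelete","object":"Case","rows":0,"job":"750xx000000001"}',
    '{"ts":"2025-08-09T02:20:15Z","app":"Drift Integration (example)","user":"integration@example.com","event":"BulkApiJobCreate","object":"Account","rows":0,"job":"750xx000000002"}',
    '{"ts":"2025-08-09T02:22:51Z","app":"Drift Integration (example)","user":"integration@example.com","event":"BulkApiQueryResult","object":"Account","rows":52000,"job":"750xx000000002"}',
    '{"ts":"2025-08-09T02:23:10Z","app":"Drift Integration (example)","user":"integration@example.com","event":"BulkApiJobDelete","object":"Account","rows":0,"job":"750xx000000002"}',
    '{"ts":"2025-08-09T09:00:00Z","app":"Sales Dashboard (example)","user":"analyst@example.com","event":"ReportExport","object":"Opportunity","rows":300,"job":null}',
]


def summarize_bulk_activity(lines, row_threshold=10000):
    """Group bulk query events by job id and flag jobs that returned at least
    row_threshold rows and were then deleted. Findings are sorted by first-seen
    timestamp so the analyst can reconstruct the export timeline."""
    jobs = {}
    for line in lines:
        ev = json.loads(line)
        job_id = ev.get("job")
        if not job_id:  # interactive exports carry no bulk job id; out of scope here
            continue
        job = jobs.setdefault(job_id, {
            "app": ev["app"], "user": ev["user"], "objects": set(),
            "rows": 0, "deleted": False, "first_seen": ev["ts"],
        })
        job["objects"].add(ev["object"])
        if ev["event"] == "BulkApiQueryResult":
            job["rows"] += ev["rows"]
        elif ev["event"] == "BulkApiJobDelete":
            job["deleted"] = True
    findings = [
        {"job": job_id, "app": j["app"], "user": j["user"],
         "objects": sorted(j["objects"]), "rows": j["rows"], "first_seen": j["first_seen"]}
        for job_id, j in jobs.items()
        if j["rows"] >= row_threshold and j["deleted"]
    ]
    return sorted(findings, key=lambda f: f["first_seen"])


# Patterns for the credential types named in the article. The AWS access key ID
# prefix and length follow the documented public format; the password and
# Snowflake patterns are deliberately broad triage heuristics, not exact grammars.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "snowflake_reference": re.compile(r"(?i)\bsnowflake\b.{0,40}\b(?:token|password|key)\b"),
}

# Constructed support-case bodies standing in for exported Salesforce records.
# The key below is a constructed placeholder, not a real credential.
SAMPLE_RECORDS = [
    {"id": "5001", "body": "Customer cannot log in. Temp creds: user=svc_ingest password=Winter2024! until rotated."},
    {"id": "5002", "body": "Pipeline failing with AccessDenied. Key in use: AKIAEXAMPLE000000000. Please check IAM."},
    {"id": "5003", "body": "Our Snowflake warehouse token was pasted into the chat earlier, see attached."},
    {"id": "5004", "body": "Thanks, issue resolved after clearing the browser cache."},
]


def triage_exported_text(records):
    """Return {record_id: {"types": [...], "redacted": body}} for every record
    whose free text contains a secret pattern. Matches are replaced with a
    label so the triage report itself does not carry the secret onward."""
    report = {}
    for rec in records:
        types, redacted = [], rec["body"]
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(redacted):
                types.append(name)
                redacted = pattern.sub(f"[{name} REDACTED]", redacted)
        if types:
            report[rec["id"]] = {"types": sorted(types), "redacted": redacted}
    return report


if __name__ == "__main__":
    for f in summarize_bulk_activity(SAMPLE_EVENTS):
        print(f"deleted bulk job {f['job']} by {f['app']} exported {f['rows']} rows from {f['objects']}")
    for rec_id, hit in triage_exported_text(SAMPLE_RECORDS).items():
        print(f"record {rec_id} exposes {hit['types']}: {hit['redacted']}")
```

The first check answers "what left, and when" from events the actor could not delete; the second answers "what was in it", which is the question that decides whether downstream AWS, Snowflake and application credentials need rotation. Any record the triage flags is a reason to rotate the underlying credential, whether or not exfiltration of that specific record is confirmed.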
So far, 22 companies have announced they were hit by the attackers. However, the data breach was widespread, wrote Obsidian Security analysts Sophie Zhu and Damien Miller-McAndrews, who called it the “largest SaaS breach campaign of the year, impacting over 700 companies and counting” and noted that both Salesforce and Gmail instances were compromised.
Initially, Salesloft executives said that only those companies that integrated the Drift application with their Salesforce instances were affected by the data breach, but the Google researchers in late August wrote that the bad actor also compromised OAuth tokens for the Drift Email integration and used the tokens to access email from a small contingent of Google Workspace accounts. Given that, GTIG and Mandiant advised all organizations using Salesloft Drift to view all authentication tokens linked to the Drift platform as possibly compromised.
Salesloft took a number of steps when the data breach was detected, including isolating Drift’s infrastructure, app, and code, and taking the application offline. It also rotated credentials, enhanced its environment to protect against the methods used by UNC6395 and used threat-hunting capabilities from Mandiant.
In addition, “Mandiant has verified the technical segmentation between Salesloft and Drift applications and infrastructure environments,” the company wrote.
Salesloft bought Drift last year. Organizations integrate the application with customer relationship management (CRM), sales, analytics and other systems to track and record help desk interactions and other customer activities.
The Salesloft breach is the latest example of hackers targeting SaaS applications, according to Chad Knipschild, director of product marketing at AppOmni.
“Recent attacks by UNC6395 (which abused the Drift integration with Salesforce) and UNC6040 (which leveraged a rogue Salesforce Data Loader app) highlight a dangerous new reality: Attackers are no longer just targeting your users or your network,” Knipschild wrote in a blog post this week. “They are exploiting the trusted connections between your SaaS applications (your SaaS supply chain) to steal data, and most security tools can’t see it happening.”
Attackers are not only abusing the trust between platforms like Salesforce, Microsoft 365, and Google Workspace, but also the integration connections to other clients.
“An organization may have hundreds or even thousands of Microsoft or Salesforce tenants that all need to be managed and maintained with different connections for different purposes,” he wrote. “As organizations rely on a growing number of SaaS applications, each integration becomes part of the attack surface. The complexity is staggering, and most security stacks today aren’t equipped to monitor or defend against this type of threat.”
That said, the UNC6395 breach of Salesloft’s Drift goes a step further, Obsidian’s Zhu and Miller-McAndrews wrote.
“This attack is different,” they wrote. “By exploiting a third-party integration, hackers have amplified the scale and impact of the breach by 10x. Most victims are technology and software firms themselves, meaning any one of them could trigger a cascading supply-chain breach. This represents a seismic risk for any company using SaaS integrations that bypass proxy and access controls by default.”