好的,我现在需要帮用户总结一篇文章的内容,控制在100个字以内,并且不需要特定的开头。首先,我得仔细阅读文章,抓住主要信息。 文章讲的是黑客利用修改过的AuraInspector工具,大规模扫描Salesforce的Experience Cloud站点。他们利用配置错误,获取敏感数据。Salesforce的安全团队警告说,攻击者用的是修改后的工具,能提取数据。问题出在过于宽松的访客用户设置上,可能导致CRM数据泄露,用于钓鱼等攻击。Salesforce强调这不是平台漏洞,而是客户配置问题,并建议加强安全措施。 接下来,我需要把这些要点浓缩成一句话。要包含威胁行为者、 AuraInspector、 Salesforce系统、数据窃取、配置错误等因素。 可能的结构是:威胁行为者利用修改后的工具扫描Salesforce站点,窃取敏感数据,源于配置错误。 现在检查字数是否在100字以内,并确保信息准确全面。 </think> 威胁行为者利用修改后的AuraInspector工具大规模扫描Salesforce Experience Cloud站点,窃取敏感数据。攻击者通过过度宽松的访客用户设置访问CRM数据,用于社会工程或钓鱼攻击。Salesforce建议加强配置和安全措施以减少风险。 2026-3-10 12:29:52 Author: securityaffairs.com(查看原文) 阅读量:6 收藏
Threat actors use custom AuraInspector to harvest data from Salesforce systems
Attackers are mass-scanning Salesforce Experience Cloud sites using a modified AuraInspector tool to exploit misconfigurations and access sensitive data.
Salesforce CSOC warns that threat actors are mass-scanning publicly accessible Experience Cloud sites using a modified version of the AuraInspector tool.
AuraInspector is an open‑source command‑line tool released by Google/Mandiant to audit Salesforce Aura and Experience Cloud applications for data exposure risks. It simulates an unauthenticated or guest user and automatically discovers Aura endpoints, then tests them for access‑control misconfigurations that might expose sensitive records (e.g., Accounts, Contacts, Leads) via Aura methods, record lists, or GraphQL controllers.
The campaign targets misconfigured guest user settings that are overly permissive, allowing attackers to access sensitive data from exposed environments.
“Evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites.” reads the report published by Salesforce. “While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings. “
Misconfigured sites risk exposing CRM data, which can then be used for targeted social engineering or vishing attacks.
The company said the activity does not involve a platform vulnerability but exploits customer misconfigurations. Organizations are urged to review and secure Experience Cloud guest user settings to reduce exposure.
“At this time, we have not identified any vulnerability inherent to the Salesforce platform associated with this activity. These attempts are focused on customer configuration settings that, if not properly secured, may increase exposure.” reads the security advisory. “We encourage customers to review their Experience Cloud guest user settings and take immediate recommended actions. For additional details and steps to help protect your org, please see our blog: https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/“
Salesforce attributes the campaign to a known threat actor group, possibly ShinyHunters, known for targeting Salesforce environments through third-party apps. The company urges customers to secure Experience Cloud guest settings, restrict public access, disable unnecessary APIs, and monitor logs.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
如有侵权请联系:admin#unsafe.sh