Massive Supply Chain Attack Hits 200+ Companies via Salesforce App; Hacker Group Claims Breach

Scattered Lapsus$ Hunters Claim Major Supply Chain Breach Abusing Gainsight OAuth Tokens in Salesforce

Severity: HIGH
Published: November 22, 2025
Updated: December 6, 2025
Topics: Supply Chain Attack, Data Breach, Cloud Security

Impact Scope

Affected Companies: Atlassian, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, Verizon

Industries Affected: Technology, Telecommunications, Finance

Related Entities (initial)

Threat Actors: Scattered Lapsus$ Hunters

Products & Tech: OAuth, Salesforce AppExchange

Full Report (when first published)

Executive Summary

A sophisticated supply chain attack has compromised the Salesforce data of more than 200 organizations. The threat actor, a collective calling itself Scattered Lapsus$ Hunters, abused OAuth tokens associated with the Gainsight application, a popular tool on the Salesforce AppExchange. The incident was not a direct breach of Salesforce's platform but a classic example of a SaaS-to-SaaS attack, where the trusted connection between two cloud services is compromised. Salesforce has responded by revoking affected tokens and temporarily removing the Gainsight app. The attackers have publicly named numerous high-profile companies as victims, including Atlassian, Docusign, F5, and Verizon, creating a widespread security event with significant potential for data exposure across multiple industries.


Threat Overview

The attack, detected by Google Threat Intelligence, involved the abuse of OAuth access and refresh tokens. These tokens, designed to allow Gainsight's application to interact with a customer's Salesforce instance, were compromised and used by the attackers to gain unauthorized access to sensitive customer data stored within Salesforce. The initial vector for the token theft appears to be a prior compromise of Gainsight itself, which the attackers claim was a result of another supply chain attack involving Salesloft/Drift.

Scattered Lapsus$ Hunters, a group reportedly composed of members from notorious crews like ShinyHunters, Scattered Spider, and Lapsus$, claimed the attack on their Telegram channel. They alleged the compromise of nearly 300 organizations and threatened to leak data from almost 1,000 organizations when combined with previous breaches. This incident highlights a dangerous trend where attackers pivot from one compromised SaaS provider to another, creating a cascading effect of breaches across the cloud ecosystem.

Technical Analysis

The attack chain leverages the inherent trust model of OAuth 2.0, a standard widely used for delegated authorization between cloud services.

  1. Initial Compromise: The threat actors first compromised a SaaS provider (Gainsight). The attackers claim this was achieved by leveraging credentials or tokens stolen from a previous breach of Salesloft/Drift, which counted Gainsight as a customer. This suggests a chained supply chain attack.
  2. Token Theft: Once inside Gainsight's environment, the attackers located and exfiltrated OAuth tokens that Gainsight's application used to access its customers' Salesforce instances. These tokens are bearer tokens, meaning anyone possessing them can use them to access the associated resources.
  3. Unauthorized Access: The attackers used the stolen OAuth tokens to make API calls directly to the Salesforce environments of Gainsight's customers. This allowed them to bypass traditional authentication methods like passwords and MFA, as the tokens represented a legitimate, pre-authorized application.
  4. Data Exfiltration: With the token's pre-authorized access, the attackers could query and exfiltrate any data the Gainsight application was permitted to access within the victim's Salesforce instance. This could include customer lists, sales data, internal communications, and other sensitive business information.

Impact Assessment

The business impact of this breach is potentially massive and far-reaching. With over 200 organizations compromised, including Fortune 500 companies, the potential for data leakage is severe. The stolen data, originating from Salesforce CRMs, is highly valuable and could include:

  • Customer Personally Identifiable Information (PII)
  • Proprietary sales strategies and pipelines
  • Confidential business contracts and pricing
  • Internal employee information

The public naming of victims like Atlassian, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, and Verizon causes significant reputational damage, regardless of the extent of data loss. For Gainsight, the incident is catastrophic, eroding customer trust and likely leading to significant financial and legal repercussions. For the affected organizations, the breach necessitates costly incident response efforts, customer notifications, and potential regulatory fines under laws like GDPR or CCPA.

IOCs

No specific file-based or network-based IOCs were provided in the source articles. The primary indicator is the abuse of OAuth tokens, which must be detected through log analysis.

Cyber Observables for Detection

  • Type: log_source | Value: Salesforce Event Monitoring | Description: Look for ApiTotalUsage or RestApi events. | Context: SIEM, Cloud Security Monitoring | Confidence: high
  • Type: network_traffic_pattern | Value: Anomalous source IPs for OAuth token usage | Description: Correlate Salesforce API access logs with known corporate IP ranges; any access from unexpected ASNs or geolocations is suspicious. | Context: SIEM, Cloud Access Security Broker (CASB) | Confidence: high
  • Type: api_endpoint | Value: /services/data/vXX.X/ | Description: Monitor for unusual activity patterns against Salesforce REST API endpoints, especially from service accounts. | Context: API Security Gateway, WAF, CASB | Confidence: medium
  • Type: user_account_pattern | Value: Gainsight service account | Description: Monitor the service account associated with the Gainsight integration for anomalous behavior, such as accessing unusual objects or exfiltrating large volumes of data. | Context: Salesforce Shield, CASB | Confidence: high

Detection & Response

Detecting this type of attack requires a focus on API and cloud application security monitoring.

  1. Log Analysis: Security teams must ingest and analyze logs from their SaaS platforms, particularly Salesforce's Event Monitoring logs. Look for anomalous patterns associated with service accounts or third-party applications. Key indicators include:

    • Access from unusual IP addresses, geolocations, or autonomous systems (ASNs).
    • A sudden spike in data access or download volume (ApiTotalUsage events).
    • Access to objects or records outside the application's normal operating parameters.
  2. CASB/SSPM: A Cloud Access Security Broker (CASB) or SaaS Security Posture Management (SSPM) tool is crucial. These tools can baseline normal application behavior and alert on deviations. They can also provide visibility into OAuth permissions and help identify over-privileged applications. For detection, D3-RAPA: Resource Access Pattern Analysis is a key defensive technique to implement within these platforms.

  3. Token Lifecycle Management: Regularly audit all authorized OAuth applications. Revoke tokens for unused or suspicious applications. Implement policies for short-lived refresh tokens where possible. D3-ANCI: Authentication Cache Invalidation should be applied by immediately revoking sessions and tokens upon detection of suspicious activity.

Mitigation

Mitigating SaaS-to-SaaS supply chain attacks requires a multi-layered approach focusing on visibility, control, and incident readiness.

  • Immediate Action: Salesforce has already revoked the tokens, which is the correct immediate response. Affected customers should assume their data was accessed and initiate their incident response plans.

  • Strategic Mitigation:

    1. Principle of Least Privilege: Scrutinize the permissions granted to all third-party applications. Use SSPM tools to identify and remediate over-privileged OAuth grants. Applications should only have access to the specific data and API endpoints required for their function. This aligns with D3-UAP: User Account Permissions.
    2. Vendor Risk Management: Enhance third-party risk management programs to include deep dives into the security posture of SaaS vendors, including their own supply chain dependencies.
    3. Network Egress Controls: While difficult with SaaS, where possible, restrict API access to known IP ranges to prevent stolen tokens from being used from unauthorized locations. This is a form of D3-ITF: Inbound Traffic Filtering applied to the SaaS provider.
    4. Continuous Monitoring: Implement continuous monitoring of SaaS application activity. Use CASB/SSPM solutions to detect anomalous behavior and enforce security policies automatically.

Timeline of Events

November 22, 2025: This article was published.

Article Updates

December 6, 2025

Scattered LAPSUS$ Hunters launched a dark web leak site, threatening to expose Salesforce customer data and demanding a ransom from Salesforce directly.

MITRE ATT&CK Mitigations

  • Routinely audit and enforce least privilege on service accounts, including those used for third-party application integrations.
  • Audit (M1047, Enterprise): Implement comprehensive logging and auditing for all SaaS platforms to monitor for anomalous API usage and access patterns.
  • If supported by the SaaS provider, restrict API access for third-party integrations to a known set of IP addresses.
  • While token theft bypasses user MFA, enforcing MFA on the vendor's side (Gainsight) could have prevented the initial compromise.

D3FEND Defensive Countermeasures

To specifically counter the abuse of the Gainsight application's OAuth token, organizations must implement Resource Access Pattern Analysis within their Salesforce environment. This involves using a SaaS Security Posture Management (SSPM) or advanced Cloud Access Security Broker (CASB) solution to establish a baseline of normal behavior for the Gainsight service account. The baseline should profile the types of Salesforce objects it accesses, the frequency of access, the volume of data queried, and the typical time-of-day for its operations. Once this baseline is established, configure real-time alerting for any significant deviations. For example, an alert should trigger if the service account suddenly starts accessing a large number of contact records it has never touched before, or if data export volumes spike unexpectedly. This technique moves beyond static permission checks and focuses on behavioral anomalies, which is essential for detecting the malicious use of a legitimate, authorized token. This provides a critical detection layer that could have identified the attacker's data collection activities.
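The following script is an added example, not code from the original article or from any of the vendors it names. It implements the Resource Access Pattern Analysis described above, and also the log-analysis indicators listed under Detection & Response (unusual source IP, volume spike, access to objects outside the application's normal parameters), as a baseline-and-deviation check over Salesforce RestApi event rows. The CSV columns mirror a subset of Salesforce EventLogFile RestApi fields; the rows themselves, the integration user ID, the vendor egress IP range and the z-score threshold are constructed assumptions for the example.

```python
"""Resource Access Pattern Analysis (D3-RAPA) over Salesforce RestApi event rows.

Added example, not from the original article. It profiles the integration
user's normal behaviour from a baseline window (objects touched, rows per
call, active hours, source IPs) and flags deviations in a later window.
All rows, IDs and ranges below are constructed for the example.
"""
import csv
import io
import ipaddress
import statistics
from datetime import datetime

# Assumption: the vendor's documented egress range (constructed, TEST-NET-3).
VENDOR_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
# Placeholder Salesforce user ID for the integration's connected-app user.
INTEGRATION_USER = "005xxINTEGRATION"

# Constructed baseline window: the integration only reads Opportunity/Task
# records, during business hours, from the vendor's egress range.
BASELINE_CSV = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,URI,ENTITY_NAME,ROWS_PROCESSED
RestApi,20251101100001.000,005xxINTEGRATION,203.0.113.10,/services/data/v59.0/query,Opportunity,120
RestApi,20251101110002.000,005xxINTEGRATION,203.0.113.11,/services/data/v59.0/query,Opportunity,130
RestApi,20251102100003.000,005xxINTEGRATION,203.0.113.10,/services/data/v59.0/query,Task,40
RestApi,20251102110004.000,005xxINTEGRATION,203.0.113.12,/services/data/v59.0/query,Opportunity,125
RestApi,20251103100005.000,005xxINTEGRATION,203.0.113.10,/services/data/v59.0/query,Task,45
"""

# Constructed observation window: one normal call, then bulk reads of
# Contact/Account at 03:15 UTC from an address outside the vendor range.
OBSERVED_CSV = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,URI,ENTITY_NAME,ROWS_PROCESSED
RestApi,20251120100006.000,005xxINTEGRATION,203.0.113.10,/services/data/v59.0/query,Opportunity,118
RestApi,20251120031507.000,005xxINTEGRATION,198.51.100.77,/services/data/v59.0/query,Contact,25000
RestApi,20251120031608.000,005xxINTEGRATION,198.51.100.77,/services/data/v59.0/query,Account,9000
"""


def parse_rows(text, user_id):
    """Keep only RestApi events for the integration user; parse the fields we score."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        if r["EVENT_TYPE"] != "RestApi" or r["USER_ID"] != user_id:
            continue
        rows.append({
            # EventLogFile timestamps are YYYYMMDDhhmmss.SSS in UTC.
            "ts": datetime.strptime(r["TIMESTAMP"], "%Y%m%d%H%M%S.%f"),
            "ip": ipaddress.ip_address(r["CLIENT_IP"]),
            "entity": r["ENTITY_NAME"],
            "rows": int(r["ROWS_PROCESSED"]),
        })
    return rows


def build_baseline(rows):
    """Profile objects accessed, active hours, and per-call row volume."""
    counts = [r["rows"] for r in rows]
    return {
        "entities": {r["entity"] for r in rows},
        "hours": {r["ts"].hour for r in rows},
        "mean_rows": statistics.mean(counts),
        "stdev_rows": statistics.pstdev(counts),
    }


def in_allowed_range(ip):
    return any(ip in net for net in VENDOR_EGRESS)


def detect(rows, baseline, z=3.0):
    """Return (kind, value, timestamp) findings for every deviation from the baseline."""
    findings = []
    for r in rows:
        when = r["ts"].isoformat()
        if r["entity"] not in baseline["entities"]:
            findings.append(("NEW_ENTITY", r["entity"], when))
        if not in_allowed_range(r["ip"]):
            findings.append(("UNEXPECTED_IP", str(r["ip"]), when))
        if r["rows"] > baseline["mean_rows"] + z * baseline["stdev_rows"]:
            findings.append(("VOLUME_SPIKE", r["rows"], when))
        if r["ts"].hour not in baseline["hours"]:
            findings.append(("OFF_HOURS", r["ts"].hour, when))
    return findings


def analyse(baseline_csv=BASELINE_CSV, observed_csv=OBSERVED_CSV, user_id=INTEGRATION_USER):
    baseline = build_baseline(parse_rows(baseline_csv, user_id))
    return detect(parse_rows(observed_csv, user_id), baseline)


if __name__ == "__main__":
    for kind, value, when in analyse():
        print(f"{when} {kind}: {value}")
```

The first observed call (Opportunity, 118 rows, business hours, vendor IP) produces no finding; each of the two bulk reads trips all four checks. In production the baseline would be rebuilt on a rolling window and the findings routed to the SIEM, with token revocation (D3-ANCI) as the response action.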

A critical preventative measure is a rigorous audit and hardening of OAuth application permissions. Organizations must treat application service accounts with the same scrutiny as privileged user accounts. For the Gainsight-Salesforce integration, this means reviewing the scope of the OAuth grant and reducing it to the absolute minimum required for the application to function. For instance, if Gainsight only needs to read 'Opportunity' objects and write to 'Task' objects, its permissions should be explicitly limited to those actions and objects. Any 'read all' or 'write all' permissions should be eliminated. This can be implemented within Salesforce's 'Connected Apps' settings. Regularly scheduled reviews (e.g., quarterly) of all third-party app permissions should be mandated. This 'least privilege' approach ensures that even if an application's token is stolen, the potential blast radius is significantly contained, limiting the amount and type of data an attacker can exfiltrate.
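As an added example (not the article's or any vendor's code) of the audit this paragraph, the Token Lifecycle Management step and the Least Privilege and Network Egress Controls mitigations call for, the script below reviews an inventory of connected-app OAuth grants against a per-app policy of minimum scopes and objects, and flags excess permissions, relaxed IP restrictions, unapproved apps, and stale grants that should be revoked. The inventory format is an assumption (a constructed export); the scope names follow Salesforce connected-app OAuth scope identifiers, while the app names, policies, dates and the 90-day staleness threshold are constructed.

```python
"""Least-privilege and lifecycle audit of third-party OAuth grants.

Added example, not from the original article. The inventory shape is an
assumption: one record per connected-app grant with its scopes, the objects
it has been observed touching, its IP-restriction setting and last use.
"""
from datetime import date

# Constructed policy: the minimum each approved integration needs. 'full'
# should never appear here; it is the 'read all / write all' case to eliminate.
POLICY = {
    "Gainsight (constructed)": {"scopes": {"api", "refresh_token"},
                                "objects": {"Opportunity", "Task"}},
    "Marketing sync (constructed)": {"scopes": {"api"}, "objects": {"Lead"}},
}

# Constructed inventory export (assumed format).
GRANTS = [
    {"app": "Gainsight (constructed)", "scopes": {"full", "refresh_token"},
     "objects": {"Opportunity", "Task", "Contact", "Account"},
     "ip_policy": "relax", "last_used": date(2025, 11, 20)},
    {"app": "Marketing sync (constructed)", "scopes": {"api"}, "objects": {"Lead"},
     "ip_policy": "enforce", "last_used": date(2025, 11, 19)},
    {"app": "Old BI connector (constructed)", "scopes": {"api", "refresh_token"},
     "objects": {"Account"}, "ip_policy": "relax", "last_used": date(2025, 6, 1)},
]

STALE_DAYS = 90  # assumption: grants unused this long are revoke candidates


def audit_grant(grant, policy, today):
    """Return (finding, detail) pairs for one grant; an empty list means compliant."""
    findings = []
    pol = policy.get(grant["app"])
    if pol is None:
        # No owner or approved policy on record: review, and revoke if unneeded.
        findings.append(("UNAPPROVED_APP", grant["app"]))
    else:
        extra_scopes = grant["scopes"] - pol["scopes"]
        if extra_scopes:
            findings.append(("EXCESS_SCOPES", sorted(extra_scopes)))
        extra_objects = grant["objects"] - pol["objects"]
        if extra_objects:
            findings.append(("EXCESS_OBJECTS", sorted(extra_objects)))
    if grant["ip_policy"] != "enforce":
        # A stolen token is usable from anywhere unless IP restrictions are enforced.
        findings.append(("IP_RESTRICTIONS_RELAXED", grant["ip_policy"]))
    idle = (today - grant["last_used"]).days
    if idle > STALE_DAYS:
        findings.append(("STALE_GRANT_REVOKE", idle))
    return findings


def audit(grants=GRANTS, policy=POLICY, today=date(2025, 11, 22)):
    """Audit every grant; returns {app: [findings]}."""
    return {g["app"]: audit_grant(g, policy, today) for g in grants}


if __name__ == "__main__":
    for app, findings in audit().items():
        status = "OK" if not findings else "; ".join(f"{k}={v}" for k, v in findings)
        print(f"{app}: {status}")
```

Run on the constructed inventory, the Gainsight grant is flagged for the 'full' scope, for touching Contact and Account beyond its approved objects, and for relaxed IP restrictions; the marketing sync is compliant; the old BI connector has no policy owner and has been idle for 174 days, so it is a revoke candidate. The observed-objects field is what links this static review to the behavioural baseline: a grant whose scope is minimal on paper but whose observed objects exceed the policy is the case the audit is designed to surface.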

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: OAuth, Supply Chain Attack, SaaS, Salesforce, Gainsight, Scattered Lapsus$ Hunters, Data Breach, Token Theft
