Zscaler falls victim to Salesloft Drift supply chain hack

US cloud security firm Zscaler is the latest victim of a wide-ranging supply chain attack campaign targeting marketing software-as-a-service platform Salesloft.


Cyber security firm Zscaler has confirmed that a limited amount of its business contact information has been compromised as part of a widespread supply chain attack targeting AI-powered marketing platform Salesloft.

“Zscaler was made aware of a campaign targeted at Salesloft Drift (marketing software-as-a-service) and impacting a large number of Salesforce customers. This incident involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information,” Zscaler said in a 30 August statement.

“The scope of the incident is confined to Salesforce and does not involve access to any of Zscaler’s products, services or underlying systems and infrastructure.


“As part of this campaign, unauthorised actors gained access to Salesloft Drift credentials of its customers, including Zscaler. Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information.”

According to the company, the compromised data includes names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content regarding “certain support cases”. Zscaler has confirmed, however, that the latter does not include any attachments or other files.

“After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information,” Zscaler said.

“If anything changes, we will provide further communications and updates.”

In response, Zscaler revoked Salesloft Drift’s access to Zscaler’s Salesforce data, rotated its API access tokens, and launched “a detailed investigation into the scope of the event, working closely with Salesforce to assess and understand impacts as they continue investigating”.

The Google Threat Intelligence Group (GTIG) rang alarm bells last week when it advised that the scope of this supply chain compromise was far larger than originally anticipated.

“We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised,” GTIG said in a 28 August update.

“We recommend organisations take immediate action to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorised access.”
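Zscaler's response above (revoke the Drift connected app's access, rotate tokens, investigate) and GTIG's recommendation map onto two standard Salesforce objects an admin can query: OauthToken (one row per token issued to a connected app) and LoginHistory (one row per login, including API logins by integrations). The script below is an added example, not Zscaler's, Salesforce's or Google's code. It runs offline over constructed rows shaped like the results of those two SOQL queries; the app-name pattern, the compromise window, the integration's expected egress IP set and every record value are assumptions to be replaced with your org's data and the dates and indicators from the vendor advisories.

```python
"""Triage of Salesforce OAuth tokens and integration logins after a third-party
integration (here: Salesloft Drift) has had its tokens stolen.

Added example, not code from Zscaler, Salesforce or Google. All sample rows,
the suspect-app pattern, the compromise window and the egress IP set are
constructed assumptions for illustration.
"""
from datetime import datetime, timezone

# Constructed rows, shaped like the result of:
#   SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken
SAMPLE_OAUTH_TOKENS = [
    {"Id": "0Ha0000000000A1", "AppName": "Salesloft Drift", "UserId": "005000000000AAA",
     "LastUsedDate": "2025-08-16T03:12:44.000+0000", "UseCount": 118},
    {"Id": "0Ha0000000000A2", "AppName": "Drift Email Sync", "UserId": "005000000000DDD",
     "LastUsedDate": "2024-12-30T18:00:00.000+0000", "UseCount": 1},
    {"Id": "0Ha0000000000A3", "AppName": "Salesforce Mobile", "UserId": "005000000000BBB",
     "LastUsedDate": "2025-08-25T09:01:10.000+0000", "UseCount": 4},
]

# Constructed rows, shaped like the result of:
#   SELECT UserId, LoginTime, LoginType, SourceIp, Status, Application FROM LoginHistory
SAMPLE_LOGINS = [
    {"UserId": "005000000000AAA", "LoginTime": "2025-08-01T02:40:00.000+0000",
     "LoginType": "Remote Access 2.0", "SourceIp": "192.0.2.10", "Status": "Success",
     "Application": "Salesloft Drift"},
    {"UserId": "005000000000AAA", "LoginTime": "2025-08-12T02:41:07.000+0000",
     "LoginType": "Remote Access 2.0", "SourceIp": "203.0.113.55", "Status": "Success",
     "Application": "Salesloft Drift"},
    {"UserId": "005000000000BBB", "LoginTime": "2025-08-13T08:15:00.000+0000",
     "LoginType": "Application", "SourceIp": "198.51.100.7", "Status": "Success",
     "Application": "Browser"},
]

# Assumptions: any app whose name contains one of these substrings is the
# compromised integration; the window is whatever your advisory gives (these
# dates are placeholders); the egress set is the integration's documented
# source IPs, so a login from anywhere else is worth a look.
SUSPECT_APP_PATTERNS = ("drift",)
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 18, 23, 59, 59, tzinfo=timezone.utc)
EXPECTED_EGRESS_IPS = {"192.0.2.10"}


def parse_sf_datetime(value: str) -> datetime:
    """Salesforce REST timestamps look like 2025-08-16T03:12:44.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_suspect_app(app_name: str) -> bool:
    name = app_name.lower()
    return any(p in name for p in SUSPECT_APP_PATTERNS)


def tokens_to_revoke(tokens):
    """Every OauthToken issued to the compromised integration goes on the revoke
    list regardless of LastUsedDate: GTIG's advice is to treat any token
    connected to Drift as compromised, not only the ones recently used."""
    return sorted(t["Id"] for t in tokens if is_suspect_app(t["AppName"]))


def suspicious_logins(logins):
    """Successful logins attributed to the compromised integration, inside the
    window, from an IP outside its expected egress set. These sessions are the
    ones to pivot on in Event Monitoring to see what data was queried."""
    hits = []
    for row in logins:
        when = parse_sf_datetime(row["LoginTime"])
        if not (WINDOW_START <= when <= WINDOW_END):
            continue
        if not is_suspect_app(row["Application"]) or row["Status"] != "Success":
            continue
        if row["SourceIp"] in EXPECTED_EGRESS_IPS:
            continue
        hits.append((row["UserId"], row["LoginTime"], row["SourceIp"]))
    return hits


def revoke_soql(token_ids):
    """SOQL to pull the exact rows before revoking them. Whether the rows are
    then deleted through the API or revoked in Setup under Connected Apps OAuth
    Usage is an operational choice; this example only builds the query."""
    quoted = ", ".join(f"'{i}'" for i in token_ids)
    return ("SELECT Id, AppName, UserId, LastUsedDate FROM OauthToken "
            f"WHERE Id IN ({quoted})")


if __name__ == "__main__":
    ids = tokens_to_revoke(SAMPLE_OAUTH_TOKENS)
    print("revoke:", ids)
    print(revoke_soql(ids))
    for user, when, ip in suspicious_logins(SAMPLE_LOGINS):
        print(f"investigate user {user}: integration login from {ip} at {when}")
```

The token list is deliberately not filtered by last-use date: the point of GTIG's guidance is that a token the attacker has not used yet is still the attacker's to use, so the rotation has to cover the whole integration, and the login review is what tells you which of those tokens were actually exercised against your data.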

Google revealed that the threat actor behind the campaign, currently tracked as UNC6395, accessed a “very small number of Google Workspace accounts” on 9 August.

“In response to these findings and to protect our customers, Google identified the impacted users, revoked the specific OAuth tokens granted to the Drift Email application, and disabled the integration functionality between Google Workspace and Salesloft Drift pending further investigation,” Google said.

There is evidence that the Scattered Spider and ShinyHunters collectives, which appear to have formed some kind of loose hacking alliance, may be behind the hacking campaign. According to Obsidian Security, as of 28 August, more than 700 companies have had their data compromised by the campaign, mostly in the IT sector.

“Most victims are technology and software firms themselves, meaning any one of them could trigger a cascading supply-chain breach,” Obsidian Security said in a recent blog post.

“This represents a seismic risk for any company using SaaS integrations that bypass proxy and access controls by default.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
