
Best defence: Salesforce shares tips to defend against ShinyHunters extortion campaign

The infamous hacking group is claiming to have compromised hundreds of companies via their Salesforce instances – here’s what you can do to protect yours.

Mon, 16 Mar 2026

Since late last year, the ShinyHunters group has been targeting a raft of companies via their Salesforce instances, stealing data and extorting victims before publishing it on its leak sites.

Music streaming service SoundCloud was one of the first victims of the latest campaign, with companies such as Crunchbase, Bumble, and Harvard University since revealed as victims.

The group has listed 20 victims in total, but has said far more are to come.


“Several hundreds of companies set to release with FINAL WARNINGs upon failure to comply. To all affected companies who will be or are being contacted by us ("ShinyHunters"), please consider this a preliminary warning before we release your name with FINAL WARNING or a complete data leak,” the hackers said in a March 9 update.

“Reply, engage, pay a small price, and prevent a publication. Make the right decision, don't be the next headline.”

All that said, while Salesforce is the common element in ShinyHunters’ operations, the company itself has gone to great lengths to explain that it is not its software at fault.

“It is important to note that Salesforce remains secure, and this issue is not due to any vulnerability inherent to our platform,” Salesforce said in a recent security update.

“Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw.”

Salesforce believes the hackers are taking advantage of a modified version of the open-source tool Aura Inspector, which was initially developed by Mandiant. They’re using this tool to scan for public-facing Experience Cloud sites, and this custom version is able to not only identify exposed API endpoints, but also extract data where guest user settings are “overly permissive”.

According to Salesforce, ShinyHunters is looking for two things in a potential victim: use of the guest user profile, and permissions configured to allow public access to objects and fields not intended to be publicly available – in contravention of the company’s own recommended configuration advice.

“This threat actor activity reflects a broader trend of ‘identity-based’ targeting,” Salesforce said.

“Data harvested in these scans, such as names and phone numbers, is often used to build follow-on targeted social engineering and ‘vishing’ (voice phishing) campaigns.”

Recommended actions

Salesforce said that while it has enhanced its anomaly detection capabilities, security remains a shared responsibility, and has suggested its customers immediately conduct an audit of guest permissions and enforce “least privilege” access models to protect their data.

In addition, the company has made nine further recommendations.

1. Review guest user configurations.

2. Set organisation-wide defaults to “Private”.

3. Disable all public APIs.

4. Uncheck “Portal User Visibility” and “Site User Visibility” in Sharing Settings.

5. Disable self-registration if it is not needed.

6. Review the Enhanced Personal Information Masking (EPIM) configuration.

7. Enable profile filtering.

8. Enable the display of nicknames.

9. Review Field-Level Security for non-User Objects.
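One way to turn items 1 and 9 into a repeatable check, as an added example that is not Salesforce's own tooling: the script below scores rows shaped like ObjectPermissions and FieldPermissions SOQL results against an allow-list of what a public site legitimately needs. The guest licence name, the allow-list and the sample rows are assumptions or constructed data to adapt to your org.

```python
# Guest-profile least-privilege audit: added example, not Salesforce's own tooling.
# Guest licence name and allow-list are assumptions; sample records are constructed.
GUEST_LICENSE = "Guest User License"
ALLOWED = {"Knowledge__kav": {"Read"}, "Case": {"Create"}}  # grants a public site needs
SENSITIVE_HINTS = ("Phone", "Email", "SSN", "Birth")          # field names that suggest PII
CRUD = ("Read", "Create", "Edit", "Delete")

GUEST = {"Profile": {"Name": "Support Site Guest", "UserLicense": {"Name": GUEST_LICENSE}}}
INTERNAL = {"Profile": {"Name": "Standard User", "UserLicense": {"Name": "Salesforce"}}}

def _obj(sobject, parent, **grants):
    """Build one record shaped like an ObjectPermissions SOQL row."""
    rec = {"SobjectType": sobject, "Parent": parent}
    rec.update({f"Permissions{p}": grants.get(p, False) for p in CRUD})
    return rec

# Constructed rows, shaped like: SELECT SobjectType, PermissionsRead, PermissionsCreate,
# PermissionsEdit, PermissionsDelete, Parent.Profile.Name, Parent.Profile.UserLicense.Name
# FROM ObjectPermissions WHERE Parent.IsOwnedByProfile = true
SAMPLE_OBJECT_PERMS = [
    _obj("Knowledge__kav", GUEST, Read=True),         # expected for a help site
    _obj("Contact", GUEST, Read=True),                # guest can read Contacts: finding
    _obj("Case", GUEST, Read=True, Create=True),      # Create is allowed, Read is not
    _obj("Contact", INTERNAL, Read=True, Edit=True),  # internal profile, out of scope
]
# Constructed rows shaped like FieldPermissions (Field, PermissionsRead, Parent).
SAMPLE_FIELD_PERMS = [
    {"Field": "Contact.Phone", "PermissionsRead": True, "Parent": GUEST},
    {"Field": "Contact.LastName", "PermissionsRead": True, "Parent": GUEST},
    {"Field": "Contact.Email", "PermissionsRead": True, "Parent": INTERNAL},
]

def is_guest(rec):
    return rec["Parent"]["Profile"]["UserLicense"]["Name"] == GUEST_LICENSE

def audit_object_perms(records):
    """Return guest grants that exceed the allow-list, one string per object."""
    findings = []
    for r in records:
        if not is_guest(r):
            continue
        excess = {p for p in CRUD if r[f"Permissions{p}"]} - ALLOWED.get(r["SobjectType"], set())
        if excess:
            findings.append(f"{r['SobjectType']}: {sorted(excess)}")
    return findings

def audit_field_perms(records):
    """Return guest-readable fields whose names look like PII."""
    return [r["Field"] for r in records if is_guest(r) and r["PermissionsRead"]
            and any(h in r["Field"] for h in SENSITIVE_HINTS)]
```

Feed it the real query output from your org and every finding is a guest grant to review against item 1 (objects) or item 9 (fields).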

You can read more about Salesforce’s security recommendations here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
