“It is important to note that Salesforce remains secure, and this issue is not due to any vulnerability inherent to our platform. Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw,” it added.

The company noted that the threat actor has abused a modified version of an open source tool called Aura Inspector, which Mandiant developed for auditing Salesforce Aura instances and identifying data exposures.

“While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings,” Salesforce explained.

While the CRM vendor has not named the threat actor, the ShinyHunters group took credit for the attack, claiming to have targeted “several hundreds of companies” as part of what it calls the ‘Salesforce Aura Campaign’.

The cybercrime gang has threatened to release information stolen from companies’ Salesforce instances if they refuse to comply with their extortion demands.

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Source: SecurityWeek