ShinyHunters Breach Affects More Salesforce Customers • The Register

ShinyHunters, a well-known hacking group, recently claimed to have stolen data from around 100 prominent companies in a large-scale breach involving Salesforce. The group publicly announced that it had been exploiting publicly accessible Salesforce Experience Cloud sites to access sensitive information.

Details of the Breach

The breach reportedly affects several high-profile organizations including Snowflake, Okta, LastPass, Sony, and AMD. The disclosure from ShinyHunters indicated that the exploitation and reconnaissance efforts had been ongoing for several months.

Salesforce’s Response

In the wake of these revelations, Salesforce issued warnings about ongoing activity by a “known threat actor group.” Although Salesforce has not confirmed that ShinyHunters is the group involved, the company emphasized that the breach was not caused by a vulnerability in its platform. Instead, it pointed to misconfigured guest user profiles as the root cause.

  • Overly broad permissions assigned to guest user profiles have led to unauthorized data access.
  • The Salesforce security advisory recommends auditing guest user permissions and restricting access to sensitive data.
  • Companies are urged to ensure that public access settings are configured correctly to avoid similar issues.

Exploiting Misconfigurations

ShinyHunters reportedly used a modified version of AuraInspector, an open-source scanning tool developed by Mandiant, to identify vulnerable targets. The tool, originally built for Salesforce administrators, detects misconfigurations in the Salesforce Aura framework.

However, ShinyHunters adapted the tool to exploit overly permissive guest user settings. Because those settings exposed data to unauthenticated visitors, the group was able to extract valuable data without ever authenticating.

Impact on Affected Companies

Many organizations, including LastPass, acknowledged that they were aware of the breach and are working with Salesforce to investigate it further. Despite the concerns raised, a LastPass spokesperson said there was no direct link between this breach and a recent phishing campaign.

Preventive Measures for Customers

Salesforce has provided specific recommendations to mitigate risks associated with this security incident:

  • Regularly audit guest user permissions to minimize access.
  • Set the external access to “private” in sharing settings.
  • Disable guest user access to public APIs and restrict system permissions.
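As an added example that is not from the article or from Salesforce, the following Python audit applies the three recommendations above to a constructed guest user profile and a constructed set of org-wide sharing defaults. The record shape and field names (allowRead, viewAllRecords, ApiEnabled, externalSharingModel) are assumptions modelled on Metadata API profile and object metadata; in practice the inputs would come from an export of the org, and the list of sensitive objects is an assumption to be tuned per org.

```python
"""Audit a Salesforce guest user profile against the advisory's three checks.
All records below are constructed sample data; field names are assumptions
modelled on Metadata API Profile and CustomObject metadata."""

# Constructed guest profile with the kind of over-broad settings described.
GUEST_PROFILE = {
    "name": "Customer Community Guest User",
    "userPermissions": {"ApiEnabled": True, "ViewAllData": False},
    "objectPermissions": {
        "Contact": {"allowRead": True, "viewAllRecords": True},
        "Case": {"allowRead": True, "viewAllRecords": False},
        "Knowledge__kav": {"allowRead": True, "viewAllRecords": False},
    },
}
# Constructed org-wide defaults; externalSharingModel is what guests get.
SHARING_DEFAULTS = {
    "Contact": {"sharingModel": "Private", "externalSharingModel": "Read"},
    "Case": {"sharingModel": "Private", "externalSharingModel": "Private"},
    "Knowledge__kav": {"sharingModel": "Read", "externalSharingModel": "Read"},
}
# Objects treated as sensitive data (assumed list; tune per org).
SENSITIVE = {"Contact", "Case", "Account", "Lead", "User"}
# System permissions a guest profile should never hold (assumed list).
RISKY_SYSTEM_PERMS = {"ApiEnabled", "ViewAllData", "ModifyAllData"}

def audit_guest_profile(profile, sharing_defaults, sensitive=SENSITIVE):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    findings = []
    # Check 3: no API access or broad system permissions on the guest profile.
    for perm, enabled in profile["userPermissions"].items():
        if enabled and perm in RISKY_SYSTEM_PERMS:
            findings.append(("high", f"system permission {perm} enabled"))
    for obj, perms in profile["objectPermissions"].items():
        # Check 1: View All Records bypasses sharing rules for that object.
        if perms.get("viewAllRecords"):
            findings.append(("high", f"{obj}: View All Records granted"))
        # Check 2: external sharing default must be Private for sensitive
        # objects; profile read access only matters once sharing lets
        # records through, so a non-Private external default is the finding.
        ext = sharing_defaults.get(obj, {}).get("externalSharingModel", "Private")
        if perms.get("allowRead") and obj in sensitive and ext != "Private":
            findings.append(("high", f"{obj}: external sharing default is {ext}"))
        elif perms.get("allowRead") and ext != "Private":
            findings.append(("low", f"{obj}: readable by guests (external OWD {ext})"))
    return findings

if __name__ == "__main__":
    for severity, finding in audit_guest_profile(GUEST_PROFILE, SHARING_DEFAULTS):
        print(f"[{severity}] {finding}")
```

The same audit returns an empty list once the profile has no API access, no View All Records grants, and Private external defaults on every object guests can read.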

Conclusion

The ongoing threat posed by groups like ShinyHunters highlights the importance of proper configuration in cloud platforms. With increasing data theft incidents, organizations must remain vigilant and proactive in their security measures.